Date: Wed, 01 Sep 2010 18:33:03 +0200
From: Jan Henrik Sylvester <me@janh.de>
To: stable-list freebsd <freebsd-stable@freebsd.org>
Subject: GSSAPI (for OpenLDAP) on FreeBSD 8?
Message-ID: <4C7E803F.1090606@janh.de>

I have got problems with GSSAPI authentication to OpenLDAP:

    ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)

There were at least two discussions, multiple bug reports, and patches about broken GSSAPI on FreeBSD 8, the longest (I found) starting here:
http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html

After reading through these discussions, I do not know what the proper fix is -- I would like to change as little as possible introducing SASL authentication to a (production) OpenLDAP server.

I have got: An i386 kerberos server, an ldap server in a jail on i386, some amd64 clients -- all running 8.1-RELEASE. Eventually there need to be some Debian/Ubuntu clients using GSSAPI/SASL, too.

What do I need to "fix"? Just the ldap server? Is it enough to change the jail or does the host need to be patched, too? Or do I need to fix the client, too? The kerberos server?

From the discussion, multiple fixes were possible. Patching libgssapi and reinstalling everything depending on it (what?), installing the heimdal-1.0 port (while FreeBSD 8 comes with heimdal-1.1), installing an unofficial heimdal-1.2 port, ... Is that correct? Anything new after the discussion in July?

From the discussion, some patches should already be in 8-STABLE, but I could not find the revision (after 8.1-RELEASE). If I upgraded the ldap jail to 8-STABLE, I guess the host needs to be updated, too. Hence I would prefer to just change ports or update single libraries.

Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the libgssapi patch? With the heimdal-1.2 port?

Thanks,
Jan Henrik