Date:      Thu, 2 Sep 2010 04:50:47 -0700
From:      Jeremy Chadwick <freebsd@jdc.parodius.com>
To:        Jan Henrik Sylvester <me@janh.de>
Cc:        stable-list freebsd <freebsd-stable@freebsd.org>
Subject:   Re: GSSAPI (for OpenLDAP) on FreeBSD 8?
Message-ID:  <20100902115047.GA37856@icarus.home.lan>
In-Reply-To: <4C7E803F.1090606@janh.de>
References:  <4C7E803F.1090606@janh.de>

On Wed, Sep 01, 2010 at 06:33:03PM +0200, Jan Henrik Sylvester wrote:
> I have got problems with GSSAPI authentication to OpenLDAP:
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> error (80)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> No credentials were supplied, or the credentials were unavailable or
> inaccessible. (unknown mech-code 0 for mech unknown)
> 
> There were at least two discussions, multiple bug reports, and
> patches about broken GSSAPI on FreeBSD 8, the longest (I found)
> starting here: http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html
> 
> After reading through these discussions, I do not know what the
> proper fix is -- I would like to change as little as possible
> introducing SASL authentication to a (production) OpenLDAP server.
> 
> I have got: An i386 kerberos server, a ldap server in a jail on
> i386, some amd64 clients -- all running 8.1-RELEASE. Eventually
> there need to be some Debian/Ubuntu clients using GSSAPI/SASL, too.
> 
> What do I need to "fix"? Just the ldap server? Is it enough to
> change the jail or does the host need to be patched, too? Or do I
> need to fix the client, too? The kerberos server?
> 
> From the discussion, multiple fixes were possible. Patching
> libgssapi and reinstalling everything depending on it (what?),
> installing the heimdal-1.0 port (while FreeBSD 8 comes with
> heimdal-1.1), installing an unofficial heimdal-1.2 port, ...
> 
> Is that correct? Anything new after the discussion in July?
> 
> From the discussion, some patches should already be in 8-STABLE, but
> I could not find the revision (after 8.1-RELEASE).
> 
> If I upgraded the ldap jail to 8-STABLE, I guess the host needs to
> be updated, too. Hence I would prefer to just change ports or update
> single libraries.
> 
> Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the
> libgssapi patch? With the heimdal-1.2 port?

Can you please try the patch I proposed and see if it improves your
situation?  Thanks.

http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057830.html

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



