Date:      Thu, 3 Feb 2011 21:46:55 +0200
From:      Vallo Kallaste <kalts@estpak.ee>
To:        Jan Henrik Sylvester <me@janh.de>
Cc:        questions-list freebsd <freebsd-questions@freebsd.org>
Subject:   Re: FreeBSD 8.2: state of Kerberos, GSS-API and (Cyrus) SASL?
Message-ID:  <20110203194655.GA26551@hape.internal>
In-Reply-To: <4D46E6A8.8040408@janh.de>
References:  <20110131154759.GA17485@hape.internal> <4D46E6A8.8040408@janh.de>

On Mon, Jan 31, 2011 at 05:43:20PM +0100, Jan Henrik Sylvester
<me@janh.de> wrote:

> I am struggling with exactly the same problem. Unfortunately, I got
> no reply on this list about it:
> 
> http://lists.freebsd.org/pipermail/freebsd-questions/2011-January/226495.html
> 
> If you get any further, please, tell me. I am thinking about
> reposting my question to a different list: stable as that is where
> the earlier discussions happened or ports as that seems more
> appropriate.
> 
Installed the net/openldap24-server port with WITH_SASL=YES defined, and it
seems that SASL/GSSAPI authentication works:

[vallo@kdc2 ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_NoXXXX
        Principal: vallo@EXAMPLE.COM

  Issued           Expires          Principal
Feb  3 21:20:48  Feb  4 21:02:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb  3 21:25:44  Feb  4 21:02:45  ldap/kdc2.internal@EXAMPLE.COM
[vallo@kdc2 ~]$ ldapsearch -Y GSSAPI -b '' -s base '(objectclass=*)' namingContexts
SASL/GSSAPI authentication started
SASL username: vallo@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=example,dc=com

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Slapd needs read access to /etc/krb5.keytab or a separate keytab. The
keytab must contain the ldap service account, of course. This example was
done on the system the slapd runs on. Please let me know if you get
it working (or not).
-- 
Vallo
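Added example, not part of the thread: a small Python parser for the 0x0502 keytab file format (the one both MIT and Heimdal write) that checks whether a keytab carries the ldap/<fqdn>@REALM entry slapd needs, as the message above says it must. The keytab it inspects is constructed inline with dummy keys; the principal ldap/kdc2.internal@EXAMPLE.COM is taken from the klist output quoted in the message.

```python
import struct
def read_counted(buf, off):  # counted_octet_string: uint16 length, then bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted entry (hole)
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = read_counted(data, off)
            comps.append(c.decode())
        off += 8                          # skip uint32 name_type and uint32 timestamp
        vno, off = data[off], off + 1     # 8-bit kvno
        (etype,) = struct.unpack_from(">H", data, off)
        _key, off = read_counted(data, off + 2)   # key bytes: not needed for this check
        if end - off >= 4:                # trailing 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append(("/".join(comps) + "@" + realm.decode(), vno, etype))
        off = end
    return entries

def has_service_principal(data, service, fqdn, realm):
    # True if the keytab holds service/fqdn@REALM, e.g. ldap/kdc2.internal@EXAMPLE.COM
    want = "%s/%s@%s" % (service, fqdn, realm)
    return any(p == want for p, _, _ in parse_keytab(data))

def build_entry(principal, vno, etype, key):  # serialise one entry; only used for the sample
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, vno, etype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab with dummy key material: host/ and ldap/ principals for kdc2.internal.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("host/kdc2.internal@EXAMPLE.COM", 3, 23, b"\x00" * 16)
                 + build_entry("ldap/kdc2.internal@EXAMPLE.COM", 2, 23, b"\x11" * 16))
```

To run it against a real file, pass `open("/path/to/slapd.keytab", "rb").read()` to `has_service_principal` from an account that can read the keytab, which is exactly the read access slapd itself needs.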
