Untitled

a guest
Aug 1st, 2017
MIT Kerberos V + OpenLDAP
Kerberos bind to OpenLDAP
Able to issue Kerberos tickets to my users (with kinit exampluser)
Able to ldapsearch -x uid=exampluser

server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms

ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

client% ldapsearch uid=exampleuser

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=example,dc=com
URI ldap://ldap.example.com
SASL_MECH GSSAPI

kadmin: addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM
kadmin: ktadd -k ~/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM

kadmin.local: listprincs
admin@EXAMPLE.COM
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc.example.com@EXAMPLE.COM
user1@example.com (also in the LDAP, can issue a ticket and everything)
user2@example.com (same for him)
ldap/ldap.example.com@EXAMPLE.COM

# ktutil
ktutil: read_kt /etc/ldap.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM
   3    2 ldap/ldap.example.com@EXAMPLE.COM
   4    2 ldap/ldap.example.com@EXAMPLE.COM
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM
   3    2 ldap/ldap.example.com@EXAMPLE.COM
   4    2 ldap/ldap.example.com@EXAMPLE.COM
   5    2 kadmin/kdc.example.com@EXAMPLE.COM
   6    2 kadmin/kdc.example.com@EXAMPLE.COM
   7    2 kadmin/kdc.example.com@EXAMPLE.COM
   8    2 kadmin/kdc.example.com@EXAMPLE.COM

mech_list: external gssapi plain
pwcheck_method: saslauthd

[Tue Feb 28 13:48 root:ldap] [~] # cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=example,dc=com
URI ldap://ldap.example.com
SASL_MECH GSSAPI
SASL_REALM EXAMPLE.COM

SASL/GSSAPI authentication started
SASL username: user@EXAMPLE.COM
SASL SSF: 112
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=user
# requesting: ALL
#

client% ldapsearch uid=gleger
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found)
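The following is an added example, not part of the original paste: a POSIX sh triage helper that parses the three kinds of output recorded above (the rootDSE supportedSASLMechanisms listing, a ktutil "list" table, and the ldapsearch bind error text) and reports which prerequisite for a SASL/GSSAPI bind is missing. The function names and the sample inputs are constructed for this example; the error strings it keys on are the ones that appear in the paste.

```shell
#!/bin/sh
# Added example (not from the original paste): triage helpers for the
# SASL/GSSAPI bind failures seen above. Each function reads one kind of
# diagnostic output on stdin. All sample inputs below are constructed to
# mirror the paste; they are not live query results.

# Print the SASL mechanisms advertised by a rootDSE listing read from stdin.
list_mechs() {
    sed -n 's/^supportedSASLMechanisms: //p'
}

# Succeed (exit 0) when the rootDSE listing on stdin advertises mechanism $1.
advertises_mech() {
    list_mechs | grep -qx -- "$1"
}

# Succeed when a ktutil "list" table on stdin (columns: slot, KVNO, principal)
# contains the principal named in $1.
keytab_has_principal() {
    awk -v p="$1" '$3 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Translate the bind error text on stdin into the next thing to check.
classify_bind_error() {
    err=$(cat)
    case $err in
        *"Couldn't find mech GSSAPI"*)
            echo "server side: GSSAPI not offered; check mech_list in slapd's SASL config and that the ldap/<fqdn> key is in the keytab slapd reads" ;;
        *"No credentials cache file found"*)
            echo "client side: no Kerberos ticket; run kinit first (klist -s should then succeed) or check KRB5CCNAME" ;;
        *"unsupported extended operation"*)
            echo "StartTLS (-Z) requested on a URI that does not support it (e.g. ldapi:///); the rest of the output is still usable" ;;
        *)
            echo "unrecognised error" ;;
    esac
}

# Constructed samples mirroring the paste.
ROOTDSE_BEFORE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN'

ROOTDSE_AFTER="$ROOTDSE_BEFORE
supportedSASLMechanisms: GSSAPI"

KTUTIL_LIST='slot KVNO Principal
---- ---- -----------------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM'

ERR_NO_MECH="ldap_sasl_interactive_bind_s: Authentication method not supported (7)
    additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI"

# Run every check against the samples and print a one-line verdict for each.
run_checks() {
    if printf '%s\n' "$ROOTDSE_BEFORE" | advertises_mech GSSAPI; then
        echo "before: GSSAPI advertised"
    else
        echo "before: GSSAPI missing from rootDSE (the paste's first failure)"
    fi
    printf '%s\n' "$ROOTDSE_AFTER" | advertises_mech GSSAPI && echo "after: GSSAPI advertised"
    printf '%s\n' "$KTUTIL_LIST" | keytab_has_principal ldap/ldap.example.com@EXAMPLE.COM \
        && echo "keytab: ldap/ldap.example.com@EXAMPLE.COM present"
    printf '%s\n' "$ERR_NO_MECH" | classify_bind_error
}

run_checks
```

Against a real server the same functions take the live commands on stdin, for instance `ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms | advertises_mech GSSAPI` (without -Z, since the paste's own output shows StartTLS is refused over ldapi) and `printf 'read_kt /etc/ldap.keytab\nlist\n' | ktutil | keytab_has_principal ldap/ldap.example.com@EXAMPLE.COM`. The order of checks mirrors the paste: the server must advertise GSSAPI before any client-side setting (SASL_MECH, SASL_REALM, a ticket from kinit) can matter.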