Add GSSAPI to OpenLdap in supportedSASLMechanisms

sasl openldap gssapi ldapmodule

SOLVED

I was missing SASL_MECH GSSAPI and SASL_REAM in /etc/ldap/ldap.conf

[Tue Feb 28 13:48 root:ldap] [~] # cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI ldap://ldap.example.com    
SASL_MECH GSSAPI
SASL_REALM EXAMPLE.COM

Now I can just ldapsearch uid=user directly with a kerberos ticket and get the

SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 112
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=user
# requesting: ALL
#

Of course, if I don't have a kerberos ticket (which makes sense)

client% ldapsearch uid=gleger
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found)

You'll want to change your sasl configuration for slapd, usually /etc/sasl2/slapd.conf, to include gssapi.

For example:

mech_list: external gssapi plain
pwcheck_method: saslauthd

You'll need to restart slapd afterwards.

Related

Is there a way to change the java JRE a linux Jenkins server uses?
How can I determine what permissions my user is missing for receiving a ZFS dataset?
Azure firewall vs Azure network security group
gMSA account authentication failure during password rotation
Is Branch Cache worth considering as a replacement for DFS-R
Open Source / free choices for SFlow monitoring?
Setting up a forwarding-only email server
Web application to manage software distribution
Connection error to mysql database
LDAP authentication: Windows Server2k3 vs. 2k8
Mixing Subversion "SVNParentPath" and per-repository configurations?
Where do I place the WSGIPythonHome directive in the httpd.conf file?