Add GSSAPI to OpenLDAP in supportedSASLMechanisms

SOLVED

I was missing SASL_MECH GSSAPI and SASL_REALM in /etc/ldap/ldap.conf

[Tue Feb 28 13:48 root:ldap] [~] # cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI ldap://ldap.example.com
SASL_MECH GSSAPI
SASL_REALM EXAMPLE.COM

Now I can just ldapsearch uid=user directly with a Kerberos ticket and get the

SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 112
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=user
# requesting: ALL
#

Of course, if I don't have a Kerberos ticket (which makes sense)

client% ldapsearch uid=gleger
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) (No credentials cache file found)

You'll want to change your sasl configuration for slapd, usually /etc/sasl2/slapd.conf, to include gssapi.

For example:

mech_list: external gssapi plain
pwcheck_method: saslauthd

You'll need to restart slapd afterwards.
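A small preflight script, added here as an example and not part of either post above, that checks the pieces this thread touches before you try the bind: whether the server's rootDSE actually advertises GSSAPI in supportedSASLMechanisms, whether gssapi is in mech_list of the slapd SASL config, whether the client ldap.conf sets SASL_MECH and SASL_REALM, and whether the ticket cache holds a principal in that realm (the "No credentials cache file found" case). The helpers read from files so they can be run against captured output; the file names, the host name and the sample contents in the comments are assumptions, and the klist parsing assumes MIT Kerberos output.

```shell
#!/bin/sh
# Added example, not code from the original thread. Checks the server-side
# mechanism list, the slapd SASL config, the client ldap.conf and the Kerberos
# ticket cache for a GSSAPI bind. Paths, host name and sample data are assumed.
set -eu

# Server side: does the rootDSE advertise the mechanism?  $1 = mechanism, $2 = LDIF file.
# Live capture (an anonymous simple bind is enough to read the rootDSE):
#   ldapsearch -x -LLL -H ldap://ldap.example.com -s base -b '' supportedSASLMechanisms > rootdse.ldif
has_sasl_mech() {
    grep -qi "^supportedSASLMechanisms: $1\$" "$2"
}

# slapd side: is the mechanism listed in mech_list?  $1 = mechanism, $2 = /etc/sasl2/slapd.conf.
# Cyrus SASL matches mechanism names case-insensitively, so "gssapi" and "GSSAPI" both count.
slapd_mech_enabled() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        tolower($1) == "mech_list:" { for (i = 2; i <= NF; i++) if (tolower($i) == want) found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# Client side: print the realm from ldap.conf; fail unless SASL_MECH is GSSAPI and SASL_REALM is set.
# ldap.conf keywords are case-insensitive; comment lines are skipped.  $1 = /etc/ldap/ldap.conf.
ldap_conf_realm() {
    awk '
        /^[[:space:]]*#/ { next }
        toupper($1) == "SASL_MECH"  { mech  = $2 }
        toupper($1) == "SASL_REALM" { realm = $2 }
        END { if (toupper(mech) != "GSSAPI" || realm == "") exit 1; print realm }' "$1"
}

# Ticket cache: print the realm of the default principal from MIT "klist" output.  $1 = file.
# Live: klist > klist.out  (when no cache exists klist prints only an error on stderr, so the
# file is empty and this fails, which is exactly the ldapsearch failure shown in the thread).
ticket_realm() {
    sed -n 's/^Default principal: [^@]*@//p' "$1" | head -n 1 | grep .
}

# Put it together: succeed only when every piece agrees, otherwise say which one is missing.
# $1 = rootdse.ldif  $2 = slapd.conf  $3 = ldap.conf  $4 = klist.out
preflight() {
    has_sasl_mech GSSAPI "$1" || { echo "server does not advertise GSSAPI" >&2; return 1; }
    slapd_mech_enabled gssapi "$2" || { echo "gssapi missing from mech_list" >&2; return 1; }
    conf_realm=$(ldap_conf_realm "$3") || { echo "SASL_MECH/SASL_REALM missing in ldap.conf" >&2; return 1; }
    tgt_realm=$(ticket_realm "$4") || { echo "no Kerberos ticket cache (run kinit)" >&2; return 1; }
    [ "$conf_realm" = "$tgt_realm" ] || { echo "ticket realm $tgt_realm != SASL_REALM $conf_realm" >&2; return 1; }
    echo "ok: GSSAPI bind to realm $conf_realm should succeed"
}
```

Once preflight passes, a plain ldapsearch picks GSSAPI from ldap.conf; to be explicit on the command line use -Y GSSAPI, and -x forces a simple bind if you need to bypass SASL for comparison. Note that slapd only advertises mechanisms that are both in mech_list and backed by an installed Cyrus SASL plugin, so a missing libsasl2 GSSAPI module shows up in the first check even when the config is right.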