Add GSSAPI to OpenLdap in supportedSASLMechanisms
SOLVED
I was missing SASL_MECH GSSAPI and SASL_REALM in /etc/ldap/ldap.conf:
[Tue Feb 28 13:48 root:ldap] [~] # cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://ldap.example.com
SASL_MECH GSSAPI
SASL_REALM EXAMPLE.COM
Now I can just ldapsearch uid=user directly with a Kerberos ticket and get the following output:
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 112
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=user
# requesting: ALL
#
Of course, this fails if I don't have a Kerberos ticket (which makes sense):
client% ldapsearch uid=gleger
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found)
You'll want to change your SASL configuration for slapd, usually /etc/sasl2/slapd.conf, to include gssapi.
For example:
mech_list: external gssapi plain
pwcheck_method: saslauthd
You'll need to restart slapd afterwards.
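As an added check (example code, not from the thread), a small Python script that cross-checks the three places involved here: the client's ldap.conf (SASL_MECH and SASL_REALM), slapd's mech_list in sasl2/slapd.conf, and what the server actually advertises in its rootDSE as supportedSASLMechanisms. The file contents below are constructed to mirror the thread; in practice you would feed it the real files and the output of ldapsearch -x -s base -b "" supportedSASLMechanisms.

```python
import re
# Constructed samples mirroring the thread (not captured from a real host).
LDAP_CONF = "BASE dc=example,dc=com\nURI ldap://ldap.example.com\nSASL_MECH GSSAPI\nSASL_REALM EXAMPLE.COM\n"
SLAPD_SASL_CONF = "mech_list: external gssapi plain\npwcheck_method: saslauthd\n"
# What 'ldapsearch -x -s base -b "" supportedSASLMechanisms' prints once slapd offers GSSAPI.
ROOT_DSE_LDIF = "dn:\nsupportedSASLMechanisms: GSSAPI\nsupportedSASLMechanisms: PLAIN\n"

def client_sasl_settings(text):
    """SASL_* keywords from an ldap.conf(5) file ('KEYWORD value', '#' comment lines)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper().startswith("SASL_"):
            settings[parts[0].upper()] = parts[1].strip()
    return settings

def server_mech_list(text):
    """Mechanisms slapd lets Cyrus SASL offer (mech_list in sasl2/slapd.conf); [] = unrestricted."""
    for line in text.splitlines():
        m = re.match(r"\s*mech_list\s*:\s*(.*)", line, re.IGNORECASE)
        if m:
            return [x.upper() for x in m.group(1).split()]
    return []

def advertised_mechs(ldif):
    """supportedSASLMechanisms values in a rootDSE search result (LDIF)."""
    return [v.strip().upper() for k, _, v in (l.partition(":") for l in ldif.splitlines())
            if k.strip() == "supportedSASLMechanisms"]

def diagnose(ldap_conf, sasl_conf, root_dse):
    """Findings that would stop a GSSAPI bind; an empty list means the three agree."""
    client = client_sasl_settings(ldap_conf)
    mech = client.get("SASL_MECH", "").upper()
    findings = []
    if not mech:
        findings.append("ldap.conf: SASL_MECH missing, client will not ask for GSSAPI")
    if "SASL_REALM" not in client:
        findings.append("ldap.conf: SASL_REALM missing")
    server = server_mech_list(sasl_conf)
    if mech and server and mech not in server:
        findings.append(f"sasl2/slapd.conf: mech_list does not include {mech}")
    if mech and mech not in advertised_mechs(root_dse):
        findings.append(f"rootDSE: server does not advertise {mech}")
    return findings

if __name__ == "__main__":
    for f in diagnose(LDAP_CONF, SLAPD_SASL_CONF, ROOT_DSE_LDIF) or ["OK: GSSAPI configured end to end"]:
        print(f)
```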