On 09/02/2010 13:50, Jeremy Chadwick wrote:
On Wed, Sep 01, 2010 at 06:33:03PM +0200, Jan Henrik Sylvester wrote:
I have got problems with GSSAPI authentication to OpenLDAP:
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
error (80)
additional info: SASL(-1): generic failure: GSSAPI Error:
No credentials were supplied, or the credentials were unavailable or
inaccessible. (unknown mech-code 0 for mech unknown)
There were at least two discussions, multiple bug reports, and
patches about broken GSSAPI on FreeBSD 8, the longest (I found)
starting here:
http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html
After reading through these discussions, I do not know what the
proper fix is -- I would like to change as little as possible
introducing SASL authentication to a (production) OpenLDAP server.
I have got: An i386 kerberos server, a ldap server in a jail on
i386, some amd64 clients -- all running 8.1-RELEASE. Eventually
there need to be some Debian/Ubuntu clients using GSSAPI/SASL, too.
What do I need to "fix"? Just the ldap server? Is it enough to
change the jail or does the host needs to be patches, too? Or do I
need to fix the client, too? The kerberos server?
From the discussion, multiple fixes were possible. Patching
libgssapi and reinstalling everything depending on it (what?),
installing the heimdal-1.0 port (while FreeBSD 8 comes with
heimdal-1.1), installing an unofficial heimdal-1.2 port, ...
Is that correct? Anything new after the discussion in July?
From the discussion, some patches should already be in 8-STABLE, but
I could not find the revision (after 8.1-RELEASE).
If I upgraded the ldap jail to 8-STABLE, I guess the host needs to
be updated, too. Hence I would prefer to just change ports or update
single libraries.
Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the
libgssapi patch? With the heimdal-1.2 port?
Can you please try the patch I proposed and see if it improves your
situation? Thanks.
http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057830.html
I had already tried the gss_release_buffer patch. It fixes that crash
doing the GSSAPI operation from i386 and brings i386 in par with amd64
-- to the error message I mentioned above.
I have also tried the change to /usr/bin/krb5-config before building
OpenLDAP -- with no effect, either.
I have not tried the "big" libgssapi patch from kern/147454 as I was
hoping to do a smaller change.
Cheers,
Jan Henrik
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
