# openldap and sasl

## Trebiani

hi! i know that there are some (quite long) threads about this issue but i can't find a clear solution! is there someone out there who knows how to install an open ldap server with sasl?

i followed this howto:

http://www.gentoo.org/doc/en/ldap-howto.xml

... and when it comes to the "ldapsearch ...." i get this error message:

```
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-13): user not found: no secret in database
```

When slapd is starting I get this in /var/log/messages:

```
Jun 23 14:17:32 devel slapd[7345]: sql_select option missing
Jun 23 14:17:32 devel slapd[7345]: auxpropfunc error no mechanism available
Jun 23 14:17:32 devel slapd[7345]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Jun 23 14:17:32 devel slapd[7345]: bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
```

i installed it (openldap and cyrus-sasl) multiple times.

i'm using the use flags: ldap and sasl

when i use ldapsearch .... -x everything is working like a charm!

which means that my ldap server is configured correctly - the problem must be inside sasl or my sasl configuration.

any ideas, hints?

used versions:

openldap 2.1.30-r1

cyrus-sasl 2.1.18

kernel 2.6.1-mm2

----------

## icewolf

1.) Install OpenSSL

```
thishost:> emerge openssl
```

2.) Configure OpenSSL

```
thishost:> openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
```

3.) Install Kerberos V

```
thishost:> emerge mit-krb5
```

4.) Configure Kerberos V

/etc/krb5.conf:

 *Quote:*   

> [libdefaults]
> 
>         ticket_lifetime = 600
> 
>         default_realm = EXAMPLE.COM
> ...

 

/etc/krb5kdc/kdc.conf:

 *Quote:*   

> [kdcdefaults]
> 
>         kdc_ports = 88,750
> 
> [realms]
> ...

 

```
thishost:> kdb5_util create -s

thishost:> kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin"

thishost:> kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/changepw"

thishost:> rc-update add mit-krb5kdc default && /etc/init.d/mit-krb5kdc start

thishost:> rc-update add mit-krb5kadmind default && /etc/init.d/mit-krb5kadmind start

thishost:> kadmin.local -q "addprinc krbadm@EXAMPLE.COM"

thishost:> kadmin.local -q "addprinc ldapadm@EXAMPLE.COM"

thishost:> chmod a+r /etc/krb5.keytab
```

/etc/krb5kdc/kadm5.acl:

 *Quote:*   

> kadmin/admin@EXAMPLE.COM	*
> 
> <your username>@EXAMPLE.COM		*
> 
> krbadm@EXAMPLE.COM			*
> ...

 

5.) Install Cyrus SASL

```
thishost:> emerge cyrus-sasl
```

6.) Install OpenLDAP

```
thishost:> emerge openldap
```

7.) Configure OpenLDAP

/etc/openldap/ldap.conf:

 *Quote:*   

> BASE    dc=example, dc=com
> 
> URI     ldap://thishost.example.com ldaps://thishost.example.com

 

/etc/openldap/slapd.conf:

 *Quote:*   

> include                 /etc/openldap/schema/core.schema
> 
> include                 /etc/openldap/schema/cosine.schema
> 
> include                 /etc/openldap/schema/inetorgperson.schema
> ...

 

/etc/openldap/slapd.access:

 *Quote:*   

> access to *
> 
>         by dn="cn=admin,dc=example,dc=com" write
> 
>         by dn="uid=ldapadm.+\+realm=EXAMPLE\.COM" write
> ...

 

/etc/conf.d/slapd:

 *Quote:*   

> OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

 

```
thishost:> saslpasswd2 -c <your username>

thishost:> rc-update add slapd default && /etc/init.d/slapd start
```

example-com.ldif:

 *Quote:*   

> # Organization for Example Corporation
> 
> dn: dc=example,dc=com
> 
> objectClass: dcObject
> ...

 

```
thishost:> ldapadd -f example-com.ldif -x -D "cn=admin,dc=example,dc=com" -w secret
```

8.) Test the Installation

You should get something like:

```
thishost:> ldapsearch

SASL/GSSAPI authentication started

SASL username: admin/admin@EXAMPLE.COM

SASL SSF: 56

SASL installing layers

# extended LDIF

#

# LDAPv3

# base <> with scope sub

# filter: (objectclass=*)

# requesting: ALL

#

# example.com

dn: dc=example,dc=com

objectClass: dcObject

objectClass: organization

dc: example

o: Example Corporation

# Andrew Findlay, example.com

dn: cn=Andrew Findlay,dc=example,dc=com

objectClass: inetOrgPerson

objectClass: person

cn: Andrew Findlay

sn: Findlay

uid: u000997

userPassword:: uugbvtr

# admin, example.com

dn: cn=admin,dc=example,dc=com

objectClass: organizationalRole

cn: admin

description: Directory Manager

# search result

search: 5

result: 0 Success

# numResponses: 4

# numEntries: 3

thishost:>
```
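Several files left behind by the procedure above hold long-term secrets: /etc/krb5.keytab and /etc/krb5kdc/kadm5.keytab (service keys written by ktadd), /etc/sasl2/sasldb2 (secrets written by saslpasswd2), and server.pem, which the openssl command in step 2 uses for both `-keyout` and `-out`, so it contains the private key next to the certificate. Step 4 also runs `chmod a+r /etc/krb5.keytab`, which makes every service key on the host readable by any local account. The following audit is an added example, not part of icewolf's how-to or of any of the tools it installs; the path list is constructed for illustration (the location of server.pem in particular is an assumption), and `expected_uid=0` assumes the files belong to root.

```python
"""Added example (not from the thread): audit files that hold Kerberos keys,
SASL secrets or a TLS private key for permissions and ownership."""
import os
import stat

# Constructed list of secret-bearing files the how-to creates.
# The server.pem location is an assumption; the openssl command writes it to
# the current directory, wherever that was when step 2 ran.
SECRET_FILES = [
    "/etc/krb5.keytab",           # service keys exported with ktadd
    "/etc/krb5kdc/kadm5.keytab",  # kadmin/admin and kadmin/changepw keys
    "/etc/sasl2/sasldb2",         # secrets stored by saslpasswd2
    "/etc/openldap/server.pem",   # private key and certificate in one file
]


def audit_secret_file(path, expected_uid=0):
    """Return a list of findings for one file; an empty list means it looks fine.

    Findings: the file is missing, is not a regular file, is readable or
    writable by group/others, or is owned by someone other than expected_uid.
    """
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    except OSError as exc:
        return ["cannot stat: %s" % exc.strerror]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    # Any group or other bit set means another local account can read the keys.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("readable/writable by group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    if st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return findings


def audit_secret_files(paths, expected_uid=0):
    """Map each path to its findings so the caller can report or alert on them."""
    return {p: audit_secret_file(p, expected_uid) for p in paths}


if __name__ == "__main__":
    for path, findings in audit_secret_files(SECRET_FILES).items():
        print("%-30s %s" % (path, "OK" if not findings else "; ".join(findings)))
```

Run it as root on the host after step 8; a keytab that reports "readable/writable by group or others" should be tightened to mode 0600 (or 0640 with a dedicated group for the daemon that needs it) rather than left at `a+r`.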


----------

## Trebiani

still not working :(

```
saslpasswd2 -c root 
```

gives me:

```
Jun 24 10:53:43 devel saslpasswd2: sql_select option missing
Jun 24 10:53:43 devel saslpasswd2: auxpropfunc error no mechanism available
Jun 24 10:53:43 devel saslpasswd2: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Jun 24 10:53:55 devel saslpasswd2: setpass succeeded for root
Jun 24 10:53:55 devel saslpasswd2: Couldn't delete entry in /etc/sasl2/sasldb2: gdbm_errno=15
Jun 24 10:53:55 devel saslpasswd2: Couldn't delete entry in /etc/sasl2/sasldb2: gdbm_errno=15
Jun 24 10:53:55 devel saslpasswd2: Couldn't delete entry in /etc/sasl2/sasldb2: gdbm_errno=15
```

It is not the permissions of the sasldb2 file: it exists, and for debugging reasons I tried ugo+rw.

I got rid of the sql plugin error message with:

```
USE="-mysql -postgres" emerge cyrus-sasl
```

----------

## Trebiani

installed everything again!

Now I'm getting:

```
devel root # ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)
```

and `saslpasswd2 -c root` gives me (in /var/log/messages):

```
Jun 24 14:39:24 devel saslpasswd2: setpass succeeded for root
Jun 24 14:39:24 devel saslpasswd2: Couldn't delete entry in /etc/sasl2/sasldb2: gdbm_errno=15
Jun 24 14:39:24 devel saslpasswd2: Couldn't delete entry in /etc/sasl2/sasldb2: gdbm_errno=15
Jun 24 14:39:24 devel saslpasswd2: Couldn't delete entry in /etc/sasl2/sasldb2: gdbm_errno=15
```

any hints?

----------

## depontius

Two questions:

1: You didn't configure or start SASLAUTHD. Did you forget to write about this step, was its configuration so simple and automatic that it was just done automagically, or is it not needed?

2: Are "krbadm@example.com" and "ldapadm@example.com" both valid IDs, already established under Linux and in /etc/passwd, or are they some sort of virtual IDs that only exist inside Kerberos? I'm working toward a sealed server, and at the moment it only has one active userid besides root, and I'd prefer to keep it that way. I'm later planning on installing Cyrus-imapd because that allows me to keep the server sealed.

This is for an over-designed single-family home server and learning experience.

Dale Pontius

----------

## Trebiani

```
kadmin.local -q "addprinc root@MYDOMAIN.COM"
```

was a good idea. But now I get:

```
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
```

How can I add a server to the database?

Haven't I granted access for my server? In my /etc/krb5kdc/kdc.conf I have the line:

```
acl_file = /etc/krb5kdc/kadm5.acl
```

and in there I have:

```
kadmin/admin@MYDOMAIN.COM *
user1@MYDOMAIN.COM *
root@MYDOMAIN.COM *
krbadm@MYDOMAIN.COM *
*/*@MYDOMAIN.COM i
```
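The kadm5.acl file answers a different question from the one the "Server not found in Kerberos database" error raises. The ACL decides which principals may perform administrative operations through kadmind (add, delete, modify, inquire, and so on); it does not create principals. The KDC returns "Server not found in Kerberos database" when the client asks for a service ticket for a principal the KDC has no entry for, here ldap/devel@MYDOMAIN.COM, which has to be created with addprinc and exported to the server's keytab with ktadd regardless of what the ACL says. The model below is an added example, not code from the thread or from MIT Kerberos; it reproduces the posted ACL entries as constructed input and follows a simplified reading of MIT's matching rules (one `principal permissions` pair per line, `*` matching one whole principal component, the number of components having to match, `*` or `x` standing for all permissions, and the first matching entry winning). Uppercase deny letters and the optional target-principal field are left out.

```python
"""Added example (not from the thread): a minimal model of MIT kadm5.acl
evaluation, showing what the posted entries grant to whom."""

# Constructed sample, reproducing the entries Trebiani posted.
KADM5_ACL = """\
kadmin/admin@MYDOMAIN.COM *
user1@MYDOMAIN.COM *
root@MYDOMAIN.COM *
krbadm@MYDOMAIN.COM *
*/*@MYDOMAIN.COM i
"""

# Common MIT permission letters (add, delete, modify, changepw, inquire,
# list, setkey, ...); '*' or 'x' in the file expands to all of them.
ALL_PERMS = frozenset("admcilspe")


def split_principal(principal):
    """'ldap/devel@MYDOMAIN.COM' -> (['ldap', 'devel'], 'MYDOMAIN.COM')."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal must include a realm: %r" % principal)
    return name.split("/"), realm


def parse_acl(text):
    """Parse 'principal permissions' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("bad kadm5.acl line: %r" % raw)
        pattern, perms = fields[0], fields[1]
        allowed = ALL_PERMS if perms in ("*", "x") else frozenset(perms)
        entries.append((split_principal(pattern), allowed))
    return entries


def pattern_matches(pattern, principal):
    """Component-wise match: '*' stands for one whole component, counts must agree."""
    pat_comps, pat_realm = pattern
    comps, realm = split_principal(principal)
    if pat_realm != "*" and pat_realm != realm:
        return False
    if len(pat_comps) != len(comps):
        return False
    return all(p == "*" or p == c for p, c in zip(pat_comps, comps))


def permissions_for(acl_entries, principal):
    """Permissions granted by the first matching entry; empty set if none matches."""
    for pattern, allowed in acl_entries:
        if pattern_matches(pattern, principal):
            return set(allowed)
    return set()


def may(acl_entries, principal, op):
    """True if the principal is granted the single-letter operation op."""
    return op in permissions_for(acl_entries, principal)


if __name__ == "__main__":
    acl = parse_acl(KADM5_ACL)
    for who in ("root@MYDOMAIN.COM", "ldap/devel@MYDOMAIN.COM", "nobody@MYDOMAIN.COM"):
        print("%-28s %s" % (who, "".join(sorted(permissions_for(acl, who))) or "(nothing)"))
```

With the posted file, root@MYDOMAIN.COM gets every administrative permission, any two-component principal in the realm (such as a service principal) gets inquire only, and a single-component user who is not listed gets nothing, which is the least-privilege shape to aim for; whether ldap/devel exists in the KDC database is decided by addprinc, not by any of these lines.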

----------

## icewolf

Hi!

The daemons I have started:

```
krb5kdc
kadmind
slapd
```

The users you should add are only (virtual) users for your kerberos server!

 *depontius wrote:*   

> Two question:
> 
> 1: You didn't configure or start SASLAUTHD. Did you forget to write about this step, was its configuration so simple and automatic that it was just done automagically, or is it not needed.
> 
> 2: Are 'krbadm@example.com" and "ldamadm@example.com" both valid IDs, already established under Linux and in /etc/passwd, or are they some sort of virtual IDs that only exist inside Kerberos? I'm working toward a sealed server, and at the moment it only has one active userid besides root, and I'd prefer to keep it that way. I'm later planning on installing Cyrus-imapd because that allows me to keep the server sealed.
> ...


----------

## icewolf

Hi,

In the config file /etc/krb5.conf you are defining the realm MYDOMAIN.COM, and under the section [domain_realm] you are defining the valid substitutions for your DNS domain name. If both LDAP realms are the same, then maybe the problem is that you didn't create the realm in the Kerberos database with the following command:

```
thishost:> /usr/local/sbin/kdb5_util create -r MYDOMAIN.COM -s
```

 *Trebiani wrote:*   

> kadmin.local -q "addprinc root@MYDOMAIN.COM"
> 
> was a good idea. but now i get:
> 
> additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
> ...

 

----------

## Trebiani

When I do an ldapsearch I get these error messages:

```
devel krb5kdc # ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Decrypt integrity check failed)
```

/var/log/krb5kdc.log:

```
Jun 28 12:21:59 devel krb5kdc[19731](info): TGS_REQ (2 etypes {16 1}) 62.99.251.188: PROCESS_TGS: authtime 0,  <unknown client> for ldap/devel@MYDOMAIN.COM, Decrypt integrity check failed
Jun 28 12:21:59 devel krb5kdc[19731](info): TGS_REQ (2 etypes {16 1}) 62.99.251.188: PROCESS_TGS: authtime 0,  <unknown client> for ldap/devel@MYDOMAIN.COM, Decrypt integrity check failed
```

----------

## icewolf

There is little help available ;)

http://www.faqs.org/faqs/kerberos-faq/general/section-73.html

 *Trebiani wrote:*   

> When i do an ldapsearch i get these error messages:
> 
> devel krb5kdc # ldapsearch
> 
> SASL/GSSAPI authentication started
> ...

 

----------

## gsurbey

There are three different free versions of Kerberos out there:

MIT Kerberos http://web.mit.edu/kerberos/www/

Shishi http://josefsson.org/shishi/

Heimdal http://www.pdc.kth.se/heimdal/

I suggest Heimdal because MIT spits out more cryptic unhelpful error messages than usual, the syntax makes less sense during configuration and maintenance, it doesn't seem like it's legal to export outside the United States, has less documentation on the net than Heimdal does, and not to mention it doesn't have that polished feel.  GNU Shishi looks very promising as a successor however it's in alpha stages at the moment.

Also be sure to check this very excellent and thorough HowTo out http://www.opentechnet.com/auth-howto/ar01s06.html

----------

