[ https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16108551#comment-16108551 ]
Alex Duzsardi edited comment on DIRSERVER-2205 at 8/1/17 8:09 AM:
------------------------------------------------------------------

Sure, here it is
{quote}
[root@router log]# ldapsearch -d -1 -Y GSSAPI -H ldap://example.com:10389 -b "dc=security,dc=example,dc=com" "(uid=hnelson)"
ldap_url_parse_ext(ldap://example.com:10389)
ldap_create
ldap_url_parse_ext(ldap://example.com:10389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP example.com:10389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.2.15:10389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=example.com
SASL/GSSAPI authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
  0000:  30 05 02 01 01 42 00                               0....B.
ldap_write: want=7, written=7
  0000:  30 05 02 01 01 42 00                               0....B.
ldap_free_connection: actually freed
{quote}


> ldap tools don't work with gssapi sasl
> ---------------------------------------
>
>                 Key: DIRSERVER-2205
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2205
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.0-M24
>         Environment: Linux Centos 7 x64
> ApacheDS 2.0.0-M4
> openJDK
> krb5-workstation
> openldap-clients
>            Reporter: Alex Duzsardi
>
> Hi,
> I successfully installed ApacheDS, was able to start, configure the service and set up kerberos authentication.
> It works without problem from ApacheDS Studio, I can log in with GSSAPI, but can't say the same from local ldap tools (openldap-clients).
> I can't get a tgt from the kerberos with kinit, I've exported the ldap service principal using ktutil and saved it as /etc/krb5.keytab, configured krb5.conf, configured ldap.conf.
> Hostnames are configured statically through /etc/hosts, actually only one host as the server is also the client (LAN_IP example.com, ldap/example....@example.com got exported with ktutil).
>
> [root@example ~]# cat /etc/krb5.conf
> [libdefaults]
>     default_realm = EXAMPLE.COM
>     # rdns = false
>
> [realms]
>     EXAMPLE.COM = {
>         kdc = example.com:60088
>         default_domain = EXAMPLE.COM
>     }
>
> [domain_realm]
>     example.com = EXAMPLE.COM
>     .example.com = EXAMPLE.COM
> ------------------------------------------------------------------------
> [root@example ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 ldap/example....@example.com
> [root@example ~]#
> --------------------------------------------------------------------------------
> [root@example ~]# kinit hnelson
> Password for hnel...@example.com:
> [root@example ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hnel...@example.com
>
> Valid starting       Expires              Service principal
> 07/31/2017 20:54:48  08/01/2017 20:54:38  krbtgt/example....@example.com
> [root@example ~]#
>
> {color:red}[root@example ~]# ldapsearch -Y GSSAPI -H ldap://example.com:10389 -b "dc=example,dc=com" "(uid=hnelson)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)
> {color}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)