Problems with GSSAPI and LDAP

Juha Koho juha.koho at trineco.fi
Tue Oct 11 07:43:59 UTC 2016


On 2016-10-11 09:18, Aki Tuomi wrote:
> On 11.10.2016 10:13, Juha Koho wrote:
>> Hello,
>> 
>> I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to
>> set up a GSSAPI Kerberos authentication with the LDAP server but with
>> little success. Seems no matter what I try I end up with the following
>> error message:
>> 
>> dovecot: auth: Error: LDAP: binding failed (dn
>> (imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic
>> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>> provide more information (No Kerberos credentials available (default
>> cache: FILE:/tmp/dovecot.krb5.ccache))
>> 
>> I have set the import_environment in dovecot.conf:
>> 
>> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS
>> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>> 
>> And these in LDAP configuration:
>> 
>> dn = imap/host.example.com@EXAMPLE.COM
>> sasl_bind = yes
>> sasl_mech = gssapi
>> sasl_realm = EXAMPLE.COM
>> sasl_authz_id = imap/host.example.com@EXAMPLE.COM
>> 
>> I have tried with different values in dn and sasl_authz_id and also
>> leaving them out completely but I always end up with the error message
>> above. Using simple bind without GSSAPI works just fine.
>> 
>> The credentials cache file exists and is valid for the principal
>> imap/host.example.com@EXAMPLE.COM. The file is owned by the dovecot user,
>> so it shouldn't be a permission problem either.
>> 
>> GSSAPI in OpenLDAP works but I suppose it is irrelevant here since the
>> connection attempt never reaches the LDAP server due to the error. I
>> also have similar setup for Postfix and it works fine.
>> 
>> Any ideas what to try next?
>> 
>> Best regards,
>> Juha
> 
> Can you provide klist output for the cache file? Also, it should be
> readable by dovenull user, or whatever is configured as 
> default_login_user.


Here's the klist output of the cache file:
--
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/12/2016 09:26:25
---

I didn't know that dovenull must also have access to the cache, but I
also tried setting 0644 permissions on the cache file, with no luck. So
permissions shouldn't be the issue...

Juha
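As an added example (not from this thread and not Dovecot code), a small Python pre-flight checker for the static side of what Aki's reply asks about: that KRB5CCNAME is actually passed through import_environment and names the same cache klist reports, that the LDAP config requests a GSSAPI SASL bind, that dn matches the cache's default principal, and that the krbtgt has not expired at a given time. The config and klist samples are constructed from the thread; the function names are the example's own.

```python
import re
from datetime import datetime

KLIST_TIME = "%m/%d/%Y %H:%M:%S"  # timestamp format klist prints (MIT Kerberos)

# Constructed samples copied from the thread; replace with your own files/output.
DOVECOT_CONF = ("import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID "
                "LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache\n")
LDAP_CONF = ("dn = imap/host.example.com@EXAMPLE.COM\nsasl_bind = yes\n"
             "sasl_mech = gssapi\nsasl_realm = EXAMPLE.COM\n")
KLIST_OUT = """Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 09:26:25  10/11/2016 21:26:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/12/2016 09:26:25
"""

def parse_kv(text):
    """Parse 'key = value' lines (dovecot.conf style) into a dict."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def ccache_from_env(import_env):
    """Return the KRB5CCNAME value passed through import_environment, or None."""
    hits = [t.split("=", 1)[1] for t in import_env.split() if t.startswith("KRB5CCNAME=")]
    return hits[0] if hits else None

def parse_klist(text):
    """Return (cache name, default principal, krbtgt expiry or None) from klist output."""
    cache = re.search(r"^Ticket cache:\s*(\S+)", text, re.M).group(1)
    princ = re.search(r"^Default principal:\s*(\S+)", text, re.M).group(1)
    tgt = re.search(r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/", text, re.M)
    return cache, princ, (datetime.strptime(tgt.group(2), KLIST_TIME) if tgt else None)

def check_gssapi_bind(dovecot_conf, ldap_conf, klist_out, now_str):
    """Return a list of findings; an empty list means the static checks pass."""
    findings, ldap = [], parse_kv(ldap_conf)
    env_cc = ccache_from_env(parse_kv(dovecot_conf).get("import_environment", ""))
    cache, princ, expires = parse_klist(klist_out)
    if env_cc is None:
        findings.append("KRB5CCNAME is not listed in import_environment")
    elif env_cc != cache:
        findings.append(f"KRB5CCNAME {env_cc} does not match klist cache {cache}")
    if ldap.get("sasl_bind") != "yes" or ldap.get("sasl_mech", "").lower() != "gssapi":
        findings.append("sasl_bind = yes and sasl_mech = gssapi are both required")
    if ldap.get("dn") and ldap["dn"] != princ:
        findings.append(f"dn {ldap['dn']} differs from cache principal {princ}")
    if expires is None or expires <= datetime.strptime(now_str, KLIST_TIME):
        findings.append("cache holds no unexpired krbtgt; renew or re-obtain the ticket")
    return findings
```

This covers only what can be read from the files; the runtime question Aki raises, whether the cache is readable by the default_login_user account, is still checked by running klist as that user with KRB5CCNAME pointing at the file.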

