On 11.10.2016 10:13, Juha Koho wrote:
Hello,
I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to set up a GSSAPI Kerberos authentication with the LDAP server but with little success. Seems no matter what I try I end up with the following error message:
dovecot: auth: Error: LDAP: binding failed (dn (imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/dovecot.krb5.ccache))
I have set the import_environment in dovecot.conf:
import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
And these in LDAP configuration:
dn = imap/host.example.com@EXAMPLE.COM
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example.com@EXAMPLE.COM
I have tried with different values in dn and sasl_authz_id and also leaving them out completely but I always end up with the error message above. Using simple bind without GSSAPI works just fine.
The credentials cache file exists and is valid for the principal imap/host.example.com@EXAMPLE.COM. The file is owned by dovecot user so it shouldn't be a permission problem either.
GSSAPI in OpenLDAP works but I suppose it is irrelevant here since the connection attempt never reaches the LDAP server due to the error. I also have similar setup for Postfix and it works fine.
Any ideas what to try next?
Best regards, Juha
Can you provide klist output for the cache file? Also, it should be readable by dovenull user, or whatever is configured as default_login_user.
Aki
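
The reply above asks whether the cache file is readable by the login user. As an added example (not from the thread or from Dovecot), this Python check takes a KRB5CCNAME value and a uid/group set and reports which directory or file mode bits block the read; the helper names are hypothetical, and it assumes classic mode bits only (no ACLs, SELinux or per-service private /tmp).

```python
import os
import pwd
import stat
import sys
from pathlib import Path

# Hypothetical helper names; only classic owner/group/other mode bits are checked.
BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
        "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}

def ccache_path(krb5ccname):
    """File path behind a KRB5CCNAME value, or None for non-file cache types."""
    kind, sep, rest = krb5ccname.partition(":")
    if not sep:
        return krb5ccname              # a bare path is treated as FILE:
    return rest if kind.upper() == "FILE" else None

def mode_allows(st, uid, gids, want):
    """Apply the kernel's owner -> group -> other order to one stat result."""
    if uid == 0:
        return True
    usr, grp, oth = BITS[want]
    if st.st_uid == uid:
        return bool(st.st_mode & usr)
    if st.st_gid in gids:
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)

def ccache_problems(krb5ccname, uid, gids):
    """List what stops uid/gids from reading the cache; empty list means readable."""
    path = ccache_path(krb5ccname)
    if path is None:
        return [f"{krb5ccname}: not a FILE: cache, nothing to check on disk"]
    path = os.path.abspath(path)
    if not os.path.isfile(path):
        return [f"{path}: missing or not a regular file"]
    problems = [f"{d}: no search (x) permission"
                for d in reversed(Path(path).parents)
                if not mode_allows(d.stat(), uid, gids, "x")]
    if not mode_allows(os.stat(path), uid, gids, "r"):
        problems.append(f"{path}: no read permission")
    return problems

def ids_for(user):
    """uid and full group set of a local account."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))

if __name__ == "__main__":
    # usage: check.py USER KRB5CCNAME  (login user, value from import_environment)
    uid, gids = ids_for(sys.argv[1])
    print("\n".join(ccache_problems(sys.argv[2], uid, gids)) or "readable")
```

An empty result only says the mode bits permit the read; `klist -c` on the same cache name still has to show an unexpired ticket for the expected principal.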