Problems with GSSAPI and LDAP
Juha Koho
juha.koho at trineco.fi
Tue Oct 11 07:13:10 UTC 2016
Hello,
I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to
set up a GSSAPI Kerberos authentication with the LDAP server but with
little success. Seems no matter what I try I end up with the following
error message:
dovecot: auth: Error: LDAP: binding failed (dn (imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/dovecot.krb5.ccache))
I have set the import_environment in dovecot.conf:
import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
And these in LDAP configuration:
dn = imap/host.example.com@EXAMPLE.COM
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example.com@EXAMPLE.COM
I have tried with different values in dn and sasl_authz_id and also
leaving them out completely but I always end up with the error message
above. Using simple bind without GSSAPI works just fine.
The credentials cache file exists and is valid for the principal
imap/host.example.com@EXAMPLE.COM. The file is owned by dovecot user so
it shouldn't be a permission problem either.
GSSAPI in OpenLDAP works but I suppose it is irrelevant here since the
connection attempt never reaches the LDAP server due to the error. I
also have similar setup for Postfix and it works fine.
Any ideas what to try next?
Best regards,
Juha
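The checks a defender would run before asking the list, collected into one script. This is an added example, not part of the original post and not Dovecot's own code: it verifies that `import_environment` actually sets `KRB5CCNAME`, that the credential cache is owned by (and only readable by) the uid the auth process runs as, and that the cache holds an unexpired TGT in the configured `sasl_realm`, parsed from `klist` output. The config fragments and klist output embedded below are constructed samples shaped after the post; the config paths, the `dovecot` user name and the klist timestamp formats are assumptions.

```python
"""Diagnostic for a Dovecot LDAP passdb that binds with SASL/GSSAPI.

Added example, not code from the original post or from Dovecot.  It checks what
the "No Kerberos credentials available" error points at: import_environment sets
KRB5CCNAME, the cache file is usable by the uid the auth process runs as, and the
cache holds an unexpired TGT in the configured realm.  All sample text is
constructed; the klist timestamp formats and the "dovecot" user are assumptions.
"""
import os, pwd, re, stat, subprocess
from datetime import datetime

CONSTRUCTED_DOVECOT_CONF = (
    "import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS "
    "KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache\n")
CONSTRUCTED_LDAP_CONF = """\
dn = imap/host.example.com@EXAMPLE.COM
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example.com@EXAMPLE.COM
"""
CONSTRUCTED_KLIST = """\
Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 07:00:00  10/11/2016 17:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
TIME_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")  # assumed klist formats

def parse_time(text):
    """Parse a klist timestamp; None if no known format matches."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    return None

def parse_settings(text):
    """Parse `key = value` lines (comments and blanks skipped) into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def import_environment_vars(settings):
    """{NAME: value} from import_environment; a bare NAME (passed through) maps to None."""
    env = {}
    for item in settings.get("import_environment", "").split():
        name, sep, value = item.partition("=")
        env[name] = value if sep else None
    return env

def ccache_findings(st_uid, st_mode, auth_uid):
    """Checks on stat() fields, kept pure so they run without a real file."""
    findings = []
    if st_uid != auth_uid:
        findings.append(f"ccache owner uid {st_uid} differs from auth process uid {auth_uid}")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"ccache mode {st_mode & 0o777:o} is group/world accessible; expected 0600")
    return findings

def parse_klist(text):
    """Return (default principal, TGT expiry datetime or None) from klist output."""
    principal, expires = None, None
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        m = re.match(r"(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/", line)
        if m:  # group 2 is the "Expires" column of the krbtgt row
            expires = parse_time(m.group(2))
    return principal, expires

def diagnose(dovecot_conf, ldap_conf, klist_text, st_uid, st_mode, auth_uid, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now, ldap = now or datetime.now(), parse_settings(ldap_conf)
    problems = ccache_findings(st_uid, st_mode, auth_uid)
    if not import_environment_vars(parse_settings(dovecot_conf)).get("KRB5CCNAME"):
        problems.append("import_environment does not set KRB5CCNAME")
    if ldap.get("sasl_bind") != "yes" or ldap.get("sasl_mech", "").lower() != "gssapi":
        problems.append("ldap config needs sasl_bind = yes and sasl_mech = gssapi")
    principal, expires = parse_klist(klist_text)
    if not principal or not principal.endswith("@" + ldap.get("sasl_realm", "")):
        problems.append(f"cache principal {principal!r} is not in realm {ldap.get('sasl_realm')!r}")
    if expires is None:
        problems.append("no krbtgt (TGT) found in the cache")
    elif expires <= now:
        problems.append(f"TGT expired at {expires}; the cache needs renewing")
    return problems

def main(dovecot_conf="/etc/dovecot/dovecot.conf",
         ldap_conf="/etc/dovecot/dovecot-ldap.conf.ext", auth_user="dovecot"):
    """Run the checks on the live host (paths and user name are assumptions)."""
    dc, lc = open(dovecot_conf).read(), open(ldap_conf).read()
    ccache = import_environment_vars(parse_settings(dc)).get("KRB5CCNAME", "")
    st = os.stat(ccache.partition(":")[2] or ccache)  # strip the FILE: prefix
    klist = subprocess.run(["klist", "-c", ccache], capture_output=True, text=True).stdout
    for problem in diagnose(dc, lc, klist, st.st_uid, st.st_mode, pwd.getpwnam(auth_user).pw_uid):
        print("PROBLEM:", problem)
```

Call `main()` on the host as a user that can read both config files and the cache. The uid to compare against is whichever user performs the LDAP bind, which is the auth service's user (or auth-worker's, when the passdb runs its lookups there); read it from `doveconf` rather than assuming `dovecot`, and pass it as `auth_user`. An empty problem list with the error still appearing narrows the remaining suspects to the environment the auth process really receives, which `doveconf -n` and the process environment will show.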