Problems with GSSAPI and LDAP

Juha Koho juha.koho at trineco.fi
Tue Oct 11 07:13:10 UTC 2016


Hello,

I have Dovecot 2.2.25 set up with an OpenLDAP back end. I was trying to 
set up GSSAPI (Kerberos) authentication with the LDAP server, but with 
little success. It seems that no matter what I try, I end up with the 
following error message:

dovecot: auth: Error: LDAP: binding failed (dn 
(imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide 
more information (No Kerberos credentials available (default cache: 
FILE:/tmp/dovecot.krb5.ccache))

I have set the import_environment in dovecot.conf:

import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS 
KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache

And these in LDAP configuration:

dn = imap/host.example.com@EXAMPLE.COM
sasl_bind = yes
sasl_mech = gssapi
sasl_realm = EXAMPLE.COM
sasl_authz_id = imap/host.example.com@EXAMPLE.COM

I have tried with different values in dn and sasl_authz_id and also 
leaving them out completely but I always end up with the error message 
above. Using simple bind without GSSAPI works just fine.

The credentials cache file exists and is valid for the principal 
imap/host.example.com@EXAMPLE.COM. The file is owned by the dovecot user, 
so it shouldn't be a permission problem either.

GSSAPI in OpenLDAP works, but I suppose it is irrelevant here, since the 
connection attempt never reaches the LDAP server due to the error. I 
also have a similar setup for Postfix, and it works fine.

Any ideas what to try next?

Best regards,
Juha
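The following diagnostic script is an added example; it is not part of Juha's post and not Dovecot's own tooling. It checks, one by one, the things a GSSAPI LDAP bind from Dovecot's auth process depends on: that import_environment actually carries a KRB5CCNAME value, that the ccache file behind it is owned by the user the auth process runs as, that klist can read valid tickets from it as that user, that a GSSAPI bind with ldapwhoami succeeds as that user, and that the running auth processes really have KRB5CCNAME in their environment. The ccache path and import_environment value are taken from the post; the LDAP URI (ldap.example.com), the dovecot user name, and the use of sudo and /proc are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added diagnostic script (not from the original post or from Dovecot).
# Assumed defaults: the ccache path and import_environment line from the
# post, "dovecot" as the user "service auth" runs as (the default in
# Dovecot 2.2; confirm with ps), and an LDAP URI that is NOT in the post.
IMPORT_ENV="${IMPORT_ENV:-TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache}"
DOVECOT_USER="${DOVECOT_USER:-dovecot}"
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"   # assumption, not in the post

# Print the KRB5CCNAME value from an import_environment line, as the master
# process would hand it to its children; fail if there is none.
krb5ccname_from_import_environment() {
    for tok in $1; do
        case "$tok" in
            KRB5CCNAME=*) printf '%s\n' "${tok#KRB5CCNAME=}"; return 0 ;;
        esac
    done
    return 1
}

# Strip a "FILE:" ccache type prefix so the path can be inspected; other
# cache types (DIR:, KEYRING:, ...) are returned unchanged.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Succeed only if the file exists and is owned by the given user name.
ccache_owned_by() {
    path="$1"; user="$2"
    [ -f "$path" ] || return 1
    owner=$(ls -ld "$path" | awk '{print $3}')
    [ "$owner" = "$user" ]
}

# Run the live checks on the mail host. Each step prints what it found so
# the first failing one points at the layer to look at.
main() {
    name=$(krb5ccname_from_import_environment "$IMPORT_ENV") \
        || { echo "FAIL: no KRB5CCNAME in import_environment"; return 1; }
    echo "import_environment supplies KRB5CCNAME=$name"

    path=$(ccache_path "$name")
    if ccache_owned_by "$path" "$DOVECOT_USER"; then
        echo "OK: $path is owned by $DOVECOT_USER:"; ls -l "$path"
    else
        echo "FAIL: $path missing or not owned by $DOVECOT_USER:"; ls -l "$path"
        return 1
    fi

    # Read the cache as the auth user: shows principal and expiry, or why not.
    echo "--- klist as $DOVECOT_USER ---"
    sudo -u "$DOVECOT_USER" env KRB5CCNAME="$name" klist || return 1

    # Bind to LDAP with GSSAPI as the auth user, independent of Dovecot.
    echo "--- ldapwhoami -Y GSSAPI as $DOVECOT_USER ---"
    sudo -u "$DOVECOT_USER" env KRB5CCNAME="$name" \
        ldapwhoami -H "$LDAP_URI" -Y GSSAPI || return 1

    # Confirm the variable reached the running auth processes (Linux /proc).
    echo "--- KRB5CCNAME in running dovecot/auth processes ---"
    for pid in $(pgrep -f 'dovecot/auth'); do
        printf '%s: ' "$pid"
        tr '\0' '\n' < "/proc/$pid/environ" | grep '^KRB5CCNAME=' || echo "(not set)"
    done
}

# Only run the live checks when invoked as: sh gssapi-check.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as root on the mail host with `sh gssapi-check.sh run`. The libkrb5 message in the post quotes the cache it tried (FILE:/tmp/dovecot.krb5.ccache), which the klist and ldapwhoami steps reproduce outside Dovecot as the same uid; if they succeed there but the bind still fails inside Dovecot, the last step shows whether the auth processes that are actually running were started with the variable at all.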

