Problems with GSSAPI and LDAP

Aki Tuomi aki.tuomi at dovecot.fi
Tue Oct 11 07:18:32 UTC 2016


On 11.10.2016 10:13, Juha Koho wrote:
> Hello,
>
> I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to
> set up a GSSAPI Kerberos authentication with the LDAP server but with
> little success. Seems no matter what I try I end up with the following
> error message:
>
> dovecot: auth: Error: LDAP: binding failed (dn
> (imap/host.example.com@EXAMPLE.COM)): Local error, SASL(-1): generic
> failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
> provide more information (No Kerberos credentials available (default
> cache: FILE:/tmp/dovecot.krb5.ccache))
>
> I have set the import_environment in dovecot.conf:
>
> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS
> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache
>
> And these in LDAP configuration:
>
> dn = imap/host.example.com@EXAMPLE.COM
> sasl_bind = yes
> sasl_mech = gssapi
> sasl_realm = EXAMPLE.COM
> sasl_authz_id = imap/host.example.com@EXAMPLE.COM
>
> I have tried with different values in dn and sasl_authz_id and also
> leaving them out completely but I always end up with the error message
> above. Using simple bind without GSSAPI works just fine.
>
> The credentials cache file exists and is valid for the principal
> imap/host.example.com@EXAMPLE.COM. The file is owned by dovecot user
> so it shouldn't be a permission problem either.
>
> GSSAPI in OpenLDAP works but I suppose it is irrelevant here since the
> connection attempt never reaches the LDAP server due to the error. I
> also have similar setup for Postfix and it works fine.
>
> Any ideas what to try next?
>
> Best regards,
> Juha

Can you provide klist output for the cache file? Also, it should be
readable by dovenull user, or whatever is configured as default_login_user.

Aki
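The two checks Aki asks for (what `klist` says about the cache, and whether the login user can actually read the file) can be scripted. The following diagnostic is an added example written for this page; it is not code from the thread or from Dovecot. It assumes MIT Kerberos `klist -c` output, takes the principal, realm, cache path and `dovenull` login user from the thread, and embeds a constructed sample of healthy `klist` output for offline use. The permission check reasons only from owner, group and mode bits, so it reports a file as unreadable even when the caller happens to be root.

```python
import os
import pwd
import grp
import re
import stat
import subprocess
from datetime import datetime

# Values taken from the thread: the configured bind principal, its realm and
# the credential cache named in import_environment. The login user is Dovecot's
# default (default_login_user = dovenull), which the reply says must read the cache.
EXPECTED_PRINCIPAL = "imap/host.example.com@EXAMPLE.COM"
REALM = "EXAMPLE.COM"
CCACHE = "/tmp/dovecot.krb5.ccache"
LOGIN_USER = "dovenull"

# Constructed sample of MIT `klist -c` output for a healthy cache. This is NOT
# output from the poster's system; it shows the shape the parser expects.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/dovecot.krb5.ccache
Default principal: imap/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2016 09:00:00  10/11/2016 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 10/12/2016 09:00:00
10/11/2016 09:00:05  10/11/2016 19:00:00  ldap/ldap.example.com@EXAMPLE.COM
"""

# MIT klist prints dates in the C locale as mm/dd/yyyy or mm/dd/yy.
DATE_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")
TICKET_RE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+)\s+(\d+/\d+/\d+ \d+:\d+:\d+)\s+(\S+)$")


def parse_date(text):
    """Parse a klist timestamp, trying each supported format in turn."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist date: {text!r}")


def parse_klist(text):
    """Return (default_principal, [(service_principal, expires)]) from klist output."""
    principal = None
    tickets = []
    for line in text.splitlines():
        m = re.match(r"Default principal:\s*(\S+)", line)
        if m:
            principal = m.group(1)
            continue
        m = TICKET_RE.match(line)  # indented "renew until" lines do not match
        if m:
            tickets.append((m.group(3), parse_date(m.group(2))))
    return principal, tickets


def cache_problems(principal, tickets, expected_principal, realm, now):
    """List the reasons this cache cannot back a GSSAPI bind as expected_principal."""
    problems = []
    if principal is None:
        problems.append("cache has no default principal (empty or unreadable cache)")
    elif principal != expected_principal:
        problems.append(f"cache principal {principal} does not match {expected_principal}")
    tgt_name = f"krbtgt/{realm}@{realm}"
    tgts = [exp for svc, exp in tickets if svc == tgt_name]
    if not tgts:
        problems.append(f"no ticket-granting ticket {tgt_name} in cache")
    elif max(tgts) <= now:
        problems.append(f"ticket-granting ticket expired at {max(tgts)}")
    return problems


def readable_by_ids(mode, file_uid, file_gid, uid, gids):
    """Permission-bit check: can a process with uid/gids read a file with this owner, group and mode?"""
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def readable_by(path, username):
    """Resolve username's uid and groups, then apply readable_by_ids to the file's stat."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return readable_by_ids(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)


def diagnose(ccache=CCACHE, login_user=LOGIN_USER):
    """Run the real klist against the cache and report everything that would break the bind."""
    out = subprocess.run(["klist", "-c", ccache], capture_output=True, text=True)
    principal, tickets = parse_klist(out.stdout)
    problems = cache_problems(principal, tickets, EXPECTED_PRINCIPAL, REALM, datetime.now())
    if not readable_by(ccache, login_user):
        problems.append(f"{ccache} is not readable by {login_user}")
    return problems


if __name__ == "__main__":
    for p in diagnose():
        print("PROBLEM:", p)
```

Running it as root on the Dovecot host prints one line per finding; an empty result means the cache holds a valid, unexpired TGT for the configured principal and the login user can read it, which leaves the SASL/GSSAPI configuration itself as the remaining suspect.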

