Using Kerberos Authentication in LDAP, GSSAPI issue

I’ve completed the installation of PrivacyIdea v3.8.1 and am trying to setup a new LDAP Resolver, using SASL Kerberos, to an existing OpenLDAP/Kerberos Authorization server that has all my users.

I’ve followed the concept: LDAP resolver with Kerberos auth (concept: LDAP resolver with Kerberos auth · privacyidea/privacyidea Wiki · GitHub)

This is the output from the gssapi install:-
(privacyidea) user@host:/opt/privacyidea$ sudo pip install gssapi
Collecting gssapi
Using cached gssapi-1.8.2.tar.gz (94 kB)
Installing build dependencies … done
Getting requirements to build wheel … done
Installing backend dependencies … done
Preparing metadata (pyproject.toml) … done
Collecting decorator
Downloading decorator-5.1.1-py3-none-any.whl (9.1 kB)
Building wheels for collected packages: gssapi
Building wheel for gssapi (pyproject.toml) … done
Created wheel for gssapi: filename=gssapi-1.8.2-cp310-cp310-linux_x86_64.whl size=2956233 sha256=7c8286e04af9101a78aafd88d507364b1e478547905e3cad7eaf5b725ce7e195
Stored in directory: /root/.cache/pip/wheels/59/a8/83/5017e55a50e766ad6874c236b60fdace4f8552a00a1ebc9474
Successfully built gssapi
Installing collected packages: decorator, gssapi
Successfully installed decorator-5.1.1 gssapi-1.8.2
WARNING: Running pip as the ‘root’ user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: 12. Virtual Environments and Packages — Python 3.11.2 documentation

Not sure if this is the cause of the issue, as the ‘Test LDAP Resolver’ is still reporting 'LDAPPackageUnavailableError(‘package gssapi missing’)

Any help would be greatly appreciated as I have run out of ideas.

Many thanks!

Hi @mattc

have you found a solution in the meantime?
I tried my hand at setting it up with Kerberos myself, but got stuck reading through the instructions when setting up PrivacyIdea.

I installed PI normally via the repos and not via python.

Does anyone know the actual steps needed to set up PrivacyIdea to use Kerberos instead of NTLM?

Would appreciate an updated step by step guide :slight_smile: