
Accessing AD from ldapsearch/modify/etc



I've been using the openldap server for a couple of years. Now I've been
tasked with creating a way to add/modify users in our Windows 2000
domain from an OSF1 machine. A little bit of research and it looked like
openldap and Cyrus SASL would do the trick as the ldap server on AD
supports GSSAPI.

Here is what I've done:

Built (and tested successfully) and installed Cyrus SASL with GSSAPI
enabled
Built and installed openldap 2.0.21 with SASL enabled
Added the w2k kdc information to my /etc/krb5.conf
Got a ticket from the w2k KDC

Default principal: lilstrom-test@FERMITEST.WINTEST.FNAL.GOV

Valid starting     Expires            Service principal
02/26/02 07:30:30  02/26/02 17:30:30 
krbtgt/FERMITEST.WINTEST.FNAL.GOV@FERMITEST.WINTEST.FNAL.GOV
        Flags: FIA
02/26/02 07:30:30  02/26/02 17:30:30 
krbtgt/WINTEST.FNAL.GOV@FERMITEST.WINTEST.FNAL.GOV
        Flags: FA

I've also put my w2k dc BASE and URI information in
/etc/openldap/ldap.conf

I did a test with a simple bind to make sure I could talk to the DC

# ./ldapsearch -x -s base -b '' '(objectclass=*)' supportedSASLMechanisms
version: 2

#
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms 
#

#
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But if I try and do an authenticated search (tried interactive
authentication too) it fails.

# ./ldapsearch -d 255 -Y GSSAPI -X "dn:CN=lilstrom-test,OU=Special,OU=Users,OU=CD,DC=fermitest,DC=wintest,DC=fnal,DC=gov" -s base -b '' '(objectclass=*)' supportedSASLMechanisms
ldap_create
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: w2kdc2.fnal.gov
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 131.225.81.201:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=w2kdc2.fnal.gov
SASL/GSSAPI authentication started
ldap_perror
ldap_sasl_interactive_bind_s: Local error

All attempts fail with the same error.  I've tried various forms of my
dn for the -X parameter.

Any ideas on what I've overlooked or I'm doing wrong? I've been through
the archives without any success.

	tia, al
-- 

Al Lilianstrom
CD/OSS/CSI
Al.Lilianstrom@fnal.gov
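As an added example (not part of the original post), a small parser for the ldapsearch output shown in the anonymous rootDSE test above, used to confirm that the DC advertises GSSAPI before a `-Y GSSAPI` bind is attempted. The sample text is constructed from the post's rootDSE answer, with one value folded onto a continuation line; the `attr:: <base64>` handling follows the LDIF form ldapsearch emits for non-printable values.

```python
import base64

# Constructed sample: the anonymous rootDSE answer shown in the post, with
# one value folded onto a continuation line to exercise the parser.
ROOTDSE_LDIF = """\
# filter: (objectclass=*)
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-
 SPNEGO

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """ldapsearch output -> list of entries, each {attribute: [values]}.
    Handles '#' comments, folded lines (leading space continues the previous
    line, RFC 2849) and 'attr:: <base64>' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):                # base64-encoded value
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(val.strip())
    return entries

def sasl_mechs(ldif_text):
    """Mechanisms advertised by the rootDSE entry (the one with a 'dn' line);
    ldapsearch's 'search:'/'result:' trailer is a separate block."""
    return {m for e in parse_ldif(ldif_text) if "dn" in e
            for m in e.get("supportedSASLMechanisms", [])}

def gssapi_bind_possible(ldif_text):
    """True when the DC offers GSSAPI, so a '-Y GSSAPI' bind can be attempted."""
    return "GSSAPI" in sasl_mechs(ldif_text)
```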