Okay, I'm getting closer. I'm able to do a kinit on my root@MYDOMAIN
principal. Then I run:
    ldapsearch -h myhost.mydomain.com -p 389 -I -b "" -s base -LLL supportedSASLMechanisms
I get an error:
    ldap_sasl_interactive_bind_s: Unknown error
    additional info: GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied;
This is better than the last error, which was the generic local error.
I take it the ticket is being granted properly (according to the
kerberos logs). (minor point, the service ticket requested is not the
fully-qualified domain name -- temporarily fixed by adding that to the
krb database.) However slapd is obviously not trusting the principal.
What principal do I use? My root principal, or the one I set up as the
passwd in the slapd.conf file? Obviously I must tell slapd to accept
some principal or principals. Can anyone give me a pointer here? I
already have my slapd.conf looking like so:
    rootdn "cn=Manager,dc=...."
    rootpw {KERBEROS}ldapadmin@REALM
So I want to use the ldapadmin principal with kinit, right? That didn't
seem to work either.
Michael
--
Public key available from http://students.cs.byu.edu/~torriem