
Re: newbie question - LDAP and Active Directory
On Fri, 10 May 2002, Andreas Hasenack wrote:
[quoting me on authentication via Kerberos]
> I tried this once, but it didn't work right "out of the box" and I let it
> go. ldapsearch was asking the w2k kdc for a ldap/hostname ticket, which
> the w2k machine didn't have. I assumed it was due to that authorization
> field that MS implemented and I didn't investigate it further.
>
> Are you saying that this actually works?

mhw:~$ kinit mwood@ADS.IU.EDU
Password for mwood@ADS.IU.EDU:
mhw:~$ ldapsearch -h ads.iu.edu -b "ou=Accounts,dc=ads,dc=iu,dc=edu" "(cn=mwood)" sn
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
version: 2

#
# filter: (cn=mwood)
# requesting: sn
#

# mwood, Accounts, ads, iu, edu
dn: CN=mwood,OU=Accounts,DC=ads,DC=iu,DC=edu
sn: Wood

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1
mhw:~$

'klist' shows that it picked up a ticket for ldap/dcname@REALM with no
trouble.  The NT PAC TDATA is significant only to Microsoft hosts, and
should just ride along with the rest of the ticket.  Nonstandard
extensions are what TDATAs are for.

I have this in /etc/krb5.conf :

[libdefaults]
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

and I no longer remember why.  It may be needed for interworking with MS
Kerberos.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
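One defender-side check that the krb5.conf stanza above invites, as an added Python example that is not part of the original post: a small parser for the [libdefaults] section that flags enctype lists naming the DES or RC4 families, which MIT Kerberos deprecates and which single-DES-only Windows releases since 7/2008 R2 refuse by default. The sample configuration is constructed from the quoted stanza plus a hypothetical EXAMPLE.COM realm block.

```python
import re

# Enctype families that MIT krb5 marks deprecated; AES is the expected choice.
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "rc4-", "arcfour-")
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")


def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of a krb5.conf.

    Brace depth is tracked so subkeys inside a nested { } block (as used in
    [realms]) are never mistaken for top-level libdefaults settings.
    """
    settings, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, depth = header.group(1), 0
            continue
        depth += line.count("{") - line.count("}")
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def weak_enctypes(settings):
    """Map each enctype key present to the deprecated algorithms it lists."""
    findings = {}
    for key in ENCTYPE_KEYS:
        if key not in settings:
            continue
        names = re.split(r"[\s,]+", settings[key].strip())
        bad = [n for n in names if n.lower().startswith(WEAK_ENCTYPE_PREFIXES)]
        if bad:
            findings[key] = bad
    return findings


# Constructed sample: the stanza from the post plus a hypothetical realm block.
SAMPLE_KRB5_CONF = """
[libdefaults]
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

[realms]
        EXAMPLE.COM = {
                kdc = dc1.example.com
        }
"""

if __name__ == "__main__":
    for key, algs in weak_enctypes(parse_libdefaults(SAMPLE_KRB5_CONF)).items():
        print(f"{key}: deprecated enctype(s) {', '.join(algs)}")
```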