
RE: Problems with OpenLDAP 2.1.4 and Kerberos



The "-I" flag is superfluous for the GSSAPI mechanism; all the relevant
information comes from your Kerberos credentials.

Setting your debug level up to -1 may show you more about what SASL is doing.
I don't recall where the SASL log is directed at the moment.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: Anthony Brock [mailto:abrock@georgefox.edu]
> Sent: Thursday, September 19, 2002 11:18 AM
> To: Howard Chu; openldap-software@OpenLDAP.org
> Subject: RE: Problems with OpenLDAP 2.1.4 and Kerberos
>
>
> Howard,
>
> I'm attempting to connect to an Active Directory LDAP server using the
> OpenLDAP software as a client. It works with basic authentication, but
> my problem has been when attempting to use Kerberos.
>
> I have this feeling that I'm missing something obvious. I just can't seem
> to see what the problem is. When looking through the archives, it appears
> that others are at least asked for their identity when using the "-I"
> flag. I'm not even being asked, just told I had an error...
>
> I received the following debug output when I specify the "-Y GSSAPI" flag:
>
> abrock@web ~ 516 $ kinit
> Password for abrock@CAMPUS.GEORGEFOX.EDU:
> abrock@web ~ 517 $ ldapsearch -H ldap://ads01.campus.georgefox.edu/ -I
> -b "OU=Staff,DC=campus,DC=georgefox,DC=edu" -d 255 -Y GSSAPI -LLL
> "SAMAccountName=abrock"
> ldap_create
> ldap_url_parse_ext(ldap://ads01.campus.georgefox.edu/)
> ldap_interactive_sasl_bind_s: user selected: GSSAPI
> ldap_int_sasl_bind: GSSAPI
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP ads01.campus.georgefox.edu:389
> ldap_new_socket: 4
> ldap_prepare_socket: 4
> ldap_connect_to_host: Trying XXX.XXX.XXX.XXX:389
> ldap_connect_timeout: fd: 4 tm: -1 async: 0
> ldap_ndelay_on: 4
> ldap_is_sock_ready: 4
> ldap_ndelay_off: 4
> ldap_perror
> ldap_sasl_interactive_bind_s: Local error (82)
> abrock@web ~ 518 $
>
> Tony
>
>
> Anthony Brock
> Director of Network Services
> George Fox University
>
> E-Mail: abrock@georgefox.edu
> Phone:  (503) 554-2579
> FAX:    (503) 554-3834
>
>
>
>
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: Wednesday, September 18, 2002 4:41 PM
> To: Quanah Gibson-Mount; Anthony Brock; openldap-software@OpenLDAP.org
> Subject: RE: Problems with OpenLDAP 2.1.4 and Kerberos
>
>
> Unless your slapd is itself making requests to other kerberized services,
> it doesn't need any tickets of its own. Just the keytab.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
>
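An added example, not from the thread: a small Python parser that reads an ldapsearch -d trace like the one Anthony posted, pulls out the SASL mechanism, whether the TCP connect got through, and the bind result code, and turns a client-side code 82 into the checklist from Howard's reply (check the Kerberos credentials, drop -I, rerun with -d -1). The embedded trace is the posted one, trimmed to the relevant lines; the code-to-meaning table covers only the two codes the script needs.

```python
import re

# Constructed sample: the trace from the quoted message, reduced to the lines
# the parser looks at.
SAMPLE_TRACE = """\
ldap_create
ldap_url_parse_ext(ldap://ads01.campus.georgefox.edu/)
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_connect_to_host: TCP ads01.campus.georgefox.edu:389
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_perror
ldap_sasl_interactive_bind_s: Local error (82)
"""

# Result codes as numbered in OpenLDAP's ldap.h. 82 (0x52) sits in the
# API-local range: it is raised by the client library, not sent by the server.
RESULT_CODES = {
    49: "invalidCredentials (the server rejected the bind)",
    82: "LDAP_LOCAL_ERROR (client-side failure, typically inside the SASL library)",
}

def diagnose_sasl_bind(trace: str) -> dict:
    """Locate where in the connect/bind sequence an ldapsearch -d trace failed
    and suggest what to check next."""
    mech = re.search(r"user selected: (\S+)", trace)
    connected = "ldap_is_sock_ready" in trace
    result = re.search(r"ldap_sasl_interactive_bind_s: (.*?) \((\d+)\)", trace)
    code = int(result.group(2)) if result else 0
    findings = {
        "mechanism": mech.group(1) if mech else None,
        "tcp_connected": connected,
        "result_code": code,
        "meaning": RESULT_CODES.get(code, "success" if code == 0 else "see ldap.h"),
        "next_steps": [],
    }
    if code == 82 and connected:
        # The socket came up, so name resolution and reachability are fine;
        # the failure happened locally while SASL was starting the bind.
        findings["next_steps"] += [
            "confirm a valid TGT exists (klist) and kinit again if it has expired",
            "drop -I: GSSAPI takes the identity from the Kerberos credentials",
            "rerun with -d -1 to see the SASL library's own messages",
        ]
    elif code == 82:
        findings["next_steps"].append("no socket came up: check host and port first")
    return findings
```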