
RE: openldap/sasl/krb5 authentication question:



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jeremy Hallum

> So, I'd like to do all of my authenticating via krb5 with openldap. I've
> been working on getting a kerberos service ticket from the kdc using
> GSSAPI, and I've finally had much success doing that. However, now, when
> I get the service ticket, I can't write to the database. I'm using stock
> patched Red Hat 9 across the board.

That's your first problem. RedHat 9 is not a stable platform, the "new"
thread support they shipped was not ready for Prime Time. If the kernel and
glibc are fully patched, it may work, but I haven't heard any success
stories.

> I'm using
> openldap-*-2.0.27-8

That's your next problem. Your config files are using OpenLDAP 2.1 syntax but
you're running a 2.0 binary. You ought to get the current 2.1 release
(2.1.25) instead - it will be more stable, faster, and will actually match
your configuration.

> cyrus-sasl-*-2.1.10-4

Yet another problem; OpenLDAP 2.0 doesn't support Cyrus SASL 2.1. RedHat
kludges around this issue by bundling both Cyrus SASL 1.5 and 2.1 in their
"2.1" RPM so you're actually getting Cyrus SASL 1.5, which is horribly buggy.
Generally I wouldn't use anything older than Cyrus SASL 2.1.15.

> krb5-*-1.2.7-14

One more problem - MIT Kerberos is not thread-safe and *will* crash when used
by slapd. Use Heimdal instead.

Say "Hi" to the folks for me. (I had your job, about 15 years ago...)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
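The question in the thread is a GSSAPI bind that succeeds but cannot write. The usual cause, once the platform issues Howard lists are out of the way, is that slapd knows the binding user only by the SASL authentication DN (uid=<user>,cn=<realm>,cn=gssapi,cn=auth), which matches no entry and therefore no ACL, so the write is refused. The slapd.conf fragment below is an added example in OpenLDAP 2.1 syntax (the release Howard recommends), not configuration from the original post or from the OpenLDAP project. The realm EXAMPLE.COM, suffix dc=example,dc=com, user jeremy and path /var/lib/ldap are assumed names; the exact form of the authentication DN on a given build should be confirmed with `ldapwhoami -Y GSSAPI` before the regexp is written.

```conf
# Added example, not from the original thread. slapd.conf in OpenLDAP 2.1
# syntax: map a GSSAPI identity to a real entry and grant that entry write.
# Assumed names: realm EXAMPLE.COM, suffix dc=example,dc=com, user jeremy.

include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid

# Refuse anonymous and plaintext-equivalent SASL mechanisms; GSSAPI
# still satisfies these properties.
sasl-secprops   noanonymous,noplain

# A GSSAPI bind as jeremy@EXAMPLE.COM presents itself to slapd as
#   uid=jeremy,cn=<realm>,cn=gssapi,cn=auth
# (check the realm's exact spelling/case with: ldapwhoami -Y GSSAPI).
# Rewrite it to the DN of the user's real entry via an LDAP URL search.
sasl-regexp
        uid=([^,]*),cn=[^,]*,cn=gssapi,cn=auth
        ldap:///dc=example,dc=com??sub?(uid=$1)

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# ACLs are evaluated against the mapped DN. Only the mapped entry for
# jeremy may write; everyone else, including unmapped SASL DNs, is
# read-only. Without the sasl-regexp above the "by dn.exact" clause
# never matches and every write from a GSSAPI bind falls through to read.
access to dn.subtree="dc=example,dc=com"
        by dn.exact="uid=jeremy,ou=people,dc=example,dc=com" write
        by * read
```

The search in the sasl-regexp must return exactly one entry, otherwise the bind is still accepted but no mapping takes place and the ACL silently stays read-only, so keep the filter tied to a unique attribute and restrict the base to the subtree that actually holds accounts.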