
RE: Building OpenLDAP 3.3.35 with Kerberos on SLES9



Confused is a very apt description of what I am right now.

I'm wading through the nightmare that is getting Linux machines to auth
with Kerberos to Active Directory, and using OpenLDAP to do user/group
lookups instead of Winbind.

I started down the road of getting Kerberos support compiled in because
ldapsearch would not auth using gssapi.  Sorting through all the
documentation, I found the -k option, and set about getting that to
work.

-k still doesn't work, because I didn't compile kbind in, but after
doing what I did below, I ended up with an ldapsearch that WOULD auth
via SASL/GSS.  Simply doing the default build left me with an ldapsearch
utility that I couldn't use to search AD.

Now, if there is a better way for me to get there than the way I went, I
would be absolutely delighted to be spun around and pointed in the
correct direction.

Thanks!
Andrew
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu] 
Sent: Tuesday, April 17, 2007 5:21 PM
To: Andrew Scott; openldap-software@openldap.org
Subject: Re: Building OpenLDAP 3.3.35 with Kerberos on SLES9

--On Tuesday, April 17, 2007 4:22 PM -0400 Andrew Scott 
<ascott@appriss.com> wrote:

>
>
> Hello all,
>
> I've been pulling hair out in tufts over the last week trying to get
> OpenLDAP 2.3.35 to build with Kerberos 5 support on a SLES9 machines
> (AMD64).  I've spent hours searching the mailing lists and Google.  All
> I could find were messages from several years ago admonishing people for
> not searching, or questions with no answers.
>
> The biggest problem is the configure script completely ignores the
> -with-kerberos option.  Completely.  I've searched, and I can't
> find any mention of why this is.


I think you are extremely confused. :)

Why would you want to link OpenLDAP against the kerberos libraries?
Usually all the kerberos negotiations are handled via Cyrus-SASL, which is
what is linked against Heimdal (or MIT), not OpenLDAP.  There is *no*
option in the configure for OpenLDAP 2.3.35 that references kerberos at all:

ldap-uat00:/usr/local/build/openldap-2.3.35# ./configure --help | grep kerberos


What you are seeing are the remnants of the very old "kbind" stuff that was
never part of any LDAP standard, was really only related to LDAP v2, and
was completely replaced by the SASL/KERBEROSIV and SASL/GSSAPI mechanisms
handled by SASL.

Does that help? :)

--Quanah


--
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
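
Added example, not part of the original thread: a shell check for the two conditions the reply implies for `ldapsearch -Y GSSAPI`, namely that the client binary is linked against Cyrus SASL and that the server advertises GSSAPI in its rootDSE. The function names and the sample ldd and rootDSE text are constructed for illustration; set LDAP_URI to run it against a real server.

```shell
#!/bin/sh
# Added example: offline checks for a SASL/GSSAPI-capable ldapsearch.
# Function names and sample text are constructed for illustration.

# Constructed rootDSE reply (LDIF) listing the server's SASL mechanisms.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# Constructed `ldd ldapsearch` output: one build without SASL, one with.
SAMPLE_LDD_DEFAULT='  libldap-2.3.so.0 => /usr/local/lib/libldap-2.3.so.0
  libc.so.6 => /lib64/libc.so.6'
SAMPLE_LDD_SASL="$SAMPLE_LDD_DEFAULT
  libsasl2.so.2 => /usr/lib64/libsasl2.so.2"

# Print each supportedSASLMechanisms value from LDIF on stdin
# (attribute names are case-insensitive).
sasl_mechs_from_rootdse() {
    awk -F': *' 'tolower($1) == "supportedsaslmechanisms" { print $2 }'
}

# has_mech MECH < rootdse.ldif : succeed if the server advertises MECH.
has_mech() {
    sasl_mechs_from_rootdse | grep -qxF -- "$1"
}

# gssapi_ready LDD_OUTPUT ROOTDSE_LDIF
# Returns 0 when both sides look usable, 1 for a client-side gap,
# 2 for a server-side gap. The Cyrus SASL GSSAPI plugin must also be
# installed on the client; that is not visible in ldd output.
gssapi_ready() {
    printf '%s\n' "$1" | grep -q 'libsasl2\.so' ||
        { echo "client: ldapsearch is not linked against Cyrus SASL"; return 1; }
    printf '%s\n' "$2" | has_mech GSSAPI ||
        { echo "server: GSSAPI is not in supportedSASLMechanisms"; return 2; }
    echo "ok: try kinit, then ldapsearch -Y GSSAPI"
}

# Live run only when LDAP_URI is set, e.g. LDAP_URI=ldap://dc.example.com
if [ -n "${LDAP_URI:-}" ]; then
    gssapi_ready "$(ldd "$(command -v ldapsearch)")" \
        "$(ldapsearch -x -LLL -H "$LDAP_URI" -b '' -s base supportedSASLMechanisms)"
fi
```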