
Re: Small HOWTO about OpenLDAP2, SASL, Kerberos and SSL/TLS (Was: OpenLDAP2 and SASL/Kerberos)

A short time ago, at a computer terminal far, far away, Turbo Fredriksson wrote:
>> My last job learned me a valuable lesson if nothing else. Document
>> all you do, so that you/someone else can do the same thing 'just
>> in case'.
>> 
>> I'll clean up my scribblings and write something for the OpenLDAP
>> Faq-o-matic about getting all this (OpenLDAP2, SSL/TLS, SASL and
>> KerberosV) to work together.
>
>I have the first draft at http://www.bayour.com/kerberos/Kerberos-MiniHOWTO.html.
>
>Please review it and mail me any comments so all this 'stupid

Thanks for putting this together.  I'm trying to help get something like
this set up here, I'm still working out some issues.

One question I had about what you mentioned on the webpage was about the
sasl gssapiv2 patch (#patch-sasl).  You mention:

   NOTE: According to a message on the openldap-software mailing list, this
   was fixed some time ago in the CVS version of Cyrus SASL. So make sure
   that you need the patch before applying it! The version of the file
   plugins/gssapi.c in the cyrus-sasl source directory should be greater
   than 1.39, that's when it was fixed. So if you have a version higher
   than 1.39 you don't need to patch Cyrus-SASL.

I wasn't sure how to find the version of the file I have (this is the
1.5.24 tar from the ftp site); I didn't see a version number in the
gssapi.c.  I pulled down the CVS image, and compared the gssapi.c there to
the one from 1.5.24, but didn't see either of the changes in the two gssapi
patches (gssapi.patch, gssapi2.patch), nor anything that seemed to (as far
as I could tell) address the "realm" issue.

Also, for the "ldap_sasl_interactive_bind_s: Local error" error, I ran into
the error in a different manner.  I wasn't specifying the FQDN hostname of
the LDAP server, and it was defaulting to "localhost", for which it
couldn't get a kerberos ticket. :)  You might want to include something
about that; it took me several hours before I figured out what the heck was
going on.

-- 
Will Day     <PGP mail preferred>     OIT / O&E / Technical Support
willday@rom.oit.gatech.edu            Georgia Tech, Atlanta 30332-0715
  -> Opinions expressed are mine alone and do not reflect OIT policy <-
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755
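The "Local error" cause described in the mail (the client falling back to "localhost", for which no ldap/<host> service ticket can be obtained) can be caught before attempting the bind by looking at the LDAP URI the client is given. This is an added example, not code from the HOWTO or from either poster; the function names, the assumed "localhost" fallback and the explicit realm argument are my assumptions.

```python
"""Pre-flight check for a SASL/GSSAPI bind: the client will ask the KDC for a
service ticket named ldap/<host>@REALM, where <host> comes from the LDAP URI.
An absent host (assumed here to default to "localhost"), an unqualified name
or a bare IP address cannot map to the server's Kerberos principal."""
from urllib.parse import urlsplit
import ipaddress

DEFAULT_HOST = "localhost"  # assumed fallback when the URI carries no host


def _host_from_uri(ldap_uri: str) -> str:
    # Accept "ldap://host:389", "ldaps://host" or a bare "host".
    if "://" not in ldap_uri:
        ldap_uri = "ldap://" + ldap_uri
    return (urlsplit(ldap_uri).hostname or DEFAULT_HOST).lower()


def gssapi_service_principal(ldap_uri: str, realm: str) -> str:
    """Service principal the GSSAPI bind will request for this URI."""
    return f"ldap/{_host_from_uri(ldap_uri)}@{realm.upper()}"


def diagnose_ldap_uri(ldap_uri: str, realm: str) -> list[str]:
    """Return the reasons (empty if none) this URI will fail a GSSAPI bind."""
    host = _host_from_uri(ldap_uri)
    problems = []
    if host == DEFAULT_HOST:
        problems.append(
            f"no usable host in {ldap_uri!r}: client defaults to {DEFAULT_HOST}, "
            f"and no ticket exists for {gssapi_service_principal(ldap_uri, realm)}")
        return problems
    try:
        ipaddress.ip_address(host)
        problems.append(f"{host} is an IP address; use the server's FQDN instead")
    except ValueError:
        if "." not in host:
            problems.append(f"{host} is not fully qualified; expected ldap/<fqdn>@{realm.upper()}")
    return problems


if __name__ == "__main__":
    # Constructed sample URIs: a good one and the failure modes from the mail.
    for uri in ("ldap://ldap.example.com", "ldap://", "ldaps://localhost:636", "ldap://ldap"):
        print(uri, "->", gssapi_service_principal(uri, "EXAMPLE.COM"),
              diagnose_ldap_uri(uri, "EXAMPLE.COM") or "ok")
```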
