[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP+kerboros -> win2k AD

On Tue, 21 Aug 2001, Stephan Siano wrote:

> On Tuesday, 21. August 2001 14:57, you wrote:
> > I'm having troubles with setting up a Linux RedHat 7.1 machine as a
> > ldap-client using ldapsearch with kerberos autenthication for accessing
> > win2k Active Directory.
> >
> > I'we tried to search the archives for a solution for my problem but I
> > have't found one. I only know that it should be possible (at least
> > according to http://diswww.mit.edu:8008/menelaus.mit.edu/kerberos/14603).
> >
> > I'm using MIT Kerberos V which ought to be set up right while kinit gets a
> > tiket from the Windows KDC.
> >
> > Trying to use ldapsearch -k gives this error message:
> > ldap_bind: Not Supported
> >
> > The man pages only say that OpenLDAP needs to be compiled with kerberos
> > support for the -k option to work, but not how it should be done. I'we
> > compiled with --with-kerberos but it doesn't help. I can't really see that
> > it should be the win2k AD that doesn't support kerberos.
> --with-kerberos is Kerberos 4 (and AD kind of Kerberos 5). To make OpenLDAP 
> work with Kerberos 5 you need to compile LDAP with SASL-Support and install 
> the GSSAPI-SASL Mechanism on the machine. You also need a principal for 
> ldap/host@REALM and the appropriate keytab file on the LDAP-Server.

Ok, this makes sense. I'we installed GSSAPI-SASL but trying to compile
with sasl-support gives this error:

openldap-2.0.11# ./configure --with-cyrus-sasl --enable-spasswd --enable-kpasswd
Copyright 1998-2001 The OpenLDAP Foundation,  All Rights Reserved.
Restrictions apply, see COPYRIGHT and LICENSE files.
Configuring OpenLDAP 2.0.11-Release ...
checking for krb5.h... no
checking for krb.h... no
checking for des.h... no
checking for krb-archaeology.h... no
configure: error: Kerberos detection failed

Which package should these headers come with/which installation hasn't
been properly done? locate gives this:

openldap-2.0.11# locate krb5.h

Kerberos is as far as I can see properly set up while i get a ticket from
the win2k KDC.


Pontus Fred