
RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)

Okay, I'm getting closer.  I'm able to do a kinit on my root@MYDOMAIN
principal.  Then I run:

ldapsearch -h myhost.mydomain.com -p 389 -I -b "" -s base -LLL

I get an error:

ldap_sasl_interactive_bind_s: Unknown error
	additional info: GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied;

This is better than the last error, which was the generic local error.

I take it the ticket is being granted properly (according to the
kerberos logs).  (minor point, the service ticket requested is not the
fully-qualified domain name -- temporarily fixed by adding that to the
krb database.)  However slapd is obviously not trusting the principal. 
What principal do I use?  My root principal, or the one I set up as the
passwd in the slapd.conf file? Obviously I must tell slapd to accept
some principal or principals.  Can anyone give me a pointer here?  I
already have my slapd.conf looking like so:

rootdn          "cn=Manager,dc=...."
rootpw {KERBEROS}ldapadmin@REALM

So I want to use the ldapadmin principal with kinit, right?  That didn't
seem to work either.

Public key available from http://students.cs.byu.edu/~torriem
