[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Michael Torrie

> Okay, I'm getting closer.  I'm able to do a kinit on my root@MYDOMAIN
> principal.  Then I run:
> ldapsearch -h myhost.mydomain.com -p 389 -I -b "" -s base -LLL
> supportedSASLMechanisms
> I get an error:
> ldap_sasl_interactive_bind_s: Unknown error
> 	additional info: GSSAPI: gss_acquire_cred: Miscellaneous failure;
> Permission denied;
> This is better then the last error, which was the generic local error.

I suspect this is due to a missing keytab. As I recall, the LDAP service
expects to use "ldap/my.fqdn@realm" as the service name and an entry for
this principal must exist in the default keytab, and the keytab of course
must be readable by the user that slapd runs under. Since SASL has no way
of configuring a specific keytab to use, you must use the system's default,
which is typically /etc/krb5.keytab.

> I take it the ticket is being granted properly (according to the
> kerberos logs).  (minor point, the service ticket requested is not the
> fully-qualified domain name -- temporarily fixed by adding that to the
> krb database.)  However slapd is obviously not trusting the principal.
> What principal do I use?  My root principal, or the one I set up as the
> passwd in the slapd.conf file? Obviously I must tell slapd to accept
> some principal or principals.  Can anyone give me a pointer here. I
> already have my slapd.conf looking like so:
> rootdn          "cn=Manager,dc=...."
> rootpw {KERBEROS}ldapadmin@REALM
> So I want to use the ldapadmin principal with kinit, right?  That didn't
> seem to work either.

The rootpw config has nothing to do with SASL. In the 2.0.x release the only
valid DNs for a SASL bind are of the form "uid=<username> + realm=<realm>"
If you want "ldapadmin@REALM" to be treated as your server root then you
need to
	rootdn	"uid=ldapadmin + realm=REALM"
On a SASL bind your rootpw is irrelevant, since SASL will perform the
authentication using your kerberos ticket.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support