
Re: Problems access MS Active Directory from OpenLDAP 2.1.2



Anthony Brock wrote:
> 
> I am attempting to bind against a Windows 2K server using OpenLDAP 2.1.2.
> However, I am encountering the following problem:
> 
> # kinit UnixAdmin
> Password for UnixAdmin@TEST1.GEORGEFOX.COM:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: UnixAdmin@TEST1.GEORGEFOX.COM
> 
> Valid starting     Expires            Service principal
> 07/09/02 15:56:53  07/10/02 01:56:53  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
> # ldapsearch -I -H ldap://exsrv.test1.georgefox.com/ -b "dc=test1,dc=georgefox,dc=com" objectclass=user
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name: UnixAdmin
> ldap_sasl_interactive_bind_s: Local error (82)
> #
> 
> Any ideas on solving the problem? So far, this is a real show-stopper...
> 

Set up a trust between the MIT realm and the w2k domain. Then, when you
kinit on the MIT side, you will be able to search the w2k side, as you
will bind as anonymous.

If you need write access, create an account on the w2k side with the
necessary access and then add a Kerberos mapping from your MIT principal
to the Windows user. You will then be able to use ldapsearch to find
whatever you want and ldapmodify to change what you have access to.

	al

-- 

Al Lilianstrom
CD/OSS/CSI
Al.Lilianstrom@fnal.gov
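As an added illustration of the client-side configuration the cross-realm setup above needs (example configuration, not from the original thread): a krb5.conf for the Unix host, where the MIT realm name EXAMPLE.ORG and the KDC host names are assumed placeholders, and TEST1.GEORGEFOX.COM / exsrv.test1.georgefox.com are taken from the quoted session.

```ini
# /etc/krb5.conf on the MIT-side client (assumed layout).
# The trust itself lives on the KDCs: both the MIT KDC and the w2k
# domain controller must hold a krbtgt/TEST1.GEORGEFOX.COM@EXAMPLE.ORG
# principal with the same password; this file only tells the client
# where each realm's KDC is and which DNS names belong to which realm.

[libdefaults]
    default_realm = EXAMPLE.ORG          # assumed MIT realm
    dns_lookup_kdc = false               # static KDC entries below

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org            # assumed MIT KDC host
        admin_server = kdc.example.org
    }
    # The w2k domain seen as a Kerberos realm; the domain controller
    # is the KDC that issues the ldap/ service ticket for exsrv.
    TEST1.GEORGEFOX.COM = {
        kdc = exsrv.test1.georgefox.com  # DC from the quoted session
    }

[domain_realm]
    # Without this mapping the client asks EXAMPLE.ORG for
    # ldap/exsrv.test1.georgefox.com@EXAMPLE.ORG, which does not exist,
    # instead of walking the trust to the w2k realm.
    .test1.georgefox.com = TEST1.GEORGEFOX.COM
    test1.georgefox.com = TEST1.GEORGEFOX.COM
```

After `kinit UnixAdmin@EXAMPLE.ORG`, a successful GSSAPI bind shows two extra tickets in `klist`: krbtgt/TEST1.GEORGEFOX.COM@EXAMPLE.ORG from the MIT KDC and ldap/exsrv.test1.georgefox.com@TEST1.GEORGEFOX.COM from the domain controller; their absence pinpoints whether the trust or the realm mapping is at fault.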