
RE: Problems access MS Active Directory from OpenLDAP 2.1.2



I believe I'm trying to do the same thing you are, only I'm using OpenLDAP 2.0.21 -- and still getting the same error.  I don't have an MIT Kerberos realm, I'm trying to use the Win2k realm.  Is that what you're attempting to do?  Does OpenLDAP only work with Kerberos if both the KDC and the LDAP server exist on the same physical machine?
Thanks,
Jason

-----Original Message-----
From: Al Lilianstrom [mailto:al.lilianstrom@fnal.gov]
Sent: Wednesday, July 10, 2002 7:42 AM
To: Anthony Brock
Cc: openldap-software@OpenLDAP.org
Subject: Re: Problems access MS Active Directory from OpenLDAP 2.1.2


Anthony Brock wrote:
> 
> I am attempting to bind against a Windows 2K server using OpenLDAP 2.1.2.
> However, I am encountering the following problem:
> 
> # kinit UnixAdmin
> Password for UnixAdmin@TEST1.GEORGEFOX.COM:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: UnixAdmin@TEST1.GEORGEFOX.COM
> 
> Valid starting     Expires            Service principal
> 07/09/02 15:56:53  07/10/02 01:56:53  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
> # ldapsearch -I -H ldap://exsrv.test1.georgefox.com/ -b "dc=test1,dc=georgefox,dc=com" objectclass=user
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name: UnixAdmin
> ldap_sasl_interactive_bind_s: Local error (82)
> #
> 
> Any ideas on solving the problem? So far, this is a real show-stopper...
> 

Set up a trust between the MIT realm and the w2k domain. Then when you
kinit on the MIT side you will be able to search the w2k side as you
will bind as anonymous.

If you need write access create an account on the w2k side with the
necessary access and then add a Kerberos mapping from your MIT principal
to the windows user. You will then be able to use ldapsearch to find
whatever you want and ldapmodify to change what you have access to.

	al

-- 

Al Lilianstrom
CD/OSS/CSI
Al.Lilianstrom@fnal.gov
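The thread turns on whether the ticket cache actually holds a TGT the Windows realm will honour before the GSSAPI bind is attempted: Anthony's cache holds a TGT for TEST1.GEORGEFOX.COM, while Jason's question is about a client in an MIT realm talking to a Win2k realm, which is the cross-realm case Al's reply addresses. The following Python pre-flight check is an added example, not code from the thread or from OpenLDAP; it parses klist output in the layout quoted above and reports whether a bind to a given LDAP host can work from that cache. It assumes the AD realm name equals the server's DNS domain upper-cased (the usual convention, but a configuration choice); the MIT realm UNIX.EXAMPLE.COM, the principal jason, and both klist samples are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample, laid out like the klist output quoted earlier in the thread.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UnixAdmin@TEST1.GEORGEFOX.COM

Valid starting     Expires            Service principal
07/09/02 15:56:53  07/10/02 01:56:53  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
"""

# Constructed sample for the cross-realm case: a client principal in an MIT realm
# (UNIX.EXAMPLE.COM is a placeholder) holding its local TGT plus a cross-realm TGT
# for the Windows realm, which is what a working realm trust looks like in klist.
SAMPLE_KLIST_TRUST = """Ticket cache: FILE:/tmp/krb5cc_500
Default principal: jason@UNIX.EXAMPLE.COM

Valid starting     Expires            Service principal
07/09/02 15:56:53  07/10/02 01:56:53  krbtgt/UNIX.EXAMPLE.COM@UNIX.EXAMPLE.COM
07/09/02 15:57:10  07/10/02 01:56:53  krbtgt/TEST1.GEORGEFOX.COM@UNIX.EXAMPLE.COM
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


def parse_klist(text):
    """Parse klist output into (default principal, list of ticket dicts)."""
    principal = None
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "service": m.group(3),
            })
    return principal, tickets


def realm_of(principal):
    """Realm part of user@REALM or service/host@REALM."""
    return principal.rsplit("@", 1)[1]


def realm_for_host(ldap_host):
    """Assumed convention: the AD realm is the server's DNS domain, upper-cased."""
    return ldap_host.split(".", 1)[1].upper()


def gssapi_preflight(klist_text, ldap_host, now):
    """Check the ticket cache before attempting a GSSAPI bind to ldap_host.

    `now` is a timestamp string in klist's own format. Returns (ok, reasons);
    reasons explain what the cache lacks when ok is False.
    """
    now = datetime.strptime(now, TIME_FMT)
    principal, tickets = parse_klist(klist_text)
    if principal is None:
        return False, ["no default principal in cache: run kinit first"]
    client_realm = realm_of(principal)
    target_realm = realm_for_host(ldap_host)

    # The bind needs a TGT usable for target_realm: the local TGT when both
    # realms match, otherwise a cross-realm TGT that the client's KDC can only
    # issue when a trust between the realms exists.
    wanted = "krbtgt/%s@%s" % (target_realm, client_realm)
    tgts = [t for t in tickets if t["service"] == wanted]
    if not tgts:
        if client_realm == target_realm:
            return False, ["no TGT for %s in cache: run kinit" % client_realm]
        return False, [
            "principal realm %s differs from server realm %s and no cross-realm "
            "TGT %s is cached: a trust between the realms is needed"
            % (client_realm, target_realm, wanted)]
    if not any(t["start"] <= now < t["expires"] for t in tgts):
        return False, ["TGT %s expired at %s: run kinit again"
                       % (wanted, tgts[0]["expires"].strftime(TIME_FMT))]
    return True, []


if __name__ == "__main__":
    for sample in (SAMPLE_KLIST, SAMPLE_KLIST_TRUST):
        print(gssapi_preflight(sample, "exsrv.test1.georgefox.com", "07/09/02 16:00:00"))
```

Run against a real cache, the text passed in would be the output of `klist` and `now` the current time in the same format; the check distinguishes the three things a "Local error" from `ldap_sasl_interactive_bind_s` hides from the user: no ticket, an expired ticket, and a ticket from a realm the server does not trust.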