
Re: Problems access MS Active Directory from OpenLDAP 2.1.2

Anthony Brock wrote:
> 
> Al,
> 
> At this time, I am not attempting to use an MIT realm. Would it be advised
> to implement the MIT realm, and pursue this option? Or is there a way to
> directly authenticate against the W2K? Or, are both possible/workable?
> 
> If both are workable, what are the relative advantages/disadvantages of
> each? I originally thought this was a straightforward project. Suddenly,
> it's starting to edge towards new territory (multiple realms and trust
> relationships). I would greatly appreciate any advice!
> 

Ok. Earlier you wrote

> I am attempting to bind against a Windows 2K server using OpenLDAP 2.1.2.
> However, I am encountering the following problem:
> 
> # kinit UnixAdmin
> Password for UnixAdmin@TEST1.GEORGEFOX.COM:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: UnixAdmin@TEST1.GEORGEFOX.COM
> 
> Valid starting     Expires            Service principal
> 07/09/02 15:56:53  07/10/02 01:56:53  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
> # ldapsearch -I -H ldap://exsrv.test1.georgefox.com/ -b "dc=test1,dc=georgefox,dc=com" objectclass=user
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name: UnixAdmin
> ldap_sasl_interactive_bind_s: Local error (82)
> #
> 
> Any ideas on solving the problem? So far, this is a real show-stopper...

So you are doing the kinit against the w2k domain from a Unix system?

Try the ldapsearch like this:

# ldapsearch -h exsrv.test1.georgefox.com -b "dc=test1,dc=georgefox,dc=com" -s subtree name=unixadmin dn

With a ticket from the w2k side you should not need to do the
interactive login.

# klist -f
Ticket cache: /tmp/krb5cc_p31967
Default principal: lilstrom@FERMI

Valid starting     Expires            Service principal
07/10/02 10:13:43  07/10/02 20:13:43  krbtgt/FERMI@FERMI
        Flags: FIA

# ldapsearch -h dc -LLL -b "dc=fermi" name=lilstrom dn
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
dn: CN=lilstrom,DC=fermi

# klist -f
Ticket cache: /tmp/krb5cc_p31967
Default principal: lilstrom@FERMI

Valid starting     Expires            Service principal
07/10/02 10:13:43  07/10/02 20:13:43  krbtgt/FERMI@FERMI
        Flags: FIA
07/10/02 10:13:47  07/10/02 20:13:43  ldap/fermi@FERMI
        Flags: FA

	al

-- 

Al Lilianstrom
CD/OSS/CSI
Al.Lilianstrom@fnal.gov
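Added example (not from the thread): a small POSIX shell check that parses `klist -f` output the way the reply above reads it, so you can tell whether the cache holds only the TGT (bind never completed) or also the `ldap/host` service ticket that a successful GSSAPI bind leaves behind. The realm, host and klist sample below are constructed; `gssapi_search` uses ldapsearch's `-Y GSSAPI` and `-H` options instead of the older `-h` form.

```shell
#!/bin/sh
# Constructed sample of `klist -f` output after a successful GSSAPI bind
# (hypothetical realm EXAMPLE.COM, not the realms from the thread).
SAMPLE_KLIST='Ticket cache: /tmp/krb5cc_1000
Default principal: unixadmin@EXAMPLE.COM

Valid starting     Expires            Service principal
07/10/02 10:13:43  07/10/02 20:13:43  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
07/10/02 10:13:47  07/10/02 20:13:43  ldap/dc.example.com@EXAMPLE.COM
        Flags: FA'

# has_ticket KLIST_OUTPUT SERVICE_PREFIX
# Exit 0 if a ticket whose service principal starts with SERVICE_PREFIX is
# in the cache. Ticket lines start with a MM/DD/YY date; their fifth field
# is the service principal. "Flags:" continuation lines never match.
has_ticket() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ "^[0-9][0-9]/[0-9][0-9]/[0-9][0-9]$" && index($5, want) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose KLIST_OUTPUT LDAP_HOST
# Prints what the cache shows. Exit 2: no TGT at all; exit 1: TGT but no
# ldap/LDAP_HOST service ticket; exit 0: both present.
diagnose() {
    if ! has_ticket "$1" 'krbtgt/'; then
        echo "no TGT in cache: run kinit first"; return 2
    elif ! has_ticket "$1" "ldap/$2"; then
        echo "TGT present but no ldap/$2 service ticket: bind never completed"; return 1
    fi
    echo "TGT and ldap/$2 service ticket present: GSSAPI bind succeeded"
}

# gssapi_search LDAP_HOST BASE_DN FILTER
# The non-interactive bind from the reply: no -I, so no authzid prompt;
# the ticket in the cache is used as-is. Not run here (needs a live DC).
gssapi_search() {
    ldapsearch -H "ldap://$1/" -Y GSSAPI -LLL -b "$2" "$3" dn
}

diagnose "$SAMPLE_KLIST" dc.example.com
```

Run it after a failed bind with `diagnose "$(klist -f)" your.dc.host` to see which of the two tickets is missing.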