
RE: Problems with OpenLDAP 2.1.4 and Kerberos
Unless your slapd is itself making requests to other kerberized services, it
doesn't need any tickets of its own. Just the keytab.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Quanah Gibson-Mount

> Tony,
>
> We are running openldap-2.1.4 with krb5-1.2.5 and cyrus-sasl 2.1.7 without
> problem.
>
> I would ask the following:
>
> 1) On your ldap server, do you have ldap/<FQDN>@realm keytab in
> krb5.keytab?
> 2) For the startup script for slapd, does it look something like:
>
> #!/sbin/sh
> KRB5_KTNAME="FILE:/etc/krb5.keytab"
> export KRB5_KTNAME
> KRB5CCNAME="FILE:/tmp/ldap_service.tkt"
> export KRB5CCNAME
>
> case $1 in
> start)
> 	echo "slapd service starting."
> 	/usr/local/lib/slapd -h "ldap:/// ldaps:///" 1>/dev/console 2>&1
> 	;;
>
> etc....
>
> Also, you then need to make sure you have some utility (I suggest k5start)
> obtaining the k5 ticket.  We run ours out of inittab, for example:
>
> mk:3:respawn:/usr/local/bin/k5start -f /etc/krb5.keytab -u ldap -i ldap3.stanford.edu -t -l 25h -k /tmp/ldap_service.tkt -K 30 >/dev/null
>
> If you are doing even a semi-successful bind, you should see an ldap/*
> service principal ticket in your k5 ticket cache after running ldapsearch.
>
> Hope this helps!
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
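The two things Quanah asks Tony to verify (an ldap/<FQDN>@REALM key in the keytab, and an ldap/* service ticket in the credential cache after a bind) are easy to check mechanically before slapd is started. The script below is an added example for this thread, not a script from OpenLDAP or from either poster. It keeps the KRB5_KTNAME / KRB5CCNAME setup from the quoted start script and adds two checks that parse MIT `klist` output. The host name ldap.example.com, the realm EXAMPLE.COM and the two `klist` listings are constructed so the checks run without a KDC; on a real server you would feed them the live output of `klist -k -t` and `klist -c`.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a slapd start
# script. Host, realm and paths are assumptions; the klist listings are
# constructed sample text so the checks can run offline.

LDAP_HOST="ldap.example.com"      # assumed FQDN of the directory server
REALM="EXAMPLE.COM"               # assumed Kerberos realm
KEYTAB="/etc/krb5.keytab"
CCACHE="/tmp/ldap_service.tkt"

# Constructed sample of `klist -k -t /etc/krb5.keytab` (MIT format):
# the keytab holds a host/ key and the ldap/ service key slapd needs.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 09/30/02 12:00:00 host/ldap.example.com@EXAMPLE.COM
   2 09/30/02 12:00:00 ldap/ldap.example.com@EXAMPLE.COM'

# Constructed sample of `klist -c /tmp/ldap_service.tkt` after a successful
# GSSAPI bind: the TGT from k5start plus the ldap/ service ticket.
SAMPLE_CCACHE_LISTING='Ticket cache: FILE:/tmp/ldap_service.tkt
Default principal: ldap/ldap.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
10/01/02 10:00:00  10/02/02 11:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
10/01/02 10:00:05  10/02/02 11:00:00  ldap/ldap.example.com@EXAMPLE.COM'

# keytab_has_principal SERVICE HOST REALM  < output of `klist -k [-t]`
# Exits 0 when an entry for SERVICE/HOST@REALM is in the keytab listing.
# Only rows that start with a numeric KVNO are considered, and the whole
# principal must match, so a different host with the same prefix is not
# accepted by mistake.
keytab_has_principal() {
  awk -v want="$1/$2@$3" '
    $1 ~ /^[0-9]+$/ && $NF == want { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# ccache_has_service_ticket SERVICE HOST REALM  < output of `klist [-c ccache]`
# Exits 0 when the cache holds a ticket for SERVICE/HOST@REALM. Ticket rows
# have at least five fields (start date, start time, expiry date, expiry
# time, principal); the "Default principal:" header is shorter and is
# deliberately ignored so that merely owning the keytab identity does not
# count as having obtained the service ticket.
ccache_has_service_ticket() {
  awk -v want="$1/$2@$3" '
    NF >= 5 && $NF == want { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Live versions of the two checks for a real server (need MIT klist).
check_keytab() {
  klist -k -t "$KEYTAB" | keytab_has_principal ldap "$LDAP_HOST" "$REALM" || {
    echo "keytab $KEYTAB has no ldap/$LDAP_HOST@$REALM entry" >&2
    return 1
  }
}

check_after_bind() {
  klist -c "$CCACHE" | ccache_has_service_ticket ldap "$LDAP_HOST" "$REALM" || {
    echo "no ldap/$LDAP_HOST@$REALM ticket in $CCACHE; the bind did not use GSSAPI" >&2
    return 1
  }
}

# The start case from the thread, with the keytab check in front of slapd.
start_slapd() {
  KRB5_KTNAME="FILE:$KEYTAB";  export KRB5_KTNAME
  KRB5CCNAME="FILE:$CCACHE";   export KRB5CCNAME
  check_keytab || return 1
  echo "slapd service starting."
  # /usr/local/lib/slapd -h "ldap:/// ldaps:///" 1>/dev/console 2>&1
}

# Stand-alone run: exercise both parsers on the constructed listings.
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_KEYTAB_LISTING" \
    | keytab_has_principal ldap "$LDAP_HOST" "$REALM" && echo "keytab: ok"
  printf '%s\n' "$SAMPLE_CCACHE_LISTING" \
    | ccache_has_service_ticket ldap "$LDAP_HOST" "$REALM" && echo "ccache: ok"
fi
```

Run it with `sh script.sh demo` to see both checks pass on the sample listings; wire `check_keytab` into the `start)` branch of the real init script and call `check_after_bind` from a test that runs `ldapsearch -Y GSSAPI` against the server. The keytab check catches the most common cause of the symptom in this thread (a missing or misnamed ldap/ key), and the cache check distinguishes a genuine GSSAPI bind from a simple bind that happened to succeed.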