
Re: Problems with OpenLDAP 2.1.4 and Kerberos

On Wed, 18 Sep 2002, Anthony Brock wrote:

> I have successfully installed and tested Kerberos 5-1.2.6 and SASL
> 2.1.7. I am able to login, authenticate and interact using these
> protocols (using a W2K Active Directory KDC). However, I am unable to
> get this working with OpenLDAP. This is also after reading through and
> following the steps outlined at http://www.bayour.com/LDAPv3-HOWTO.html
> and at
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp.
> This is the third time I have attempted this, and I have browsed through
> most of the mailing list archives for the past 6 months. At this point,
> I can successfully perform the following command (and receive results):
> ldapsearch -H ldaps://<AD Controller>/ -x -D <AD DN> -W -b <AD Base>
> -LLL "SAMAccountName=<AD Login Name>"
> However, when I try:
> ldapsearch -H ldaps://<AD Controller>/ -I -b <AD Base> -LLL
> "SAMAccountName=<AD Login Name>"
> I receive "ldap_sasl_interactive_bind_s: Local error (82)". I have
> attempted this with the Solaris "truss" command, but am not certain if
> this output is informative. I am including a small sample transcript of
> the session and the output of a truss command.

Are you trying to use cross-realm trusts?  Did you run kinit to get the 
user's TGT first?  I've got this working on a testbed running at home.

btw...going the other way has proven impossible so far....
Using a cross-realm trust to access OpenLDAP in a MIT Krb5 realm 
from a Win2k client in the trusted AD realm.

cheers, jerry
 Hewlett-Packard                                     http://www.hp.com
 SAMBA Team                                       http://www.samba.org
 --                                            http://www.plainjoe.org
 "Sam's Teach Yourself Samba in 24 Hours" 2ed.      ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--
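The pre-flight check Jerry is asking about, as an added shell example that is not part of the thread: result code 82 is LDAP_LOCAL_ERROR, which the OpenLDAP client raises on its own side before the bind reaches the server, so the first thing to verify for a GSSAPI bind is that the ticket cache actually holds a krbtgt for the realm. The `has_tgt` and `ldap_result_hint` functions, the EXAMPLE.COM realm, the constructed `klist` output and the `RUN_LIVE`/`AD_CONTROLLER`/`AD_BASE`/`AD_LOGIN` variables are all assumptions made for this example; `-Y GSSAPI` is used instead of `-I` only to name the mechanism explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): check the Kerberos ticket cache before
# attempting a SASL/GSSAPI bind, and explain the result code ldapsearch exits with.

# has_tgt REALM KLIST_OUTPUT
# Returns 0 when the given klist output lists a krbtgt for REALM, 1 otherwise.
has_tgt() {
    realm="$1"
    klist_out="$2"
    printf '%s\n' "$klist_out" | grep -qF "krbtgt/${realm}@${realm}"
}

# ldap_result_hint CODE
# Maps a few LDAP result codes seen while troubleshooting binds to a fixed hint.
ldap_result_hint() {
    case "$1" in
        0)  echo "success" ;;
        49) echo "invalidCredentials: the server received and rejected the bind" ;;
        82) echo "localError: client-side failure before the server was reached; for GSSAPI, usually no TGT in the cache (run kinit first) or a SASL/GSSAPI misconfiguration" ;;
        *)  echo "unmapped result code $1" ;;
    esac
}

# Constructed sample of 'klist' output for a user who has run kinit (placeholder realm).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
09/18/02 10:00:00  09/18/02 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed sample of 'klist' output when kinit was never run.
EMPTY_KLIST='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)'

# Live usage (only when RUN_LIVE=1 and the Kerberos tools are installed):
# inspect the real cache first, then attempt the GSSAPI bind rather than the
# simple (-x) bind that already works in the thread.
if [ "${RUN_LIVE:-0}" = 1 ] && command -v klist >/dev/null 2>&1; then
    if has_tgt "${REALM:-EXAMPLE.COM}" "$(klist 2>&1)"; then
        ldapsearch -H "ldaps://${AD_CONTROLLER:?set AD_CONTROLLER}/" -Y GSSAPI \
            -b "${AD_BASE:?set AD_BASE}" -LLL "sAMAccountName=${AD_LOGIN:?set AD_LOGIN}"
        # OpenLDAP's ldapsearch exits with the LDAP result code of the operation.
        ldap_result_hint $?
    else
        echo "no krbtgt for ${REALM:-EXAMPLE.COM} in the ticket cache; run kinit first"
    fi
fi
```

Distinguishing 82 from 49 is the useful split: 49 means the KDC and the directory were both reached and the directory disliked the identity, while 82 means the client never got as far as sending a bind, so the fix is on the workstation (ticket cache, libsasl GSSAPI plugin, krb5.conf), not on the AD side.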