I can't seem to find this in the email archive (and I am relatively sure
I am not the first one to run into this), but here goes.
I have an openldap server configured to use an ldap backend that happens
to be an Active Directory server. I would *really* like to use sasl
when the openldap server connects to the AD server. However, that
doesn't seem to work, although I can get the ldapsearch command to use
sasl if I point it directly at the AD server (so I know that in theory,
this really should work).
From using ethereal to watch the network traffic, it appears that when
the request is passed through openldap, it looks like it's trying to get
a krb ticket (near as I can tell). When I point ldapsearch directly at
the AD server, it uses (of course) my existing ticket.
I'm not horribly surprised by the fact that the openldap server is trying
to get a ticket (although I'd like to understand how to prevent it from
doing so). What I am surprised about is this: when getting the ticket,
it's passing a hostname of 'ldap' (in addition to the hostname of the
actual machine the server is running on). Where is that coming from?
Overall, what I guess I'm wondering is... what kerberos credentials are
supposed to be being used over the ldap backend connection??