
back-ldap question


I can't seem to find this in the email archive (and I am relatively sure I am not the first one to run into this), but here goes.

I have an openldap server configured to use an ldap backend that happens to be an Active Directory server. I would *really* like to use sasl when the openldap server connects to the AD server. However, that doesn't seem to work, although I can get the ldapsearch command to use sasl if I point it directly at the AD server (so I know that in theory, this really should work).

From using ethereal to watch the network traffic, it appears that when the request is passed through openldap, it looks like it's trying to get a krb ticket (near as I can tell). When I point ldapsearch directly at the AD server, it uses (of course) my existing ticket.

I'm not horribly surprised by the fact that the openldap server is trying to get a ticket (although I'd like to understand how to prevent it from doing so). What I am surprised about is this: when getting the ticket, it's passing a hostname of 'ldap' (in addition to the hostname of the actual machine the server is running on). Where is that coming from?

Overall, what I guess I'm wondering is... what kerberos credentials are supposed to be being used over the ldap backend connection??