
RE: Building OpenLDAP 3.3.35 with Kerberos on SLES9

--On Tuesday, April 17, 2007 5:29 PM -0400 Andrew Scott <ascott@appriss.com> wrote:

Confused is a very apt description of what I am right now.

I'm wading through the nightmare that is getting Linux machines to auth
with Kerberos to Active Directory, and using OpenLDAP to do user/group
lookups instead of Winbind.

I started down the road of getting Kerberos support compiled in because
ldapsearch would not auth using gssapi.  Sorting through all the
documentation, I found the -k option, and set about getting that to

-k still doesn't work, because I didn't compile kbind in, but after
doing what I did below, I ended up with an ldapsearch that WOULD auth
via SASL/GSS.  Simply doing the default build left me with an ldapsearch
utility that I couldn't use to search AD.

Right, -k was specific to the old Kerberos v4 kbind functionality, and would never have allowed you to do a SASL/GSSAPI bind to AD anyway. ;)

It sounds like the default build on SuSE just misses compiling Cyrus SASL against Heimdal. As long as you compile the *same* version of Cyrus SASL against Heimdal, you likely don't even need to rebuild OpenLDAP, assuming a dynamic build -- OpenLDAP simply calls out to Cyrus SASL to find out what mechanisms are available (hint, see the -Y flag to ldapsearch).


Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
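
The reply above says ldapsearch only offers the mechanisms Cyrus SASL can load, so a GSSAPI bind needs the plugin on the client and the mechanism advertised by the server. The script below checks both halves; it is an added example, not part of the original thread, and the plugin directory, host name, realm and search base in it are placeholders (assumptions).

```shell
#!/bin/sh
# Added example: check both halves of a SASL/GSSAPI bind before blaming OpenLDAP.

# Client side: Cyrus SASL 2.x loads mechanisms from plugin files at run time.
# The GSSAPI plugin is normally named libgssapiv2.so*; the directory varies by
# distribution (e.g. /usr/lib/sasl2 or /usr/lib64/sasl2 -- assumption).
has_gssapi_plugin() {
    dir=$1
    for f in "$dir"/libgssapiv2.so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Server side: read LDIF from a rootDSE query on stdin and print the
# advertised SASL mechanisms, one per line (attribute name is case-insensitive).
server_mechs() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "supportedsaslmechanisms" { print $2 }'
}

# True only if the server offers GSSAPI and the local plugin is installed.
can_gssapi() {
    ldif=$1
    dir=$2
    printf '%s\n' "$ldif" | server_mechs | grep -x 'GSSAPI' >/dev/null || return 1
    has_gssapi_plugin "$dir"
}

# Constructed sample of a rootDSE reply, for offline runs.
SAMPLE_LDIF='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# Live use (host, realm and base are placeholders):
#   ldapsearch -x -H ldap://dc.example.com -s base -b "" supportedSASLMechanisms | server_mechs
#   has_gssapi_plugin /usr/lib/sasl2 || echo "Cyrus SASL GSSAPI plugin missing"
#   kinit user@EXAMPLE.COM
#   ldapsearch -Y GSSAPI -H ldap://dc.example.com -b "dc=example,dc=com" "(sAMAccountName=user)"
```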