Re: openldap 2.4.6 and GSSAPI/kerberos
David E. Cross wrote:
Ok... after a bit of a struggle, I have gotten OpenLDAP 2.4.6 going with
MIT kerberos 1.6.3 with some small caveats...
1: (and you know this already), the documentation for the slapd.d
format is.. uhm.. bad. For example the "slapd.ldif" in the source isn't
even valid, the "module" section (commented out, but there) is missing the
Specific defects should be submitted to the ITS (and you should know this
2: The documentation throughout for specifying entries like the RootDN
tells you (via example) to double quote it.. this generates errors.
Usually one would expect "3:" to come after "2:" ...
There is something awry with the kerberos 5/gssapi setup for using a
krb5 credential as a RootDN; according to your documentation it should be
of the form:
This isn't working for me. After enabling Auth logging I found that it
authenticated me as:
(note the lack of realm...) "why?" have I botched something (which I may
have), or is there an error with the documentation?
You haven't read the documentation. Section 13.2.4:
Note also that the realm part will be omitted if the default realm was used
in the authentication.
The SASL library always omits the realm if it matches the default realm. This
is also documented in the FAQ and the Cyrus SASL docs.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
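
The realm omission discussed in this thread, as an added example that is not part of the original messages or of OpenLDAP's code. It is a simplified Python model of the authentication DN forms given in the OpenLDAP Admin Guide's SASL chapter, and it checks a configured rootdn against the DN slapd would actually see. The function names are hypothetical, and the principal, realm and rootdn values are constructed samples.

```python
# Added illustration: simplified model of how slapd names a GSSAPI-authenticated
# user, following the authentication DN forms in the OpenLDAP Admin Guide:
#   uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth   (non-default realm)
#   uid=<user>,cn=<mechanism>,cn=auth              (default realm, realm omitted)
# Realm, principal and rootdn values below are constructed samples.

def sasl_authc_dn(principal, default_realm, mech="GSSAPI"):
    """Build the authentication DN slapd would log for a Kerberos principal."""
    user, sep, realm = principal.rpartition("@")
    if not sep:                      # bare name: no realm was supplied
        user, realm = principal, ""
    rdns = ["uid=" + user]
    if realm and realm != default_realm:
        rdns.append("cn=" + realm)   # only a foreign realm shows up in the DN
    rdns += ["cn=" + mech, "cn=auth"]
    return normalize_dn(",".join(rdns))

def normalize_dn(dn):
    """Simplified DN normalization: trim around RDNs and lowercase.
    Assumes no escaped commas inside attribute values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_rootdn(rootdn, principal, default_realm):
    """Return (matches, explanation) for a configured rootdn."""
    actual = sasl_authc_dn(principal, default_realm)
    configured = normalize_dn(rootdn)
    if configured == actual:
        return True, "rootdn matches " + actual
    realm_rdn = "cn=" + default_realm.lower()
    if realm_rdn in configured.split(","):
        return False, ("rootdn names the default realm, but slapd sees "
                       + actual + "; drop the " + realm_rdn + " component")
    return False, "rootdn does not match " + actual

if __name__ == "__main__":
    for rootdn in ("uid=admin,cn=EXAMPLE.COM,cn=gssapi,cn=auth",
                   "uid=admin,cn=gssapi,cn=auth"):
        print(rootdn, "->",
              check_rootdn(rootdn, "admin@EXAMPLE.COM", "EXAMPLE.COM"))
```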