Re: LDAP Client & Server with Kerberos
Quanah Gibson-Mount wrote:
--On January 7, 2008 12:06:40 AM -0800 sanjay gupta
ldapsearch with debugging enabled and see what it's doing :-
[root@localhost tools]# ./ldapsearch -Y GSSAPI -d 1
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy
It seems that the LDAP server does not have GSSAPI available.
So how can we add GSSAPI support to the LDAP server to make it work?
SASL mechanism support is determined by what mechanisms Cyrus-sasl has
available to it. Install the appropriate SASL mechanisms package on
your particular distribution, or if you are building it yourself, make
sure you've built cyrus-sasl against a Kerberos implementation.
The cyrus sasl pluginviewer (called saslpluginviewer on my
system) will list the installed plugins. You should see a client
side plugin implementing the GSSAPI mechanism if you have sasl
compiled for GSSAPI and installed correctly.
Also, however unlikely, you may have configured a sasl service
file explicitly defining (restricting) which SASL mechanisms to
use. On my system, that file is /usr/lib/sasl2/slapd.conf. You
can specify the mechanisms to use using a statement like:
mech_list: GSSAPI DIGEST-MD5 PLAIN
If not specified, I believe all server side mechanisms are
offered by default.
- Dan White
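
Added example, not part of the original thread: a small shell check that compares the mech_list in a SASL service file with the mechanisms the server advertises in its root DSE, to tell a configured restriction apart from a missing plugin. The function names, verdict strings and sample file contents are constructed for illustration, and it assumes the root DSE can be read with an anonymous simple bind.

```shell
#!/bin/sh
# Added example (not from the thread). File contents below are constructed.
# Live root DSE input can be captured with:
#   ldapsearch -x -LLL -H ldap://127.0.0.1 -s base -b "" supportedSASLMechanisms

# Print the value of mech_list from a Cyrus SASL service file, or nothing
# when the file does not restrict mechanisms.
mech_list_from_conf() {
    awk '/^[ \t]*mech_list[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# Read root DSE LDIF on stdin, print one offered mechanism per line.
server_mechs() {
    awk -F': ' 'tolower($1) == "supportedsaslmechanisms" { print $2 }'
}

# has_mech "LIST" MECH: succeed if MECH is a whitespace-separated word in LIST.
has_mech() {
    for m in $1; do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# diagnose CONF LDIF: say whether GSSAPI is offered and, if not, where to look.
diagnose() {
    conf_mechs=$(mech_list_from_conf "$1")
    offered=$(server_mechs < "$2")
    if has_mech "$offered" GSSAPI; then
        echo "offered"
    elif [ -n "$conf_mechs" ] && ! has_mech "$conf_mechs" GSSAPI; then
        echo "restricted-by-mech_list"
    else
        echo "not-offered-check-plugins"
    fi
}

# Constructed sample: a service file that leaves GSSAPI out of mech_list.
tmp=$(mktemp -d)
printf 'mech_list: DIGEST-MD5 PLAIN\n' > "$tmp/slapd.conf"
printf 'dn:\nsupportedSASLMechanisms: DIGEST-MD5\nsupportedSASLMechanisms: PLAIN\n' > "$tmp/rootdse.ldif"
diagnose "$tmp/slapd.conf" "$tmp/rootdse.ldif"
rm -rf "$tmp"
```

A verdict of not-offered-check-plugins means the service file is not what excludes GSSAPI, so the next step is the plugin listing described above.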