Re: Kerberos/GSSAPI issues
Brian Candler wrote:
> I'm setting up an openldap server for Kerberos (GSSAPI) authentication only.
> I'm using slapd-2.4.21 from Ubuntu 10.04.1.
> It's basically working, and I had to do very little other than change
> export KRB5_KTNAME in /etc/default/slapd to point to the service keytab.
> However, there are a couple of strange things which I wonder if someone
> could help me with.
> (1) According to the documentation at
> then the authentication DN should be
> However, running slapd in debug mode I see the cn=<realm> is missing.
That's normal. The SASL library doesn't provide the realm name when it is
equal to the default realm. This has been true of Cyrus SASL for probably the
past dozen years. Read the Cyrus SASL documentation.
> (2) I would like to be able to do ldapsearch without specifying -Y GSSAPI
> explicitly. However if I omit it, the client picks DIGEST-MD5 instead
> (which isn't much use, since I have no passwords in the database)
Configure a sasl/slapd.conf with the options you want.
Read the Cyrus SASL documentation.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
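The two fragments below are an added illustration of the answers above, not configuration from the original thread or from the OpenLDAP project. The first is the Cyrus SASL per-application config that Howard points to (the file slapd loads is named slapd.conf; its directory depends on how Cyrus SASL was built, /usr/lib/sasl2 being the classic default and /etc/ldap/sasl2 the path the Ubuntu package is set up to use). Restricting mech_list to GSSAPI means the server no longer advertises DIGEST-MD5, so a client that negotiates by itself can only end up on GSSAPI. The second fragment is a slapd.conf authz-regexp for point (1): because the realm is omitted from the SASL authentication DN when it is the default realm, a mapping that only matches the cn=<realm> form never fires, so it must also accept the realm-less form. The realm EXAMPLE.COM, the base dc=example,dc=com and the ou=people container are assumptions for the example.

```conf
# --- Cyrus SASL application config for slapd (e.g. /usr/lib/sasl2/slapd.conf
#     or /etc/ldap/sasl2/slapd.conf; the directory is a build/packaging choice) ---
# Offer only GSSAPI, so nothing can negotiate down to DIGEST-MD5 (which would
# need cleartext-equivalent secrets that are not present in this directory).
mech_list: GSSAPI
# Optional: the keytab can be named here instead of (or as well as) via
# KRB5_KTNAME in /etc/default/slapd; the file must be readable by the slapd user.
keytab: /etc/ldap/slapd.keytab

# --- slapd.conf (or the equivalent olcAuthzRegexp attribute in cn=config) ---
# Map the SASL authentication DN onto a real entry. Two forms must be handled:
#   uid=<user>,cn=gssapi,cn=auth                 (principal in the default realm,
#                                                 realm omitted by Cyrus SASL)
#   uid=<user>,cn=EXAMPLE.COM,cn=gssapi,cn=auth  (realm given explicitly)
# Both are mapped to the same entry under ou=people (assumed layout).
authz-regexp
    "^uid=([^,]+),cn=gssapi,cn=auth$"
    "uid=$1,ou=people,dc=example,dc=com"
authz-regexp
    "^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$"
    "uid=$1,ou=people,dc=example,dc=com"
```

Note that slapd normalises the authentication DN before matching, so the realm component appears lower-cased in the regexp even though the Kerberos realm is EXAMPLE.COM. After restarting slapd, `ldapwhoami -Y GSSAPI` should report the mapped `dn:uid=...,ou=people,dc=example,dc=com` rather than the raw `cn=gssapi,cn=auth` form, and an anonymous `ldapsearch -x -b "" -s base supportedSASLMechanisms` should list only GSSAPI. On the client side the same effect as `-Y GSSAPI` can also be had by putting `SASL_MECH GSSAPI` in ldap.conf or ~/.ldaprc, independent of what the server advertises.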