[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberized LDAP not accessible

Am 22.01.2011 17:04, schrieb Brian Candler:
> On Fri, Jan 21, 2011 at 04:52:09PM +0100, Thomas Schweikle wrote:
>> > I found the same (that DIGEST-MD5 was being preferred over GSSAPI). You can
>> > fix it by disabling DIGEST-MD5.
>> > 
>> > Under Ubuntu, I did this by
>> > 
>> >     # vi /etc/ldap/sasl2/slapd.conf
>> >     mech_list: gssapi external
>> > 
>> > The location of this config file may differ under other distros.
>> I do have the directory, but not the file ... do I have to create it
>> myself or is it part of a package I did not install?
> You have to create it.

OK. Created the file. It holds:
mech_list: gssapi external
keytab: /etc/ldap/krb5.ldap
sasldb_path: /etc/ldap/sasl2/passwd.db

Had a look at the rights for /etc/ldap/krb5.ldap:
-rw------- 1 openldap openldap 278 2011-01-21 10:54 /etc/ldap/krb5.ldap

slapd is running as:
openldap  4744  0.0  0.9 115800  5008 ?        Ssl  00:02   0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap

Seems OK. Next I tried:
$ ldapsearch -Y GSSAPI -LLL -H ldap://srv.example.com -s "base" -b
"" supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL username: tschweikle@XOMPU.DE
SASL data security layer installed.
supportedSASLMechanisms: GSSAPI


Next try:
$ldapsearch -Y GSSAPI -H ldap://srv.example.com -LLL -b
"dc=example,dc=com" "(objectclass=*)"

returns the whole database! Fine! Looks like I've solved the issues
with your help! Thanks a lot!


Attachment: signature.asc
Description: OpenPGP digital signature