
Re: How to configure OpenLdap Client to work with Windows Active Directory

On 30/06/11 09:47 -0700, yen nguyen wrote:

Yes. My client system is connected to the domain. I was able to obtain a valid ticket from the AD system. The kinit command ran ok.
kinit user1@TEST.COM

I even ran gssclient and it ran ok with no error.
gssclient -port 389 MPSD-EB01T3 LDAP/MPSD-EB01T3.TEST.COM hello

The DN of my AD should be TEST.COM

So what else do I need to do on the client system to use OpenLDAP client tools with the -Y GSSAPI option? Is there an ldap.conf configuration for Windows OpenLDAP client tools?

You need to have a Cyrus SASL GSSAPI mechanism installed on your client
system, which OpenLDAP uses to perform the necessary GSSAPI authentication
with the server.

If you have 'pluginviewer' available on your system, it will tell you which
SASL mechanisms you have available. For Cyrus documentation on Windows
builds, see:


Date: Thu, 30 Jun 2011 16:17:44 +0100
From: andrew.findlay@skills-1st.co.uk
To: nhan_yen@hotmail.com
CC: openldap-technical@openldap.org
Subject: Re: How to configure OpenLdap Client to work with Windows Active Directory

On Wed, Jun 29, 2011 at 05:41:26PM -0700, yen nguyen wrote:

> Can ldapsearch work with Windows AD via GSSAPI? Is there any special setting/
> software I need to do on the client side?

GSSAPI is normally a carrier for Kerberos tickets, so for this
to work you will need to obtain a valid ticket for the AD
service. This will involve connecting your client system to the
Kerberos domain managed by the AD system.

> On my Client system, I have Windows OpenLDAP client tools (ldapsearch, etc.).
> My Server system has Windows AD running.
> I was able to use Simple Authentication and it worked.
> ldapsearch.exe -H ldap://MPSD-EB01T3/ -b "dc=test,dc=com"  -x

Without the -D and -w (or -W) options, this is just anonymous
(un-authenticated) access.

You can certainly use the OpenLDAP client tools with AD using
simple authentication. The main problem is to find out what the DN of
your AD account actually is.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |

Dan White
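
The checks discussed in this thread, as an added example that is not part of any poster's message: a shell pre-flight that confirms the server advertises GSSAPI in its rootDSE and that the client's SASL library lists a GSSAPI plugin before trying `ldapsearch -Y GSSAPI`. The function names and sample inputs are constructed for illustration; the host and base DN are the ones quoted in the thread, and a valid ticket from `kinit` is assumed.

```shell
#!/bin/sh
# Added example: pre-flight for `ldapsearch -Y GSSAPI` against AD.
# HOST is the FQDN from the service principal quoted in the thread.
HOST="MPSD-EB01T3.TEST.COM"
BASE="dc=test,dc=com"

# Succeeds if mechanism $1 is a whole token in the listing on stdin,
# e.g. the output of Cyrus SASL's `pluginviewer -c` (client plugins).
client_has_mech() {
    tr -s ' \t\r,' '\n\n\n\n' | grep -qxF "$1"
}

# Succeeds if the rootDSE LDIF on stdin advertises mechanism $1. Collect with:
#   ldapsearch -x -H ldap://$HOST/ -s base -b "" supportedSASLMechanisms
server_offers_mech() {
    tr -d '\r' | grep -qix "supportedSASLMechanisms: $1"
}

# $1 = rootDSE LDIF text, $2 = client mechanism listing.
# Prints the command to run next, or the prerequisite that is missing.
advise() {
    if ! printf '%s\n' "$1" | server_offers_mech GSSAPI; then
        echo "server does not advertise GSSAPI"; return 1
    fi
    if ! printf '%s\n' "$2" | client_has_mech GSSAPI; then
        echo "client SASL library has no GSSAPI plugin"; return 1
    fi
    echo "ldapsearch -Y GSSAPI -H ldap://$HOST/ -b \"$BASE\""
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'
SAMPLE_MECHS_OK='SASL mechanism: GSSAPI, best SSF: 56'
SAMPLE_MECHS_BAD='SASL mechanism: PLAIN, best SSF: 0
SASL mechanism: DIGEST-MD5, best SSF: 128'

advise "$SAMPLE_ROOTDSE" "$SAMPLE_MECHS_OK"
advise "$SAMPLE_ROOTDSE" "$SAMPLE_MECHS_BAD" || true
```

On a live system, pass `advise` the output of the rootDSE query shown in the comment and of `pluginviewer -c` instead of the samples.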