
Re: ldapsearch and kerberos keytab



On 09/02/15 16:22 +0300, l@avc.su wrote:
> Hi all.
>
> I've got a CentOS 6.5 server enrolled in an AD domain.

Does that mean you're using Samba, or something else?

> There's a script which should connect to AD and get some info with
> ldapsearch.
>
> We were using simple bind with username and password, but I wonder if
> there is any way to do queries and be authenticated by GSSAPI without
> needing to enter a password?

Yes, it should work fine.

> Maybe I can somehow use the system krb5.keytab and do queries in the name
> of the server (host/pc@DOMAIN credentials)?

You'll need to export a keytab file from Active Directory. See:

https://cwiki.apache.org/confluence/display/DIRxINTEROP/Exporting+Keytabs+from+Active+Directory

> Or should I create a separate keytab and specify it in ldapsearch? But I
> haven't found this option. Moreover, I know that Kerberos tickets can
> expire and I would have to re-enter the password to obtain a new one.

ldapsearch will not initialize your credentials cache. You're responsible
for running kinit to initialize it, such as from your crontab.

Using a keytab would obviate the need for sticking a password in your
crontab, of course. The underlying Kerberos libraries will request the
necessary service tickets as needed.

--
Dan White
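The keytab-plus-kinit arrangement Dan describes, as an added example script that is not from this thread: it refreshes the host principal's TGT from the system keytab only when the cache has no valid ticket, keeps the tickets in a private credentials cache so a cron job never clobbers an interactive user's, and then runs ldapsearch with a GSSAPI bind. The keytab path, realm, DC hostname and base DN are placeholder assumptions; override them through the environment.

```shell
#!/bin/sh
# Query AD over LDAP as the host principal using GSSAPI from the system
# keytab, so no password has to be stored in the crontab.
# All values below are placeholders (not from the thread); override via env.
set -eu

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
REALM="${REALM:-EXAMPLE.COM}"                    # placeholder realm
PRINCIPAL="${PRINCIPAL:-host/$(uname -n)@$REALM}" # host/fqdn@REALM from the keytab
LDAP_URI="${LDAP_URI:-ldap://dc1.example.com}"   # placeholder domain controller
BASE_DN="${BASE_DN:-DC=example,DC=com}"          # placeholder search base

# Private ccache for this job; kinit, klist and ldapsearch (via Cyrus SASL)
# all honour KRB5CCNAME, so the cron job never touches a user's tickets.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/var/tmp/krb5cc_ldapsearch_$(id -u)}"

# Obtain a TGT from the keytab only when the cache is missing or expired.
# 'klist -s' exits 0 only if the cache holds a valid, unexpired TGT, so an
# unexpired ticket is reused rather than re-requested on every run.
ensure_tgt() {
    if klist -s 2>/dev/null; then
        return 0
    fi
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# Run one search with a GSSAPI SASL bind. -Q suppresses SASL progress
# messages (it would otherwise prompt), -LLL trims the LDIF output.
# Usage: ad_query '<filter>' [attribute ...]
ad_query() {
    filter="$1"
    shift
    ensure_tgt
    ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" "$filter" "$@"
}

# When invoked with arguments, treat them as the filter and attribute list,
# e.g.:  ./ad_query.sh '(&(objectClass=computer)(cn=pc))' dNSHostName
if [ "$#" -gt 0 ]; then
    ad_query "$@"
fi
```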