
Re: ldapsearch + read-only domain controller: cannot bind



On 06/22/2016 10:28 AM, Dieter Klünter wrote:
> Am Tue, 21 Jun 2016 11:55:35 +0300
> schrieb l@avc.su:
> 
>> Hi Mark.
>>
>> Thank you, looks like the problem is not related to OpenLDAP package.
>> I've tried to get a service ticket for
>> ldap/dc.contoso.com@CONTOSO.COM, but to no avail:
> [...]
> 
> As i mentioned in my first post, linux kerberized clients require a
> host principal and a service principal. Read the Microsoft docs on
> kerberos services for Unix.
> 

You do not need a Kerberized Linux client for performing a Kerberized
ldapsearch command in this scenario. No host principal or any other
service principals for the Linux systems are required to do this. The
ldapsearch command fails to retrieve the LDAP service ticket for the RODC.

- Mark