Accessing AD from ldapsearch/modify/etc
I've been using the openldap server for a couple of years. Now I've been
tasked with creating a way to add/modify users in our Windows 2000
domain from an OSF1 machine. A little bit of research and it looked like
openldap and Cyrus SASL would do the trick as the ldap server on AD
supports GSSAPI.
Here is what I've done:
Built (and tested successfully) and installed Cyrus SASL with GSSAPI
enabled
Built and installed openldap 2.0.21 with SASL enabled
Added the w2k kdc information to my /etc/krb5.conf
Got a ticket from the w2k KDC
Default principal: lilstrom-test@FERMITEST.WINTEST.FNAL.GOV
Valid starting     Expires            Service principal
02/26/02 07:30:30  02/26/02 17:30:30  krbtgt/FERMITEST.WINTEST.FNAL.GOV@FERMITEST.WINTEST.FNAL.GOV
        Flags: FIA
02/26/02 07:30:30  02/26/02 17:30:30  krbtgt/WINTEST.FNAL.GOV@FERMITEST.WINTEST.FNAL.GOV
        Flags: FA
I've also put my w2k dc BASE and URI information in
/etc/openldap/ldap.conf
I did a test with a simple bind to make sure I could talk to the DC
# ./ldapsearch -x -s base -b '' '(objectclass=*)'
supportedSASLMechanisms
version: 2
#
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
#
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
But if I try and do an authenticated search (tried interactive
authentication too) it fails.
# ./ldapsearch -d 255 -Y GSSAPI -X "dn:CN=lilstrom-test,OU=Special,OU=Users,OU=CD,DC=fermitest,DC=wintest,DC=fnal,DC=gov" -s base -b '' '(objectclass=*)' supportedSASLMechanisms
ldap_create
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: w2kdc2.fnal.gov
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 131.225.81.201:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=w2kdc2.fnal.gov
SASL/GSSAPI authentication started
ldap_perror
ldap_sasl_interactive_bind_s: Local error
All attempts fail with the same error. I've tried various forms of my
dn for the -X parameter.
Any ideas on what I've overlooked or I'm doing wrong? I've been through
the archives without any success.
tia, al
--
Al Lilianstrom
CD/OSS/CSI
Al.Lilianstrom@fnal.gov
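A pre-flight script for the bind described in this post, added here as an example and not part of the original message or of OpenLDAP. "Local error" from ldap_sasl_interactive_bind_s generally means the SASL/GSSAPI step failed on the client side before anything reached the directory, so the script checks the usual preconditions first: the URI host in ldap.conf is a real FQDN (the DC's ticket is for ldap/<fqdn>, so an IP or alias will not do), a valid ticket is in the credential cache, and the DC's rootDSE advertises GSSAPI. The ldap.conf path, the environment variable names and the sample LDIF (constructed from the rootDSE output above) are assumptions; it expects ldapsearch and an MIT or Heimdal klist on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before an
# OpenLDAP SASL/GSSAPI bind to an Active Directory domain controller.
# Assumptions (placeholders, adjust for your site): the ldap.conf path, the
# LDAP_CONF / LDAP_PREFLIGHT variable names, and that ldapsearch plus an
# MIT/Heimdal klist are on PATH.

# Print the values of one attribute from LDIF on stdin, skipping the
# '# ...' comment lines that ldapsearch emits.  $1 = attribute name.
ldif_attr_values() {
    awk -v attr="$1" '
        /^#/ { next }
        index($0, attr ":") == 1 {
            v = substr($0, length(attr) + 2)
            sub(/^[ \t]+/, "", v)
            print v
        }'
}

# Exit 0 if the rootDSE LDIF on stdin advertises SASL mechanism $1.
has_mech() {
    ldif_attr_values supportedSASLMechanisms | grep -qx "$1"
}

# Host part of the first URI line in an ldap.conf ($1 = path to the file).
uri_host() {
    sed -n 's!^URI[[:space:]]*ldaps\{0,1\}://\([^:/[:space:]]*\).*!\1!p' "$1" | head -n 1
}

# The KDC issues the LDAP service ticket for ldap/<fqdn>.  If the client
# connects by IP literal or a bare short name, no such principal exists and
# the client-side GSSAPI step fails.  $1 = URI host.
host_is_fqdn() {
    case "$1" in
        *[!0-9.]*) ;;          # contains a letter: treat as a host name
        *) return 1 ;;         # empty, or dotted-decimal IP literal
    esac
    [ "${1#*.}" != "$1" ]      # must carry at least one dot
}

preflight() {
    conf="${LDAP_CONF:-/etc/openldap/ldap.conf}"
    host=$(uri_host "$conf")
    host_is_fqdn "$host" || {
        echo "URI host '$host' in $conf is not a FQDN; GSSAPI needs the DC's real name (SPN ldap/<fqdn>)" >&2
        return 1
    }
    # klist -s is silent and exits non-zero when the cache has no valid ticket.
    klist -s || {
        echo "no valid Kerberos ticket in the credential cache; run kinit first" >&2
        return 1
    }
    ldapsearch -x -s base -b '' supportedSASLMechanisms | has_mech GSSAPI || {
        echo "$host does not advertise GSSAPI in its rootDSE" >&2
        return 1
    }
    echo "prerequisites met; attempting SASL/GSSAPI bind to $host"
    ldapsearch -Y GSSAPI -s base -b '' supportedSASLMechanisms
}

# Run the checks only when explicitly requested, so the functions can be
# sourced or tested without touching the network.
if [ "${LDAP_PREFLIGHT:-0}" = 1 ]; then
    preflight
fi
```

Run it as `LDAP_PREFLIGHT=1 sh preflight.sh` after `kinit user@REALM`. Note that the bind attempt at the end deliberately omits the `-X "dn:..."` authorization identity used in the post: with GSSAPI the DC derives the user from the Kerberos principal in the ticket, and the failure reported above occurs before any authzid would be sent, so removing it narrows the problem to the Kerberos side.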