Okay, I'm getting closer. I'm able to do a kinit on my root@MYDOMAIN principal. Then I run:

    ldapsearch -h myhost.mydomain.com -p 389 -I -b "" -s base -LLL supportedSASLMechanisms

I get an error:

    ldap_sasl_interactive_bind_s: Unknown error
        additional info: GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied;

This is better than the last error, which was the generic local error. I take it the ticket is being granted properly (according to the Kerberos logs). (Minor point: the service ticket requested is not the fully-qualified domain name -- temporarily fixed by adding that to the krb database.)

However, slapd is obviously not trusting the principal. What principal do I use? My root principal, or the one I set up as the passwd in the slapd.conf file? Obviously I must tell slapd to accept some principal or principals. Can anyone give me a pointer here?

I already have my slapd.conf looking like so:

    rootdn "cn=Manager,dc=...."
    rootpw {KERBEROS}ldapadmin@REALM

So I want to use the ldapadmin principal with kinit, right? That didn't seem to work either.

Michael

--
Public key available from http://students.cs.byu.edu/~torriem