[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)



Thanks.  So far so good.  SASL is now working correctly.  I did a chmod
a+r /etc/krb5.keytab and it works.  However this is not a good
solution.  I guess one solution is to make a special group that I can
put ldap in to access that file.  It's odd that there's no option to
specify the keytab file... ;)

Now I need to figure out how the access controls work.

Michael

On Thu, 2002-04-18 at 07:23, Howard Chu wrote:
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Michael Torrie
> 
> > Okay, I'm getting closer.  I'm able to do a kinit on my root@MYDOMAIN
> > principal.  Then I run:
> >
> > ldapsearch -h myhost.mydomain.com -p 389 -I -b "" -s base -LLL
> > supportedSASLMechanisms
> >
> > I get an error:
> >
> > ldap_sasl_interactive_bind_s: Unknown error
> > 	additional info: GSSAPI: gss_acquire_cred: Miscellaneous failure;
> > Permission denied;
> >
> > This is better then the last error, which was the generic local error.
> 
> I suspect this is due to a missing keytab. As I recall, the LDAP service
> expects to use "ldap/my.fqdn@realm" as the service name and an entry for
> this principal must exist in the default keytab, and the keytab of course
> must be readable by the user that slapd runs under. Since SASL has no way
> of configuring a specific keytab to use, you must use the system's default,
> which is typically /etc/krb5.keytab.
> 
> > I take it the ticket is being granted properly (according to the
> > kerberos logs).  (minor point, the service ticket requested is not the
> > fully-qualified domain name -- temporarily fixed by adding that to the
> > krb database.)  However slapd is obviously not trusting the principal.
> > What principal do I use?  My root principal, or the one I set up as the
> > passwd in the slapd.conf file? Obviously I must tell slapd to accept
> > some principal or principals.  Can anyone give me a pointer here. I
> > already have my slapd.conf looking like so:
> >
> > rootdn          "cn=Manager,dc=...."
> > rootpw {KERBEROS}ldapadmin@REALM
> >
> > So I want to use the ldapadmin principal with kinit, right?  That didn't
> > seem to work either.
> 
> The rootpw config has nothing to do with SASL. In the 2.0.x release the only
> valid DNs for a SASL bind are of the form "uid=<username> + realm=<realm>"
> If you want "ldapadmin@REALM" to be treated as your server root then you
> need to
> configure
> 	rootdn	"uid=ldapadmin + realm=REALM"
> On a SASL bind your rootpw is irrelevant, since SASL will perform the
> authentication using your kerberos ticket.
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
-- 
Public key available from http://students.cs.byu.edu/~torriem


Attachment: signature.asc
Description: This is a digitally signed message part