RE: Problems access MS Active Directory from OpenLDAP 2.1.2



I found this link and thought it might be of some use (it certainly has proven valuable to me): http://www.ofb.net/~jheiss/krbldap/howto.html

Since I'm trying something similar, I have some questions to tack on to this.  The part about not needing interactive SASL makes sense if you've done kinit, but if I didn't run kinit first, what is the proper syntax for something like ldapsearch?  For example, if I do:
	kinit jcorley@EXAMPLE.COM
	<enter my password when prompted>
	ldapsearch -ZZ -LLL -H ldap://my.ldap.server/ "(objectClass=posixAccount)"
This works fine.  But shouldn't I be able to combine those steps into one ldapsearch command using interactive SASL?  I must have the syntax all wrong.

Secondly, I must have either the system authentication or something else not set up properly, because the krb5PrincipalName attribute doesn't seem to work.  If the ldap user I set up doesn't have the same UID in Kerberos, it doesn't work no matter how I try to map the krb5PrincipalName.  When I attempted to map a new LDAP user to an existing Kerberos user, the error I got in /var/log/messages was:
	pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
	pam_krb5: authentication fails for `testuser'
	pam_ldap: error trying to bind as user "uid=testuser,ou=people,c=us,dc=togethersoft,dc=net" (Inappropriate authentication)
	FAILED LOGIN 1 FROM (null) FOR testuser, Authentication failure
Thanks,
Jason

-----Original Message-----
From: Anthony Brock [mailto:abrock@georgefox.edu]
Sent: Wednesday, July 10, 2002 12:46 PM
To: Al Lilianstrom; openldap-software@OpenLDAP.org
Subject: Re: Problems access MS Active Directory from OpenLDAP 2.1.2


At 08:16 AM 7/10/2002 -0700, al.lilianstrom@fnal.gov wrote:
>so you are doing the kinit against the w2k domain from a Unix system?

Yes. The kinit is successfully (I believe) receiving the ticket from the 
W2K system. If I start from scratch, I see a success message on the W2K 
server and for the following:

# kdestroy
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
# kinit UnixAdmin
Password for UnixAdmin@TEST1.GEORGEFOX.COM:
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UnixAdmin@TEST1.GEORGEFOX.COM

Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
         Flags: IA
#

>Try the ldapsearch like this
>
># ldapsearch -h exsrv.test1.georgefox.com -b "dc=test1,dc=georgefox,dc=com" -p subtree name=unixadmin dn

# ldapsearch -h exsrv.test1.georgefox.com -b "dc=test1,dc=georgefox,dc=com" -p subtree name=unixadmin dn
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UnixAdmin@TEST1.GEORGEFOX.COM

Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
         Flags: IA
#

>With a ticket from the w2k side you should not need to do the
>interactive login.

This makes sense. I was becoming paranoid that I might have a problem 
since my login UID is root and not UnixAdmin. I was attempting to be 
explicit and eliminate any potential conflict there...

I noticed that your command is displaying "SASL SSF: 56" before "installing 
layers". Is this of importance? Do I need to do anything unique to the W2K 
server to make this work?

Thanks!

Tony

># klist -f
>Ticket cache: /tmp/krb5cc_p31967
>Default principal: lilstrom@FERMI
>
>Valid starting     Expires            Service principal
>07/10/02 10:13:43  07/10/02 20:13:43  krbtgt/FERMI@FERMI
>         Flags: FIA
>
># ldapsearch -h dc -LLL -b "dc=fermi" name=lilstrom dn
>SASL/GSSAPI authentication started
>SASL SSF: 56
>SASL installing layers
>dn: CN=lilstrom,DC=fermi
>
># klist -f
>Ticket cache: /tmp/krb5cc_p31967
>Default principal: lilstrom@FERMI
>
>Valid starting     Expires            Service principal
>07/10/02 10:13:43  07/10/02 20:13:43  krbtgt/FERMI@FERMI
>         Flags: FIA
>07/10/02 10:13:47  07/10/02 20:13:43  ldap/fermi@FERMI
>         Flags: FA
>
>         al
>
>--
>
>Al Lilianstrom
>CD/OSS/CSI
>Al.Lilianstrom@fnal.gov

******************************************************************************
* Anthony Brock                                         abrock@georgefox.edu *
* Director of Network Services                         George Fox University *
******************************************************************************
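Added example, not part of the thread: the two post-bind `klist -f` listings above differ in whether an `ldap/` service ticket appears next to the krbtgt, so this small Python parser reads `klist -f` output in the layout quoted in the thread and reports whether an unexpired `ldap/` ticket is present. The sample text is constructed from the thread's layout; the `exsrv.test1.georgefox.com` service principal in the "after" sample is an assumption.

```python
import re
from datetime import datetime

TIME_FMT = "%m/%d/%y %H:%M:%S"
# One ticket line: "<start>  <expires>  <service principal>"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")
# Flags line that follows each ticket, e.g. "         Flags: IA"
FLAGS_RE = re.compile(r"^\s+Flags:\s*([A-Za-z]*)\s*$")

# Constructed samples in the layout of the `klist -f` output quoted in the thread.
KLIST_TGT_ONLY = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UnixAdmin@TEST1.GEORGEFOX.COM

Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
         Flags: IA
"""
# Assumed hostname: what the cache would look like after a successful GSSAPI bind.
KLIST_WITH_LDAP = KLIST_TGT_ONLY + """\
07/10/02 09:37:35  07/10/02 19:37:30  ldap/exsrv.test1.georgefox.com@TEST1.GEORGEFOX.COM
         Flags: A
"""

def parse_klist(text):
    """Return (default principal or None, list of ticket dicts)."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            tickets.append({"start": datetime.strptime(m.group(1), TIME_FMT),
                            "expires": datetime.strptime(m.group(2), TIME_FMT),
                            "service": m.group(3), "flags": ""})
        elif (m := FLAGS_RE.match(line)) and tickets:
            tickets[-1]["flags"] = m.group(1)  # flags belong to the preceding ticket
    return principal, tickets

def has_service_ticket(text, service, now_str):
    """True if the cache holds a ticket for `service/...` that has not expired at now_str."""
    now = datetime.strptime(now_str, TIME_FMT)
    _, tickets = parse_klist(text)
    return any(t["service"].startswith(service + "/") and t["expires"] > now
               for t in tickets)

if __name__ == "__main__":
    for label, cache in (("TGT only", KLIST_TGT_ONLY), ("after bind", KLIST_WITH_LDAP)):
        print(label, "-> ldap/ ticket:", has_service_ticket(cache, "ldap", "07/10/02 10:00:00"))
```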