RE: Problems access MS Active Directory from OpenLDAP 2.1.2
I found this link and thought it might be of some use (it certainly has proven valuable to me): http://www.ofb.net/~jheiss/krbldap/howto.html
Since I'm trying something similar I have some questions to tack on to this. The part about not needing interactive SASL makes sense if you've done kinit, but if I didn't run kinit first what is the proper syntax for something like ldapsearch? For example, if I do:
kinit jcorley@EXAMPLE.COM
<enter my password when prompted>
ldapsearch -ZZ -LLL -H ldap://my.ldap.server/ "(objectClass=posixAccount)"
This works fine. But shouldn't I be able to combine those steps into one ldapsearch command using interactive SASL? I must have the syntax all wrong.
Secondly, I must have either the system authentication or something else not set up properly, because the krb5PrincipleName attribute doesn't seem to work. If the ldap user I set up doesn't have the same UID in kerberos, it doesn't work no matter how I try to map the krb5PrincipleName. When I attempted to map a new LDAP user to an existing Kerberos user the error I got in /var/log/messages was:
pam_krb5: authenticate error: Client not found in Kerberos database (-1765328378)
pam_krb5: authentication fails for `testuser'
pam_ldap: error trying to bind as user "uid=testuser,ou=people,c=us,dc=togethersoft,dc=net" (Inappropriate authentication)
FAILED LOGIN 1 FROM (null) FOR testuser, Authentication failure
Thanks,
Jason
-----Original Message-----
From: Anthony Brock [mailto:abrock@georgefox.edu]
Sent: Wednesday, July 10, 2002 12:46 PM
To: Al Lilianstrom; openldap-software@OpenLDAP.org
Subject: Re: Problems access MS Active Directory from OpenLDAP 2.1.2
At 08:16 AM 7/10/2002 -0700, al.lilianstrom@fnal.gov wrote:
>so you are doing the kinit against the w2k domain from a Unix system?
Yes. The kinit is successfully (I believe) receiving the ticket from the
W2K system. If I start from scratch, I see a success message on the W2K
server and the following:
# kdestroy
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
# kinit UnixAdmin
Password for UnixAdmin@TEST1.GEORGEFOX.COM:
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UnixAdmin@TEST1.GEORGEFOX.COM
Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
        Flags: IA
#
>Try the ldapsearch like this
>
># ldapsearch -h exsrv.test1.georgefox.com -b "dc=test1,dc=georgefox,dc=com" -s subtree name=unixadmin dn
# ldapsearch -h exsrv.test1.georgefox.com -b "dc=test1,dc=georgefox,dc=com" -s subtree name=unixadmin dn
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UnixAdmin@TEST1.GEORGEFOX.COM
Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
        Flags: IA
#
>With a ticket from the w2k side you should not need to do the
>interactive login.
This makes sense. I was becoming paranoid that I might have a problem
since my login UID is root and not UnixAdmin. I was attempting to be
explicit and eliminate any potential conflict there...
I noticed that your command is displaying "SASL SSF: 56" before "installing
layers". Is this of importance? Do I need to do anything unique to the W2K
server to make this work?
Thanks!
Tony
># klist -f
>Ticket cache: /tmp/krb5cc_p31967
>Default principal: lilstrom@FERMI
>
>Valid starting Expires Service principal
>07/10/02 10:13:43 07/10/02 20:13:43 krbtgt/FERMI@FERMI
> Flags: FIA
>
># ldapsearch -h dc -LLL -b "dc=fermi" name=lilstrom dn
>SASL/GSSAPI authentication started
>SASL SSF: 56
>SASL installing layers
>dn: CN=lilstrom,DC=fermi
>
># klist -f
>Ticket cache: /tmp/krb5cc_p31967
>Default principal: lilstrom@FERMI
>
>Valid starting Expires Service principal
>07/10/02 10:13:43 07/10/02 20:13:43 krbtgt/FERMI@FERMI
> Flags: FIA
>07/10/02 10:13:47 07/10/02 20:13:43 ldap/fermi@FERMI
> Flags: FA
>
> al
>
>--
>
>Al Lilianstrom
>CD/OSS/CSI
>Al.Lilianstrom@fnal.gov
******************************************************************************
* Anthony Brock abrock@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************
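The two klist listings quoted above are the real diagnostic in this thread: Al's cache gains an ldap/ service ticket after the search, Anthony's still holds only the krbtgt after the "Local error". With -Y GSSAPI, ldapsearch draws on the existing credential cache and never prompts for a Kerberos password, so the kinit step cannot be folded into the ldapsearch command; what the cache looks like afterwards tells you how far the GSSAPI bind got. The script below is an added example, not code from the thread or from OpenLDAP: it parses `klist -f` output in the MIT layout shown above and classifies the cache. The two klist samples are constructed (the ldap/exsrv.test1.georgefox.com service principal is a hypothetical FQDN, not something the thread shows).

```python
import re

# Constructed sample, modelled on the klist output quoted in the thread: a cache that
# holds only the TGT, which is what remains when the GSSAPI bind fails with
# "Local error" before the client ever obtains a service ticket.
KLIST_ONLY_TGT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UnixAdmin@TEST1.GEORGEFOX.COM

Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
        Flags: IA
"""

# Constructed sample: the same cache after a successful GSSAPI bind, where the KDC
# issued an ldap/ service ticket for the directory server (hypothetical FQDN).
KLIST_WITH_SERVICE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: UnixAdmin@TEST1.GEORGEFOX.COM

Valid starting     Expires            Service principal
07/10/02 09:37:30  07/10/02 19:37:30  krbtgt/TEST1.GEORGEFOX.COM@TEST1.GEORGEFOX.COM
        Flags: IA
07/10/02 09:41:02  07/10/02 19:37:30  ldap/exsrv.test1.georgefox.com@TEST1.GEORGEFOX.COM
        Flags: FA
"""

# One ticket line: "<date> <time>  <date> <time>  <service principal>" (MIT klist layout).
TICKET_RE = re.compile(r"^(\S+ \d\d:\d\d:\d\d)\s+(\S+ \d\d:\d\d:\d\d)\s+(\S+)\s*$")
# The "Flags:" line printed by `klist -f` belongs to the ticket directly above it.
FLAGS_RE = re.compile(r"^\s+Flags:\s*(\S*)")


def parse_klist(text):
    """Return (default principal or None, list of tickets) from `klist -f` output.

    Each ticket is a dict with keys starting, expires, service, flags.
    """
    principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"starting": m.group(1), "expires": m.group(2),
                            "service": m.group(3), "flags": ""})
            continue
        f = FLAGS_RE.match(line)
        if f and tickets:
            tickets[-1]["flags"] = f.group(1)
    return principal, tickets


def find_service_ticket(tickets, service, host):
    """Return the cached ticket for service/host (case-insensitive, realm ignored) or None."""
    want = f"{service}/{host}".lower()
    for t in tickets:
        if t["service"].partition("@")[0].lower() == want:
            return t
    return None


def diagnose_gssapi_bind(klist_text, ldap_host):
    """Classify the credential cache after a GSSAPI ldapsearch against ldap_host.

    "no-tgt"            - no TGT in the cache: kinit was not run, or the cache was destroyed
    "no-service-ticket" - TGT present but no ldap/<host> ticket: the client never obtained
                          a service ticket, so the bind failed on the client side
    "ok"                - ldap/<host> ticket present: the GSSAPI exchange reached the server
    """
    principal, tickets = parse_klist(klist_text)
    if principal is None or not any(t["service"].startswith("krbtgt/") for t in tickets):
        return "no-tgt"
    if find_service_ticket(tickets, "ldap", ldap_host) is None:
        return "no-service-ticket"
    return "ok"


if __name__ == "__main__":
    host = "exsrv.test1.georgefox.com"
    for label, sample in (("after failed bind", KLIST_ONLY_TGT),
                          ("after good bind", KLIST_WITH_SERVICE)):
        print(f"{label}: {diagnose_gssapi_bind(sample, host)}")
```

Run it as `python klistcheck.py`, or feed real output with `klist -f | python -c ...` once you replace the constructed samples. A "no-service-ticket" result after ldapsearch reports "Local error" typically means the client could not get a ticket for ldap/<host>: the name given to -h must resolve (forward and, depending on the client's rdns setting, reverse) to the host name for which the KDC holds an ldap/ service principal, and for a Windows domain controller that is normally its fully qualified name. An "ok" result with "SASL SSF: 56" in the ldapsearch output, as in Al's listing, shows the GSSAPI bind succeeded and a confidentiality layer was negotiated; that output needs nothing extra on the W2K side.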