[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problems with OpenLDAP 2.1.4 and Kerberos

To: Anthony Brock <abrock@georgefox.edu>, openldap-software@OpenLDAP.org
Subject: Re: Problems with OpenLDAP 2.1.4 and Kerberos
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Wed, 18 Sep 2002 15:50:30 -0700
Content-disposition: inline
In-reply-to: <10E6C696E40B654AB7B5A934DB181F9A5FA9@foxmail.georgefox.edu>
References: <10E6C696E40B654AB7B5A934DB181F9A5FA9@foxmail.georgefox.edu>

--On Wednesday, September 18, 2002 2:27 PM -0700 Anthony Brock <abrock@georgefox.edu> wrote:

I have successfully installed and tested Kerberos 5-1.2.6 and SASL
2.1.7. I am able to login, authenticate and interact using these
protocols (using a W2K Active Directory KDC). However, I am unable to
get this working with OpenLDAP. This is also after reading through and
following the steps outlined at http://www.bayour.com/LDAPv3-HOWTO.html
and at
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbstep
s.asp.

This is the third time I have attempted this, and I have browsed through
most of the mailing list archives for the past 6 months. At this point,
I can successfully perform the following command (and receive results):

ldapsearch -H ldaps://<AD Controller>/ -x -D <AD DN> -W -b <AD Base>
-LLL "SAMAccountName=<AD Login Name>"

However, when I try:

ldapsearch -H ldaps://<AD Controller>/ -I -b <AD Base> -LLL
"SAMAccountName=<AD Login Name>"

I receive "ldap_sasl_interactive_bind_s: Local error (82)". I have
attempted this with the Solaris "truss" command, but am not certain if
this output is informative. I am including a small sample transcript of
the session and the output of a truss command.


Tony,

We are running openldap-2.1.4 with krb5-1.2.5 and cyrus-sasl 2.1.7 without problem.

I would ask the following:

1) On your ldap server, do you have ldap/<FQDN>@realm keytab in krb5.keytab?
2) For the startup script for slapd, does it look something like:

#!/sbin/sh
KRB5_KTNAME="FILE:/etc/krb5.keytab"
export KRB5_KTNAME
KRB5CCNAME="FILE:/tmp/ldap_service.tkt"
export KRB5CCNAME

case $1 in
start)
	echo "slapd service starting."
	/usr/local/lib/slapd -h "ldap:/// ldaps:///" 1>/dev/console 2>&1
	;;

etc....

Also, you then need to make sure you have some utility (I suggest k5start) obtaining the k5 ticket. We run ours out of inittab, for example:

mk:3:respawn:/usr/local/bin/k5start -f /etc/krb5.keytab -u ldap -i ldap3.stanford.edu -t -l 25h -k /tmp/ldap_service.tkt -K 30 >/dev/null

If you are doing even a semi-successful bind, you should see a ldap/* service principal ticket in your k5 ticket cache after running ldapsearch.

Hope this helps!

--Quanah


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- RE: Problems with OpenLDAP 2.1.4 and Kerberos
  - From: "Howard Chu" <hyc@symas.com>

References:
- Problems with OpenLDAP 2.1.4 and Kerberos
  - From: "Anthony Brock" <abrock@georgefox.edu>

Prev by Date: Problems with OpenLDAP 2.1.4 and Kerberos
Next by Date: RE: OpenLDAP and TLS
Index(es):
- Chronological
- Thread