
Re: Problems with OpenLDAP 2.1.4 and Kerberos
--On Wednesday, September 18, 2002 2:27 PM -0700 Anthony Brock <abrock@georgefox.edu> wrote:

I have successfully installed and tested Kerberos 5-1.2.6 and SASL
2.1.7. I am able to login, authenticate and interact using these
protocols (using a W2K Active Directory KDC). However, I am unable to
get this working with OpenLDAP. This is also after reading through and
following the steps outlined at http://www.bayour.com/LDAPv3-HOWTO.html
and at
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp.

This is the third time I have attempted this, and I have browsed through
most of the mailing list archives for the past 6 months. At this point,
I can successfully perform the following command (and receive results):

ldapsearch -H ldaps://<AD Controller>/ -x -D <AD DN> -W -b <AD Base>
-LLL "SAMAccountName=<AD Login Name>"

However, when I try:

ldapsearch -H ldaps://<AD Controller>/ -I -b <AD Base> -LLL
"SAMAccountName=<AD Login Name>"

I receive "ldap_sasl_interactive_bind_s: Local error (82)". I have
attempted this with the Solaris "truss" command, but am not certain if
this output is informative. I am including a small sample transcript of
the session and the output of a truss command.

Tony,

We are running openldap-2.1.4 with krb5-1.2.5 and cyrus-sasl 2.1.7 without problem.

I would ask the following:

1) On your ldap server, do you have ldap/<FQDN>@realm keytab in krb5.keytab?
2) For the startup script for slapd, does it look something like:

#!/sbin/sh
KRB5_KTNAME="FILE:/etc/krb5.keytab"
export KRB5_KTNAME
KRB5CCNAME="FILE:/tmp/ldap_service.tkt"
export KRB5CCNAME

case $1 in
start)
	echo "slapd service starting."
	/usr/local/lib/slapd -h "ldap:/// ldaps:///" 1>/dev/console 2>&1
	;;

etc....

Also, you then need to make sure you have some utility (I suggest k5start) obtaining the k5 ticket. We run ours out of inittab, for example:

mk:3:respawn:/usr/local/bin/k5start -f /etc/krb5.keytab -u ldap -i ldap3.stanford.edu -t -l 25h -k /tmp/ldap_service.tkt -K 30 >/dev/null

If you are doing even a semi-successful bind, you should see an ldap/* service principal ticket in your k5 ticket cache after running ldapsearch.

Hope this helps!

--Quanah


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
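The two things the reply asks to verify (an ldap/<FQDN>@REALM key in the server keytab, and an ldap/* service ticket in the credential cache after a bind) can be checked from the text that MIT Kerberos `klist -k` and `klist` print. The script below is an added example written for this page, not code from either poster; the host names, realm, user and cache paths in the sample listings are constructed, and the sample listings themselves are mocked `klist` output so the checks can be exercised without a KDC. The `check_live` function runs the same checks against the real `klist` when it is installed.

```shell
#!/bin/sh
# Added example: verify the Kerberos prerequisites for a GSSAPI bind to slapd
# from `klist -k` (keytab listing) and `klist` (credential cache) output.
# All names below (example.edu hosts, EXAMPLE.EDU realm, paths) are made up.

# True if the keytab listing on stdin contains ldap/<fqdn>@<realm>.
# `klist -k` prints one "KVNO Principal" row per key; the principal is the
# last whitespace-separated field, so compare that field exactly.
has_ldap_service_key() {
    fqdn=$1; realm=$2
    awk -v want="ldap/$fqdn@$realm" '$NF == want { found = 1 } END { exit !found }'
}

# True if the credential-cache listing on stdin holds a ticket for any
# ldap/* service principal, which is what a successful GSSAPI bind leaves behind.
has_ldap_service_ticket() {
    awk '$NF ~ /^ldap\/[^@]+@/ { found = 1 } END { exit !found }'
}

# Run both checks against the live system. Honors KRB5_KTNAME and KRB5CCNAME
# because klist does. Returns 0 only when both conditions hold.
check_live() {
    fqdn=$1; realm=$2
    command -v klist >/dev/null 2>&1 || { echo "klist not installed" >&2; return 2; }
    klist -k | has_ldap_service_key "$fqdn" "$realm" \
        || { echo "no ldap/$fqdn@$realm key in ${KRB5_KTNAME:-default keytab}" >&2; return 1; }
    klist | has_ldap_service_ticket \
        || { echo "no ldap/* service ticket in ${KRB5CCNAME:-default cache}" >&2; return 1; }
}

# Constructed sample of `klist -k` output on a server that has the right key.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldap1.example.edu@EXAMPLE.EDU
   3 ldap/ldap1.example.edu@EXAMPLE.EDU'

# Constructed sample of a client cache after a working GSSAPI ldapsearch:
# the TGT plus a service ticket for the directory server.
SAMPLE_CACHE_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@EXAMPLE.EDU

Valid starting     Expires            Service principal
09/18/02 14:27:01  09/19/02 00:27:01  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
09/18/02 14:27:09  09/19/02 00:27:01  ldap/dc1.example.edu@EXAMPLE.EDU'

# Constructed sample of a cache where the bind never got as far as asking
# the KDC for a service ticket: only the TGT is present.
SAMPLE_CACHE_NO_SERVICE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@EXAMPLE.EDU

Valid starting     Expires            Service principal
09/18/02 14:27:01  09/19/02 00:27:01  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU'

# Demonstration on the constructed data.
printf '%s\n' "$SAMPLE_KEYTAB" | has_ldap_service_key ldap1.example.edu EXAMPLE.EDU \
    && echo "keytab: ldap/ldap1.example.edu@EXAMPLE.EDU present"
printf '%s\n' "$SAMPLE_CACHE_OK" | has_ldap_service_ticket \
    && echo "cache (ok): ldap/* service ticket present"
printf '%s\n' "$SAMPLE_CACHE_NO_SERVICE" | has_ldap_service_ticket \
    || echo "cache (failed bind): no ldap/* service ticket"
```

On the slapd host, run `check_live ldap1.example.edu EXAMPLE.EDU` with the same `KRB5_KTNAME` and `KRB5CCNAME` the startup script exports; on the client, run it after the `ldapsearch -I` attempt, since the service ticket only appears once the GSSAPI exchange has reached the KDC.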