Re: Problems with OpenLDAP 2.1.4 and Kerberos
On Wed, 18 Sep 2002, Anthony Brock wrote:
> I have successfully installed and tested Kerberos 5-1.2.6 and SASL
> 2.1.7. I am able to login, authenticate and interact using these
> protocols (using a W2K Active Directory KDC). However, I am unable to
> get this working with OpenLDAP. This is also after reading through and
> following the steps outlined at http://www.bayour.com/LDAPv3-HOWTO.html
> and at
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp.
>
> This is the third time I have attempted this, and I have browsed through
> most of the mailing list archives for the past 6 months. At this point,
> I can successfully perform the following command (and receive results):
>
> ldapsearch -H ldaps://<AD Controller>/ -x -D <AD DN> -W -b <AD Base>
> -LLL "SAMAccountName=<AD Login Name>"
>
> However, when I try:
>
> ldapsearch -H ldaps://<AD Controller>/ -I -b <AD Base> -LLL
> "SAMAccountName=<AD Login Name>"
>
> I receive "ldap_sasl_interactive_bind_s: Local error (82)". I have
> attempted this with the Solaris "truss" command, but am not certain if
> this output is informative. I am including a small sample transcript of
> the session and the output of a truss command.
Are you trying to use cross-realm trusts? Did you run kinit to get the
user's TGT first? I've got this working on a testbed running at home.
BTW, going the other way has proven impossible so far:
using a cross-realm trust to access OpenLDAP in a MIT Krb5 realm
from a Win2k client in the trusted AD realm.
cheers, jerry
---------------------------------------------------------------------
Hewlett-Packard http://www.hp.com
SAMBA Team http://www.samba.org
-- http://www.plainjoe.org
"Sam's Teach Yourself Samba in 24 Hours" 2ed. ISBN 0-672-32269-2
--"I never saved anything for the swim back." Ethan Hawke in Gattaca--
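The reply's first check (is there a TGT in the credential cache before the SASL bind is attempted?) can be scripted. The following is an added example and not part of the thread or of OpenLDAP itself; it assumes MIT Kerberos client tools (`kinit`, `klist -s`) and OpenLDAP's `ldapsearch` on the PATH, selects the mechanism explicitly with `-Y GSSAPI`, and uses placeholder host, base DN and filter values rather than anything from the original posts. The mapping of "Local error (82)" to missing Kerberos credentials reflects the common cause the reply points at, not a guaranteed diagnosis.

```shell
#!/bin/sh
# Added preflight wrapper for a GSSAPI/SASL bind with OpenLDAP's ldapsearch.
# Assumptions: MIT Kerberos client tools (kinit, klist) and ldapsearch on PATH.
# Host, base DN and filter used in the example call are placeholders.

# Return 0 if the credential cache holds a non-expired TGT,
# 1 if it does not, 2 if klist is not installed so we cannot tell.
have_tgt() {
    command -v klist >/dev/null 2>&1 || return 2
    # MIT klist: -s = silent, report via exit status only
    if klist -s 2>/dev/null; then
        return 0
    else
        return 1
    fi
}

# Turn the one-line diagnostic ldapsearch prints on a failed SASL bind
# into the first thing worth checking.
explain_bind_error() {
    case "$1" in
        *"Local error (82)"*)
            echo "LDAP_LOCAL_ERROR: the SASL/GSSAPI layer found no usable Kerberos credentials; run kinit and confirm with klist" ;;
        *)
            echo "unrecognised diagnostic: $1" ;;
    esac
}

# Run the search with an explicit GSSAPI mechanism, refusing to start
# without a TGT so the cause is reported before the bind is attempted.
gssapi_search() {
    server=$1 base=$2 filter=$3
    rc=0
    have_tgt || rc=$?
    case $rc in
        1) echo "no TGT in cache (${KRB5CCNAME:-default cache}): run kinit <user>@<REALM> first" >&2
           return 1 ;;
        2) echo "klist not found; cannot verify TGT, continuing" >&2 ;;
    esac
    out=$(ldapsearch -H "ldaps://$server/" -Y GSSAPI -b "$base" -LLL "$filter" 2>&1) || {
        explain_bind_error "$out" >&2
        return 1
    }
    printf '%s\n' "$out"
}

# Example invocation with placeholder values (not from the thread):
# gssapi_search ad-controller.example.com "DC=example,DC=com" "sAMAccountName=jdoe"
```

`klist -s` is the MIT flag; Heimdal's `klist` uses `-t` for the same silent test, so adjust `have_tgt` if that is the client library in use.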