RE: Problems with OpenLDAP 2.1.4 and Kerberos
- To: "Howard Chu" <hyc@symas.com>, <openldap-software@OpenLDAP.org>
- Subject: RE: Problems with OpenLDAP 2.1.4 and Kerberos
- From: "Anthony Brock" <abrock@georgefox.edu>
- Date: Thu, 19 Sep 2002 11:17:57 -0700
Howard,
I'm attempting to connect to an Active Directory LDAP server using the
OpenLDAP software as a client. It works with basic authentication, but
my problem has been when attempting to use Kerberos.
I have this feeling that I'm missing something obvious. I just can't seem
to see what's the problem. When looking through the archives, it appears
that others are at least asked for their identity when using the "-I"
flag. I'm not even being asked, just told I had an error...
I received the following debug output when I specify the "-Y GSSAPI" flag:
abrock@web ~ 516 $ kinit
Password for abrock@CAMPUS.GEORGEFOX.EDU:
abrock@web ~ 517 $ ldapsearch -H ldap://ads01.campus.georgefox.edu/ -I
-b "OU=Staff,DC=campus,DC=georgefox,DC=edu" -d 255 -Y GSSAPI -LLL
"SAMAccountName=abrock"
ldap_create
ldap_url_parse_ext(ldap://ads01.campus.georgefox.edu/)
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ads01.campus.georgefox.edu:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying XXX.XXX.XXX.XXX:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_perror
ldap_sasl_interactive_bind_s: Local error (82)
abrock@web ~ 518 $
Tony
Anthony Brock
Director of Network Services
George Fox University
E-Mail: abrock@georgefox.edu
Phone: (503) 554-2579
FAX: (503) 554-3834
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Wednesday, September 18, 2002 4:41 PM
To: Quanah Gibson-Mount; Anthony Brock; openldap-software@OpenLDAP.org
Subject: RE: Problems with OpenLDAP 2.1.4 and Kerberos
Unless your slapd is itself making requests to other kerberized
services, it doesn't need any tickets of its own. Just the keytab.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support