
Re: Anonymously binding despite '-U ....' to ldapsearch



Quoting "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>:

> I suggest you use ldapwhoami(1) to determine what your
> authorization identity actually is.  Note that some of
> the identity mapping stuff was changed.  Namely,
> multi-valued RDNs are no longer used.

Much easier :)

This brings me to another issue. Using ldapwhoami as 'turbo'
with a ticket for 'turbo@BAYOUR.COM' shows the expected
DN. But doing it as root with the 'same' ticket (i.e. with
principal 'turbo@BAYOUR.COM') gives:

----- s n i p -----
majorskan:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: turbo@BAYOUR.COM

Valid starting     Expires            Service principal
02/26/03 15:44:37  02/27/03 01:44:35  krbtgt/BAYOUR.COM@BAYOUR.COM
02/26/03 15:48:48  02/27/03 01:44:35  ldap/majorskan.bayour.com@BAYOUR.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
majorskan:~# ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
----- s n i p -----