[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Anonymously binding despite '-U ....' to ldapsearch

To: openldap-software@OpenLDAP.org
Subject: Re: Anonymously binding despite '-U ....' to ldapsearch
From: Turbo Fredriksson <turbo@bayour.com>
Date: 26 Feb 2003 18:48:53 +0100
In-reply-to: <5.2.0.9.0.20030226092820.01a25028@127.0.0.1>
Organization: LDAP/Kerberos expert wannabe
References: <5.2.0.9.0.20030226092820.01a25028@127.0.0.1>
User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7

Quoting "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>:

> I suggest you use ldapwhoami(1) to determine what your
> authorization identity actually is.  Note that some of
> of the identity mapping stuff was changed.  Namely,
> multi-valued RDNs are no longer used.

Much easier :)

This brings me to another issue. Using ldapwhoami as 'turbo'
with a ticket for 'turbo@BAYOUR.COM' shows the expected
DN. But doing it as root with the 'same' ticket (ie with
principal 'turbo@BAYOUR.COM') gives:

----- s n i p -----
majorskan:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: turbo@BAYOUR.COM

Valid starting     Expires            Service principal
02/26/03 15:44:37  02/27/03 01:44:35  krbtgt/BAYOUR.COM@BAYOUR.COM
02/26/03 15:48:48  02/27/03 01:44:35  ldap/majorskan.bayour.com@BAYOUR.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
majorskan:~# ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
----- s n i p -----

References:
- Re: Anonymously binding despite '-U ....' to ldapsearch
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: Anonymously binding despite '-U ....' to ldapsearch
Next by Date: Re: BDB log.xxx Files
Index(es):
- Chronological
- Thread