
Re: Getting SASL working





--On Thursday, December 30, 2004 1:08 PM -0600 Jonathan Reeder <jreeder@nscnet.com> wrote:


I've got a working OpenLDAP 2.2 running, and I can use simple binds to both modify and query the directory. However, I'm getting an error when I try to bind with SASL. The error is:

# ldapsearch -b "dc=mydomain,dc=com" "(objectclass=*)"
ldap_sasl_interactive_bind_s: No such object

I have an ldap-readable keytab with a single principal - ldap/fqdn@MYREALM.COM - and I've defined KRB5_KTNAME in my environment. I also have my rootdn set up to be "uid=ldapadmin,cn=gssapi,cn=auth". I can kinit ldapadmin, receive the ticket, but then I get that "No such object" error when I try to run an ldapsearch.

Any pointers? Thanks a bunch.

You are missing the Kerberos domain component. The identity coming in will be:


uid=ldapadmin,cn=<Kerberos domain>,cn=gssapi,cn=auth

For example, my SASL DN comes in as:

uid=quanah,cn=stanford.edu,cn=gssapi,cn=auth

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
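The mapping Quanah describes, as an added example that is not part of the original thread and not OpenLDAP project code: it builds the SASL authorization DN slapd presents for a GSSAPI bind (uid=<authcid>,cn=<realm>,cn=gssapi,cn=auth), compares it with a configured rootdn the way DN matching on cn/uid does (ignoring case and whitespace around RDNs), and shows why the rootdn from the original question never matches. The principal `ldapadmin@MYREALM.COM` and the suffix `dc=mydomain,dc=com` are taken from the question; the `authz-regexp` rule at the end is a constructed illustration of slapd's mechanism for rewriting SASL identities into real directory entries, and applying it case-insensitively is an assumption of this example.

```python
"""Constructed example of OpenLDAP's SASL identity mapping for GSSAPI binds.

Not code from the mailing-list thread or from the OpenLDAP project; it only
reproduces the DN shape described in the reply and the DN comparison rules
for the caseIgnore attributes cn and uid.
"""
import re
from typing import List, Optional, Tuple


def sasl_authz_dn(principal: str, mech: str = "gssapi") -> str:
    """Build the DN slapd presents for a SASL bind.

    'ldapadmin@MYREALM.COM' -> 'uid=ldapadmin,cn=MYREALM.COM,cn=gssapi,cn=auth'
    The realm is kept exactly as written in the principal; this example makes
    no assumption about the SASL library folding it to lower case.
    """
    if "@" not in principal:
        raise ValueError(f"principal without realm component: {principal!r}")
    user, realm = principal.rsplit("@", 1)
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: strip whitespace around each RDN and
    fold case, as caseIgnoreMatch does for cn and uid values."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def rootdn_matches(rootdn: str, principal: str) -> bool:
    """True if a GSSAPI bind as `principal` is recognized as `rootdn`."""
    return normalize_dn(rootdn) == normalize_dn(sasl_authz_dn(principal))


# A constructed authz-regexp rule in slapd.conf style: pattern plus a
# replacement that refers to capture groups as $1, $2, ...
AuthzRule = Tuple[str, str]


def apply_authz_regexp(rules: List[AuthzRule], sasl_dn: str) -> Optional[str]:
    """Rewrite a SASL DN into a directory entry DN using the first matching
    rule, or return None when no rule matches. Case-insensitive matching is
    an assumption of this example."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            # Translate slapd's $N group references into the matched text.
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return None


# Constructed rule: map every principal in MYREALM.COM to an entry under
# ou=people in the suffix from the original question.
EXAMPLE_RULES: List[AuthzRule] = [
    (r"uid=([^,]*),cn=myrealm\.com,cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=mydomain,dc=com"),
]


if __name__ == "__main__":
    principal = "ldapadmin@MYREALM.COM"
    incoming = sasl_authz_dn(principal)
    print("SASL identity presented by slapd:", incoming)
    # The rootdn from the question lacks the realm RDN, so it never matches.
    print("rootdn without realm matches:",
          rootdn_matches("uid=ldapadmin,cn=gssapi,cn=auth", principal))
    print("rootdn with realm matches:   ",
          rootdn_matches("uid=ldapadmin,cn=MYREALM.COM,cn=gssapi,cn=auth", principal))
    print("authz-regexp rewrite:", apply_authz_regexp(EXAMPLE_RULES, incoming))
```

Fixing the rootdn is the direct answer to the question; the `authz-regexp` part shows the alternative of leaving the SASL identity alone and mapping it to an existing entry, which is how ordinary (non-root) GSSAPI users are normally given an identity in the DIT. Whichever route is used, the realm RDN has to appear in the DN or pattern being matched.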