[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: gssapi service principal

To: openldap-software mailing list <openldap-software@OpenLDAP.org>
Subject: Re: gssapi service principal
From: Alex Moore <asmoore@edge.net>
Date: Wed, 30 Nov 2005 14:12:50 -0600
In-reply-to: <EE560110E55FB33C0A2F4E50@cadabra-dsl.stanford.edu>
References: <20051130062541.00006a8c@sws602.mcsun.local> <EE560110E55FB33C0A2F4E50@cadabra-dsl.stanford.edu>

On Wed, 30 Nov 2005 08:20:59 -0800
Quanah Gibson-Mount <quanah@stanford.edu> wrote:

> I would imagine there is something wrong with your kerberos
> configuration then.
> 
> Mine are all correctly defined:

I am sure there is some truth in that statement somewhere:>

I have used kerberos for login, nfs on a couple of shares and even the
occasional telnet for a few years now.  So kerberos itself should be
good.

For ldap, I built a keytab file with only one entry.  Like
ldap/hostname.my.domain@MY.REALM.  Running ldapsearch without -x and
looking at truss, I see an attempt to get a ticket with ldap/hostname,
but no attempt using the fully qualified name.  I put the keytab in
ldap's sysconfdir directory, gave the slapd daemon user 0600 rights and
ownership and added a 'keytab: <pathname>' entry in the
lib/sasl2/slapd.conf file.  That was all strictly a guess.  slapd does
not run with root permissions.

That is why I asked my question.  I know something is setup or built
incorrectly.  I just do not know where to start.

I have not built the sasl server/client example to verify that sasl is
good, but that seemed to be something to do after I got this principal
issue resolved.

Thanks, Alex

References:
- gssapi service principal
  - From: Alex Moore <asmoore@edge.net>
- Re: gssapi service principal
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: refreshAndPersist & filter 2.3.11
Next by Date: Re: gssapi service principal
Index(es):
- Chronological
- Thread