RE: Building OpenLDAP 3.3.35 with Kerberos on SLES9

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, April 17, 2007 5:29 PM -0400 Andrew Scott 
<ascott@appriss.com> wrote:

> Confused is a very apt description of what I am right now.
>
> I'm wading through the nightmare that is getting Linux machines to auth
> with Kerberos to Active Directory, and using OpenLDAP to do user/group
> lookups instead of Winbind.
>
> I started down the road of getting Kerberos support compiled in because
> ldapsearch would not auth using gssapi.  Sorting through all the
> documentation, I found the -k option, and set about getting that to
> work.
>
> -k still doesn't work, because I didn't compile kbind in, but after
> doing what I did below, I ended up with an ldapsearch that WOULD auth
> via SASL/GSS.  Simply doing the default build left me with an ldapsearch
> utility that I couldn't use to search AD.

Right, -k was specific to the old Kerberos v4 kbind functionality, and 
would never have allowed you to do a SASL/GSSAPI bind to AD anyway. ;)

It sounds like the default build on SuSE just misses compiling Cyrus SASL 
against Heimdal.  As long as you compile the *same* version of Cyrus SASL 
against Heimdal, you likely don't even need to rebuild OpenLDAP, assuming a 
dynamic build -- OpenLDAP simply calls out to Cyrus SASL to find out what 
mechanisms are available (hint, see the -Y flag to ldapsearch).


--Quanah

--
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html