Re: LDAP Client & Server with Kerberos

[Dan White <dwhite@olp.net>]

Quanah Gibson-Mount wrote:
> --On January 7, 2008 12:06:40 AM -0800 sanjay gupta 
> <sanjay_cs1983@yahoo.com> wrote:
> >  ldapsearch with debugging enabled and see what it's doing :-
> >
> > [root@localhost tools]# ./ldapsearch -Y GSSAPI  -d  1
> > ldap_create
> > ldap_sasl_interactive_bind_s: user selected: GSSAPI
> > ldap_int_sasl_bind: GSSAPI
> > ldap_new_connection 1 1 0
> > ldap_int_open_connection
> > ldap_connect_to_host: TCP 127.0.0.1:389
> > ldap_new_socket: 3
> > ldap_prepare_socket: 3
> > ldap_connect_to_host: Trying 127.0.0.1:389
> > ldap_connect_timeout: fd: 3 tm: -1 async: 0
> > ldap_int_sasl_open: host=localhost.localdomain
> > ldap_perror
> > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> >         additional info: SASL(-4): no mechanism available: No worthy
> > mechs found
> >
> > It seems that LDAP server has not  GSSAPI available.
> >
> > So how can we add GSSAPI  support in LDAP server for making it work??
>
> SASL mechanism support is determined by what mechanisms Cyrus-sasl has 
> available to it.  Install the appropriate SASL mechansisms package on 
> your particular distribution, or if you are building it yourself, make 
> sure you've built cyrus-sasl against a Kerberos implementation.

Sanjay,

The cyrus sasl pluginviewer (called saslpluginviewer on my 
system) will list the installed plugins. You should see a client 
side plugin implementing the GSSAPI mechanism if you have sasl 
compiled for GSSAPI and installed correctly.

Also, however unlikely, you may have configured a sasl service 
file explicitly defining (restricting) which SASL mechanisms to 
use. On my system, that file is /usr/lib/sasl2/slapd.conf. You 
can specify the mechanisms to use using a statement like:

	mech_list: GSSAPI DIGEST-MD5 PLAIN

If not specified, I believe all server side mechanisms are 
offered by default.

- Dan White
BTC Broadband