
Re: ldapsearch using GSSAPI failed to run from other machine ...



Hello Dan,

Sorry for my ignorance of the openldap GSSAPI mechanism. I just tried
again and I think I found out why.

On another machine, I need to configure the realms in /etc/krb5.conf, so
the machine knows where the kdc is.
After that, I ran "kinit user", and then ldapsearch worked fine.

Thank you very much for your reply.



On Thu, Feb 11, 2010 at 12:38 PM, Dan White <dwhite@olp.net> wrote:
> On 10/02/10 23:41 -0600, huican ping wrote:
>>
>> This is a dummy question. I have just started working with sasl+krb5 with
>> ldap. Can anyone kindly tell me how to make ldapsearch
>> work from another machine? E.g., what kind of setup/procedure should I
>> do on the other machine before I can do ldapsearch with gssapi
>> effectively?
>
> http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/OpenLdapSaslGssapi
>
>> Output when run on the different machine
>> =============================
>> /tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001
>> -Y gssapi -U admin  -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>>       additional info: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information
>> (Unknown code krb5 7)
>
> I don't know what "Unknown code krb5 7" means, but I would make sure:
>
> You have a local credentials cache (klist)
> You have received a ticket for the LDAP service principal
> You are referencing the server using the same name as its service principal
> You have forward and reverse DNS setup for both the server and client
>
> I'm guessing that '-h 10.230.34.88' is incorrect. I would recommend
> referencing the server by DNS name, unless the server really is using a
> service principal with that IP address.
>
> --
> Dan White
>
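The checklist in Dan's reply (a credentials cache exists, it holds a ticket for the LDAP service principal, and the server is referenced by the name in its service principal rather than an IP literal) can be turned into a small client-side pre-flight check. The following is an added example, not code from this thread or from OpenLDAP or Cyrus SASL: it parses `klist` output (the sample output, the realm EXAMPLE.COM and the host ldap.example.com are constructed assumptions) and reports which of those conditions fail before `ldapsearch -Y gssapi` is attempted.

```python
"""Pre-flight checks for ldapsearch -Y GSSAPI (added example, not from the thread).

Encodes the checklist from the reply above: a credentials cache exists, it
holds a TGT, it holds a ticket for the LDAP service principal, and the server
is named the way its service principal is. Realm and host are assumptions.
"""
import ipaddress
import re
import socket

# Constructed klist output (MIT Kerberos layout) after `kinit admin` and one
# successful ldapsearch, which fetched the ldap/ service ticket on demand.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/11/10 12:00:00  02/11/10 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/11/10 12:00:05  02/11/10 22:00:00  ldap/ldap.example.com@EXAMPLE.COM
        renew until 02/18/10 12:00:00
"""

# Constructed klist output when kinit has not been run on this machine.
SAMPLE_KLIST_EMPTY = (
    "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)\n"
)


def host_is_ip_literal(host):
    """True if the -h argument is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def expected_ldap_principal(host, realm):
    """Service principal GSSAPI asks the KDC for: ldap/<fqdn>@REALM.

    The host part must match the principal in the server's keytab; an IP
    literal only works if a principal was really created for that address.
    """
    return "ldap/%s@%s" % (host.lower(), realm.upper())


def parse_klist(output):
    """Extract the default principal and the service principals from klist output."""
    m = re.search(r"^Default principal:\s*(\S+)", output, re.MULTILINE)
    tickets = []
    for line in output.splitlines():
        tokens = line.split()
        # Ticket lines end in a principal of the form service/instance@REALM.
        if tokens and "/" in tokens[-1] and "@" in tokens[-1]:
            tickets.append(tokens[-1])
    return {"principal": m.group(1) if m else None, "tickets": tickets}


def run_checks(host, realm, klist_output):
    """Return a list of finding codes; an empty list means every check passed."""
    findings = []
    if host_is_ip_literal(host):
        findings.append("host-is-ip-literal")
    creds = parse_klist(klist_output)
    if creds["principal"] is None:
        findings.append("no-credentials-cache")
        return findings
    if not any(t.startswith("krbtgt/") for t in creds["tickets"]):
        findings.append("no-tgt")
    if expected_ldap_principal(host, realm) not in creds["tickets"]:
        # Not fatal before the first bind (the ticket is fetched on demand), but
        # after a failed bind its absence means the KDC never issued it.
        findings.append("no-ldap-service-ticket")
    return findings


def dns_round_trip(host):
    """Forward-resolve host and reverse-resolve each address (live lookup).

    Kerberos name canonicalisation relies on both directions agreeing, which is
    the forward/reverse DNS point in the reply above.
    """
    addrs = socket.gethostbyname_ex(host)[2]
    return addrs, [socket.gethostbyaddr(a)[0] for a in addrs]


if __name__ == "__main__":
    for host in ("ldap.example.com", "10.230.34.88"):
        print(host, run_checks(host, "EXAMPLE.COM", SAMPLE_KLIST) or ["ok"])
    print("no kinit", run_checks("ldap.example.com", "EXAMPLE.COM", SAMPLE_KLIST_EMPTY))
```

On a real client, feed it the output of `klist` after `kinit user`; the `no-credentials-cache` finding corresponds to the missing kinit, and `host-is-ip-literal` to the `-h 10.230.34.88` Dan flagged. The realm and KDC location themselves come from `/etc/krb5.conf`, which is the configuration the original poster found missing.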