
Re: Kerberos/GSSAPI issues



Brian Candler wrote:
Hello,

I'm setting up an openldap server for Kerberos (GSSAPI) authentication only.
I'm using slapd-2.4.21 from Ubuntu 10.04.1.

It's basically working, and I had to do very little other than change
export KRB5_KTNAME in /etc/default/slapd to point to the service keytab.

However, there are a couple of strange things which I wonder if someone
could help me with.

(1) According to the documentation at
http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
then the authentication DN should be
uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth

However, running slapd in debug mode I see the cn=<realm> is missing.

That's normal. The SASL library doesn't provide the realm name when it is equal to the default realm. This has been true of Cyrus SASL for probably the past dozen years. Read the Cyrus SASL documentation.

(2) I would like to be able to do ldapsearch without specifying -Y GSSAPI
explicitly. However if I omit it, the client picks DIGEST-MD5 instead
(which isn't much use, since I have no passwords in the database).

Configure a sasl/slapd.conf with the options you want.
Read the Cyrus SASL documentation.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
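One way to carry out the suggestion in the reply above, as an added example that is not from the thread or from the OpenLDAP project: restrict the mechanisms Cyrus SASL offers on the server side, and optionally set the client's default mechanism. The file paths are assumptions; check where the Cyrus SASL library on the host actually looks for application config files.

```conf
# Server side: Cyrus SASL application config for slapd.
# Assumed path: Cyrus SASL reads <appname>.conf from its config directory
# (commonly /usr/lib/sasl2/ or /etc/sasl2/ on Debian/Ubuntu), and slapd's
# application name is "slapd", so the file is slapd.conf.
#
# mech_list limits the mechanisms the library makes available, so slapd
# stops advertising DIGEST-MD5 (which cannot succeed without stored
# password credentials) and a client that negotiates automatically ends
# up on GSSAPI.
mech_list: GSSAPI

# Client side (optional): /etc/ldap/ldap.conf (assumed path, the Ubuntu
# default) or ~/.ldaprc. SASL_MECH sets the default mechanism for the
# OpenLDAP client tools, so ldapsearch no longer needs -Y GSSAPI even when
# talking to a server that still lists other mechanisms.
SASL_MECH GSSAPI
```

Restart slapd after adding the server-side file, then confirm the change by reading the root DSE, e.g. `ldapsearch -x -H ldap://localhost -s base -b '' supportedSASLMechanisms`, which should now list only GSSAPI.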