[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Compile openldap library with GSSAPI enabled
On Mon, Feb 18, 2013 at 3:33 PM, Dan White <dwhite@olp.net> wrote:
You have the necessary sasl components installed to support gssapi
authentication. To verify that your AD server supports gssapi:
ldapsearch -LLL -x -H ldap://ad.example.org -s "base" -b ""
supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
See the FAQ entry "How do I configure OpenLDAP+SASL+GSSAPI" here (the
client side details should still apply):
http://www.cyrussasl.org/mediawiki/index.php/FAQ
On 02/19/13 11:31 +0100, Michele wrote:
Ok I've tried that and my AD server supports all mechanism you listed above.
The problem is that I'm compiling a client application and I'd like
to use GSSAPI mechanism, but when I compile OpenLDAP I'm not sure if
it is compiling also the GSSAPI stuff. Also when I try to connect my
client to my AD server it says that no mechanism are available.
Compiling in SASL support should be sufficient.
One way to trouble shoot is to use the provided ldap utilities to verify
gssapi authentication before trouble shooting your client application.
~$ kinit dan@AD.DOMAIN
dan@AD.COM's Password:
~$ ldapwhoami -Y GSSAPI -H ldap://ldap.ad.domain
SASL/GSSAPI authentication started
SASL username: dan@AD.DOMAIN
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown
extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown
extended request OID, data 0, vece
Regardless of the error above (Active Directory 2003 apparently does not
support the whoami extended operation), this is a successful
authentication (you would see a bind error otherwise).
~$ klist
Credentials cache: FILE:/tmp/krb5cc_1005
Principal: dan@AD.DOMAIN
Issued Expires Principal
Feb 19 08:30:38 Feb 19 18:30:38 krbtgt/AD.DOMAIN@AD.DOMAIN
Feb 19 08:31:12 Feb 19 18:30:38 ldap/ldap.ad.domain@
Feb 19 08:31:12 Feb 19 18:30:38 ldap/ldap.ad.domain@AD.DOMAIN
--
Dan White