Re: Forcing the use of kerberos by ldap clients when connecting to an openldap server
- From: drjlove@xxxxxxxxx
- Date: Mon, 24 Sep 2007 14:55:06 -0700
Actually I'm a putz,
What I was trying to do would never have worked! authentication
against LDAP using GSSAPI requires the user to have already signed
into a kerberos realm and have a token. In my setup, that token was
not available (the user never signs in), hence it'd never work.
Giving user's passwords in ldap itself works until I organise the
kerberos login stuff.
On Sep 25, 1:24 am, drjl...@xxxxxxxxx wrote:
I have an openldap server that successfully authenticates against a
[jamie@janeiro ~]$ ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ja...@xxxxxxxxxxx
SASL SSF: 56
SASL installing layers
Result: Success (0)
When I do not put -Y GSSAPI in, I get:
[jamie@janeiro ~]$ ldapwhoami
ldap_sasl_interactive_bind_s: No such object (32)
Is it possible to force the client or server to use GSSAPI for
authentication, so I don't need to write it every time. In my
slapd.conf file I have:
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=
In particular this sasl-secprops is (according to the website I
pilfered that line off) in theory will force the use of GSSAPI, but in
practice it doesn't.
The reason I wish to force GSSAPI is to make a java app I need to
interoperate with use the right mechanism (i.e. GSSAPI), and hence
authenticate against kerberos via LDAP rather than authenticate
against ldap only.
Thanks for any help.
- Prev by Date: Re: Problems with kadmind, kpasswd and cross-realm authentication
- Next by Date: RE: Problems with kadmind, kpasswd and cross-realm authentication
- Previous by thread: Forcing the use of kerberos by ldap clients when connecting to an openldap server