OpenLDAP + Kerberos + smbldap-tools

Michael Marziani mdmarziani at yahoo.com
Thu Jul 21 14:57:48 EDT 2005


This is probably a question for the OpenLDAP list, but I'm pretty sure that
OpenLDAP doesn't support Kerberos authentication natively; they chose to go
with SASL instead, which supports the GSSAPI method, which supports Kerberos 5.
So I don't think you can use the entry you use for the 'rootpw' directive.

I set up Kerberos + OpenLDAP for our environment except I wrote my own tools to
manage users/groups.  In my environment I've disabled the rootdn and instead
enforce GSSAPI authentication using these ACL entries in slapd.conf:

# Users with /admin principals can change anything
# Read access for everyone else
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read

So, if you have a valid Kerberos ticket, SASL with the GSSAPI method, and SASL
compiled into OpenLDAP, you should be good to go.
Check to see what SASL authentication methods your LDAP server supports with
the following command:

ldapsearch -H ldap://localhost -x -b "" -s base -LLL supportedSASLMechanisms

If GSSAPI isn't listed, then SASL isn't installed correctly, wasn't compiled
with the GSSAPI method, and/or OpenLDAP isn't compiled with SASL support.

If everything is set up properly, I think you can use {SASL} instead of
{KERBEROS} for the rootpw entry but I'm not sure.

Hope this helps,

-Michael



I'm going to take a shot in the dark on this

--- Luciano Bolonheis <bolonheis at gmail.com> wrote:

> Hi,
> I'm beginning to use Kerberos, and I have to make it work with Samba and
> LDAP.
> I'm trying to use smbldap-tools from Idealx to add my users to the LDAP database.
> But when I try to add something with it, I get an answer: "err=8
> text=modifications require authentication".
> Does someone know what it is?
> in my slapd.conf: rootdn=cn=Manager,ou=mga,ou=prpr,o=mpf
>                   rootpw={KERBEROS}ldapadm@MGA.PRPR.MPF.GOV.BR
> 
> the ticket to ldapadm is valid
> 
> what else should be done?
> 
> thanks
> Luciano Bolonheis
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
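An added example, not code from Michael's post nor from the OpenLDAP or Idealx projects: a POSIX shell script that parses a constructed copy of the supportedSASLMechanisms answer the ldapsearch in the reply returns, shows which SASL authorization DNs the posted ACL grants write access to (both as written and in the anchored form that slapd.access(5) recommends), and wraps the live checks (klist -s, ldapwhoami -Y GSSAPI) behind a --live flag. LDAP_URI, the sample LDIF and every DN below are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. It assumes a slapd at
# ldap://localhost (LDAP_URI below) and, for the live checks, a Kerberos
# ticket already obtained with kinit; the LDIF and DNs are constructed here.

LDAP_URI="${LDAP_URI:-ldap://localhost}"

# Constructed sample of what the root DSE query in the post returns on a
# server whose SASL library offers GSSAPI (DIGEST-MD5 and CRAM-MD5 are the
# usual extra mechanisms shipped with Cyrus SASL).
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5'

# supports_mech LDIF MECH: succeed if MECH is listed in supportedSASLMechanisms.
supports_mech() {
    printf '%s\n' "$1" | grep -qx "supportedSASLMechanisms: $2"
}

# Live version of the check from the post (not exercised by the self-test):
# returns 2 if the server cannot be reached, 1 if GSSAPI is not offered.
check_live_gssapi() {
    out=$(ldapsearch -H "$LDAP_URI" -x -b "" -s base -LLL supportedSASLMechanisms) || return 2
    supports_mech "$out" GSSAPI
}

# Without an authz-regexp mapping, slapd identifies a GSSAPI-authenticated
# client by the SASL authorization DN uid=<principal>,cn=GSSAPI,cn=auth
# (ldapwhoami -Y GSSAPI prints it in lower case, cn=gssapi,cn=auth).
authz_dn() {
    printf 'uid=%s,cn=GSSAPI,cn=auth\n' "$1"
}

# The post's pattern as written, and an anchored form. slapd.access(5)
# recommends anchoring dn.regex patterns with ^ and $, because an unanchored
# regex is satisfied by a match anywhere inside the DN.
ACL_UNANCHORED='uid=.*/admin,cn=GSSAPI,cn=auth'
ACL_ANCHORED='^uid=[^,]+/admin,cn=GSSAPI,cn=auth$'

# acl_for DN [anchored|unanchored]: echo the access the ACL grants DN.
# grep -i mirrors slapd, which compiles ACL regexes with REG_ICASE.
acl_for() {
    pat=$ACL_ANCHORED
    [ "${2:-anchored}" = unanchored ] && pat=$ACL_UNANCHORED
    if printf '%s\n' "$1" | grep -Eiq "$pat"; then
        echo write
    else
        echo read
    fi
}

# Live end-to-end check: a valid ticket, then a GSSAPI bind that reports the
# DN slapd will evaluate the ACL against.
check_live_bind() {
    klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; return 1; }
    ldapwhoami -H "$LDAP_URI" -Y GSSAPI
}

if [ "${1:-}" = --live ]; then
    check_live_gssapi && check_live_bind
fi
```

Run it with --live against a real server to perform the two network checks; without the flag it only defines the functions. The contrived DN in the self-test (a uid value that itself contains ",cn=GSSAPI,cn=auth/admin") is there only to show what an unanchored pattern will accept; how slapd escapes unusual characters in the principal before building the authorization DN is not something this script models.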


