Forcing the use of kerberos by ldap clients when connecting to an openldap server
drjlove@gmail.com
Mon Sep 24 11:24:41 EDT 2007
Hello all,
I have an openldap server that successfully authenticates against a
kerberos setup:
[jamie at janeiro ~]$ ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: jamie at example.com
SASL SSF: 56
SASL installing layers
dn:uid=jamie,ou=people,dc=example,dc=com
Result: Success (0)
When I do not put -Y GSSAPI in, I get:
[jamie at janeiro ~]$ ldapwhoami
ldap_sasl_interactive_bind_s: No such object (32)
Is it possible to force the client or server to use GSSAPI for
authentication, so I don't need to write it every time? In my
slapd.conf file I have:
TLSCertificateFile /etc/openldap/cacerts/newcert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/newreq.pem
...
sasl-secprops noanonymous,noplain,noactive
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com
In particular, this sasl-secprops line (according to the website I
pilfered it from) should in theory force the use of GSSAPI, but in
practice it doesn't.
The reason I wish to force GSSAPI is to make a java app I need to
interoperate with use the right mechanism (i.e. GSSAPI), and hence
authenticate against kerberos via LDAP rather than authenticate
against ldap only.
Thanks for any help.
Jamie
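An added configuration example, not part of the original post: sasl-secprops only filters the SASL mechanisms slapd will accept by their security properties, it does not choose one, and it says nothing about simple binds. The mechanism is picked by the client, so the default can be set in the client's ldap.conf, while the server side is tightened with require/disallow and the Cyrus SASL mech_list. File paths and the realm name are assumptions.

```conf
# --- Client side: /etc/openldap/ldap.conf or ~/.ldaprc (assumed paths) ---
# The client selects the mechanism. With SASL_MECH set, a plain
# "ldapwhoami" behaves like "ldapwhoami -Y GSSAPI".
SASL_MECH   GSSAPI
SASL_REALM  EXAMPLE.COM        # constructed realm, matching the post's domain
# The same values can be supplied as environment variables
# (LDAPSASL_MECH, LDAPSASL_REALM) for scripts and cron jobs.

# --- Server side: slapd.conf ---
# As posted: restricts SASL mechanism *properties* only. Simple and
# anonymous binds are untouched, and any other mechanism satisfying these
# properties (e.g. DIGEST-MD5) is still advertised and accepted.
sasl-secprops noanonymous,noplain,noactive

# Hardened: demand a SASL bind with at least the SSF the post shows for
# GSSAPI (56), and refuse simple binds so no password is ever sent to slapd.
sasl-secprops noanonymous,noplain,noactive,minssf=56
require       SASL
disallow      bind_simple

# --- Cyrus SASL application config read by slapd (assumed path; depends on
#     the distribution: /etc/sasl2/slapd.conf or /usr/lib/sasl2/slapd.conf) ---
# This is what limits the mechanisms slapd advertises in
# supportedSASLMechanisms to GSSAPI alone.
mech_list: GSSAPI
```

After restarting slapd, `ldapsearch -Y GSSAPI -H ldap://<server> -b "" -s base supportedSASLMechanisms` should list only GSSAPI, and `ldapwhoami -x -D "uid=jamie,ou=people,dc=example,dc=com" -W` should now be refused.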