Forcing the use of kerberos by ldap clients when connecting to an openldap server

drjlove@gmail.com drjlove at gmail.com
Mon Sep 24 17:55:06 EDT 2007


Actually I'm a putz,

What I was trying to do would never have worked! Authentication
against LDAP using GSSAPI requires the user to have already signed
into a kerberos realm and have a token. In my setup, that token was
not available (the user never signs in), hence it'd never work.

Giving users' passwords in ldap itself works until I organise the
kerberos login stuff.

Jamie

On Sep 25, 1:24 am, drjl... at gmail.com wrote:
> Hello all,
>
> I have an openldap server that successfully authenticates against a
> kerberos setup:
>
> [jamie at janeiro ~]$ ldapwhoami -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: ja... at example.com
> SASL SSF: 56
> SASL installing layers
> dn:uid=jamie,ou=people,dc=example,dc=com
> Result: Success (0)
>
> When I do not put -Y GSSAPI in, I get:
>
> [jamie at janeiro ~]$ ldapwhoami
> ldap_sasl_interactive_bind_s: No such object (32)
>
> Is it possible to force the client or server to use GSSAPI for
> authentication, so I don't need to write it every time? In my
> slapd.conf file I have:
>
> TLSCertificateFile /etc/openldap/cacerts/newcert.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/newreq.pem
> ...
> sasl-secprops noanonymous,noplain,noactive
> saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com
>
> In particular this sasl-secprops (according to the website I
> pilfered that line off) will in theory force the use of GSSAPI, but in
> practice it doesn't.
>
> The reason I wish to force GSSAPI is to make a java app I need to
> interoperate with use the right mechanism (i.e. GSSAPI), and hence
> authenticate against kerberos via LDAP rather than authenticate
> against ldap only.
>
> Thanks for any help.
> Jamie
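The two points the thread settles on are that a GSSAPI bind only works when the client already holds a Kerberos ticket, and that the presence of `-Y GSSAPI` (or a `sasl-secprops` line) is no guarantee of which mechanism was actually used. The script below is an added example, not code from either message: it refuses to attempt the bind when `klist -s` reports no valid ticket, and it only treats the bind as good when the `ldapwhoami` output shows GSSAPI plus a negotiated SSF at or above a chosen minimum. It assumes MIT Kerberos's `klist` and OpenLDAP's `ldapwhoami` are on the PATH; the `MIN_SSF` threshold of 56 (the value seen in the thread's output) and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes MIT Kerberos
# (klist) and OpenLDAP client tools (ldapwhoami) are installed.
# MIN_SSF is a local policy choice; 56 matches the SSF seen in the thread.

# Inspect captured "ldapwhoami -Y GSSAPI" output ($1). Succeed only if the
# bind actually started GSSAPI, finished successfully, and negotiated a
# security layer with SSF >= $2 (default 56).
check_gssapi_bind_output() {
    out="$1"
    min_ssf="${2:-56}"
    printf '%s\n' "$out" | grep -q '^SASL/GSSAPI authentication started' || return 1
    printf '%s\n' "$out" | grep -q '^Result: Success (0)' || return 1
    ssf=$(printf '%s\n' "$out" | sed -n 's/^SASL SSF: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ssf" ] || return 1
    [ "$ssf" -ge "$min_ssf" ]
}

# Wrapper around ldapwhoami: require a valid ticket first (klist -s exits
# non-zero when the credential cache is missing, empty or expired), then
# verify the bind really used GSSAPI before trusting the returned DN.
gssapi_whoami() {
    if ! klist -s 2>/dev/null; then
        echo "no valid Kerberos ticket in the credential cache; run kinit first" >&2
        return 2
    fi
    out=$(ldapwhoami -Y GSSAPI 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
    check_gssapi_bind_output "$out" "${MIN_SSF:-56}" || {
        echo "bind did not use GSSAPI with SSF >= ${MIN_SSF:-56}:" >&2
        printf '%s\n' "$out" >&2
        return 1
    }
    # Print only the authorization DN line on success.
    printf '%s\n' "$out" | sed -n '/^dn:/p'
}

# Constructed sample in the shape of the thread's successful output.
SAMPLE_OK='SASL/GSSAPI authentication started
SASL username: jamie@example.com
SASL SSF: 56
SASL installing layers
dn:uid=jamie,ou=people,dc=example,dc=com
Result: Success (0)'

# Constructed sample of the failure seen when -Y GSSAPI is omitted.
SAMPLE_NO_GSSAPI='ldap_sasl_interactive_bind_s: No such object (32)'
```

Run it as `MIN_SSF=56 ./gssapi-whoami.sh` after sourcing, or call `gssapi_whoami` from another script; the parser is kept separate from the wrapper so the acceptance rule can be exercised against saved output without a live directory or KDC.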