SASL authentication
Xu, Qiang (FXSGSC)
Qiang.Xu at fujixerox.com
Wed Mar 18 02:18:44 EDT 2009
> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
> Sent: Tuesday, March 17, 2009 8:20 PM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
>
> First try to do a kinit with providing the password. After
> that you could try using keytab files (on your LDAP client)
> if needed in your setup.
The tutorial at http://aput.net/~jheiss/krbldap/howto.html said my SASL LDAP binding error of "82 Local error" may be due to the lack of a service principal:
=========================================================
ldap_sasl_interactive_bind_s: Local error
ldap/hostname service principal not set up
or your Kerberos ticket is expired
=========================================================
I am a little bit confused about it. Does it mean either the ticket is absent or the ticket has expired? Is "ldap/hostname service principal" and "kerberos ticket" here the same thing?
After kinit returns successfully, I can see there is a ticket in krb cache:
=========================================================
MBC113:/ <515> /tmp/dlms/kerberos/apps/klist -k
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: qxu at SESSWIN2003.COM
Valid starting     Expires            Service principal
03/17/09 17:36:50  03/18/09 03:37:35  krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
        renew until 03/18/09 17:36:50
=========================================================
Isn't this ticket the service principal needed? You can see the third column's caption is "Service principal". Is it the same as or different from the "ldap/hostname service principal" mentioned in the above?
Suppose they are different, and, as you told me, the keytab file (which contains the service principal ldap/hostname) is used by the LDAP client. But where should the keytab file be generated? Should the keytab file be created on the Kerberos server or on the LDAP server? Could you teach me how to create this keytab file, in as much detail as possible?
Thanks,
Xu Qiang
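The hint quoted above lists two separate conditions (no usable ticket-granting ticket, or no ticket for the ldap/hostname service), and the klist output in the post shows which of the two applies. The following is an added example, not code from the original post or from the howto it cites: it parses the text MIT `klist` prints for a FILE: credential cache (the sample below is constructed from the cache shown in the post) and reports, for an assumed LDAP server name, whether a TGT is present and still valid and whether a ticket for `ldap/<fqdn>@REALM` is present. The hostname `ldap.sesswin2003.com` and the date format are assumptions.

```python
"""Classify a Kerberos credential cache against the 'Local error' hint.

Added example (not part of the original post). It answers separately the two
questions the hint raises:
  1. is there a TGT (krbtgt/REALM@REALM) and is it still valid at 'now'?
  2. is there a service ticket for ldap/<fqdn>@REALM?
The krbtgt entry that klist shows is the TGT; a ticket for the ldap/<fqdn>
service is a different entry and appears only after the client has asked the
KDC for it (a GSSAPI bind does that using the TGT).
"""
from datetime import datetime
import re

# Constructed sample: the cache printed in the post, using MIT klist's
# default %m/%d/%y %H:%M:%S timestamps (assumed; locale can change this).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: qxu@SESSWIN2003.COM

Valid starting     Expires            Service principal
03/17/09 17:36:50  03/18/09 03:37:35  krbtgt/SESSWIN2003.COM@SESSWIN2003.COM
\trenew until 03/18/09 17:36:50
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
# One ticket row: start, expiry, principal. 'renew until' rows are indented
# and therefore do not match the leading timestamp.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$"
)


def parse_klist(text):
    """Return (default_principal, [(starting, expires, service_principal), ...])."""
    default = None
    tickets = []
    for line in text.splitlines():
        m = re.match(r"Default principal:\s*(\S+)", line)
        if m:
            default = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append((datetime.strptime(m.group(1), TIME_FMT),
                            datetime.strptime(m.group(2), TIME_FMT),
                            m.group(3)))
    return default, tickets


def diagnose(text, ldap_fqdn, now_str):
    """Classify the cache: no-cache, no-tgt, tgt-expired,
    service-ticket-absent or service-ticket-present."""
    now = datetime.strptime(now_str, TIME_FMT)
    default, tickets = parse_klist(text)
    if default is None:
        return "no-cache"
    realm = default.rsplit("@", 1)[1]
    tgt_name = f"krbtgt/{realm}@{realm}"
    tgts = [t for t in tickets if t[2] == tgt_name]
    if not tgts:
        return "no-tgt"
    if all(expires <= now for _, expires, _ in tgts):
        return "tgt-expired"
    service = f"ldap/{ldap_fqdn}@{realm}"   # hypothetical LDAP server name
    if any(t[2] == service for t in tickets):
        return "service-ticket-present"
    return "service-ticket-absent"


if __name__ == "__main__":
    # Before the TGT expires: the cache holds a TGT but no ldap/ ticket yet.
    print(diagnose(SAMPLE_KLIST, "ldap.sesswin2003.com", "03/17/09 18:00:00"))
    # After the TGT's 'Expires' time: the hint's other branch applies.
    print(diagnose(SAMPLE_KLIST, "ldap.sesswin2003.com", "03/18/09 04:00:00"))
```

On the cache from the post the first call reports `service-ticket-absent`: the krbtgt row is the TGT, which is valid, and there is simply no `ldap/...` entry, so the two names in the hint are not the same thing. The service ticket is something the client asks the KDC for during the bind; for the KDC to be able to issue it, the `ldap/<fqdn>` principal has to exist in the KDC database, and the LDAP server host needs that principal's key in a keytab (in MIT Kerberos the principal is created and exported with `kadmin`, and `klist -kt <keytab>` lists what a keytab contains).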