SASL authentication

Markus Moeller huaraz at moeller.plus.com
Mon Mar 23 19:25:44 EDT 2009


Can you get a network capture with Wireshark on your 2003 server of all traffic from your client when you do the following?

On the client:
kinit qxu@SESSWIN2003.COM
ldapsearch -Y GSSAPI -H 'ldap://sesswin2003.sesswin2003.com' -b 'dc=sesswin2003,dc=com' -s sub -LLL '(cn=qxu)' mail

Make sure that sesswin2003.sesswin2003.com resolves to the correct IP or is in your hosts file.

Markus

"Xu, Qiang (FXSGSC)" <Qiang.Xu at fujixerox.com> wrote in message 
news:mailman.142.1237787839.14058.kerberos at mit.edu...
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert at anl.gov]
>> Sent: Saturday, March 21, 2009 3:05 AM
>> To: Xu, Qiang (FXSGSC)
>> Cc: Michael Ströder; kerberos at mit.edu
>> Subject: Re: SASL authentication
>>
>> You need to use the FQDN of the server, not the IP number.
>> GSSAPI/Kerberos use the FQDN to derive the principal name.
>
> As you suggested, I use the following expressions:
> ==========================================
> qxu at durian(pts/3):/etc[19]$ ldapsearch -Y GSSAPI -H 
> 'ldap://sesswin2003.sesswin2003.com' -b 'dc=sesswin2003,dc=com' -s 
> sub -LLL 'cn=qxu' mail
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> ==========================================
> The domain name is "sesswin2003.com", the host name is "sesswin2003". Thus 
> the FQDN in the expression is "sesswin2003.sesswin2003.com". But the 
> result seems worse.
>
> Did I miss anything?
>
> Thank you, Doug!
> Xu Qiang
> 
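A small pre-flight check for the two points raised in this thread (the -H host must be an FQDN, not an IP number, and the client must be able to resolve it, since GSSAPI derives the service principal from that name), written as an added example that is not code from any poster. The URI and realm are the ones quoted above; port 389 and the 3-second timeout are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def ldap_service_principal(ldap_uri: str, realm: str) -> str:
    """Return the service principal a GSSAPI client will ask the KDC for.

    Raises ValueError when the URI host is an IP literal or a short name,
    the mistake Doug pointed out: Kerberos needs the server's FQDN."""
    host = urlsplit(ldap_uri).hostname or ""
    if not host:
        raise ValueError(f"no host in LDAP URI {ldap_uri!r}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError(f"{host} is an IP address; use the server's FQDN")
    if "." not in host.rstrip("."):
        raise ValueError(f"{host} is a short name; use the fully qualified name")
    # Host-based principals use the lowercased canonical name: ldap/<fqdn>@<REALM>
    return f"ldap/{host.rstrip('.').lower()}@{realm.upper()}"


def resolution_report(host: str, port: int = 389) -> dict:
    """Check that `host` resolves and that the LDAP port accepts a TCP connection.

    'Can't contact LDAP server (-1)' happens before any SASL exchange, so a
    failure here points at DNS, the hosts file or the network, not Kerberos."""
    report = {"host": host, "addresses": [], "reachable": False}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        report["error"] = f"name resolution failed: {exc}"
        return report
    report["addresses"] = sorted({info[4][0] for info in infos})
    for addr in report["addresses"]:
        try:
            with socket.create_connection((addr, port), timeout=3):  # assumed timeout
                report["reachable"] = True
                break
        except OSError as exc:
            report.setdefault("errors", []).append(f"{addr}: {exc}")
    return report


if __name__ == "__main__":
    uri = "ldap://sesswin2003.sesswin2003.com"  # the URI from the thread
    print(ldap_service_principal(uri, "SESSWIN2003.COM"))
    print(resolution_report(urlsplit(uri).hostname))
```

If the report shows the name resolving to an unexpected address or the port unreachable, fix that first; only once the TCP connection succeeds does a Wireshark capture of the bind become informative.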