kerberized OpenLDAP

Guillaume Rousse Guillaume.Rousse at inria.fr
Tue Mar 30 07:15:51 EDT 2010


Le 29/03/2010 10:26, Wolf-Agathon Schaly a écrit :
> If I leave the LDAP server listening on the TCP address of localhost (127.0.0.1) declips is cool.
> If I change the entry in /etc/openldap/ldap.conf from 
>   URI=ldap://127.0.0.1/ 
> to 
>   URI=ldap://10.1.1.1/
> I'm facing the same issue (gss_accept_sec_context) as on levante. 
> 
> 
> Is there somebody out there who can lead me to a solution. 
It seems like a name canonicalisation error to me, as you have a
multihomed setup, and the result varies with the IP address you're using.

You have to ensure the principal used in the LDAP server keytab (its SPN)
matches both the one used by clients when they ask for a service ticket (DNS
hostname for the IP address used in their /etc/openldap/ldap.conf files),
and the one used by the server itself (by default, the one returned by
gethostname(), otherwise, the one specified with the sasl_hostname directive
in its configuration file).

You may also check in the KDC logs which principals are requested by
clients.
-- 
BOFH excuse #11:

magnetic interference from money/credit cards
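
The principal-matching rule in the reply above, as an added worked example that is not part of the original thread: it models how a client derives the LDAP service principal from the URI in its ldap.conf (an IP literal is reverse-resolved, a hostname is used as given), how the server derives its own principal (sasl_hostname if set, otherwise gethostname()), and checks both against the keytab. The realm, hostnames, addresses and keytab contents are constructed for the example; the reverse-resolution table stands in for DNS PTR records and /etc/hosts on the multihomed server.

```python
"""Offline model of the SPN-matching check described in the reply above.

Added example, not code from the original post. Everything below (realm,
hostnames, addresses, keytab contents) is constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

REALM = "EXAMPLE.ORG"  # assumed realm

# Constructed reverse-resolution table standing in for DNS PTR records and
# /etc/hosts on a multihomed server: the loopback address maps to the
# canonical name, the second interface maps to a different name.
REVERSE = {
    "127.0.0.1": "ldap.example.org",
    "10.1.1.1": "ldap-backend.example.org",
}


def client_spn(uri, reverse=REVERSE, realm=REALM):
    """Principal a client asks the KDC for, given its ldap.conf URI."""
    host = urlsplit(uri).hostname
    if host is None:
        raise ValueError("URI has no host: %r" % uri)
    try:
        ipaddress.ip_address(host)
        # IP literal: the client library canonicalises it through a reverse
        # lookup (modeled here with the REVERSE table).
        host = reverse.get(host, host)
    except ValueError:
        pass  # already a hostname, used as given
    return "ldap/%s@%s" % (host.lower(), realm)


def server_spn(gethostname_result, sasl_hostname=None, realm=REALM):
    """Principal the server expects: sasl_hostname wins over gethostname()."""
    host = sasl_hostname or gethostname_result
    return "ldap/%s@%s" % (host.lower(), realm)


def diagnose(uri, keytab, gethostname_result, sasl_hostname=None, reverse=REVERSE):
    """Return both derived principals and the reasons the setup is inconsistent."""
    c = client_spn(uri, reverse)
    s = server_spn(gethostname_result, sasl_hostname)
    problems = []
    if c not in keytab:
        problems.append("client principal %s not in keytab" % c)
    if s not in keytab:
        problems.append("server principal %s not in keytab" % s)
    if c != s:
        problems.append("client principal %s != server principal %s" % (c, s))
    return {"client": c, "server": s, "ok": not problems, "problems": problems}


# Constructed keytab: only the canonical hostname's key was exported.
KEYTAB = {"ldap/ldap.example.org@EXAMPLE.ORG"}

if __name__ == "__main__":
    for uri in ("ldap://127.0.0.1/", "ldap://10.1.1.1/", "ldap://ldap.example.org/"):
        r = diagnose(uri, KEYTAB, "ldap.example.org")
        print(uri, "OK" if r["ok"] else "FAIL: " + "; ".join(r["problems"]))
```

Run as written, the loopback URI passes and the 10.1.1.1 URI fails with the client asking for ldap/ldap-backend.example.org, which is the symptom in the thread; pointing clients at the hostname instead of the address, or making the second address reverse-resolve to the canonical name, makes the check pass. On a real host the same three inputs come from `klist -kt` on the server keytab, the client's ldap.conf URI, and the server's hostname or sasl_hostname setting.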
