Howard Wilkinson wrote:
> I am new to Fedora DS and have installed 1.0.4 onto a Fedora Core 6 (+
> enhancements) build. I have built the install using the dsbuild
> operation and all seems to be working. I can authenticate to the
> system using the 'admin' user and the "CN=Directory Manager" identity.
> I have SSL working and now want to use our Kerberos environment to
> provide SSO to the server.
>
> Our Kerberos environment is based on an AD KDC and is supporting other
> applications successfully. We have created the 'ldap/...' service
> principal and imported it into the system keytab.
>
> First test with ldapsearch using GSSAPI fails with permission denied
> from the GSSAPI function. So I thought I would try the mapping
> facility as documented in the administration manual and set up to map
> the Kerberos identity to the correct search DN for the AD. As we only
> have the one Domain/Forest I set up a simple map that takes any name
> and maps to this DN. I then set up a referral inside the DS to point
> to the AD controllers in the hope that this would activate the
> necessary logic. No joy.
>
> Looking in the code for 'saslbind.c' it looks like the code only
> allows for locally registered users. If I am reading this right, does
> this mean my next step is to remove the referral and add a replica for
> the AD into my DS using the procedure outlined in the Administration
> Guide section "Windows Sync"?

Yes. I believe you have to have an entry associated with the principal in Fedora DS. So yes, you will have to sync your user information from AD to Fedora DS.

> In doing this will I have then enabled GSSAPI/Kerberos authentication
> or will I still be missing something? If I do this will I be causing
> problems in the future with other parts of the AD as I want to get
> referrals when the data is not held in the DS?

Well, it depends. What are you using Fedora DS for? Are you just using it as an authentication gateway to AD? If so, then you could probably just use something like pam_winbindd and skip Fedora DS altogether.

> (Given that I will be syncing users (and groups?) only). I can use OU
> trees for this and tie the referrals there of course, but then I will
> need to sync the entire CN=Users tree.
>
> I understand that I will need to create a separate DIT (root) for the
> AD data to ensure that I can sync to multiple domains in the future.
> Is this correct?

I'm not really sure. Can you explain more about your topology and how you want to use Fedora DS?

> Any advice or even a description of the set of steps that will make
> this dance work would be much appreciated.
>
> --
> Howard Wilkinson
> Coherent Technology Limited
> 23 Northampton Square, United Kingdom, EC1V 0HL
> Phone: +44(20)76907075
> Mobile: +44(7980)639379
> Email: howard at cohtech.com
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
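As an added illustration (not part of the thread, and not Fedora DS's own configuration), this is the shape of the SASL identity mapping Howard describes, written as LDIF for Fedora/389 DS; the realm EXAMPLE.COM, the synced suffix ou=People,dc=ad,dc=example,dc=com, and the use of uid as the account-name attribute are assumptions.

```ldif
# Added example: map an authenticated Kerberos principal such as
# jdoe@EXAMPLE.COM to the user's entry in Fedora DS.
# The regex capture \1 (the part before the realm) is substituted into
# the filter template; the search is then run under the base DN template
# in the server's OWN directory tree. That is why the entry must exist
# locally (for example, synced from AD via Windows Sync): a referral to
# the AD controllers is not followed during this lookup, and with no
# matching local entry the GSSAPI bind is refused.
# Realm, suffix and attribute name below are assumed values.
dn: cn=ad-kerberos-map,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: ad-kerberos-map
nsSaslMapRegexString: \(.*\)@EXAMPLE\.COM
nsSaslMapBaseDNTemplate: ou=People,dc=ad,dc=example,dc=com
nsSaslMapFilterTemplate: (uid=\1)
```

Anchoring the regex on the realm, rather than accepting any name, keeps a principal from a different realm from being mapped onto a local account that happens to share its short name.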