Richard Megginson wrote:
> Howard Wilkinson wrote:
>> I am new to Fedora DS and have installed 1.0.4 onto a Fedora Core 6
>> (+ enhancements) build. I have built the install using the dsbuild
>> operation and all seems to be working. I can authenticate to the
>> system using the 'admin' user and the "CN=Directory Manager"
>> identity. I have SSL working and now want to use our Kerberos
>> environment to provide SSO to the server.
>>
>> Our Kerberos environment is based on an AD KDC and is supporting
>> other applications successfully. We have created the 'ldap/...'
>> service principal and imported it into the system keytab.
>>
>> First test with ldapsearch using GSSAPI fails with permission denied
>> from the GSSAPI function. So I thought I would try the mapping
>> facility as documented in the administration manual and set up to map
>> the Kerberos identity to the correct search DN for the AD. As we only
>> have the one Domain/Forest I set up a simple map that takes any name
>> and maps to this DN. I then set up a referral inside the DS to point
>> to the AD controllers in the hope that this would activate the
>> necessary logic. No joy.
>>
>> Looking in the code for 'saslbind.c' it looks like the code only
>> allows for locally registered users. If I am reading this right, does
>> this mean my next step is to remove the referral and add a replica
>> for the AD into my DS using the procedure outlined in the
>> Administration Guide section "Windows Sync"?
> Yes. I believe you have to have an entry associated with the
> principal in Fedora DS. So yes, you will have to sync your user
> information from AD to Fedora DS.
>> In doing this will I have then enabled GSSAPI/Kerberos authentication
>> or will I still be missing something? If I do this will I be causing
>> problems in the future with other parts of the AD as I want to get
>> referrals when the data is not held in the DS?
> Well, it depends. What are you using Fedora DS for? Are you just
> using it as an authentication gateway to AD? If so, then you could
> probably just use something like pam_winbindd and skip Fedora DS
> altogether.
>> (Given that I will be syncing users (and groups?) only). I can use OU
>> trees for this and tie the referrals there of course, but then I will
>> need to sync the entire CN=Users tree.
>>
>> I understand that I will need to create a separate DIT (root) for the
>> AD data to ensure that I can sync to multiple domains in the future,
>> is this correct?
> I'm not really sure. Can you explain more about your topology and how
> you want to use Fedora DS?
>>
>> Any advice or even a description of the set of steps that will make
>> this dance work would be much appreciated.
>> --
>> Howard Wilkinson
>> Coherent Technology Limited
>> 23 Northampton Square, United Kingdom, EC1V 0HL
>> Phone: +44(20)76907075  Mobile: +44(7980)639379
>> Email: howard at cohtech.com
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Richard,

I am implementing the Fedora DS to provide data from other domains than my AD. So I have other roots in the Directory Store already. I also will be storing additional information for users in the DS to support RADIUS and other applications. However, our primary authentication store is on Windows 2003 using the KDC. I have users who have Kerberos tickets granted and can do GSSAPI exchanges with the AD to retrieve LDAP results.

The DS has a map which I believe should take a Kerberos/GSSAPI identity and map it to an LDAP lookup. I have arranged for users to be synchronised using the Windows Sync and am trying to match on uid=<samAccountName>,OU=People,DC=example,DC=com for the user. From the debug logs I am not sure that the DS is doing the GSSAPI lookup or executing the maps, but I get a permission denied response with 'ldap_sasl_interactive_bind_s: Invalid credentials (49)' as the primary message.

I am not sure where to look next unless what I need to do is to add some ACLs for the users; currently I just want to get ldapsearch working with Kerberos.

Howard.
--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, United Kingdom, EC1V 0HL
Phone: +44(20)76907075  Mobile: +44(7980)639379
Email: howard at cohtech.com
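The two halves of the thread above (the mapping facility Howard configured, and Richard's point that the principal must have an entry in Fedora DS) are easier to reason about with the mapping written out. The following is an added illustration and not code from Fedora DS or from either poster: it models how a SASL identity map turns a Kerberos principal into a base DN and search filter and then requires exactly one matching entry. The attribute names (nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate, objectClass nsSaslMapping under cn=mapping,cn=sasl,cn=config) are the ones the Fedora/389 DS SASL mapping entries use; the mapping entry, the regex dialect (Python's `re`, not the server's) and the directory contents are constructed assumptions.

```python
"""Model of SASL identity mapping: principal -> (base DN, filter) -> entry.

Added illustration, not Fedora DS code.  The regex uses Python syntax; the
server's own dialect and placeholder handling are not reproduced here.
"""
import re

# Constructed mapping entry, laid out like a cn=mapping,cn=sasl,cn=config
# entry.  Any principal in the EXAMPLE.COM realm is looked up by uid under
# ou=People.
MAPPING_LDIF = """\
dn: cn=AD principals,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: AD principals
nsSaslMapRegexString: ^(.*)@EXAMPLE\\.COM$
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (uid=\\1)
"""

# Constructed directory contents: the entries Windows Sync would have
# copied into Fedora DS.  'bob' exists in AD but was never synced.
DIRECTORY = {
    "uid=howard,ou=People,dc=example,dc=com": {"uid": "howard", "cn": "Howard Wilkinson"},
    "uid=alice,ou=People,dc=example,dc=com": {"uid": "alice", "cn": "Alice Example"},
}


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]} (no continuation lines)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def apply_map(mapping, principal):
    """Return (base_dn, filter) for the principal, or None if the regex does not match."""
    regex = mapping["nsSaslMapRegexString"][0]
    m = re.match(regex, principal)
    if m is None:
        return None
    # \1, \2 ... in the templates are filled from the regex groups.
    base_dn = m.expand(mapping["nsSaslMapBaseDNTemplate"][0])
    filt = m.expand(mapping["nsSaslMapFilterTemplate"][0])
    return base_dn, filt


def search(base_dn, filt):
    """Minimal subtree search supporting only a single (attr=value) equality filter.

    uid uses caseIgnoreMatch in LDAP, so values are compared case-insensitively.
    """
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if m is None:
        raise ValueError("only (attr=value) filters are modelled")
    attr, value = m.group(1), m.group(2).lower()
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and entry.get(attr, "").lower() == value]


def resolve_principal(principal, ldif=MAPPING_LDIF):
    """Return the DN a bind would be mapped to, or None if the bind would fail.

    None covers both failure modes seen in the thread: no map matches the
    principal, or the map yields zero (unsynced user) or several entries.
    """
    mapping = parse_ldif_entry(ldif)
    hit = apply_map(mapping, principal)
    if hit is None:
        return None
    matches = search(*hit)
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for p in ("howard@EXAMPLE.COM", "bob@EXAMPLE.COM", "howard@OTHER.COM"):
        print(f"{p:22} -> {resolve_principal(p)}")
```

Running it shows the practical consequence of Richard's answer: a principal whose user has been synced resolves to a DN, while an AD user that was never synced (or a principal from a realm no map covers) resolves to nothing, which is the point at which the server reports the bind as invalid credentials rather than consulting a referral.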