John Robert Mendoza wrote:
> Actually I use the
>
> #/usr/lib/mozldap/ldapsearch
>
> There is no option for the -Y.
>
> I can bind using GSSAPI by this command
>
> #/usr/lib/mozldap/ldapsearch -o "mech=GSSAPI" -b "my suffix" objectclass=*
>
That's the same as using /usr/bin/ldapsearch with -Y GSSAPI

If you use klist, do you see your correct principal with the correct expiration?
>
> and it outputs this error
>
> ldapsearch: started Mon Jul 20 16:33:07 2009
>
> ldap_init( localhost, 389 )
> Bind Error: Invalid credentials
> Bind Error: additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Permission denied)
>
Check the directory server access and error logs for more information. You might need to configure the SASL mapping. In order to do a SASL/GSSAPI BIND to the directory server, you must have a real entry in the directory server that corresponds to your Kerberos principal. That is, you must configure the directory server to map richm@EXAMPLE.COM (the Kerberos principal) to uid=richm,ou=people,dc=example,dc=com (the LDAP entry). This is done with SASL mapping.
http://directory.fedoraproject.org/wiki/Howto:Kerberos
>
> Thanks for your reply.
>
> John Robert Mendoza
>
> --- On *Mon, 7/20/09, Andrey Ivanov /<andrey.ivanov at polytechnique.fr>/* wrote:
>
>     From: Andrey Ivanov <andrey.ivanov at polytechnique.fr>
>     Subject: Re: [389-users] MIT Kerberos and FDS integration
>     To: "General discussion list for the 389 Directory server project." <fedora-directory-users at redhat.com>
>     Date: Monday, 20 July, 2009, 2:06 PM
>
>     Hi,
>
>     kinit myusername
>     ldapsearch -Y GSSAPI -h ldap.example.com -b "<your suffix>" objectClass=*
>     SASL/GSSAPI authentication started
>     SASL username: <myusername>@KERBEROS.REALM
>     SASL SSF: 56
>     SASL installing layers
>     # extended LDIF
>     #
>     # LDAPv3
>     # base <your suffix> with scope subtree
>     # filter: objectClass=*
>     # requesting: ALL
>     #
>     ...
>
>     2009/7/20 John Robert Mendoza <jrobertm8 at yahoo.com>:
>     > Hi to all!
>     >
>     > I am currently setting up an integration with the FDS and Kerberos.
>     >
>     > I have successfully set up both independently and verified them to be working
>     > independently.
>     >
>     > How do I know that I have successfully bound FDS and Kerberos?
>     > How can I verify it?
>     >
>     > I am using Fedora 1.2.0 and Kerberos 1.6.3...
>     >
>     > John Robert Mendoza
>     > --
>     > 389 users mailing list
>     > 389-users at redhat.com
>     > https://www.redhat.com/mailman/listinfo/fedora-directory-users
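
Added example (not part of the original thread and not 389 Directory Server code): a small Python model of the SASL mapping the reply describes, showing how a Kerberos principal is turned into the LDAP search that must find exactly one entry, and what happens when no map matches. The map name and values are constructed from the example.com names above; whole-string matching and the filter escaping are assumptions of this model.

```python
import re

# Constructed sample: attribute names are those of a 389 DS nsSaslMapping
# entry; the values are assumptions matching the example.com names above.
SASL_MAP = {
    "cn": "example-realm-map",
    "nsSaslMapRegexString": r"\(.*\)@EXAMPLE\.COM",
    "nsSaslMapBaseDNTemplate": "ou=people,dc=example,dc=com",
    "nsSaslMapFilterTemplate": r"(uid=\1)",
}

def to_ldif(mapping):
    """Render the mapping as an entry under cn=mapping,cn=sasl,cn=config."""
    lines = [f"dn: cn={mapping['cn']},cn=mapping,cn=sasl,cn=config",
             "objectClass: top", "objectClass: nsSaslMapping"]
    lines += [f"{attr}: {value}" for attr, value in mapping.items()]
    return "\n".join(lines) + "\n"

def _escape_filter(value):
    """RFC 4515 escaping so a captured name cannot alter the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def resolve(principal, mapping):
    """Return (search base, filter) for a principal, or None if no match."""
    # The mapping attribute writes groups as \( \); Python writes them ( ).
    pattern = mapping["nsSaslMapRegexString"].replace(r"\(", "(").replace(r"\)", ")")
    m = re.fullmatch(pattern, principal)  # assumption: whole-string match
    if m is None:
        return None  # in this model: no map matched, so no entry to bind as

    def expand(template, esc):
        # Substitute \1..\9 with the corresponding captured group.
        return re.sub(r"\\(\d)", lambda g: esc(m.group(int(g.group(1)))), template)

    base = expand(mapping["nsSaslMapBaseDNTemplate"], lambda s: s)
    return base, expand(mapping["nsSaslMapFilterTemplate"], _escape_filter)

if __name__ == "__main__":
    print(to_ldif(SASL_MAP))
    # Constructed principals: one in the mapped realm, one outside it.
    for p in ("richm@EXAMPLE.COM", "richm@OTHER.REALM"):
        print(p, "->", resolve(p, SASL_MAP))
```

Anchoring the realm in the regular expression keeps principals from any other realm from resolving to a local uid.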