Re: [389-users] MIT Kerberos and FDS integration

John Robert Mendoza wrote:
Actually I use the

#/usr/lib/mozldap/ldapsearch

There is no option for the -Y.

I can bind using GSSAPI by this command

#/usr/lib/mozldap/ldapsearch -o "mech=GSSAPI" -b "my suffix" objectclass=*


That's the same as using /usr/bin/ldapsearch with -Y GSSAPI

If you use klist, do you see your correct principal with the correct expiration?

and it outputs this error

ldapsearch: started Mon Jul 20 16:33:07 2009

ldap_init( localhost, 389 )
Bind Error: Invalid credentials
Bind Error: additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)

Check the directory server access and error logs for more information.

You might need to configure the SASL mapping. In order to do a SASL/GSSAPI BIND to the directory server, you must have a real entry in the directory server that corresponds to your Kerberos principal. That is, you must configure the directory server to map richm@xxxxxxxxxxx (the Kerberos principal) to uid=richm,ou=people,dc=example,dc=com (the LDAP entry). This is done with SASL mapping.
http://directory.fedoraproject.org/wiki/Howto:Kerberos

Thanks for your reply.




John Robert Mendoza

--- On *Mon, 7/20/09, Andrey Ivanov /<andrey.ivanov@xxxxxxxxxxxxxxxx>/* wrote:


    From: Andrey Ivanov <andrey.ivanov@xxxxxxxxxxxxxxxx>
    Subject: Re: [389-users] MIT Kerberos and FDS integration
    To: "General discussion list for the 389 Directory server
    project." <fedora-directory-users@xxxxxxxxxx>
    Date: Monday, 20 July, 2009, 2:06 PM

    Hi,


    kinit myusername
    ldapsearch -Y GSSAPI -h ldap.example.com -b "<your suffix>" objectClass=*
    SASL/GSSAPI authentication started
    SASL username: <myusername>@KERBEROS.REALM
    SASL SSF: 56
    SASL installing layers
    # extended LDIF
    #
    # LDAPv3
    # base <your suffix> with scope subtree
    # filter:  objectClass=*
    # requesting: ALL
    #
    ...



    2009/7/20 John Robert Mendoza <jrobertm8@xxxxxxxxx>:
    > Hi to all!
    >
    > I am currently setting up an integration with the FDS and Kerberos.
    >
    > I have successfully set up both independently and verified them to be working
    > independently.
    >
    > How do I know that I have successfully bound FDS and Kerberos?
    > How can I verify it?
    >
    > I am using Fedora 1.2.0 and Kerberos 1.6.3...
    >
    >
    > John Robert Mendoza
    > --
    > 389 users mailing list
    > 389-users@xxxxxxxxxx
    > https://www.redhat.com/mailman/listinfo/fedora-directory-users
    >
    >


--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
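The SASL mapping described in the reply above, written out as an added example (not part of the original thread or of the project's documentation). The realm EXAMPLE.COM and the entry name example-realm-map are assumptions; the suffix and the uid=richm entry are the ones used in the reply.

```ldif
# Added example: SASL identity mapping for 389 Directory Server.
# Feed to ldapmodify while bound as the Directory Manager.
#
# Assumptions (constructed, not from the thread):
#   - Kerberos realm is EXAMPLE.COM
#   - mapping entry is named example-realm-map
#   - user entries live under ou=people,dc=example,dc=com and carry a uid
#     equal to the user part of the principal
#
# How the mapping is applied to a GSSAPI bind:
#   nsSaslMapRegexString    matched against the authenticated principal,
#                           e.g. richm@EXAMPLE.COM; \1 captures "richm"
#   nsSaslMapBaseDNTemplate search base used to locate the LDAP entry
#   nsSaslMapFilterTemplate search filter; it must match exactly one entry,
#                           here uid=richm,ou=people,dc=example,dc=com
#
# If no mapping matches the principal, or the search finds no entry or more
# than one, the bind is rejected even though the Kerberos ticket is valid.
dn: cn=example-realm-map,cn=mapping,cn=sasl,cn=config
changetype: add
objectClass: top
objectClass: nsSaslMapping
cn: example-realm-map
nsSaslMapRegexString: \(.*\)@EXAMPLE\.COM
nsSaslMapBaseDNTemplate: ou=people,dc=example,dc=com
nsSaslMapFilterTemplate: (uid=\1)
```

Anchoring the regex to a single realm keeps principals from any other realm from being mapped onto local entries. After the mapping is in place, repeat the GSSAPI ldapsearch and check the access log to confirm the bind resolves to the mapped entry's DN.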
