On Jan 7, 2008, at 12:06 AM, sanjay gupta wrote:
It seems that the LDAP server does not have GSSAPI available.
So how can we add GSSAPI support to the LDAP server to make it work?
Do you have other services at your site that authenticate with Kerberos? The software may be ready to go, but you'll still need an "ldap" service principal, in a keytab. You might need some configuration for domain/realm mapping, depending on the DNS situation.
Little of this stuff will appear in the LDAP logs, even with debugging on, because it's buried in a SASL layer that's designed to confuse the issue. It might be better, if slapd doesn't work right away, to experiment with a sample server and client like the "gss-server" that comes with the Kerberos distribution. Pay attention to what keys you have for the server (as root, klist -k), tickets you acquire during the experiment (klist), requests to the Kerberos KDC (syslog local3), file access times to krb5.keytab and krb5.conf.
Donn Cave, donn@u.washington.edu
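
The two prerequisites named in the reply above (an "ldap" service principal in the keytab, and a domain/realm mapping that agrees with it) can be checked offline from `klist -k` output and the `[domain_realm]` section of krb5.conf. This is an added example, not part of the original message: the function names, hosts and realms are constructed, and the fallback of upper-casing the host's domain is an assumed default.

```shell
#!/bin/sh
# Added example: names, hosts and realms below are constructed.

# realm_for_host FQDN  (krb5.conf text on stdin)
# Exact host entry wins, then the longest matching ".domain" entry;
# fallback (assumed default) is the upper-cased domain part of the host.
realm_for_host() {
  awk -v host="$1" '
    BEGIN { host = tolower(host) }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { in_dr = ($0 ~ /\[domain_realm\]/); next }
    in_dr && /=/ {
      split($0, kv, "="); gsub(/[ \t\r]/, "", kv[1]); gsub(/[ \t\r]/, "", kv[2])
      key = tolower(kv[1]); n = length(key)
      if (key == host) exact = kv[2]
      else if (substr(key, 1, 1) == "." && length(host) > n && n > best_len &&
               substr(host, length(host) - n + 1) == key) { best = kv[2]; best_len = n }
    }
    END {
      if (exact != "") print exact
      else if (best != "") print best
      else { sub(/^[^.]*\./, "", host); print toupper(host) }
    }'
}

# has_service_key SERVICE FQDN REALM  (plain `klist -k` output on stdin)
has_service_key() {
  awk -v want="$1/$2@$3" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                          END { exit !found }'
}

# check_ldap_principal FQDN KRB5_CONF_TEXT KLIST_TEXT
check_ldap_principal() {
  _host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  _realm=$(printf '%s\n' "$2" | realm_for_host "$_host")
  if printf '%s\n' "$3" | has_service_key ldap "$_host" "$_realm"; then
    echo "ok ldap/$_host@$_realm"
  else
    echo "missing ldap/$_host@$_realm"; return 1
  fi
}

SAMPLE_CONF='[domain_realm]
    .dir.example.org = DIR.EXAMPLE.ORG
    .example.org = EXAMPLE.ORG'
SAMPLE_KLIST='KVNO Principal
   3 host/ldap1.dir.example.org@DIR.EXAMPLE.ORG
   3 ldap/ldap1.dir.example.org@EXAMPLE.ORG'
# The ldap key is in the wrong realm for this host, so this reports "missing".
check_ldap_principal ldap1.dir.example.org "$SAMPLE_CONF" "$SAMPLE_KLIST" || true
```

On a real server, pass the host's FQDN, the contents of its krb5.conf, and the output of `klist -k` run as root in place of the sample strings.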