On 10/02/10 23:41 -0600, huican ping wrote:
This is a dummy question. I have only just come into contact with sasl+krb5 with ldap. Can anyone kindly tell me how to make ldapsearch work from another machine? E.g., what kind of setup/procedure should I do on the other machine before I can do ldapsearch with gssapi effectively?
http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/OpenLdapSaslGssapi
Output when run on the other machine:
/tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001 -Y gssapi -U admin -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 7)
I don't know what "Unknown code krb5 7" means, but I would make sure:
- You have a local credentials cache (klist)
- You have received a ticket for the LDAP service principal
- You are referencing the server using the same name as its service principal
- You have forward and reverse DNS set up for both the server and client
I'm guessing that '-h 10.230.34.88' is incorrect. I would recommend referencing the server by DNS name, unless the server really is using a service principal with that IP address.
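As an added illustration (not part of the original reply, and not from the Cyrus project), here is a small POSIX shell pre-flight script that walks the client-side checklist above before attempting the GSSAPI bind. It assumes MIT Kerberos client tools (klist) and getent are installed; the hostname and realm passed in are placeholders you substitute for your own.

```shell
#!/bin/sh
# Pre-flight checks for "ldapsearch -Y GSSAPI" from a client host (added example).
# Assumes MIT Kerberos client tools (klist) and getent; host/realm are placeholders.

# Return 0 if $1 is a dotted-quad IP literal (the "-h 10.230.34.88" case). GSSAPI
# would then ask the KDC for ldap/10.230.34.88@REALM, which normally does not exist.
is_ip_literal() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Print the service principal the client will request for host $1 in realm $2.
# Assumes the name is already the canonical FQDN; it is lower-cased as the KDC expects.
ldap_service_principal() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf 'ldap/%s@%s\n' "$host" "$2"
}

# Return 0 if klist output on stdin already contains a ticket for principal $1.
# (The service ticket only appears after a first successful bind; before that,
# the credentials cache should at least hold the krbtgt/REALM@REALM TGT.)
has_ticket_for() {
  grep -Fq -- "$1"
}

# Return 0 if forward and reverse DNS agree for host $1 (requires getent; live lookup).
dns_round_trip() {
  ip=$(getent hosts "$1" | awk '{print $1; exit}')
  [ -n "$ip" ] || return 1
  rev=$(getent hosts "$ip" | awk '{print $2; exit}' | tr 'A-Z' 'a-z')
  [ "$rev" = "$1" ]
}

# preflight HOST REALM: run every check and print the ldapsearch line to use.
preflight() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); realm=$2
  if is_ip_literal "$host"; then
    echo "WARN: -h $host is an IP literal; reference the server by its DNS name" >&2
    return 1
  fi
  klist >/dev/null 2>&1 || { echo "WARN: no credentials cache; run kinit first" >&2; return 1; }
  princ=$(ldap_service_principal "$host" "$realm")
  klist 2>/dev/null | has_ticket_for "$princ" \
    || echo "INFO: no ticket for $princ cached yet; it is fetched during the bind" >&2
  dns_round_trip "$host" || { echo "WARN: forward/reverse DNS mismatch for $host" >&2; return 1; }
  echo "OK: ldapsearch -h $host -p 9001 -Y GSSAPI -b 'ou=People,o=Acme' '(objectclass=*)'"
}

if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it as `sh preflight.sh ldap.example.com EXAMPLE.COM` from the client; each WARN corresponds to one item in the checklist above.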