ldapsearch with debugging enabled and see what it's doing:

[root@localhost tools]# ./ldapsearch -Y GSSAPI -d 1
ldap_create
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=localhost.localdomain
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found

It seems that the LDAP server does not have GSSAPI available.
So how can we add GSSAPI support to the LDAP server to make it work?

Thanks,
Sanjay
----- Original Message ----
From: Buchan Milne bgmilne@staff.telkomsa.net
To: openldap-software@openldap.org
Cc: sanjay gupta sanjay_cs1983@yahoo.com
Sent: Monday, January 7, 2008 1:29:22 PM
Subject: Re: LDAP Client & Server with Kerberos
On Friday 04 January 2008 16:46:40 sanjay gupta wrote:
Hello,

I have done a default compilation of openldap-2.3.38 and am now trying to run the ldap client (ldapsearch) with Kerberos so that the ldap client can use a session ticket to perform the LDAP lookup on the LDAP server. Please let me know what is required to make the ldap client work with kerberos.

I did not see any option to compile & build the openldap lib with kerberos support & when I do ldapsearch with the -K option it shows the error "ldapsearch: not compiled with Kerberos support".
$ ldapsearch
(specifically no -x flag, as you want SASL).
should be sufficient, assuming all your configuration is correct, you have a ticket, and the LDAP server has a keytab for ldap/$hostname, where you are connecting to '$hostname' (in your ldap.conf, or via -h $hostname).
Of course, some logging output from your LDAP server, and the KDCs the LDAP server and LDAP clients are configured to use would help.
Please suggest to me the right way to do ldapsearch with kerberos support, or what client & server command line options are required to run it with kerberos.
Without -x, ldapsearch will use SASL. Additionally, ldapsearch will try and do the most appropriate thing, with a ticket, if your LDAP server has GSSAPI available (and advertised as one of the supportedSASLMechanisms).
Regards, Buchan
On Monday 07 January 2008 10:06:40 sanjay gupta wrote:
ldapsearch with debugging enabled and see what it's doing:

Well, debugging is unnecessary, as the normal output provides everything useful ...

[root@localhost tools]# ./ldapsearch -Y GSSAPI -d 1
ldap_create
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=localhost.localdomain
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found

It seems that the LDAP server does not have GSSAPI available.
So how can we add GSSAPI support to the LDAP server to make it work?
If you provide more information (OS/distro etc.) you may get more help, but most likely the SASL GSSAPI plugin is not installed. On some Linux distributions, SASL plugins are shipped as separate packages, 'yum search sasl' or 'apt-cache search sasl' or 'urpmq -y sasl' may lead you to the right package to install.
Regards,
Buchan
--On January 7, 2008 12:06:40 AM -0800 sanjay gupta sanjay_cs1983@yahoo.com wrote:
ldapsearch with debugging enabled and see what it's doing:

[root@localhost tools]# ./ldapsearch -Y GSSAPI -d 1
ldap_create
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=localhost.localdomain
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found

It seems that the LDAP server does not have GSSAPI available.
So how can we add GSSAPI support to the LDAP server to make it work?

SASL mechanism support is determined by what mechanisms Cyrus-sasl has available to it. Install the appropriate SASL mechanisms package on your particular distribution, or if you are building it yourself, make sure you've built cyrus-sasl against a Kerberos implementation.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
--On January 7, 2008 12:06:40 AM -0800 sanjay gupta sanjay_cs1983@yahoo.com wrote:
ldapsearch with debugging enabled and see what it's doing:

[root@localhost tools]# ./ldapsearch -Y GSSAPI -d 1
ldap_create
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=localhost.localdomain
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found

It seems that the LDAP server does not have GSSAPI available.
So how can we add GSSAPI support to the LDAP server to make it work?

SASL mechanism support is determined by what mechanisms Cyrus-sasl has available to it. Install the appropriate SASL mechanisms package on your particular distribution, or if you are building it yourself, make sure you've built cyrus-sasl against a Kerberos implementation.
Sanjay,
The cyrus sasl pluginviewer (called saslpluginviewer on my system) will list the installed plugins. You should see a client side plugin implementing the GSSAPI mechanism if you have sasl compiled for GSSAPI and installed correctly.
Also, however unlikely, you may have configured a sasl service file explicitly defining (restricting) which SASL mechanisms to use. On my system, that file is /usr/lib/sasl2/slapd.conf. You can specify the mechanisms to use with a statement like:
mech_list: GSSAPI DIGEST-MD5 PLAIN
If not specified, I believe all server side mechanisms are offered by default.
- Dan White
BTC Broadband
On Jan 7, 2008, at 12:06 AM, sanjay gupta wrote:
It seems that the LDAP server does not have GSSAPI available.
So how can we add GSSAPI support to the LDAP server to make it work?
Do you have other services at your site that authenticate with Kerberos? The software may be ready to go, but you'll still need an "ldap" service principal, in a keytab. You might need some configuration for domain/realm mapping, depending on the DNS situation.
Little of this stuff will appear in the LDAP logs, even with debugging on, because it's buried in a SASL layer that's designed to confuse the issue. It might be better, if slapd doesn't work right away, to experiment with a sample server and client like the "gss-server" that comes with the Kerberos distribution. Pay attention to what keys you have for the server (as root, klist -k), tickets you acquire during the experiment (klist), requests to the Kerberos KDC (syslog local3), file access times to krb5.keytab and krb5.conf.
Donn Cave, donn@u.washington.edu
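A small diagnostic script that pulls together the checks suggested in this thread: Buchan's point that GSSAPI must be advertised in supportedSASLMechanisms, Dan White's pluginviewer and mech_list checks, and Donn Cave's klist -k keytab check. This is an added example, not code from any poster or from OpenLDAP; it assumes ldapsearch, saslpluginviewer (or pluginviewer) and klist are on PATH, and each checker reads its command's output on stdin so it can also be run over captured text.

```shell
#!/bin/sh
# Added diagnostic helpers (example code, not from the thread or OpenLDAP).
# Each *_check function reads command output on stdin; the run_* wrappers feed
# it the live command. HOST is whatever the client's ldap.conf or -h points at.

# 1. Server side: is GSSAPI advertised in the rootDSE's supportedSASLMechanisms?
#    Input: LDIF from an anonymous (-x) base search, which works even when SASL is broken.
gssapi_advertised() {
    mechs=$(sed -n 's/^supportedSASLMechanisms: //p')
    printf 'advertised SASL mechanisms: %s\n' "$(printf '%s' "$mechs" | tr '\n' ' ')"
    printf '%s\n' "$mechs" | grep -qx 'GSSAPI'
}
run_gssapi_advertised() {
    ldapsearch -x -LLL -h "$1" -s base -b '' supportedSASLMechanisms | gssapi_advertised
}

# 2. Client side: does the Cyrus SASL library have a GSSAPI client plugin installed?
#    Input: output of "saslpluginviewer -c" (the binary name varies by distribution).
gssapi_plugin_present() {
    grep -q 'GSSAPI'
}
run_gssapi_plugin_present() {
    viewer=$(command -v saslpluginviewer || command -v pluginviewer) || return 1
    "$viewer" -c 2>/dev/null | gssapi_plugin_present
}

# 3. SASL service file (e.g. /usr/lib/sasl2/slapd.conf): an explicit mech_list that omits
#    GSSAPI hides the mechanism even when the plugin is installed. No mech_list means all.
mech_list_allows_gssapi() {
    list=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p')
    [ -z "$list" ] && return 0
    printf '%s\n' "$list" | tr ' ' '\n' | grep -qix 'GSSAPI'
}

# 4. Kerberos side: does the server keytab hold the ldap/<host> service principal?
#    Input: output of "klist -k", run as root on the LDAP server.
keytab_has_ldap_principal() {
    grep -q "[[:space:]]ldap/$1@"
}
run_keytab_has_ldap_principal() {
    klist -k 2>/dev/null | keytab_has_ldap_principal "$1"
}

# Typical use on the server, e.g.:
#   run_gssapi_advertised ldap.example.com && run_keytab_has_ldap_principal ldap.example.com
```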
--On January 7, 2008 9:11:56 AM -0800 Donn Cave donn@u.washington.edu wrote:
On Jan 7, 2008, at 12:06 AM, sanjay gupta wrote:
It seems that the LDAP server does not have GSSAPI available.
So how can we add GSSAPI support to the LDAP server to make it work?
Given that SASL/GSSAPI isn't listed as one of the supported mechanisms by the LDAP server, they are not anywhere along far enough to be able to use the helpful advice you've offered. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration