Hello all,
Finally I have "openldap-2.2.5 + cyrus-sasl-2.1.23 + krb5-1.6.3" running on my AS5_64 machine. But now I can only do ldapsearch with GSSAPI on the same machine where slapd and the rest of the suite are running; if I run it from another machine, it fails with (Unknown code krb5 7). Of course, simple auth works well.
This is a dumb question; I have only just come into contact with sasl+krb5 with ldap. Can any kind people tell me how to make ldapsearch work from another machine? E.g., what setup/procedure should I do on the other machine before I can do ldapsearch with gssapi effectively?
FYI, on the other machine I have the same versions of "cyrus+krb5+openldap" installed, so I think ldapsearch links to enough libraries to do sasl.
Output when run on the different machine
=============================
/tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001 -Y gssapi -U admin -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)
Run on the same machine, it seems to work.
=======================
/tmp_proj/test/cyrus-sasl-2.1.23/sample>kinit lablogin
Password for lablogin@IC.ACME.COM:

/tmp_proj/test/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001 -Y gssapi -U admina@iclab062.ic.acme.com -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
SASL/GSSAPI authentication started
SASL username: lablogin@IC.ACME.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <sn=admin,ou=People,o=Acme> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# admin, People, Acme
dn: sn=admin,ou=People,o=Acme
objectClass: top
objectClass: person
objectClass: organizationalPerson
userPassword:: e1NTSEF9bGZMNXZNNFR1T1VrSm51eVk3RGJWODJFUUpvYVRNWWY=
cn: Administrator
sn: admin

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
On 10/02/10 23:41 -0600, huican ping wrote:
> This is a dumb question; I have only just come into contact with sasl+krb5 with ldap. Can any kind people tell me how to make ldapsearch work from another machine? E.g., what setup/procedure should I do on the other machine before I can do ldapsearch with gssapi effectively?

http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/OpenLdapSaslGssapi

> Output when run on the different machine
> /tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001 -Y gssapi -U admin -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)

I don't know what "Unknown code krb5 7" means, but I would make sure:

- You have a local credentials cache (klist)
- You have received a ticket for the LDAP service principal
- You are referencing the server using the same name as its service principal
- You have forward and reverse DNS set up for both the server and client

I'm guessing that '-h 10.230.34.88' is incorrect. I would recommend referencing the server by DNS name, unless the server really is using a service principal with that IP address.
Hello Dan,
Sorry for my ignorance of the openldap GSSAPI mechanism. I just tried again and I think I found out why.
On the other machine, I needed to configure the realms in /etc/krb5.conf so the machine knows where the KDC is. After that, I ran "kinit user", and then ldapsearch worked fine.
Thank you a lot for your reply.
On Thu, Feb 11, 2010 at 12:38 PM, Dan White dwhite@olp.net wrote:
> On 10/02/10 23:41 -0600, huican ping wrote:
> > This is a dumb question; I have only just come into contact with sasl+krb5 with ldap. Can any kind people tell me how to make ldapsearch work from another machine? E.g., what setup/procedure should I do on the other machine before I can do ldapsearch with gssapi effectively?
>
> http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/OpenLdapSaslGssapi
>
> > Output when run on the different machine
> > /tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001 -Y gssapi -U admin -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> >         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 7)
>
> I don't know what "Unknown code krb5 7" means, but I would make sure:
>
> - You have a local credentials cache (klist)
> - You have received a ticket for the LDAP service principal
> - You are referencing the server using the same name as its service principal
> - You have forward and reverse DNS set up for both the server and client
>
> I'm guessing that '-h 10.230.34.88' is incorrect. I would recommend referencing the server by DNS name, unless the server really is using a service principal with that IP address.
>
> --
> Dan White
openldap-software@openldap.org
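As an added example (not code from the thread or from OpenLDAP/Cyrus), a shell pre-flight script that checks the points Dan lists and the realm/kdc entry in /etc/krb5.conf that huican had to add before kinit and a GSSAPI bind could work from a second machine. It parses a constructed krb5.conf and a constructed klist listing; IC.ACME.COM is the realm seen in the thread, while kdc.ic.acme.com and ldap.ic.acme.com are assumed host names.

```shell
# Pre-flight checks for "ldapsearch -Y gssapi" from a second client machine.
# Added example, not from the thread; both sample texts below are constructed
# and the kdc/ldap host names are assumptions.

# Constructed /etc/krb5.conf: the realm block must name a kdc, otherwise
# kinit has no KDC to talk to (the missing piece reported in the thread).
KRB5_CONF='[libdefaults]
 default_realm = IC.ACME.COM

[realms]
 IC.ACME.COM = {
  kdc = kdc.ic.acme.com
 }'

# Constructed klist output after kinit and one GSSAPI bind to the server.
KLIST_OUT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: lablogin@IC.ACME.COM

Valid starting     Expires            Service principal
02/11/10 12:00:00  02/11/10 22:00:00  krbtgt/IC.ACME.COM@IC.ACME.COM
02/11/10 12:00:05  02/11/10 22:00:00  ldap/ldap.ic.acme.com@IC.ACME.COM'
# kdc_for_realm CONF REALM: print the kdc(s) of REALM; exit 1 if none set.
kdc_for_realm() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && $1 == "}"   { inblock = 0 }
        inblock && $1 == "kdc" { print $3; found = 1 }
        END { if (!found) exit 1 }'
}

# has_credentials KLIST: exit 0 if the cache holds a TGT (klist shows one).
has_credentials() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# has_ldap_ticket KLIST HOST: exit 0 if a ticket for ldap/HOST is cached.
# The principal carries the server's DNS name, so "-h 10.230.34.88" can
# never match it; the client must reference the server by that name.
has_ldap_ticket() {
    printf '%s\n' "$1" | grep -q " ldap/$2@"
}

# preflight CONF KLIST REALM HOST: print the first failed check, or "ok".
preflight() {
    kdc_for_realm "$1" "$3" >/dev/null || { echo "no kdc for $3"; return 1; }
    has_credentials "$2" || { echo "no credentials cache"; return 1; }
    has_ldap_ticket "$2" "$4" || { echo "no ticket for ldap/$4"; return 1; }
    echo ok
}
```

On a real client, replace the two constructed strings with `$(cat /etc/krb5.conf)` and `$(klist)` and run `preflight` before trying the bind; a DNS check (forward and reverse lookup of the server name) is the remaining item on the list and depends on the local resolver.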