Hello,
I have done default compilation for openldap-2.3.38 and am now trying to run ldap client (ldapsearch) with Kerberos so that ldap client can use session ticket to perform the LDAP lookup on LDAP server. Please let me know what is required to make ldap client work with kerberos.
I did not see any option to compile & build openldap lib with kerberos support & when I do ldapsearch with -K option it shows error "ldapsearch: not compiled with Kerberos support".
Please suggest me the right way to do ldapsearch with kerberos support or what client & server command line options are required to run it with kerberos.
Thanks, Sanjay
sanjay gupta wrote, on 04-01-2008 15:46:
> I have done default compilation for openldap-2.3.38 and am now trying to run ldap client (ldapsearch) with Kerberos so that ldap client can use session ticket to perform the LDAP lookup on LDAP server. Please let me know what is required to make ldap client work with kerberos.
> I did not see any option to compile & build openldap lib with kerberos support & when I do ldapsearch with -K option it shows error "ldapsearch: not compiled with Kerberos support".
1: What do 'ldd ldapsearch' and 'ldd slapd' show?
2: What OS (and do not report Windows) and version are you using?
> Please suggest me the right way to do ldapsearch with kerberos support or what client & server command line options are required to run it with kerberos.
Using Kerberos (V) with OpenLDAP 2.3 isn't simply a question of having Kerberos support built into binaries. You have to configure the whole Kerberos infrastructure for your chosen Kerberos realm and implement it before even thinking about incorporating that in LDAP. There are enough HOWTOs out there to show you how to do that - it's OT for this list.
Having done that, you can configure OpenLDAP to support a varying degree of KerberosV support. There are masses of HOWTOs, I've done it myself from them without ever asking a single question here or anywhere and got it working. I gave it up because there was no need for it on my systems, it was redundant. My systems do not at present need AD/Win23K support.
Best,
--Tonni
On Jan 4, 2008, at 1:15 PM, Tony Earnshaw wrote:
> sanjay gupta wrote, on 04-01-2008 15:46:
>> I have done default compilation for openldap-2.3.38 and am now trying to run ldap client (ldapsearch) with Kerberos so that ldap client can use session ticket to perform the LDAP lookup on LDAP server. Please let me know what is required to make ldap client work with kerberos.
>> I did not see any option to compile & build openldap lib with kerberos support & when I do ldapsearch with -K option it shows error "ldapsearch: not compiled with Kerberos support".
> 1: What do 'ldd ldapsearch' and 'ldd slapd' show?
Actually don't think that's the immediate problem. I predict that your "ldapsearch -K" will print out the same error message, whether it's built with Kerberos support or not.
Current Kerberos support means SASL GSSAPI -- we're interested in the -Y option, not the -K option.
From there, of course it does need to be built with Kerberos support, as well as Cyrus SASL.
Donn Cave, donn@u.washington.edu
On Friday 04 January 2008 16:46:40 sanjay gupta wrote:
> Hello,
> I have done default compilation for openldap-2.3.38 and am now trying to run ldap client (ldapsearch) with Kerberos so that ldap client can use session ticket to perform the LDAP lookup on LDAP server. Please let me know what is required to make ldap client work with kerberos.
> I did not see any option to compile & build openldap lib with kerberos support & when I do ldapsearch with -K option it shows error "ldapsearch: not compiled with Kerberos support".
$ ldapsearch
(specifically no -x flag, as you want SASL).
should be sufficient, assuming all your configuration is correct, you have a ticket, and the LDAP server has a keytab for ldap/$hostname, where you are connecting to '$hostname' (in your ldap.conf, or via -h $hostname).
Of course, some logging output from your LDAP server, and the KDCs the LDAP server and LDAP clients are configured to use would help.
> Please suggest me the right way to do ldapsearch with kerberos support or what client & server command line options are required to run it with kerberos.
Without -x, ldapsearch will use SASL. Additionally, ldapsearch will try and do the most appropriate thing, with a ticket, if your LDAP server has GSSAPI available (and advertised as one of the supportedSASLMechanisms).
Regards, Buchan
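Added example, not part of the original thread or of OpenLDAP: the checks the replies above describe, in order (a valid ticket, GSSAPI listed in supportedSASLMechanisms, then a SASL bind with -Y GSSAPI instead of -K). The function names, the sample root DSE and ldap.example.com are assumptions, as is a server that lets an anonymous bind read the root DSE.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a GSSAPI bind.
# ldap.example.com below is a placeholder host name.

# Constructed sample of what a root DSE query returns, i.e. the output of
#   ldapsearch -x -LLL -H ldap://HOST -b "" -s base supportedSASLMechanisms
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5'

# Read LDIF on stdin; succeed only if it advertises SASL mechanism $1.
# Attribute name and mechanism are matched case-insensitively.
advertises_mech() {
    awk -v want="$1" '
        tolower($1) == "supportedsaslmechanisms:" && toupper($2) == toupper(want) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Run the checks in order, then do the Kerberos-authenticated search.
# Return codes: 1 = no ticket, 2 = GSSAPI not advertised, else ldapsearch's own.
preflight() {
    host=$1
    # klist -s (MIT Kerberos) is silent and exits non-zero without a valid ticket.
    if ! klist -s; then
        echo "no valid Kerberos ticket: run kinit first" >&2
        return 1
    fi
    # Anonymous simple bind (-x) is used only to read the root DSE.
    if ! ldapsearch -x -LLL -H "ldap://$host" -b "" -s base supportedSASLMechanisms \
            | advertises_mech GSSAPI; then
        echo "$host does not advertise GSSAPI" >&2
        return 2
    fi
    # No -x here: -Y GSSAPI requests a SASL bind using the ticket for ldap/$host.
    ldapsearch -Y GSSAPI -H "ldap://$host" -b "" -s base
}

# Usage: preflight ldap.example.com
```

A return code of 2 points at the server side (slapd built without Cyrus SASL/GSSAPI, or the mechanism not offered), while a failure in the last step with a ticket present usually points at the ldap/$hostname keytab or a host name mismatch.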