Hello all,
I've been pulling hair out in tufts over the last week trying to get OpenLDAP 2.3.35 to build with Kerberos 5 support on a SLES9 machine (AMD64). I've spent hours searching the mailing lists and Google. All I could find were messages from several years ago admonishing people for not searching, or questions with no answers.
Anyway, I finally got it, which leads to my question below.
First, this machine is SLES9, Service Pack Three. SuSE provides the Heimdal Kerberos implementation. It also has Cyrus SASL. For some strange reason, the OpenLDAP packages SuSE supplies for SLES9 do not have Kerberos compiled in, so I went and grabbed the openldap-2.3.35 tarball and set about trying to build it.
The biggest problem is the configure script completely ignores the --with-kerberos option. Completely. I've searched, and I can't find any mention of why this is.
Starting at line 18,158 in the configure script, I found this block:
----
ol_link_kbind=no
ol_link_krb5=no
ol_link_krb4=no
case $ol_with_kerberos in yes | auto | k5 | k5only | k425)
----
Changing "ol_link_krb5" to "yes" had no effect. But changing "ol_link_krb5" to "yes" AND adding the line "ol_with_kerberos=yes" right above the case statement got the configure script to actually start looking for Kerberos libraries and headers. After that, it was just a matter of setting the right CCFLAGS and LDFLAGS environment variables so configure could find the headers and libraries. Once all that was in place, it built like a champ and seems to be working.
So my question is, why does "--with-kerberos" not work anymore? Is this a conscious decision, or a bug?
Thanks!
Andrew Scott
Louisville, KY
--On Tuesday, April 17, 2007 4:22 PM -0400 Andrew Scott ascott@appriss.com wrote:
> I've been pulling hair out in tufts over the last week trying to get OpenLDAP 2.3.35 to build with Kerberos 5 support on a SLES9 machine (AMD64). I've spent hours searching the mailing lists and Google. All I could find were messages from several years ago admonishing people for not searching, or questions with no answers.
> The biggest problem is the configure script completely ignores the --with-kerberos option. Completely. I've searched, and I can't find any mention of why this is.
I think you are extremely confused. :)
Why would you want to link OpenLDAP against the Kerberos libraries? Usually all the Kerberos negotiations are handled via Cyrus-SASL, which is what is linked against Heimdal (or MIT), not OpenLDAP. There is *no* option in the configure for OpenLDAP 2.3.35 that references Kerberos at all:
ldap-uat00:/usr/local/build/openldap-2.3.35# ./configure --help | grep kerberos
What you are seeing are the remnants of the very old "kbind" stuff that was never part of any LDAP standard, was really only related to LDAP v2, and was completely replaced by the SASL/KERBEROSIV and SASL/GSSAPI mechanisms handled by SASL.
Does that help? :)
--Quanah
-- 
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Confused is a very apt description of what I am right now.
I'm wading through the nightmare that is getting Linux machines to auth with Kerberos to Active Directory, and using OpenLDAP to do user/group lookups instead of Winbind.
I started down the road of getting Kerberos support compiled in because ldapsearch would not auth using gssapi. Sorting through all the documentation, I found the -k option, and set about getting that to work.
-k still doesn't work, because I didn't compile kbind in, but after doing what I did below, I ended up with an ldapsearch that WOULD auth via SASL/GSS. Simply doing the default build left me with an ldapsearch utility that I couldn't use to search AD.
Now, if there is a better way for me to get there than the way I went, I would be absolutely delighted to be spun around and pointed in the correct direction.
Thanks!
Andrew

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
Sent: Tuesday, April 17, 2007 5:21 PM
To: Andrew Scott; openldap-software@openldap.org
Subject: Re: Building OpenLDAP 3.3.35 with Kerberos on SLES9
--On Tuesday, April 17, 2007 5:29 PM -0400 Andrew Scott ascott@appriss.com wrote:
> I started down the road of getting Kerberos support compiled in because ldapsearch would not auth using gssapi. Sorting through all the documentation, I found the -k option, and set about getting that to work.
> -k still doesn't work, because I didn't compile kbind in, but after doing what I did below, I ended up with an ldapsearch that WOULD auth via SASL/GSS. Simply doing the default build left me with an ldapsearch utility that I couldn't use to search AD.
Right, -k was specific to the old Kerberos v4 kbind functionality, and would never have allowed you to do a SASL/GSSAPI bind to AD anyway. ;)
It sounds like the default build on SuSE just misses compiling Cyrus SASL against Heimdal. As long as you compile the *same* version of Cyrus SASL against Heimdal, you likely don't even need to rebuild OpenLDAP, assuming a dynamic build -- OpenLDAP simply calls out to Cyrus SASL to find out what mechanisms are available (hint, see the -Y flag to ldapsearch).
--Quanah
On Tuesday 17 April 2007 23:33, Quanah Gibson-Mount wrote:
> It sounds like the default build on SuSE just misses compiling Cyrus SASL against Heimdal.
No. But the SASL gssapi plugin is packaged in a separate subpackage. I guess that the cyrus-sasl-gssapi package was not installed on the machine.
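An added example, not from any message in this thread: a small POSIX shell script that separates the two failure modes the replies above point at, a directory server that does not advertise GSSAPI in its rootDSE versus a client whose Cyrus SASL has no GSSAPI plugin (the cyrus-sasl-gssapi subpackage on SuSE). Both the rootDSE output and the plugin directory are constructed samples; the plugin filename libgssapiv2.so is Cyrus SASL's, while /usr/lib64/sasl2 as the plugin location is an assumption about the distribution.

```shell
#!/bin/sh
# Added example (not from the thread): tell the two "ldapsearch won't do GSSAPI"
# cases apart before rebuilding anything.
#   1. The server does not advertise GSSAPI in supportedSASLMechanisms.
#   2. The client's Cyrus SASL has no GSSAPI plugin (libgssapiv2.so missing),
#      so OpenLDAP, which only asks Cyrus SASL what it offers, never sees it.

# Does an LDIF rootDSE dump list the given SASL mechanism?
# Usage: server_offers_mech "$ldif" GSSAPI   -> exit 0 if advertised, 1 if not
server_offers_mech() {
    ldif=$1; mech=$2
    printf '%s\n' "$ldif" | grep -i "^supportedSASLMechanisms: ${mech}"'$' >/dev/null
}

# Is the Cyrus SASL GSSAPI plugin present in a plugin directory?
# Usage: client_has_gssapi_plugin /usr/lib64/sasl2   (path is an assumption)
client_has_gssapi_plugin() {
    dir=$1
    for f in "$dir"/libgssapiv2.so "$dir"/libgssapiv2.so.*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Combine both checks into a one-line diagnosis.
diagnose() {
    ldif=$1; plugdir=$2
    if ! server_offers_mech "$ldif" GSSAPI; then
        echo "server does not advertise GSSAPI"
    elif ! client_has_gssapi_plugin "$plugdir"; then
        echo "client SASL has no GSSAPI plugin (install cyrus-sasl-gssapi)"
    else
        echo "GSSAPI available on both sides; try: kinit user@REALM && ldapsearch -Y GSSAPI ..."
    fi
}

# Constructed sample: the shape of what
#   ldapsearch -x -H ldap://dc.example.com -s base -b '' supportedSASLMechanisms
# returns from an AD domain controller (values assumed, not captured from the thread).
SAMPLE_AD_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# Constructed sample: a server that offers no SASL mechanisms at all.
SAMPLE_NO_SASL='dn:
supportedLDAPVersion: 3'

# Stand-alone demo against a scratch plugin directory with and without the module.
main() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    echo "empty plugin dir: $(diagnose "$SAMPLE_AD_ROOTDSE" "$tmp")"
    : > "$tmp/libgssapiv2.so"
    echo "with plugin:      $(diagnose "$SAMPLE_AD_ROOTDSE" "$tmp")"
    echo "no SASL server:   $(diagnose "$SAMPLE_NO_SASL" "$tmp")"
}
main
```

The anonymous rootDSE query (`-x -s base -b ''`) needs no SASL mechanism at all, which is why it is a safe first step: it shows what the server offers independently of the client's SASL build. Only when both checks pass is it worth getting a ticket with kinit and trying the `-Y GSSAPI` bind Quanah's hint refers to.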