Confused is a very apt description of what I am right now.
I'm wading through the nightmare that is getting Linux machines to auth
with Kerberos to Active Directory, and using OpenLDAP to do user/group
lookups instead of Winbind.
I started down the road of getting Kerberos support compiled in because
ldapsearch would not auth using gssapi. Sorting through all the
documentation, I found the -k option, and set about getting that to
-k still doesn't work, because I didn't compile kbind in, but after
doing what I did below, I ended up with an ldapsearch that WOULD auth
via SASL/GSS. Simply doing the default build left me with an ldapsearch
utility that I couldn't use to search AD.
Now, if there is a better way for me to get there than the way I went, I
would be absolutely delighted to be spun around and pointed in the
From: Quanah Gibson-Mount [mailto:email@example.com]
Sent: Tuesday, April 17, 2007 5:21 PM
To: Andrew Scott; openldap-software(a)openldap.org
Subject: Re: Building OpenLDAP 3.3.35 with Kerberos on SLES9
--On Tuesday, April 17, 2007 4:22 PM -0400 Andrew Scott
I've been pulling hair out in tufts over the last week trying to get
OpenLDAP 2.3.35 to build with Kerberos 5 support on a SLES9 machines
(AMD64). I've spent hours searching the mailing lists and Google.
I could find were messages from several years ago admonishing people
not searching, or questions with no answers.
The biggest problem is the configure script completely ignores the
-with-kerberos option. Completely. I've searched, and I can't
find any mention of why this is.
I think you are extremely confused. :)
Why would you want to link OpenLDAP against the kerberos libraries?
Usually all the kerberos negotations are handled via Cyrus-SASL, which
what is linked against Heimdal (or MIT), not OpenLDAP. There is *no*
option in the configure for OpenLDAP 2.3.35 that references kerberos at
ldap-uat00:/usr/local/build/openldap-2.3.35# ./configure --help | grep
What you are seeing are the remnants of the very old "kbind" stuff that
never part of any LDAP standard, was really only related to LDAP v2, and
was completely replaced by the SASL/KERBEROSIV and SASL/GSSAPI
handled by SASL.
Does that help? :)
Senior Systems Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html