On 30/06/11 09:47 -0700, yen nguyen wrote:
Yes. My client system is connected to the domain. I was able to obtain a valid ticket from the AD system. The kinit command ran OK:
    kinit user1@TEST.COM
I even ran gssclient and it ran OK with no error:
    gssclient -port 389 MPSD-EB01T3 LDAP/MPSD-EB01T3.TEST.COM hello
The DN of my AD should be TEST.COM
So what else do I need to do on the client system to use the OpenLDAP client tools with the -Y GSSAPI option? Is there an ldap.conf configuration for the Windows OpenLDAP client tools?
You need to have a Cyrus SASL GSSAPI mechanism installed on your client system, which OpenLDAP uses to perform the necessary GSSAPI authentication with the server.
If you have 'pluginviewer' available on your system, it will tell you which SASL mechanisms you have available. For Cyrus documentation on Windows builds, see:
http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/windows.php
Date: Thu, 30 Jun 2011 16:17:44 +0100
From: andrew.findlay@skills-1st.co.uk
To: nhan_yen@hotmail.com
CC: openldap-technical@openldap.org
Subject: Re: How to configure OpenLdap Client to work with Windows Active Directory
On Wed, Jun 29, 2011 at 05:41:26PM -0700, yen nguyen wrote:
Can ldapsearch work with Windows AD via GSSAPI? Is there any special setting/software I need to do on the client side?
GSSAPI is normally a carrier for Kerberos tickets, so for this to work you will need to obtain a valid ticket for the AD service. This will involve connecting your client system to the Kerberos domain managed by the AD system.
On my client system, I have the Windows OpenLDAP client tools (ldapsearch, etc.). My server system has Windows AD running.
I was able to use Simple Authentication and it worked:
    ldapsearch.exe -H ldap://MPSD-EB01T3/ -b "dc=test,dc=com" -x
Without the -D and -w (or -W) options, this is just anonymous (un-authenticated) access.
You can certainly use the OpenLDAP client tools with AD using simple authentication. The main problem is to find out what the DN of your AD account actually is.
Andrew
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
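
The two points made in the replies above (a command line with -x but no -D binds anonymously, and GSSAPI has to be available as a SASL mechanism) can be checked with a short script. This is an added example, not part of the original thread; the function names are hypothetical and the rootDSE output is a constructed sample, with only the hostname taken from the messages.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample of an anonymous rootDSE read, i.e. what a command like
#   ldapsearch -x -LLL -H ldap://MPSD-EB01T3/ -b "" -s base supportedSASLMechanisms
# could print. One line carries a CR, as output saved on Windows often does.
SAMPLE_ROOTDSE=$(printf 'dn:\nsupportedSASLMechanisms: GSSAPI\r\nsupportedSASLMechanisms: GSS-SPNEGO\nsupportedSASLMechanisms: EXTERNAL\nsupportedSASLMechanisms: DIGEST-MD5\n')

# Print the advertised SASL mechanisms, one per line, from LDIF on stdin.
list_sasl_mechs() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "supportedsaslmechanisms" { print toupper($2) }'
}

# Return 0 if mechanism $1 (case-insensitive) is advertised in the LDIF on stdin.
server_offers_mech() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    list_sasl_mechs | grep -xF -- "$want" >/dev/null
}

# Classify how an ldapsearch argument list will bind.
# -x alone is an anonymous simple bind; -x with -D is an authenticated
# simple bind; -Y names a SASL mechanism explicitly.
bind_mode() {
    simple=no; dn=""; mech=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -x) simple=yes ;;
            -D) dn="${2-}";   [ $# -gt 1 ] && shift ;;
            -Y) mech="${2-}"; [ $# -gt 1 ] && shift ;;
        esac
        shift
    done
    if [ -n "$mech" ]; then echo "sasl:$mech"
    elif [ "$simple" = yes ] && [ -n "$dn" ]; then echo "simple"
    elif [ "$simple" = yes ]; then echo "anonymous"
    else echo "sasl:default"  # assumption: SASL-enabled tools pick a mechanism when -x is absent
    fi
}

# Demo on the constructed sample and on the command quoted in the thread.
printf '%s\n' "$SAMPLE_ROOTDSE" | server_offers_mech GSSAPI && echo "server advertises GSSAPI"
echo "bind mode: $(bind_mode -H ldap://MPSD-EB01T3/ -b 'dc=test,dc=com' -x)"
```

The server-side check only shows what the directory advertises; the client still needs the Cyrus SASL GSSAPI plugin installed for -Y GSSAPI to work.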