Brian Candler wrote:
> Hello,
> I'm setting up an openldap server for Kerberos (GSSAPI) authentication only. I'm using slapd-2.4.21 from Ubuntu 10.04.1.
> It's basically working, and I had to do very little other than change the export of KRB5_KTNAME in /etc/default/slapd to point to the service keytab.
> However, there are a couple of strange things which I wonder if someone could help me with.
> (1) According to the documentation at http://www.openldap.org/doc/admin24/sasl.html#GSSAPI the authentication DN should be uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
> However, running slapd in debug mode I see the cn=<realm> is missing.
That's normal. The SASL library doesn't provide the realm name when it is equal to the default realm. This has been true of Cyrus SASL for probably the past dozen years. Read the Cyrus SASL documentation.
> (2) I would like to be able to do ldapsearch without specifying -Y GSSAPI explicitly. However if I omit it, the client picks DIGEST-MD5 instead (which isn't much use, since I have no passwords in the database)
Configure a sasl/slapd.conf with the options you want. Read the Cyrus SASL documentation.
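The configuration the two replies point at, written out as an added illustration rather than text from either poster. The file paths are those I would expect on Ubuntu 10.04 (libsasl2 reads the per-application file /usr/lib/sasl2/slapd.conf, named after slapd's SASL application name; the slapd.conf and ldap.conf locations are Debian's defaults), and the realm EXAMPLE.COM, the suffix dc=example,dc=com and the ou=people branch are assumptions for the example.

```conf
# /usr/lib/sasl2/slapd.conf  (assumed libsasl2 path for this Ubuntu release)
#
# Advertise only GSSAPI. Without mech_list, Cyrus SASL offers every mechanism
# whose plugin is installed (DIGEST-MD5, CRAM-MD5, ...), and a client that is
# not told which one to use picks from that list, which is why ldapsearch
# ends up on DIGEST-MD5 although there are no passwords in the directory.
mech_list: GSSAPI

# /etc/ldap/slapd.conf  (or the equivalent olcAuthzRegexp in cn=config)
#
# Map the SASL authentication DN onto a real entry. As the reply explains,
# cn=<realm> is omitted when the principal is in slapd's default realm, so
# the first pattern must not expect it. Patterns are tried in order and the
# first match wins. [^,/] keeps a service principal such as host/foo from
# matching the same entry as user "host"; it simply fails to map instead.
authz-regexp
  "uid=([^,/]*),cn=gssapi,cn=auth"
  "uid=$1,ou=people,dc=example,dc=com"

# A principal from another realm does arrive with cn=<realm>. This pattern
# only exists so the difference is visible; choose your own policy for
# foreign realms (here they are mapped under an assumed per-realm branch).
authz-regexp
  "uid=([^,/]*),cn=([^,]*),cn=gssapi,cn=auth"
  "uid=$1,ou=$2,ou=external,dc=example,dc=com"

# /etc/ldap/ldap.conf  (client side, optional)
#
# Restricting the server's mech_list is what the reply recommends; as a
# belt-and-braces measure the client can be told the same thing so that
# ldapsearch without -Y never negotiates anything but GSSAPI.
SASL_MECH GSSAPI
```

After restarting slapd, `ldapsearch -x -LLL -b "" -s base supportedSASLMechanisms` should list only GSSAPI, and `ldapwhoami` (with a valid ticket and no `-Y`) should print the mapped DN, which is the quickest way to see whether the authz-regexp patterns match the DN slapd actually builds.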