On Mon, Feb 18, 2013 at 3:33 PM, Dan White dwhite@olp.net wrote:
You have the necessary sasl components installed to support gssapi authentication. To verify that your AD server supports gssapi:
ldapsearch -LLL -x -H ldap://ad.example.org -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
See the FAQ entry "How do I configure OpenLDAP+SASL+GSSAPI" here (the client side details should still apply):
On 02/19/13 11:31 +0100, Michele wrote:
Ok, I've tried that and my AD server supports all the mechanisms you listed above. The problem is that I'm compiling a client application and I'd like to use the GSSAPI mechanism, but when I compile OpenLDAP I'm not sure if it is also compiling the GSSAPI stuff. Also, when I try to connect my client to my AD server it says that no mechanisms are available.
Compiling in SASL support should be sufficient.
One way to troubleshoot is to use the provided ldap utilities to verify gssapi authentication before troubleshooting your client application.
~$ kinit dan@AD.DOMAIN
dan@AD.COM's Password:
~$ ldapwhoami -Y GSSAPI -H ldap://ldap.ad.domain
SASL/GSSAPI authentication started
SASL username: dan@AD.DOMAIN
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
        additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Regardless of the error above (Active Directory 2003 apparently does not support the whoami extended operation), this is a successful authentication (you would see a bind error otherwise).
~$ klist
Credentials cache: FILE:/tmp/krb5cc_1005
        Principal: dan@AD.DOMAIN

  Issued           Expires          Principal
Feb 19 08:30:38  Feb 19 18:30:38  krbtgt/AD.DOMAIN@AD.DOMAIN
Feb 19 08:31:12  Feb 19 18:30:38  ldap/ldap.ad.domain@
Feb 19 08:31:12  Feb 19 18:30:38  ldap/ldap.ad.domain@AD.DOMAIN
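As an added example that is not part of the thread, the two checks Dan walks through (does the rootDSE advertise GSSAPI, and did the ldapwhoami SASL bind actually complete despite the whoami protocol error) as POSIX sh helpers that read command output on stdin; the transcripts embedded below are constructed from the messages above, not captured live.

```shell
#!/bin/sh
# Each helper reads command output on stdin, so it works on a saved transcript
# or on a live pipe, e.g.
#   ldapsearch -LLL -x -H ldap://ad.example.org -s base -b "" \
#       supportedSASLMechanisms | has_sasl_mech GSSAPI
#   ldapwhoami -Y GSSAPI -H ldap://ldap.ad.domain 2>&1 | gssapi_bind_ok

# Succeeds if the rootDSE output on stdin advertises SASL mechanism $1.
has_sasl_mech() {
    grep -qix "supportedSASLMechanisms: *$1"
}

# Succeeds if an ldapwhoami -Y GSSAPI transcript shows a completed SASL bind.
# ldapwhoami reports a failed bind as an "ldap_sasl_interactive_bind_s: ..."
# line; the "Unknown extended request OID" error seen against AD 2003 concerns
# only the whoami extended operation, so it is deliberately not treated as a
# bind failure here.
gssapi_bind_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^SASL username: ' &&
        ! printf '%s\n' "$out" | grep -q '^ldap_sasl_interactive_bind_s:'
}

# Prints the negotiated SASL security strength factor (0 if none was reported),
# so a caller can refuse a session that negotiated no security layer.
sasl_ssf() {
    ssf=$(sed -n 's/^SASL SSF: \([0-9]*\).*/\1/p' | head -n 1)
    echo "${ssf:-0}"
}

# Constructed sample transcripts modelled on the thread (not live captures).
ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

WHOAMI_OK='SASL/GSSAPI authentication started
SASL username: dan@AD.DOMAIN
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
        additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece'

WHOAMI_FAIL='SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: No Kerberos credentials available'

printf '%s\n' "$ROOTDSE" | has_sasl_mech GSSAPI && echo "server advertises GSSAPI"
printf '%s\n' "$WHOAMI_OK" | gssapi_bind_ok && echo "bind OK, SSF $(printf '%s\n' "$WHOAMI_OK" | sasl_ssf)"
```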