Hi, Can ldapsearch work with Windows AD via GSSAPI? Is there any special setting/software I need to do on the client side?
On my client system, I have the Windows OpenLDAP client tools (ldapsearch, etc.). My server system has Windows AD running.
I was able to use simple authentication and it worked:
ldapsearch.exe -H ldap://MPSD-EB01T3/ -b "dc=test,dc=com" -x
I know Windows 2008 AD supports GSSAPI.
ldapsearch -H ldap://MPSD-EB01T3/ -xLLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
Now I tried to use GSSAPI and it failed. Is there any special setting I need on the client side to make it work?
ldapsearch -H ldap://MPSD-EB01T3/ -b "cn=user1,dc=test,dc=com" -W -U user1 -Y GSSAPI -d 3
ldap_url_parse_ext(ldap://MPSD-EB01T3/)
ldap_create
ldap_url_parse_ext(ldap://MPSD-EB01T3:389/??base)
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP MPSD-EB01T3:389
ldap_new_socket: 392
ldap_prepare_socket: 392
ldap_connect_to_host: Trying 192.168.1.30:389
ldap_pvt_connect: fd: 392 tm: -1 async: 0
ldap_int_sasl_open: host=MPSD-EB01T3
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: Unable to find a calback: 2
On Wed, Jun 29, 2011 at 05:41:26PM -0700, yen nguyen wrote:
Can ldapsearch work with Windows AD via GSSAPI? Is there any special setting/software I need to do on the client side?
GSSAPI is normally a carrier for Kerberos tickets, so for this to work you will need to obtain a valid ticket for the AD service. This will involve connecting your client system to the Kerberos domain managed by the AD system.
On my client system, I have the Windows OpenLDAP client tools (ldapsearch, etc.). My server system has Windows AD running.
I was able to use simple authentication and it worked:
ldapsearch.exe -H ldap://MPSD-EB01T3/ -b "dc=test,dc=com" -x
Without the -D and -w (or -W) options, this is just anonymous (un-authenticated) access.
You can certainly use the OpenLDAP client tools with AD using simple authentication. The main problem is to find out what the DN of your AD account actually is.
Andrew
Yes. My client system is connected to the domain. I was able to obtain a valid ticket from the AD system. The kinit command ran ok:
kinit user1@TEST.COM
I even ran gssclient and it ran ok with no error:
gssclient -port 389 MPSD-EB01T3 LDAP/MPSD-EB01T3.TEST.COM hello
The DN of my AD should be TEST.COM
So what else do I need to do on the client system to use the OpenLDAP client tools with the -Y GSSAPI option? Is there an ldap.conf configuration for the Windows OpenLDAP client tools?
Thanks, Tony
Date: Thu, 30 Jun 2011 16:17:44 +0100
From: andrew.findlay@skills-1st.co.uk
To: nhan_yen@hotmail.com
CC: openldap-technical@openldap.org
Subject: Re: How to configure OpenLdap Client to work with Windows Active Directory
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
On 30/06/11 09:47 -0700, yen nguyen wrote:
Yes. My client system is connected to the domain. I was able to obtain a valid ticket from the AD system. The kinit command ran ok:
kinit user1@TEST.COM
I even ran gssclient and it ran ok with no error:
gssclient -port 389 MPSD-EB01T3 LDAP/MPSD-EB01T3.TEST.COM hello
The DN of my AD should be TEST.COM
So what else do I need to do on the client system to use the OpenLDAP client tools with the -Y GSSAPI option? Is there an ldap.conf configuration for the Windows OpenLDAP client tools?
You need to have a Cyrus SASL GSSAPI mechanism installed on your client system, which OpenLDAP uses to perform the necessary GSSAPI authentication with the server.
If you have 'pluginviewer' available on your system, it will tell you which SASL mechanisms you have available. For Cyrus documentation on Windows builds, see:
http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/windows.php
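As an added diagnostic example (not code from this thread, from OpenLDAP or from Cyrus SASL), the POSIX shell script below compares the mechanisms the AD rootDSE advertises with those the local Cyrus SASL client plugins can supply, which is exactly the mismatch behind the "SASL(-4): no mechanism available" failure shown earlier. The sample outputs are constructed and the pluginviewer line format is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: does the client's Cyrus SASL library
# provide a mechanism the server offers? Sample data below is constructed.

# Mechanism names from rootDSE LDIF, i.e. the output of
#   ldapsearch -H ldap://SERVER/ -x -LLL -s base -b "" supportedSASLMechanisms
server_mechs() {
    sed -n 's/^supportedSASLMechanisms: *//p' | tr '\n' ' ' | sed 's/ *$//'
}

# Mechanism names from 'pluginviewer -c' output; the line format
# "SASL mechanism: GSSAPI, best SSF: 56" is an assumption.
client_mechs() {
    sed -n 's/^[[:space:]]*SASL mechanism: *\([A-Za-z0-9-]*\).*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# diagnose MECH "server list" "client list"
# returns 0 if usable, 1 if the client library lacks the plugin (the
# "no mechanism available" case), 2 if the server does not offer it at all.
diagnose() {
    mech=$1
    case " $2 " in
        *" $mech "*) ;;
        *) echo "server does not offer $mech"; return 2 ;;
    esac
    case " $3 " in
        *" $mech "*) ;;
        *) echo "client has no Cyrus SASL plugin for $mech; install it before using -Y $mech"; return 1 ;;
    esac
    echo "$mech offered by server and loadable by client; -Y $mech should bind"
    return 0
}

# Constructed rootDSE output, matching what the AD server in the thread returned.
SERVER_LDIF='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# Constructed pluginviewer -c output for a client that is missing the GSSAPI plugin.
CLIENT_PV='Plugin "digestmd5" [loaded],    API version: 4
    SASL mechanism: DIGEST-MD5, best SSF: 128
Plugin "plain" [loaded],    API version: 4
    SASL mechanism: PLAIN, best SSF: 0'

SRV=$(printf '%s\n' "$SERVER_LDIF" | server_mechs)
CLI=$(printf '%s\n' "$CLIENT_PV" | client_mechs)
diagnose GSSAPI "$SRV" "$CLI" || :
```

On a live client, feed the real command outputs instead of the constructed strings: `ldapsearch -x -LLL -s base -b "" supportedSASLMechanisms | server_mechs` and `pluginviewer -c | client_mechs`.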