Actually I'm a putz. What I was trying to do would never have worked! Authentication against LDAP using GSSAPI requires the user to have already signed into a Kerberos realm and have a token. In my setup, that token was not available (the user never signs in), hence it'd never work.

Giving users' passwords in LDAP itself works until I organise the Kerberos login stuff.

Jamie

On Sep 25, 1:24 am, [EMAIL PROTECTED] wrote:
> Hello all,
>
> I have an OpenLDAP server that successfully authenticates against a
> Kerberos setup:
>
> [EMAIL PROTECTED] ~]$ ldapwhoami -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: [EMAIL PROTECTED]
> SASL SSF: 56
> SASL installing layers
> dn:uid=jamie,ou=people,dc=example,dc=com
> Result: Success (0)
>
> When I do not put -Y GSSAPI in, I get:
>
> [EMAIL PROTECTED] ~]$ ldapwhoami
> ldap_sasl_interactive_bind_s: No such object (32)
>
> Is it possible to force the client or server to use GSSAPI for
> authentication, so I don't need to write it every time? In my
> slapd.conf file I have:
>
> TLSCertificateFile /etc/openldap/cacerts/newcert.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/newreq.pem
> ...
> sasl-secprops noanonymous,noplain,noactive
> saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com
>
> In particular, this sasl-secprops line (according to the website I
> pilfered it from) should in theory force the use of GSSAPI, but in
> practice it doesn't.
>
> The reason I wish to force GSSAPI is to make a Java app I need to
> interoperate with use the right mechanism (i.e. GSSAPI), and hence
> authenticate against Kerberos via LDAP rather than authenticate
> against LDAP only.
>
> Thanks for any help.
> Jamie

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
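An added example, not part of the thread above, of how a Java application selects the GSSAPI mechanism for its LDAP bind. The mechanism is chosen on the client side (for the OpenLDAP command-line tools the equivalent is `SASL_MECH GSSAPI` in ldap.conf or ~/.ldaprc), which is why the server-side `sasl-secprops` line in the quoted post cannot force it; `noplain,noactive` only rejects mechanisms lacking those properties. The code below still depends on the point Jamie reached: a Kerberos ticket must already exist, so the JAAS login step fails early and visibly when no ticket is in the cache. The JAAS entry name `KerberosLdap` and the URL `ldap://ldap.example.com/` are assumed values for illustration.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Binds to an LDAP server with SASL/GSSAPI under a Kerberos identity.
 *
 * Run with a JAAS configuration supplied via
 *   -Djava.security.auth.login.config=/path/to/jaas.conf
 * containing an entry whose name matches JAAS_ENTRY, for example:
 *
 *   KerberosLdap {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true doNotPrompt=true;
 *   };
 *
 * useTicketCache=true reuses the ticket obtained by kinit; doNotPrompt=true
 * makes the login fail instead of asking for a password when no ticket exists.
 */
public class GssapiLdapBind {

    // Assumed values for this example (not from the thread).
    private static final String JAAS_ENTRY = "KerberosLdap";
    private static final String LDAP_URL = "ldap://ldap.example.com/";

    /**
     * Authenticates to Kerberos via JAAS, then performs the LDAP bind inside
     * Subject.doAs so the GSSAPI layer can find the Kerberos credentials.
     * Returns the DN of the caller's own entry (as ldapwhoami -Y GSSAPI would),
     * located with a search for the Kerberos principal's uid.
     */
    public static String whoAmIViaGssapi(String ldapUrl, String baseDn, String uid)
            throws LoginException, java.security.PrivilegedActionException {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login(); // fails here when no Kerberos ticket is available
        Subject subject = lc.getSubject();

        return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);
            // This is the client-side mechanism selection the thread asks about.
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // Ask for the integrity+confidentiality layer ("SASL installing layers"
            // in the ldapwhoami output) rather than authentication only.
            env.put("javax.security.sasl.qop", "auth-conf");

            LdapContext ctx = new InitialLdapContext(env, null);
            try {
                javax.naming.directory.SearchControls sc =
                        new javax.naming.directory.SearchControls();
                sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"dn"});
                javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
                        ctx.search(baseDn, "(uid={0})", new Object[] {uid}, sc);
                if (!results.hasMore()) {
                    throw new NamingException("no entry with uid=" + uid + " under " + baseDn);
                }
                return results.next().getNameInNamespace();
            } finally {
                ctx.close();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Values mirror the DNs shown in the thread; the URL is assumed.
        String dn = whoAmIViaGssapi(LDAP_URL, "ou=people,dc=example,dc=com", "jamie");
        System.out.println("dn:" + dn);
    }
}
```

The search filter is built with the `{0}` placeholder form of `DirContext.search` so the uid is escaped by JNDI rather than concatenated into the filter string; that keeps the lookup safe even when the principal name is user-controlled.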
