> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Michael Ströder
> Sent: Tuesday, March 17, 2009 8:20 PM
> To: [email protected]
> Subject: Re: SASL authentication
>
> First try to do a kinit with providing the password. After
> that you could try using keytab files (on your LDAP client)
> if needed in your setup.

The tutorial at http://aput.net/~jheiss/krbldap/howto.html said my SASL LDAP binding error of "82 Local error" may be due to the lack of a service principal:

=========================================================
ldap_sasl_interactive_bind_s: Local error
ldap/hostname service principal not set up or your Kerberos ticket is expired
=========================================================

I am a little bit confused about it. Does it mean either the ticket is absent or the ticket has expired? Are "ldap/hostname service principal" and "kerberos ticket" here the same thing?

After kinit returns successfully, I can see there is a ticket in the krb cache:

=========================================================
MBC113:/ <515> /tmp/dlms/kerberos/apps/klist -k
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
03/17/09 17:36:50  03/18/09 03:37:35  krbtgt/[email protected]
        renew until 03/18/09 17:36:50
=========================================================

Isn't this ticket the service principal needed? You can see the third column's caption is "Service principal". Is it the same as or different from the "ldap/hostname service principal" mentioned above?

Suppose they are different, and as you told me, the keytab file (which contains the service principal of ldap/hostname) is used by the LDAP client. But where should the keytab file be generated? Should the keytab file be created on the Kerberos server or the LDAP server? Could you teach me how to create this keytab file, in as much detail as possible?

Thanks,
Xu Qiang

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
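
An added example (not part of the original message or of the tutorial it cites): a Python check over `klist` output that separates the two causes named in the error text, an expired ticket versus no ticket for `ldap/hostname`. The `krbtgt/REALM@REALM` row is the ticket-granting ticket that kinit obtains; a ticket for `ldap/hostname` is a separate row that appears only once the KDC has issued one. The realm `EXAMPLE.COM`, the user, the host `ldap.example.com` and the function names are constructed placeholders.

```python
from datetime import datetime

# Constructed klist output in the layout shown in the message above.
# user@EXAMPLE.COM and the realm are placeholders, not values from the post.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
03/17/09 17:36:50  03/18/09 03:37:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/18/09 17:36:50
"""

FMT = "%m/%d/%y %H:%M:%S"  # date layout used in the klist listing above


def parse_tickets(klist_text):
    """Return [(service_principal, expires)] for every ticket row."""
    tickets = []
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # cache/principal lines and "renew until" lines
        try:
            datetime.strptime(" ".join(parts[0:2]), FMT)
            expires = datetime.strptime(" ".join(parts[2:4]), FMT)
        except ValueError:
            continue  # the column-caption row
        tickets.append((parts[4], expires))
    return tickets


def diagnose(klist_text, ldap_host, now):
    """Classify the cache against the two causes in the error message."""
    live = [(p, e) for p, e in parse_tickets(klist_text) if e > now]
    if not any(p.startswith("krbtgt/") for p, _ in live):
        return "no valid TGT: run kinit again"
    wanted = "ldap/" + ldap_host.lower() + "@"
    if any(p.lower().startswith(wanted) for p, _ in live):
        return "service ticket for ldap/%s is cached" % ldap_host
    # TGT is fine, so expiry is ruled out; what remains is that no
    # ldap/<host> ticket has been issued to this cache.
    return "TGT valid, no ldap/%s service ticket yet" % ldap_host


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST, "ldap.example.com", datetime(2009, 3, 17, 18, 0)))
```
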
