Hello Dan,

Sorry for my ignorance of the openldap GSSAPI mechanism. Just now I tried it, and I think I found why.

On another machine, I need to configure the realms in /etc/krb5.conf, so the machine knows where the kdc is. After that, I ran "kinit user", and then ldapsearch worked fine. Thank you very much for your reply.

On Thu, Feb 11, 2010 at 12:38 PM, Dan White <[email protected]> wrote:
> On 10/02/10 23:41 -0600, huican ping wrote:
>>
>> This is a dummy question. I have just newly come into contact with sasl+krb5 with
>> ldap. Can any kind people tell me how to make ldapsearch
>> work from another machine? E.g., what kind of setup/procedure should I
>> do on the other machine before I can do ldapsearch with gssapi
>> effectively?
>
> http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/OpenLdapSaslGssapi
>
>> Output when run on the different machine
>> =============================
>> /tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001
>> -Y gssapi -U admin -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>> additional info: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure. Minor code may provide more information
>> (Unknown code krb5 7)
>
> I don't know what "Unknown code krb5 7" means, but I would make sure:
>
> You have a local credentials cache (klist)
> You have received a ticket for the LDAP service principal
> You are referencing the server using the same name as its service principal
> You have forward and reverse DNS setup for both the server and client
>
> I'm guessing that '-h 10.230.34.88' is incorrect. I would recommend
> referencing the server by DNS name, unless the server really is using a
> service principal with that IP address.
>
> --
> Dan White
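The prerequisites discussed in this thread (a realm and kdc entry in /etc/krb5.conf, a credentials cache from kinit, a ticket for the ldap/ service principal, and referencing the server by the DNS name in that principal rather than by IP) can be checked mechanically before running ldapsearch. The following is an added example, not code from this thread or from the cyrus-sasl or OpenLDAP projects. It parses a krb5.conf-style text and klist-style output; both sample inputs are constructed, and the function names (parse_krb5_conf, parse_klist, check_gssapi_prereqs) are this example's own.

```python
"""Pre-flight checks for an `ldapsearch -Y GSSAPI` bind from a fresh client.

Added example, not from the mailing-list thread. It reads krb5.conf-style and
klist-style text so it can run offline; in practice you would feed it the real
/etc/krb5.conf and the output of `klist`.
"""
import re

# Constructed sample: the [realms] stanza the client needs to locate the KDC.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

# Constructed sample of `klist` output after kinit and one successful GSSAPI bind.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
02/11/10 12:00:00    02/11/10 22:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/11/10 12:01:00    02/11/10 22:00:00    ldap/ldap.example.com@EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc, ...]}) using a minimal krb5.conf reader."""
    default_realm, kdcs, section, current_realm = None, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                       # new [section]
            section = m.group(1)
            continue
        if section == 'libdefaults':
            key, _, value = line.partition('=')
            if key.strip() == 'default_realm':
                default_realm = value.strip()
        elif section == 'realms':
            m = re.match(r'^(\S+)\s*=\s*\{$', line)
            if m:                   # REALM = {
                current_realm = m.group(1)
                kdcs.setdefault(current_realm, [])
            elif line == '}':
                current_realm = None
            elif current_realm:
                key, _, value = line.partition('=')
                if key.strip() == 'kdc':
                    kdcs[current_realm].append(value.strip())
    return default_realm, kdcs


def parse_klist(text):
    """Return (default_principal, [service principals held]) from klist-style output."""
    principal, services = None, []
    for line in text.splitlines():
        if line.startswith('Default principal:'):
            principal = line.split(':', 1)[1].strip()
            continue
        parts = line.split()
        # Ticket rows end in a service principal of the form svc/host@REALM.
        if len(parts) >= 5 and '@' in parts[-1] and '/' in parts[-1]:
            services.append(parts[-1])
    return principal, services


def is_ip_literal(host):
    return re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', host) is not None


def check_gssapi_prereqs(server, krb5_conf_text, klist_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    realm, kdcs = parse_krb5_conf(krb5_conf_text)
    if realm is None:
        return ['no default_realm in krb5.conf']
    if not kdcs.get(realm):
        findings.append('no kdc configured for realm %s' % realm)
    principal, services = parse_klist(klist_text)
    if principal is None:
        return findings + ['no credentials cache (run kinit)']
    if is_ip_literal(server):
        findings.append('server given as IP %s; use the DNS name in its service principal' % server)
    # ldapsearch asks the KDC for ldap/<name as given on -h>@REALM.
    want = 'ldap/%s@%s' % (server, realm)
    if want not in services:
        findings.append('no ticket for %s in cache' % want)
    return findings


if __name__ == '__main__':
    for host in ('ldap.example.com', '10.230.34.88'):
        print(host, '->', check_gssapi_prereqs(host, SAMPLE_KRB5_CONF, SAMPLE_KLIST) or 'ok')
```

Run against the constructed samples, the DNS name passes cleanly while the IP literal from the thread produces two findings: the server is given as an IP, and no ldap/10.230.34.88@EXAMPLE.COM ticket exists, which is the same mismatch Dan suspected behind the failing bind.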
