<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Richard Megginson wrote:
<blockquote cite="mid4628C67B.5020404@redhat.com" type="cite">Howard
Wilkinson wrote:
<br>
<blockquote type="cite">I am new to Fedora DS and have installed
1.0.4 onto a Fedora Core 6 (+ enhancements) build. I have built the
install using the dsbuild operation and all seems to be working. I can
authenticate to the system using the 'admin' user and the "CN=Directory
Manager" identity. I have SSL working and now want to use our Kerberos
environment to provide SSO to the server.
<br>
<br>
Our Kerberos environment is based on an AD KDC and is supporting other
application successfully. We have created the 'ldap/...' service
principal and imported it into the system keytab.
<br>
<br>
First test with ldapsearch using GSSAPI fails with permission denied
from the GSSAPI function. So I thought I would try the mapping facility
as documented in the administration manual and set up to map the
Kerberos identity to the correct search DN for the AD. As we only have
the one Domain/Forest I set up a simple map that takes any name and
maps to this DN. I then set up a referral inside the DS to point to the
AD controllers in the hope that this would activate the necessary
logic. No joy.
<br>
<br>
Looking in the code for 'saslbind.c' it looks like the code only allows
for locally registered users. If I am reading this right does this mean
my next step is to remove the referral and add a replica for the AD
into my DS using the procedure outlined in the Administration Guide
section "Windows Sync".
<br>
</blockquote>
Yes. I believe you have to have an entry associated with the principal
in Fedora DS. So yes, you will have to sync your user information from
AD to Fedora DS.
<br>
<blockquote type="cite">In doing this will I have then enabled
GSSAPI/Kerberos authentication or will I still be missing something? If
I do this will I be causing problems in the future with other parts of
the AD as I want to get referrals when the data is not held in the DS?
<br>
</blockquote>
Well, it depends. What are you using Fedora DS for? Are you just
using it as an authentication gateway to AD? If so, then you could
probably just use something like pam_winbindd and skip Fedora DS
altogether.
<br>
<blockquote type="cite">(Given that I will be syncing users (and
groups?) only). I can use OU trees for this and tie the referrals there
of course but then I will need to sync the entire CN=Users tree.
<br>
<br>
I understand that I will need to create a separate DIT (root) for the
AD data to ensure that I can sync to multiple domains in the future, is
this correct?
<br>
</blockquote>
I'm not really sure. Can you explain more about your topology and how
you want to use Fedora DS?
<br>
<blockquote type="cite"><br>
Any advice or even a description of the set of steps that will make
this dance work would be much appreciated.
<br>
-- <br>
<br>
Howard Wilkinson
<br>
<br>
<br>
<br>
Phone:
<br>
<br>
<br>
<br>
+44(20)76907075
<br>
<br>
Coherent Technology Limited
<br>
<br>
<br>
<br>
Fax:
<br>
<br>
<br>
<br>
<br>
<br>
23 Northampton Square,
<br>
<br>
<br>
<br>
Mobile:
<br>
<br>
<br>
<br>
+44(7980)639379
<br>
<br>
United Kingdom, EC1V 0HL
<br>
<br>
<br>
<br>
Email:
<br>
<br>
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:howard@cohtech.com">howard@cohtech.com</a>
<br>
<br>
<br>
<br>
------------------------------------------------------------------------
<br>
<br>
--
<br>
Fedora-directory-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>
<br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a>
<br>
</blockquote>
<pre wrap="">
<hr size="4" width="90%">
--
Fedora-directory-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a>
</pre>
</blockquote>
Richard,<br>
<br>
I am implementing the Fedora DS to provide data from other domains than
my AD. So I have other roots in the Directory Store already. I also
will be storing additional information for users in the DS to support
RADIUS and other applications. However our primary authentication store
is on Windows 2003 using the KDC. I have users who have Kerberos
tickets granted and can do GSSAPI exchanges with the AD to retrieve
LDAP results. The DS has a map which I believe should take a
Kerberos/GSSAPI identity and map it to a LDAP lookup. I have arranged
for users to be synchronised using the Windows Sync and am trying to
match on uid=<samAccountName>,OU=People,DC=example,DC=com for the
user.<br>
<br>
>From the debug logs I am not sure that the DS is doing the GSSAPI look
or executing the maps but I get permission denied response with
'ldap_sasl_interactive_bind_s: Invalid credentials (49)' as the primary
message.<br>
<br>
I am not sure where to look next unless what I need to do is to add
some acl's for the users currently I just want to get LDAPSEARCH
working with Kerberos.<br>
<br>
Howard.<br>
<br>
<br>
<div class="moz-signature">-- <br>
<title>Signature</title>
<div class="Section1">
<table class="MsoNormalTable" style="width: 100%;" border="0"
cellpadding="0" width="100%">
<tbody>
<tr style="">
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Howard Wilkinson</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Phone:</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">+44(20)76907075</p>
</td>
</tr>
<tr style="">
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Coherent Technology Limited</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Fax:</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal"> </p>
</td>
</tr>
<tr style="">
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">23 Northampton Square,</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Mobile:</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">+44(7980)639379</p>
</td>
</tr>
<tr style="">
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">United Kingdom, EC1V 0HL</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal">Email:</p>
</td>
<td style="padding: 1.5pt;" valign="top">
<p class="MsoNormal"><a name="howardcohtech.com"></a><a class="moz-txt-link-abbreviated" href="mailto:howard@cohtech.com">howard@cohtech.com</a></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"> </p>
</div>
</div>
</body>
</html>