Howard Wilkinson wrote:
Richard,
I am implementing the Fedora DS to provide data from other domains
than my AD. So I have other roots in the Directory Store already. I
also will be storing additional information for users in the DS to
support RADIUS and other applications. However, our primary
authentication store is on Windows 2003 using the KDC. I have users
who have Kerberos tickets granted and can do GSSAPI exchanges with the
AD to retrieve LDAP results. The DS has a map which I believe should
take a Kerberos/GSSAPI identity and map it to an LDAP lookup. I have
arranged for users to be synchronised using the Windows Sync and am
trying to match on uid=<samAccountName>,OU=People,DC=example,DC=com
for the user.
From the debug logs I am not sure that the DS is doing the GSSAPI
look or executing the maps, but I get a permission denied response with
'ldap_sasl_interactive_bind_s: Invalid credentials (49)' as the
primary message.
I am not sure where to look next, unless what I need to do is to add
some ACLs for the users; currently I just want to get LDAPSEARCH
working with Kerberos.

I presume you've seen
http://directory.fedoraproject.org/wiki/Howto:Kerberos and
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165
If it's still not working, then perhaps it's some sort of cross domain
trust issue.

Howard.
--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Fax:
Mobile: +44(7980)639379
Email: howard(a)cohtech.com
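
Added example, not part of the original thread and not Fedora DS code: a small Python model of how a SASL identity map turns a Kerberos principal into a search base and filter, useful for checking on paper whether a map can ever reach uid=<samAccountName>,OU=People,DC=example,DC=com. The realm AD.EXAMPLE.COM, the user jdoe, both map definitions and the regex conversion are constructed assumptions.

```python
import re

# Constructed sample maps. The three fields correspond to the Directory Server
# mapping attributes nsSaslMapRegexString, nsSaslMapBaseDNTemplate and
# nsSaslMapFilterTemplate; the values are assumptions for illustration.
REALM_DERIVED_MAP = {
    "regex": r"\(.*\)@\(.*\)\.\(.*\)",
    "base": r"dc=\2,dc=\3",
    "filter": r"(uid=\1)",
}
PEOPLE_OU_MAP = {
    "regex": r"\(.*\)@AD\.EXAMPLE\.COM",
    "base": r"OU=People,DC=example,DC=com",
    "filter": r"(uid=\1)",
}

def to_python_regex(pattern):
    """Convert \\( \\) grouping, as written in the sample maps, to Python ( )."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(nxt if nxt in "()" else "\\" + nxt)
            i += 2
        else:
            out.append("\\" + ch if ch in "()" else ch)
            i += 1
    return "".join(out)

def map_principal(principal, sasl_map):
    """Return (search_base, search_filter), or None if the map does not apply."""
    m = re.fullmatch(to_python_regex(sasl_map["regex"]), principal)
    if m is None:
        return None
    def fill(template):
        # Substitute \1, \2, ... with the groups captured from the principal.
        return re.sub(r"\\(\d)", lambda g: m.group(int(g.group(1))), template)
    return fill(sasl_map["base"]), fill(sasl_map["filter"])

if __name__ == "__main__":
    principal = "jdoe@AD.EXAMPLE.COM"  # constructed Kerberos principal
    for name, sasl_map in (("realm-derived", REALM_DERIVED_MAP),
                           ("people-ou", PEOPLE_OU_MAP)):
        print(name, map_principal(principal, sasl_map))
```

In this model the realm-derived map searches under a base DN built from the realm name, which is not where the synchronised entries live, while the second map searches OU=People,DC=example,DC=com directly.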