[Fedora-directory-users] Fedora DS, Kerberos, Active Directory - HOWTO?

Howard Wilkinson howard at cohtech.com
Fri Apr 20 09:42:44 UTC 2007


I am new to Fedora DS and have installed 1.0.4 onto a Fedora Core 6 (+ 
enhancements) build. I have built the install using the dsbuild 
operation and all seems to be working. I can authenticate to the system 
using the 'admin' user and the "CN=Directory Manager" identity. I have 
SSL working and now want to use our Kerberos environment to provide SSO 
to the server.

Our Kerberos environment is based on an AD KDC and is supporting other 
applications successfully. We have created the 'ldap/...' service 
principal and imported it into the system keytab.

First test with ldapsearch using GSSAPI fails with permission denied 
from the GSSAPI function. So I thought I would try the mapping facility 
as documented in the administration manual and set up to map the 
Kerberos identity to the correct search DN for the AD. As we only have 
the one Domain/Forest I set up a simple map that takes any name and maps 
to this DN. I then set up a referral inside the DS to point to the AD 
controllers in the hope that this would activate the necessary logic. No 
joy.

Looking in the code for 'saslbind.c' it looks like the code only allows 
for locally registered users. If I am reading this right, does this mean 
my next step is to remove the referral and add a replica for the AD into 
my DS using the procedure outlined in the Administration Guide section 
"Windows Sync"? In doing this will I have then enabled GSSAPI/Kerberos 
authentication, or will I still be missing something? If I do this, will I 
be causing problems in the future with other parts of the AD, as I want 
to get referrals when the data is not held in the DS? (Given that I will 
be syncing users (and groups?) only.) I can use OU trees for this and 
tie the referrals there of course, but then I will need to sync the 
entire CN=Users tree.

I understand that I will need to create a separate DIT (root) for the AD 
data to ensure that I can sync to multiple domains in the future, is 
this correct?

Any advice or even a description of the set of steps that will make this 
dance work would be much appreciated.
-- 

Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
United Kingdom, EC1V 0HL

Phone:  +44(20)76907075
Mobile: +44(7980)639379
Email:  howard at cohtech.com
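For reference, an added example (not from Howard's message) of the kind of catch-all SASL identity mapping entry described above, written as LDIF for Fedora DS; the realm EXAMPLE.COM, the suffix dc=example,dc=com and the map name are assumptions. The search built from the templates is run against the local directory, so the mapped entry must exist in the DS itself for the bind to succeed, which matches the reading of saslbind.c above.

```ldif
# Added example, not from the original post. Realm, suffix and cn are assumptions.
# Fedora DS matches the regex against the SASL authentication identity
# (for GSSAPI, the Kerberos principal, e.g. the constructed jdoe@EXAMPLE.COM)
# and, on a match, runs a local search using the base DN and filter templates.
dn: cn=Kerberos principals,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos principals
# Basic-regex group: \1 captures the principal name before the realm.
nsSaslMapRegexString: \(.*\)@EXAMPLE\.COM
nsSaslMapBaseDNTemplate: dc=example,dc=com
nsSaslMapFilterTemplate: (uid=\1)
```

If the search returns no local entry (or more than one), the GSSAPI bind is refused even though Kerberos itself succeeded, so a principal whose account lives only in AD still cannot bind until a matching entry is present in the DS.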