[389-users] MIT Kerberos and FDS integration
Rich Megginson
rmeggins at redhat.com
Mon Jul 20 13:31:25 UTC 2009
John Robert Mendoza wrote:
> Actually I use the
>
> #/usr/lib/mozldap/ldapsearch
>
> There is no option for the -Y.
>
> I can bind using GSSAPI by this command
>
> #/usr/lib/mozldap/ldapsearch -o "mech=GSSAPI" -b "my suffix" objectclass=*
>
That's the same as using /usr/bin/ldapsearch with -Y GSSAPI.
If you use klist, do you see your correct principal with the correct
expiration?
>
> and it outputs this error
>
> ldapsearch: started Mon Jul 20 16:33:07 2009
>
> ldap_init( localhost, 389 )
> Bind Error: Invalid credentials
> Bind Error: additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Permission denied)
>
Check the directory server access and error logs for more information.
You might need to configure the SASL mapping. In order to do a
SASL/GSSAPI BIND to the directory server, you must have a real entry in
the directory server that corresponds to your Kerberos principal. That
is, you must configure the directory server to map richm at EXAMPLE.COM
(the Kerberos principal) to uid=richm,ou=people,dc=example,dc=com (the
LDAP entry). This is done with SASL mapping.
http://directory.fedoraproject.org/wiki/Howto:Kerberos
>
> Thanks for your reply.
>
>
>
>
> John Robert Mendoza
>
> --- On *Mon, 7/20/09, Andrey Ivanov
> /<andrey.ivanov at polytechnique.fr>/* wrote:
>
>
> From: Andrey Ivanov <andrey.ivanov at polytechnique.fr>
> Subject: Re: [389-users] MIT Kerberos and FDS integration
> To: "General discussion list for the 389 Directory server
> project." <fedora-directory-users at redhat.com>
> Date: Monday, 20 July, 2009, 2:06 PM
>
> Hi,
>
>
> kinit myusername
> ldapsearch -Y GSSAPI -h ldap.example.com -b "<your suffix>" objectClass=*
> SASL/GSSAPI authentication started
> SASL username: <myusername>@KERBEROS.REALM
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <your suffix> with scope subtree
> # filter: objectClass=*
> # requesting: ALL
> #
> ...
>
>
>
> 2009/7/20 John Robert Mendoza <jrobertm8 at yahoo.com>:
> > Hi to all!
> >
> > I am currently setting up an integration with the FDS and Kerberos.
> >
> > I have successfully set up both independently and verified them to be
> > working independently.
> >
> > How do I know that I have successfully bound FDS and Kerberos?
> > How can I verify it?
> >
> > I am using Fedora 1.2.0 and Kerberos 1.6.3...
> >
> >
> > John Robert Mendoza
> > --
> > 389 users mailing list
> > 389-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
>
>
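The mapping described in the reply above, written out as a SASL mapping entry. This is an added example, not part of the original message or the project's own configuration; the entry name, the literal EXAMPLE.COM realm in the regex and the uid-based filter are assumptions chosen to match the principal and DN used in the message.

```ldif
# Added example (constructed); not taken from the thread or from 389 DS itself.
# Maps a Kerberos principal such as richm@EXAMPLE.COM to the single entry
# uid=richm,ou=people,dc=example,dc=com.
# The entry name "example-krb-map" is an arbitrary placeholder.
dn: cn=example-krb-map,cn=mapping,cn=sasl,cn=config
changetype: add
objectClass: top
objectClass: nsSaslMapping
cn: example-krb-map
# \(.*\) captures the user part of the principal as \1. The realm is written
# out literally so that principals from any other realm do not match this
# mapping and cannot be resolved to local entries through it.
nsSaslMapRegexString: \(.*\)@EXAMPLE\.COM
# Search base and filter used to locate the LDAP entry for the principal.
# The search has to resolve to exactly one entry; if it finds none or
# several, the SASL/GSSAPI bind fails.
nsSaslMapBaseDNTemplate: ou=people,dc=example,dc=com
nsSaslMapFilterTemplate: (uid=\1)
```

Load it with ldapmodify while bound as the directory administrator, then repeat the kinit and GSSAPI ldapsearch test from the thread and check the access log for the bind DN that was selected. Depending on the server version, a restart may be needed before a new mapping is used.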