[28479] in Kerberos

home help back first fref pref prev next nref lref last post

Forcing the use of kerberos by ldap clients when connecting to an

daemon@ATHENA.MIT.EDU (drjlove@gmail.com)
Mon Sep 24 11:30:11 2007

From: drjlove@gmail.com
Date: Mon, 24 Sep 2007 08:24:41 -0700
Message-ID: <1190647481.438291.282620@n39g2000hsh.googlegroups.com>
Mime-Version: 1.0
X-Complaints-To: groups-abuse@google.com
Complaints-To: groups-abuse@google.com
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello all,

I have an openldap server that successfully authenticates against a
kerberos setup:

[jamie@janeiro ~]$ ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: jamie@example.com
SASL SSF: 56
SASL installing layers
dn:uid=jamie,ou=people,dc=example,dc=com
Result: Success (0)


When I do not put -Y GSSAPI in, I get:

[jamie@janeiro ~]$ ldapwhoami
ldap_sasl_interactive_bind_s: No such object (32)

Is it possible to force the client or server to use GSSAPI for
authentication, so I don't need to write it every time. In my
slapd.conf file I have:

TLSCertificateFile /etc/openldap/cacerts/newcert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/newreq.pem
...
sasl-secprops noanonymous,noplain,noactive
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=
$1,ou=people,dc=example,dc=com

In particular this sasl-secprops is (according to the website I
pilfered that line off) in theory will force the use of GSSAPI, but in
practice it doesn't.


The reason I wish to force GSSAPI is to make a java app I need to
interoperate with use the right mechanism (i.e. GSSAPI), and hence
authenticate against kerberos via LDAP rather than authenticate
against ldap only.

Thanks for any help.
Jamie

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post