[Fedora-directory-users] SASL-GSSAPI and KRB5

David Boreham david_list at boreham.org
Mon Nov 28 03:31:41 UTC 2005


Barry R Ribbeck wrote:

> I am trying to use SASL-GSSAPI to leverage our Kerberos V 
> authentication REALM with Fedora Directory server.  When I search 
> anonymously for supported SASL mechanisms, I get the following 
> response. Seeing GSSAPI is comforting, but I am sure that is not the 
> whole story. I am running the directory on RHL E3  with SASL2.  What I 
> am looking for are some docs for the entire process.  Turbo 
> Fredriksson has some excellent docs on Open LDAP, but they don't seem 
> to map well to the Fedora Directory. Any suggestion would be greatly 
> appreciated and I would love to document the process for others.

There isn't a whole lot to document here, since the server is punting
the payload to GSSAPI, much the same as OL does. The differences are in
user identity mapping, but it would appear that you haven't got that far
yet. The initial handshake isn't completing.

> When I attempt to bind to the directory and search for the same 
> information with the command line below.
>
> ldapsearch -Y GSSAPI -X u:<valid uid>  -b "" -s base -LLL  -H 
> ldaps://FQDN supportedSASLMechanisms

Did you really mean to initiate a SASL/GSSAPI bind over SSL?
I'm not sure that will work. It might, but it may not be supported.
I know for sure that encrypted gssapi will _not_ work. It uses the
same layered I/O hooks that SSL does, and you can't have both
active at the same time (nor would you want to AFAIK).
Try the non-ssl port and see what happens.

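As an added example (not part of the thread above, and not code from the Fedora Directory Server project), the following POSIX shell script turns the reply's advice into a repeatable check: confirm a Kerberos ticket exists, ask the rootDSE anonymously which SASL mechanisms are advertised, and only then attempt the GSSAPI bind on the plain ldap:// port. The hostname ds.example.org and ports are placeholders, the rootDSE output embedded in SAMPLE_ROOTDSE is constructed so the parser can be exercised offline, and the script assumes the OpenLDAP command-line tools (ldapsearch with -Y, -H, -O and -LLL) and klist are installed.

```shell
#!/bin/sh
# Added diagnostic for SASL/GSSAPI binds against a Kerberos-backed directory.
# Assumptions: OpenLDAP client tools and MIT/Heimdal klist on PATH; host and
# port values below are placeholders, not from the original thread.

# Constructed sample of an anonymous rootDSE query result (LDIF, -LLL style),
# embedded so the parsing helper can be tested without a live server.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
'

# has_mech MECH : read LDIF on stdin and succeed if MECH is advertised.
has_mech() {
    grep -qi "^supportedSASLMechanisms: *$1\$"
}

# gssapi_search_cmd HOST PORT TLS : print the ldapsearch invocation that
# matches the advice in the reply. On plain ldap:// GSSAPI is free to
# negotiate its own integrity/confidentiality layer. On ldaps:// that layer
# has to be switched off with -O maxssf=0, because GSSAPI wrapping and SSL
# cannot both be active on the same connection.
gssapi_search_cmd() {
    host=$1; port=$2; tls=$3
    if [ "$tls" = "yes" ]; then
        printf 'ldapsearch -Y GSSAPI -O maxssf=0 -H ldaps://%s:%s -b "" -s base -LLL supportedSASLMechanisms\n' "$host" "$port"
    else
        printf 'ldapsearch -Y GSSAPI -H ldap://%s:%s -b "" -s base -LLL supportedSASLMechanisms\n' "$host" "$port"
    fi
}

# check_ticket : a GSSAPI bind needs a valid TGT in the credential cache;
# without one the SASL handshake never gets off the ground.
check_ticket() {
    klist -s 2>/dev/null
}

# run_diag HOST : the live three-step check. Not executed by default.
run_diag() {
    host=$1
    check_ticket || { echo "no Kerberos ticket in the cache; run kinit first" >&2; return 1; }
    # Step 1: anonymous simple bind (-x) to read what the server advertises.
    if ldapsearch -x -H "ldap://$host" -b "" -s base -LLL supportedSASLMechanisms | has_mech GSSAPI; then
        echo "server advertises GSSAPI; binding on the plain port as suggested"
        # Step 2: GSSAPI bind on the non-SSL port, the case the reply says to try first.
        eval "$(gssapi_search_cmd "$host" 389 no)"
    else
        echo "server does not advertise GSSAPI in its rootDSE" >&2
        return 1
    fi
}

# Only touch the network when a host is given on the command line.
if [ $# -ge 1 ]; then
    run_diag "$1"
fi
```

Run it as `sh gssapi-check.sh ds.example.org` after `kinit`. The `-X u:<uid>` authorization identity from the original command is deliberately left off here; it belongs to the identity-mapping stage the reply mentions, which only matters once the GSSAPI handshake itself succeeds.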







