- MIT Kerberos V + OpenLDAP
- Kerberos bind to OpenLDAP
- Able to issue Kerberos tickets to my users (with kinit exampleuser)
- Able to ldapsearch -x uid=exampleuser
server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms
ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

client% ldapsearch uid=exampleuser
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
        additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldap://ldap.example.com

SASL_MECH GSSAPI

kadmin: addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM
kadmin: ktadd -k ~/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM

kadmin.local: listprincs
admin@EXAMPLE.COM
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc.example.com@EXAMPLE.COM
user1@example.com (also in the LDAP, can issue a ticket and everything)
user2@example.com (same for him)
ldap/ldap.example.com@EXAMPLE.COM

# ktutil
ktutil: read_kt /etc/ldap.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM
   3    2 ldap/ldap.example.com@EXAMPLE.COM
   4    2 ldap/ldap.example.com@EXAMPLE.COM
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM
   3    2 ldap/ldap.example.com@EXAMPLE.COM
   4    2 ldap/ldap.example.com@EXAMPLE.COM
   5    2 kadmin/kdc.example.com@EXAMPLE.COM
   6    2 kadmin/kdc.example.com@EXAMPLE.COM
   7    2 kadmin/kdc.example.com@EXAMPLE.COM
   8    2 kadmin/kdc.example.com@EXAMPLE.COM

mech_list: external gssapi plain
pwcheck_method: saslauthd
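A quick cross-check, added here and not part of the paste: the rootDSE above advertises DIGEST-MD5, CRAM-MD5, NTLM, LOGIN and PLAIN but no GSSAPI, while the mech_list here only allows external, gssapi and plain. Cyrus SASL's mech_list restricts what the application offers, so if slapd offers mechanisms outside that list it is not reading this config file at all (it assumes the mech_list is meant for slapd's Cyrus SASL config; the file path is distribution dependent and not taken from the paste).

```python
# Added example, not from the paste: compare what slapd advertises in the rootDSE
# with the mech_list in its Cyrus SASL config. Offered mechanisms that mech_list
# does not allow mean slapd never loaded that config; a mechanism in mech_list
# that is not offered (here GSSAPI) is then a config-loading problem first.
import re

# Constructed sample: rootDSE as printed by
#   ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
ROOTDSE_OUTPUT = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
"""

# Constructed sample: the Cyrus SASL application config for slapd
# (e.g. /usr/lib/sasl2/slapd.conf or /etc/sasl2/slapd.conf, depending on the distribution)
SLAPD_SASL_CONF = """\
mech_list: external gssapi plain
pwcheck_method: saslauthd
"""


def advertised_mechs(ldif: str) -> set:
    """Mechanism names from the rootDSE LDIF; attribute names are case-insensitive."""
    return {m.group(1).upper()
            for m in re.finditer(r"(?im)^supportedSASLMechanisms:\s*(\S+)", ldif)}


def configured_mechs(conf: str) -> set:
    """Mechanisms allowed by mech_list; empty set when absent (every installed plugin allowed)."""
    m = re.search(r"(?im)^mech_list:\s*(.+)$", conf)
    return set(m.group(1).upper().split()) if m else set()


def check(ldif: str, conf: str) -> dict:
    offered = advertised_mechs(ldif)
    allowed = configured_mechs(conf)
    return {
        # True when every offered mechanism is permitted by mech_list (or there is no mech_list)
        "config_loaded": not allowed or offered <= allowed,
        "missing": sorted(allowed - offered),            # allowed but not offered
        "unexpected": sorted(offered - allowed) if allowed else [],  # offered but not allowed
        "cleartext_capable": sorted(offered & {"PLAIN", "LOGIN"}),   # only safe under a TLS layer
    }


if __name__ == "__main__":
    for key, value in check(ROOTDSE_OUTPUT, SLAPD_SASL_CONF).items():
        print(f"{key}: {value}")
```

When config_loaded is True and GSSAPI is still missing, the question moves to whether the server's SASL GSSAPI plugin is installed rather than to the config file.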

[Tue Feb 28 13:48 root:ldap] [~] # cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldap://ldap.example.com

SASL_MECH GSSAPI
SASL_REALM EXAMPLE.COM

SASL/GSSAPI authentication started
SASL username: user@EXAMPLE.COM
SASL SSF: 112
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=user
# requesting: ALL
#

client% ldapsearch uid=gleger
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found)