Re: ldapsearch fail after realm trust exchange from OpenLDAP to A.D on Win 2003 SP2
Comisario, Alejandro wrote:
> Hi everybody.
> I'm trying to establish a trust mechanism between openLDAP (v2.3 on Debian
> Etch Stable) and A.D ( Win.2003 SP2 ) for a referral to work.
> I'll pass some useful information to understand better the
> situation/problem.
> - OpenLDAP is working fine against heimdal via GSSAPI. My configuration is
> this (I've truncated relevant information, I think)
> doldap@root # ldapsearch -H ldap://kerberos.openldap.sc -b
> "cn=admin,dc=siscat,dc=com" -LLL
> SASL/GSSAPI authentication started
> SASL username: usuprueba@OPENLDAP.SC
> SASL SSF: 56
> SASL installing layers
> dn: cn=admin,dc=siscat,dc=com
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: admin
> description: LDAP administrator
> userPassword:: XXXXXXXXXXXXXXXXX
> The information/error I get is this one.
> (I think it's important to say that I've fixed the issue of encryption not
> supported)
>
> SASL/GSSAPI authentication started
> SASL username: usuprueba@OPENLDAP.SC
> SASL SSF: 56
> SASL installing layers
> Operations error (1)
> Additional information: 00000000: LdapErr: DSID-0C090627, comment: In order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
OpenLDAP's command line tools only do referral chasing anonymously. AD requires
an LDAP Bind operation to be performed for this particular request to succeed.
You'll have to write some code for your own Rebind function to make this work.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/