Making OpenLDAP+Kerberos Single Sign On work?
Posted by bmontgom on Sat 22 Oct 2005 at 17:32
Has anyone been able to implement a single sign on using the OpenLDAP and Kerberos packages from Debian? I've been able to get OpenLDAP and Kerberos to work independently, but I can't get them to work together.
I've been using the instructions at www.bayour.com, but they seem a little out of date.
The instructions on the Debian wiki are incomplete. Has anyone been able to get this to work?
I've got LDAP/Kerberos working on a single machine, so what I have may not work in a larger situation, but I'd be happy to give you any pointers.
neo:~# ldapsearch -Y gssapi
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)
I can't figure out what is causing this error. I do have _kerberos records in my DNS, but that doesn't seem to help.
"Cannot determine realm" makes it sound like you might have a broken /etc/krb5.conf on your client, or a poorly specified default LDAP HOST or SASL_REALM. Can you give more details about your setup? The relevant details might include:
- the contents of /etc/krb5.conf on the client (neo?) and the ldap/krb5 server
- the contents of /etc/ldap/ldap.conf on neo
Then, make sure that name maps to a realm.
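As an added illustration of what dkg's questions and the "make sure that name maps to a realm" follow-up are getting at (this is not code from the thread), a small Python checker that reads a client's ldap.conf and krb5.conf and applies the same host-to-realm step a GSSAPI bind depends on: the host from URI/HOST must be a name that a [domain_realm] entry covers, and a bare IP address can never be mapped, which is exactly the "numeric host address" error shown above. The file contents are constructed samples.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample configs (not from the thread): a client ldap.conf that
# points at a bare IP versus one that names the server's FQDN, and a krb5.conf
# whose [domain_realm] maps the example domain to its realm.
LDAP_CONF_BAD = "BASE dc=example,dc=com\nURI ldap://192.168.1.10\n"
LDAP_CONF_GOOD = "BASE dc=example,dc=com\nURI ldap://neo.example.com\n"
KRB5_CONF = """[domain_realm]
    .example.com = EXAMPLE.COM
"""

def ldap_host(conf):
    """Host ldapsearch contacts when no -H/-h is given (first URI or HOST)."""
    for line in conf.splitlines():
        m = re.match(r"\s*(URI|HOST)\s+(\S+)", line, re.I)
        if m:
            return urlsplit(m.group(2)).hostname if m.group(1).upper() == "URI" else m.group(2)
    return "localhost"

def domain_realm(conf):
    """Parse the [domain_realm] section of a krb5.conf into a dict."""
    mapping, section = {}, None
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "domain_realm" and "=" in line:
            key, val = (x.strip() for x in line.split("=", 1))
            mapping[key.lower()] = val
    return mapping

def realm_for_host(host, mapping):
    """Approximate how libkrb5 picks the realm for ldap/<host>@REALM: a
    numeric address is rejected outright (the error in the thread), then an
    exact [domain_realm] entry, then parent domains with a leading dot."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an address, so it is a hostname we can try to map
    else:
        raise ValueError("Cannot determine realm for numeric host address")
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ("" if i == 0 else ".") + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    raise ValueError("no [domain_realm] entry covers %s" % host)
```

Real libkrb5 may additionally consult DNS or fall back to guessing a realm from the domain name; this checker insists on an explicit mapping so that the failure is visible before the bind is attempted.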
I got kinit working nicely without reverse dns, but then it died later on.
I see that you have successfully completed a project like that. Can you help me by sending me some information on HOW TO install and configure this stuff...?
Thank you
Renato Malvino
rmalvino@gmail.com