Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 2.0.0-M24
Fix Version/s: None
Component/s: None
Environment:
Linux Centos 7 x64
ApacheDS 2.0.0-M4
openJDK
krb5-workstation
openldap-clients
Important
Description
Hi,
I successfully installed ApacheDS, was able to start it, configure the service and set up Kerberos authentication.
It works without problem from ApacheDS Studio, I can login with GSSAPI, but can't say the same from the local LDAP tools (openldap-clients).
I can't get a TGT from Kerberos with kinit, I've exported the LDAP service principal using ktutil and saved it as /etc/krb5.keytab, configured krb5.conf, configured ldap.conf.
Hostnames are configured statically through /etc/hosts, actually only one host as the server is also the client (LAN_IP example.com; ldap/example.com@EXAMPLE.COM got exported with ktutil).
[root@example ~]# cat /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
rdns = false
[realms]
EXAMPLE.COM =
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
------------------------------------------------------------------------
[root@example ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 ldap/EXAMPLE.COM@EXAMPLE.COM
[root@example ~]#
--------------------------------------------------------------------------------
[root@example ~]# kinit hnelson
Password for hnelson@EXAMPLE.COM:
[root@example ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hnelson@EXAMPLE.COM
Valid starting Expires Service principal
07/31/2017 20:54:48 08/01/2017 20:54:38 krbtgt/EXAMPLE.COM@EXAMPLE.COM
[root@example ~]#
[root@example ~]# ldapsearch -Y GSSAPI -H ldap://example.com:10389 -b "dc=example,dc=com" "(uid=hnelson)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Message stream modified)
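The `klist -k` output quoted above lists `ldap/EXAMPLE.COM@EXAMPLE.COM`, while the text says `ldap/example.com@EXAMPLE.COM` was exported. A GSSAPI bind to `ldap://HOST` requests a ticket for `ldap/HOST@REALM` (after whatever hostname canonicalization krb5.conf allows), and Kerberos principal names are case-sensitive, so comparing the keytab against the principal the client will ask for is one of the first checks to run on a report like this. The script below is an added example for this page, not code from the report or from ApacheDS; the `klist -k` sample it embeds is constructed to mirror the output above, and the host and realm values passed to it are assumptions.

```shell
#!/bin/sh
# Added example for this issue page, not code from the report or from ApacheDS.
# A GSSAPI bind to ldap://HOST asks the KDC for a ticket to ldap/HOST@REALM, and
# the server must hold exactly that principal's key in its keytab. Principal
# names are case-sensitive: ldap/EXAMPLE.COM and ldap/example.com are different keys.

# Principal the client will request for a given host and realm.
expected_ldap_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Read `klist -k` output on stdin and print only the principal column:
# entry lines start with a numeric KVNO, the header and dash lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# Exit 0 if the listing on stdin contains PRINCIPAL spelled exactly.
keytab_has_principal() {
    keytab_principals | grep -qxF -- "$1"
}

# Exit 0 if the listing contains PRINCIPAL ignoring case (a capitalization slip).
keytab_has_principal_nocase() {
    keytab_principals | grep -qixF -- "$1"
}

# Compare a keytab listing against the expected principal and print a diagnosis.
# Exit status: 0 exact match, 1 differs only in letter case, 2 no entry for the host.
check_keytab_principal() {
    listing=$1
    host=$2
    realm=$3
    want=$(expected_ldap_principal "$host" "$realm")
    if printf '%s\n' "$listing" | keytab_has_principal "$want"; then
        echo "OK: keytab contains $want"
        return 0
    elif printf '%s\n' "$listing" | keytab_has_principal_nocase "$want"; then
        echo "MISMATCH: keytab entry differs from $want only in letter case"
        return 1
    else
        echo "MISSING: keytab has no entry for $want"
        return 2
    fi
}

# Constructed sample mirroring the klist -k output quoted in the report.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ldap/EXAMPLE.COM@EXAMPLE.COM'

# Demo against the constructed sample; host and realm here are assumed values.
# On a live host: check_keytab_principal "$(klist -k)" "$(hostname -f)" EXAMPLE.COM
check_keytab_principal "$SAMPLE_LISTING" example.com EXAMPLE.COM || :
```

Run against the constructed sample the script reports a case-only mismatch; on a real host, feed it the live `klist -k` output and the FQDN the client actually puts in the LDAP URL, and treat anything other than `OK` as the first thing to fix before looking deeper into the SASL layer.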