Hi to all!
I am currently setting up an integration with the FDS and Kerberos.
I have successfully setup both independently and verified them to be working
independently.
How do I know that I have successfully bound FDS and Kerberos?
How can I verify it?
I am using Fedora 1.2.0 and Kerberos 1.6.3...
John Robert Mendoza
Hi,

kinit myusername
ldapsearch -Y GSSAPI -h ldap.example.com -b "<your suffix>" objectClass=*
SASL/GSSAPI authentication started
SASL username: <myusername>@KERBEROS.REALM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <your suffix> with scope subtree
# filter: objectClass=*
# requesting: ALL
#
...

2009/7/20 John Robert Mendoza <jrobertm8@yahoo.com>:
> How do I know that I have successfully bound FDS and Kerberos?
> How can I verify it?
John Robert Mendoza
2009-Jul-20 08:33 UTC
Re: [389-users] MIT Kerberos and FDS integration
Actually I use

#/usr/lib/mozldap/ldapsearch

There is no option for the -Y.

I can bind using GSSAPI by this command

#/usr/lib/mozldap/ldapsearch -o "mech=GSSAPI" -b "my suffix" objectclass=*

and it outputs this error

ldapsearch: started Mon Jul 20 16:33:07 2009

ldap_init( localhost, 389 )
Bind Error: Invalid credentials
Bind Error: additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)

Thanks for your reply.

John Robert Mendoza

--- On Mon, 7/20/09, Andrey Ivanov <andrey.ivanov@polytechnique.fr> wrote:

From: Andrey Ivanov <andrey.ivanov@polytechnique.fr>
Subject: Re: [389-users] MIT Kerberos and FDS integration
To: "General discussion list for the 389 Directory server project." <fedora-directory-users@redhat.com>
Date: Monday, 20 July, 2009, 2:06 PM

> kinit myusername
> ldapsearch -Y GSSAPI -h ldap.example.com -b "<your suffix>" objectClass=*
> ...
John Robert Mendoza wrote:
> Actually I use
>
> #/usr/lib/mozldap/ldapsearch
>
> There is no option for the -Y.
>
> I can bind using GSSAPI by this command
>
> #/usr/lib/mozldap/ldapsearch -o "mech=GSSAPI" -b "my suffix" objectclass=*

That's the same as using /usr/bin/ldapsearch with -Y GSSAPI

If you use klist, do you see your correct principal with the correct expiration?

> and it outputs this error
>
> ldapsearch: started Mon Jul 20 16:33:07 2009
>
> ldap_init( localhost, 389 )
> Bind Error: Invalid credentials
> Bind Error: additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Permission denied)

Check the directory server access and error logs for more information.

You might need to configure the SASL mapping. In order to do a SASL/GSSAPI BIND to the directory server, you must have a real entry in the directory server that corresponds to your Kerberos principal. That is, you must configure the directory server to map richm@EXAMPLE.COM (the Kerberos principal) to uid=richm,ou=people,dc=example,dc=com (the LDAP entry). This is done with SASL mapping.

http://directory.fedoraproject.org/wiki/Howto:Kerberos
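The SASL mapping the reply above describes, as an added example (editor's code, not from the thread or the 389 project): the first function emits the nsSaslMapping entry that maps richm@EXAMPLE.COM to uid=richm under ou=people,dc=example,dc=com, using the attribute names documented on the linked Howto page; the second function simulates the server's regex-and-template substitution with sed (389's nsSaslMapRegexString uses basic-regex groups, \( \), the same syntax sed uses) so you can check which principals would map before loading the entry. Assumed names: realm EXAMPLE.COM, mapping name kerberos-uid. Whether the server anchors the match to the whole principal is an assumption of this simulation; the negative cases below show why the regex should name the realm and restrict the captured characters.

```shell
#!/bin/sh
# Added example: build and test a 389 DS SASL mapping (Kerberos principal -> LDAP entry).
# Assumptions: realm EXAMPLE.COM, users under ou=people,dc=example,dc=com, name kerberos-uid.

# Emit the LDIF for a mapping entry under cn=mapping,cn=sasl,cn=config.
# Usage: sasl_map_ldif REALM BASEDN NAME
sasl_map_ldif() {
    realm=$1; basedn=$2; name=$3
    # Escape the dots in the realm so EXAMPLE.COM does not also match EXAMPLEXCOM.
    realm_re=$(printf '%s' "$realm" | sed 's/\./\\./g')
    cat <<EOF
dn: cn=$name,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: $name
nsSaslMapRegexString: \\(.*\\)@$realm_re
nsSaslMapBaseDNTemplate: $basedn
nsSaslMapFilterTemplate: (uid=\\1)
EOF
}

# Simulate the mapping for one principal: apply the regex, and if it matches,
# substitute the captured groups into the filter template. Prints the search
# filter the server would use, or nothing when the principal does not map.
# Assumption: the match is anchored to the whole principal (^...$).
# Usage: sasl_map_filter PRINCIPAL REGEX FILTER_TEMPLATE
sasl_map_filter() {
    principal=$1; regex=$2; template=$3
    printf '%s\n' "$principal" | sed -n "s/^$regex\$/$template/p"
}

# Load the entry (OpenLDAP client tools; Directory Manager password prompted):
#   sasl_map_ldif EXAMPLE.COM "ou=people,dc=example,dc=com" kerberos-uid > sasl-map.ldif
#   ldapadd -x -H ldap://localhost -D "cn=Directory Manager" -W -f sasl-map.ldif
# Then repeat the GSSAPI ldapsearch from the thread and watch the access log for
# the mapped bind DN.
```

Two of the negative cases matter for security. A regex such as \(.*\)@.* maps alice@OTHER.COM to uid=alice, so with a cross-realm trust a foreign KDC could choose which of your entries its principals land on; naming the realm in the regex closes that. And because the substitution is textual, a principal named *@EXAMPLE.COM would turn the template into (uid=*); restricting the group to \([a-z0-9._-]*\) keeps filter metacharacters out of the search.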
John Robert Mendoza wrote:
> I can bind using GSSAPI by this command
>
> #/usr/lib/mozldap/ldapsearch -o "mech=GSSAPI" -b "my suffix" objectclass=*
>
> and it outputs this error
>
> ldapsearch: started Mon Jul 20 16:33:07 2009
>
> ldap_init( localhost, 389 )
> Bind Error: Invalid credentials
> Bind Error: additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Permission denied)

Check the permission and ownership of the DS keytab.

rob
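The check behind "permission and ownership of the DS keytab", as an added example (editor's code, not from the thread): a (Permission denied) minor code on the server side usually means the directory server process cannot open the keytab that KRB5_KTNAME points at. The keytab path and the user the server runs as are parameters here; on installs of this era they are typically /etc/dirsrv/ds.keytab (set in /etc/sysconfig/dirsrv) and nobody, but check your own service configuration. The function uses GNU stat, so it is Linux-specific.

```shell
#!/bin/sh
# Added example: verify the directory server keytab is owned by the server user
# and readable by nobody else, then prove the key works against the KDC.
# Assumptions: KEYTAB path and OWNER are supplied by the caller.

# Return 0 when the keytab exists, is owned by OWNER and has no group/other
# permission bits (0600 or stricter). Otherwise print the reason and return 1.
# Usage: check_keytab KEYTAB OWNER
check_keytab() {
    keytab=$1; owner=$2
    if [ ! -f "$keytab" ]; then
        echo "no keytab at $keytab"
        return 1
    fi
    actual_owner=$(stat -c '%U' "$keytab")   # GNU stat
    mode=$(stat -c '%a' "$keytab")           # e.g. 600, 644, 4600
    if [ "$actual_owner" != "$owner" ]; then
        echo "keytab owned by $actual_owner, expected $owner"
        return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    # Making the keytab world-readable also "fixes" the bind error, but hands the
    # LDAP service key to every local user.
    case "$mode" in
        *00) ;;
        *)  echo "keytab mode $mode is readable by group or other"
            return 1 ;;
    esac
    return 0
}

# Apply the right fix (needs root): give the file to the server user, not to the world.
# Usage: fix_keytab_perms KEYTAB OWNER
fix_keytab_perms() {
    chown "$2" "$1" && chmod 0600 "$1"
}

# Follow-up checks once check_keytab passes (run as root; output not parsed here):
#   klist -kt /etc/dirsrv/ds.keytab
#       lists the principals in the file; expect ldap/ldap.example.com@EXAMPLE.COM
#   kinit -kt /etc/dirsrv/ds.keytab ldap/ldap.example.com@EXAMPLE.COM
#       obtains a TGT with that key, which proves the keytab matches the KDC's copy
#   kdestroy
```

If klist shows the right principal but kinit with the keytab fails, the key version number in the file no longer matches the KDC (a later ktadd rotated it) and the keytab must be re-exported rather than re-permissioned.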
John Robert Mendoza
2009-Jul-21 01:28 UTC
Re: [389-users] MIT Kerberos and FDS integration
Thanks for the reply Rob.

I did manage to solve the error by changing the permissions on the ds.keytab file.

I can finally do ldapsearch with GSSAPI. BTW, I was just wondering, would there be any way I can make LDAP the database for the Kerberos principals?

Isn't it that when I get a ticket from Kerberos it is supposed to look into LDAP for its principals?

Thanks,

John Robert Mendoza

--- On Mon, 7/20/09, Rob Crittenden <rcritten@redhat.com> wrote:

From: Rob Crittenden <rcritten@redhat.com>
Subject: Re: [389-users] MIT Kerberos and FDS integration
To: "General discussion list for the 389 Directory server project." <fedora-directory-users@redhat.com>
Date: Monday, 20 July, 2009, 9:38 PM

> Check the permission and ownership of the DS keytab.
>
> rob
John Robert Mendoza wrote:
> Thanks for the reply Rob.
>
> I did manage to solve the error by changing the permissions on the
> ds.keytab file.
>
> I can finally do ldapsearch with GSSAPI. BTW, I was just wondering,
> would there be any way I can make LDAP the database for the Kerberos
> principals?
>
> Isn't it that when I get a ticket from Kerberos it is supposed to look into
> LDAP for its principals?

Yes, MIT Kerberos has an LDAP backend that you can use.

You might want to look into the IPA project at http://www.freeipa.org/ This is exactly what it does (among other things). It might give you some pointers how to configure things at a minimum.

rob
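The MIT LDAP backend Rob refers to (the kldap database module, present since MIT 1.6), as an added example (editor's code, not from the thread, the 389 project or MIT): the function writes the [realms] and [dbmodules] stanzas of kdc.conf that point a realm at an LDAP principal container, and the comments give the kdb5_ldap_util and kadmin.local commands that create the container and attach principals to existing entries. Assumed names: realm EXAMPLE.COM, suffix dc=example,dc=com, two service identities cn=kdc-service and cn=kadmin-service under the suffix (they must exist as entries and be granted access to the container by ACI), and ldap.example.com with TLS. The directory also needs the Kerberos schema loaded (389 ships it as 60kerberos.ldif). Note that with this backend an ordinary LDAP entry is not a principal until kadmin adds the krbPrincipal attributes and keys to it; that is what addprinc -x dn=... does.

```shell
#!/bin/sh
# Added example: kdc.conf stanzas for an MIT KDC whose principal database lives in LDAP.
# Assumptions: realm, suffix and LDAP URI are supplied by the caller; service DNs
# cn=kdc-service and cn=kadmin-service exist under the suffix.

# Accept only transports that do not expose principal keys on the wire:
# ldapi:// (local socket), ldaps://, or cleartext ldap:// to the loopback only.
# Usage: ldap_uri_ok URI
ldap_uri_ok() {
    case "$1" in
        ldapi://*|ldaps://*) return 0 ;;
        ldap://localhost*|ldap://127.0.0.1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the [realms]/[dbmodules] stanzas for a kldap-backed realm to DEST.
# Refuses an LDAP URI that would carry the key material in the clear.
# Usage: write_kdc_ldap_conf REALM SUFFIX LDAPURI DEST
write_kdc_ldap_conf() {
    realm=$1; suffix=$2; ldapuri=$3; dest=$4
    if ! ldap_uri_ok "$ldapuri"; then
        echo "refusing cleartext LDAP to a remote host: $ldapuri" >&2
        return 1
    fi
    cat > "$dest" <<EOF
[realms]
    $realm = {
        database_module = ldapconf
    }

[dbmodules]
    ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,$suffix
        # The KDC and kadmind bind as these two identities. Their passwords are
        # stashed with "kdb5_ldap_util stashsrvpw", not written into this file.
        ldap_kdc_dn = cn=kdc-service,$suffix
        ldap_kadmind_dn = cn=kadmin-service,$suffix
        ldap_service_password_file = /var/kerberos/krb5kdc/service.keyfile
        # Every principal's keys travel over this connection.
        ldap_servers = $ldapuri
        ldap_conns_per_server = 5
    }
EOF
}

# Procedure (run as root on the KDC; these are real MIT tools, names are the assumed ones):
#   write_kdc_ldap_conf EXAMPLE.COM dc=example,dc=com ldaps://ldap.example.com \
#       /var/kerberos/krb5kdc/kdc.conf
#   kdb5_ldap_util -D "cn=Directory Manager" -H ldaps://ldap.example.com \
#       create -subtrees ou=people,dc=example,dc=com -r EXAMPLE.COM -s
#   kdb5_ldap_util -D "cn=Directory Manager" -H ldaps://ldap.example.com \
#       stashsrvpw -f /var/kerberos/krb5kdc/service.keyfile cn=kdc-service,dc=example,dc=com
#   kdb5_ldap_util -D "cn=Directory Manager" -H ldaps://ldap.example.com \
#       stashsrvpw -f /var/kerberos/krb5kdc/service.keyfile cn=kadmin-service,dc=example,dc=com
#   kadmin.local -q "addprinc -x dn=uid=alice,ou=people,dc=example,dc=com alice"
#       turns the existing LDAP entry into the principal alice@EXAMPLE.COM
#   chmod 0600 /var/kerberos/krb5kdc/service.keyfile
```

The -subtrees argument tells the KDC where to look for entries that may carry principals, which is what lets an existing uid=alice entry and the Kerberos principal be one object; service.keyfile holds the bind passwords of the two service identities and deserves the same protection as the keytab discussed earlier.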
John Robert Mendoza
2009-Jul-21 02:40 UTC
Re: [389-users] MIT Kerberos and FDS integration
Thanks Rob.

I have looked into the FreeIPA project, and somehow I just want to set up Kerberos 1.6 with its principal database in FDS 1.2.0.

Isn't it that when I add an entry to the FDS and try to kinit with the name of the entry I just added, Kerberos is supposed to give me a ticket?

John Robert Mendoza

--- On Tue, 7/21/09, Rob Crittenden <rcritten@redhat.com> wrote:

From: Rob Crittenden <rcritten@redhat.com>
Subject: Re: [389-users] MIT Kerberos and FDS integration
To: "General discussion list for the 389 Directory server project." <fedora-directory-users@redhat.com>
Date: Tuesday, 21 July, 2009, 10:33 AM

> Yes, MIT Kerberos has an LDAP backend that you can use.
>
> You might want to look into the IPA project at http://www.freeipa.org/ This is
> exactly what it does (among other things). It might give you some pointers how
> to configure things at a minimum.
>
> rob