LDAP and MS Active Directory

LDAP and MS Active Directory

Post by Eric P. McC » Sat, 06 Oct 2001 04:23:43



Hi.  I'm trying to get Linux working with a Windows 2000 Server; in
particular, I'm trying to get it working with Active Directory.

I _basically_ have it working right now.  I've set up Heimdal Kerberos
5 so that I can use kinit to get a TGT from the Win2K KDC.  I've set
up the OpenLDAP tools so they know to look at the 2K machine.  I can
do, e.g., `ldapsearch -x' and get (correct) information.

The problem I'm having now is that I can't authenticate to AD, and as
a result it won't feed me complete information.  I can change the ACLs
on the 2K box so that "everyone" has access and then everything works
as I want.  But that obviously isn't a satisfactory long-term
solution.

So basically what I need is a step-by-step, cookbook-style explanation
of how the hell to get Kerberos working with the OpenLDAP tools.
There is a Kerberos option listed in the man page, but that's only
Kerberos v4 (Win2K requires v5).  There is a whole bunch of
gobbledygook about SASL which makes no sense to me, but whenever I try
to use it, it says:

  SASL/GSSAPI authentication started
  ldap_sasl_interactive_bind_s: Local error

The appropriate plugins for SASL are installed (i.e., the Heimdal
Kerberos one).  But I can't get the sample-server and -client programs
to work, either:

  Choosing best mechanism from: GSSAPI
  sample-client: Starting SASL negotiation: generic failure

Note that these are quite possibly the two worst error messages I have
ever seen.

I'm beginning to suspect that part of my problem here is that I have
no idea what SASL actually is.

I just want to use Kerberos to authenticate to an LDAP server.
Kerberos works on its own; LDAP works on its own; but they don't work
together.  Is there anything else I can try?  FWIW, I'm running
Debian; it's possible that I need some support that's not compiled
in.  (But I have no idea what support I would need, so please tell
me.)

--

"I woke up this morning and realized what the game needed: pirates,
pimps, and gay furries."  - Rich "Lowtax" Kyanka
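The sequence the post describes (kinit for a TGT, then a SASL/GSSAPI bind with the OpenLDAP tools), as an added diagnostic script that is not part of the thread: it checks the ticket cache for the TGT and for the ldap/<dc-fqdn> service ticket that GSSAPI has to obtain before the bind can succeed, and classifies the error ldapsearch returns. dc1.example.com, EXAMPLE.COM and the sample klist output are placeholders constructed for this example.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). DC_FQDN and REALM are
# placeholders; klist and ldapsearch are the Heimdal/OpenLDAP tools in use.
DC_FQDN="${DC_FQDN:-dc1.example.com}"   # must be the DC's real FQDN, not an IP
REALM="${REALM:-EXAMPLE.COM}"            # AD realm, upper-case

# Constructed sample of klist output (a TGT only, no service ticket yet).
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: eric@EXAMPLE.COM

  Issued           Expires          Principal
Oct  6 04:00:00  Oct  6 14:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# has_tgt KLIST_OUTPUT REALM: 0 if the cache holds a TGT for REALM.
has_tgt() { printf '%s\n' "$1" | grep -Fq "krbtgt/$2@$2"; }

# has_ldap_ticket KLIST_OUTPUT DC_FQDN REALM: 0 if the service ticket GSSAPI
# needs for the bind, ldap/<dc-fqdn>@REALM, is already in the cache.
has_ldap_ticket() { printf '%s\n' "$1" | grep -Fq "ldap/$2@$3"; }

# classify_bind_error LDAPSEARCH_STDERR: one token naming the failure class.
# "Local error" means the SASL/GSSAPI layer on the client failed rather than
# the DC rejecting the bind: no usable TGT, no service ticket obtainable
# because the host name given does not match the DC's SPN, clock skew, etc.
classify_bind_error() {
    case "$1" in
        *"Local error"*)               echo local-gssapi ;;
        *"Invalid credentials"*)       echo rejected-by-server ;;
        *"Can't contact LDAP server"*) echo unreachable ;;
        *)                             echo unknown ;;
    esac
}

# gssapi_check: run the live sequence against the DC and report the stage
# at which a GSSAPI bind fails.
gssapi_check() {
    cache=$(klist 2>/dev/null) || { echo "no ticket cache; run: kinit user@$REALM"; return 1; }
    has_tgt "$cache" "$REALM" || { echo "no TGT for $REALM; run kinit again"; return 1; }
    err=$(ldapsearch -Y GSSAPI -H "ldap://$DC_FQDN" -b "" -s base 2>&1 >/dev/null) && {
        echo "GSSAPI bind to $DC_FQDN succeeded"; return 0; }
    echo "bind failed: $(classify_bind_error "$err")"
    # If no ldap/ ticket appeared, the TGS request itself failed: check that
    # $DC_FQDN resolves (forward and reverse) to the DC's registered name.
    has_ldap_ticket "$(klist 2>/dev/null)" "$DC_FQDN" "$REALM" \
        || echo "no service ticket for ldap/$DC_FQDN@$REALM was obtained"
    return 1
}

case "${1:-}" in run) gssapi_check ;; esac
```

Run it as `sh gssapi_check.sh run` on the Linux client after kinit; the helper functions can also be sourced and used on saved klist output.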


LDAP and MS Active Directory

Post by David Macka » Sat, 06 Oct 2001 10:59:43



> Hi.  I'm trying to get Linux working with a Windows 2000 Server; in
> particular, I'm trying to get it working with Active Directory.

> I _basically_ have it working right now.  I've set up Heimdal Kerberos
> 5 so that I can use kinit to get a TGT from the Win2K KDC.  I've set
> up the OpenLDAP tools so they know to look at the 2K machine.  I can
> do, e.g., `ldapsearch -x' and get (correct) information.

> The problem I'm having now is that I can't authenticate to AD, and as
> a result it won't feed me complete information.  I can change the ACLs
> on the 2K box so that "everyone" has access and then everything works
> as I want.  But that obviously isn't a satisfactory long-term
> solution.

I'm afraid that you're experiencing the Microsoft approach to standards.
They're not REALLY supposed to allow interoperation with other
systems.  Take a look at
http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#ntbroken

Dave


LDAP and MS Active Directory

Post by Eric P. McC » Sat, 06 Oct 2001 12:04:23



> > Hi.  I'm trying to get Linux working with a Windows 2000 Server; in
> > particular, I'm trying to get it working with Active Directory.

[...]

> I'm afraid that you're experiencing the Microsoft approach to standards.
> They're not REALLY supposed to allow interoperation with other
> systems.  Take a look at
> http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#ntbroken

I suppose I was unwise for using the word "Windows" in a Linux
newsgroup.

Windows 2000 LDAP and Kerberos _are_ interoperable, in at least a
basic sense, with Unix clients.  It's demonstrably true; I have both
working at my local setup.  My only problem is getting LDAP and
Kerberos to work at the same time.  The link you provide doesn't have
any information on that; it deals exclusively with Kerberos.

The link to which you pointed me referenced an article from 1997,
several years before 2K was released.  Perhaps it uses incomplete or
outdated information; perhaps not.

Sorry if I seem angry here (I'm not).  But in searching for an answer
to this problem, I had to wade through probably 1000 posts of useless
garbage from comp.os.linux.advocacy.  So I'm not very patient with
articles that seem to be turning the thread in a similar direction.

--

"I woke up this morning and realized what the game needed: pirates,
pimps, and gay furries."  - Rich "Lowtax" Kyanka