> -----Original Message-----
> Rich Megginson wrote:
>
> In general, and by default, you use the kinit command to get your TGT - /usr/bin/kinit or /usr/kerberos/bin/kinit - some operating systems have a GUI for this, but the command line works like this:
>
>   kinit [EMAIL PROTECTED]
>   e.g. kinit [EMAIL PROTECTED]
>
> kinit will prompt you for your kerberos password, acquire the TGT, and cache it. This of course assumes your kerberos configuration is set up correctly (e.g. /etc/krb5.conf) - by default, this will create a credentials cache (cc or ccache) under /tmp like this: /tmp/krb5cc_UID where UID is your numeric user id.
>
> Use the klist command to see the status of your TGT.
>
> When you use something like ldapsearch -Y GSSAPI, the kerberos implementation will see if you have a cc, and by default it will look in /tmp/krb5cc_UID to get them, and use them to authenticate. After you successfully authenticate, you can use klist to see your ldap ticket (which will also be cached in the same ccache). The ldap service principal will usually be named ldap/[EMAIL PROTECTED]
>
> You can specify a different krb5.conf to use with the env. var. KRB5_CONFIG e.g.
>
>   KRB5_CONFIG=/tmp/mykrb5.conf kinit ....
>
> You can specify a different ccache to use with KRB5CCNAME e.g.
>
>   KRB5CCNAME=/tmp/myccache kinit ....
>   KRB5CCNAME=/tmp/myccache ldapsearch -Y GSSAPI ....
Thank you for the detailed explanation, Rich.

From your description, it sounds like an LDAP client such as ldapsearch can pick up the Kerberos TGT automatically, right? If the answer is yes, then I would not have to worry about how to fetch the ticket from Kerberos authentication.

Another question is, to get a ticket to be used later by LDAP client, must the kinit command run with "-f" option? It is a flag to request a "forwardable" ticket. I am not sure whether this will make a difference or is necessary.

> I'm not sure what you mean by "I can't find a working Kerberos utility that works for Linux" - every modern linux distribution has all of the pieces you need - kerberos, gssapi, sasl. The mozldap provided by RHEL and Fedora have all of these - they should just work.
>
> What version of RedHat Linux are you using?

Here is my finding of kinit and OS version:

==============================================
[EMAIL PROTECTED](pts/17):/[8]> whereis kinit
kinit:
[EMAIL PROTECTED](pts/17):/[9]> which kinit
kinit: Command not found.
[EMAIL PROTECTED](pts/17):/[10]> uname -a
Linux gso-linuxcom-01 2.4.21-52.ELsmp #1 SMP Tue Sep 25 15:13:04 EDT 2007 i686 i686 i386 GNU/Linux
==============================================

It seems kinit does exist. On the other hand, ldapsearch is available:

==============================================
[EMAIL PROTECTED](pts/17):/[11]> whereis ldapsearch
ldapsearch: /usr/bin/ldapsearch /usr/share/man/man1/ldapsearch.1.gz
[EMAIL PROTECTED](pts/17):/[12]> which ldapsearch
/usr/bin/ldapsearch
==============================================

So I am stuck here.

Thanks,
Xu Qiang

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
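An added example, not from the thread or from either poster: a small POSIX sh script that does what Rich describes (resolve the ccache via KRB5CCNAME or the /tmp/krb5cc_UID default, kinit, klist, then ldapsearch -Y GSSAPI) and runs the "is kinit even on PATH" check that Xu Qiang's session failed. It assumes OpenLDAP-style ldapsearch flags (-H URI, -b BASE); mozldap's ldapsearch uses -h HOST instead. The -f (forwardable) flag is only needed when the LDAP server must use your credentials onward; a plain GSSAPI bind does not request delegation, so the example omits it.

```shell
#!/bin/sh
# Added example (not from the thread): kinit -> klist -> ldapsearch -Y GSSAPI,
# with the ccache resolved the way the thread describes.

# Print the ccache path kinit/ldapsearch will use: KRB5CCNAME if set (an
# optional "FILE:" prefix stripped), otherwise the default /tmp/krb5cc_<uid>.
krb5_ccache_path() {
    if [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "${KRB5CCNAME#FILE:}"
    else
        printf '/tmp/krb5cc_%s\n' "$(id -u)"
    fi
}

# Report which of the tools the thread relies on are on PATH; returns 1 if any
# is missing (the check behind the "kinit: Command not found." above).
krb5_tools_present() {
    missing=0
    for tool in kinit klist ldapsearch; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "found:   $tool -> $(command -v "$tool")"
        else
            echo "missing: $tool"
            missing=1
        fi
    done
    return $missing
}

# Full flow. Usage: ldap_gssapi_search PRINCIPAL LDAP_URI BASE_DN
# PRINCIPAL is user@REALM; LDAP_URI is e.g. ldap://ldap.example.com
# (constructed placeholder). No -f: a plain GSSAPI bind needs no
# forwardable ticket, only delegation to the server would.
ldap_gssapi_search() {
    principal=$1; uri=$2; base=$3
    KRB5CCNAME="FILE:$(krb5_ccache_path)"; export KRB5CCNAME
    echo "using ccache $KRB5CCNAME"
    krb5_tools_present || return 1
    kinit "$principal" || return 1   # prompts for the Kerberos password, caches the TGT
    klist                            # shows krbtgt/REALM@REALM in the ccache
    ldapsearch -Y GSSAPI -H "$uri" -b "$base" -s base '(objectClass=*)' || return 1
    klist                            # now also shows the ldap/host@REALM service ticket
}
```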
