Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
Rich Megginson wrote:

In general, and by default, you use the kinit command to get
your TGT - /usr/bin/kinit or /usr/kerberos/bin/kinit - some
operating systems have a GUI for this, but the command line
works like this:
kinit [EMAIL PROTECTED]
e.g. kinit [EMAIL PROTECTED]
kinit will prompt you for your kerberos password, acquire the TGT, and
cache it.  This of course assumes your kerberos configuration
is set up correctly (e.g. /etc/krb5.conf) - by default, this
will create a credentials cache (cc or ccache) under /tmp
like this: /tmp/krb5cc_UID where UID is your numeric user id.

Use the klist command to see the status of your TGT

When you use something like ldapsearch -Y GSSAPI, the
kerberos implementation will see if you have a cc, and by
default it will look in /tmp/krb5cc_UID to get them, and use
them to authenticate.  After you successfully authenticate,
you can use klist to see your ldap ticket (which will also be
cached in the same ccache).  The ldap service principal will
usually be named ldap/[EMAIL PROTECTED]

You can specify a different krb5.conf to use with the env. var.
KRB5_CONFIG e.g.
KRB5_CONFIG=/tmp/mykrb5.conf kinit ....
You can specify a different ccache to use with KRB5CCNAME e.g.
KRB5CCNAME=/tmp/myccache kinit ....
KRB5CCNAME=/tmp/myccache ldapsearch -Y GSSAPI ....

Thank you for the detailed explanation, Rich.

From your description, it sounds like an LDAP client such as ldapsearch can pick 
up the Kerberos TGT automatically, right? If the answer is yes, then I would 
not have to worry about how to fetch the ticket from Kerberos authentication.

Yes.


Another question is, to get a ticket to be used later by LDAP client, must the kinit 
command run with "-f" option?

No.

It is a flag to request a "forwardable" ticket. I am not sure whether this will 
make a difference or is necessary.

You'll have to investigate more about forwarding. But I suggest you don't use forwarding unless you find out you need it.


I'm not sure what you mean by "I can't find a working
Kerberos utility that works for Linux" - every modern linux
distribution has all of the pieces you need - kerberos,
gssapi, sasl.  The mozldap provided by RHEL and Fedora have
all of these - they should just work.

What version of RedHat Linux are you using?

Here is my finding of kinit and OS version:
==============================================
[EMAIL PROTECTED](pts/17):/[8]> whereis kinit
kinit:
[EMAIL PROTECTED](pts/17):/[9]> which kinit
kinit: Command not found.
[EMAIL PROTECTED](pts/17):/[10]> uname -a
Linux gso-linuxcom-01 2.4.21-52.ELsmp #1 SMP Tue Sep 25 15:13:04 EDT 2007 i686 i686 i386 GNU/Linux
==============================================
It seems kinit does exist.

In EL4 and EL5 /usr/kerberos/bin/kinit is provided by the krb5-workstation package. You appear to be running EL3 or older. Try
up2date krb5-workstation
or
yum install krb5-workstation

mozldap is not provided with EL4 or older, so if you want to use it, you'll have to compile it.


On the other hand, ldapsearch is available:
==============================================
[EMAIL PROTECTED](pts/17):/[11]> whereis ldapsearch
ldapsearch: /usr/bin/ldapsearch /usr/share/man/man1/ldapsearch.1.gz
[EMAIL PROTECTED](pts/17):/[12]> which ldapsearch
/usr/bin/ldapsearch
==============================================

This is the openldap ldapsearch, which should also work with SASL/GSSAPI auth.

So I am stuck here.

Thanks,
Xu Qiang
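The ccache resolution Rich describes above (KRB5CCNAME if set, otherwise /tmp/krb5cc_UID, which ldapsearch -Y GSSAPI then reads), as an added shell example that is not part of this thread. The function names are this example's own, and the ownership/mode check on the ccache is an added hardening step the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): resolve and sanity-check the Kerberos
# credentials cache that kinit writes and that ldapsearch -Y GSSAPI will read,
# following the rule described above: KRB5CCNAME if set, else /tmp/krb5cc_UID.
# Function names (krb5_ccache_path, krb5_ccache_check, ldap_gssapi_search)
# are this example's own.

# Print the ccache file path. Strips an optional "FILE:" type prefix; other
# cache types (DIR:, KEYRING:, ...) are not plain files, so reject them.
krb5_ccache_path() {
    name="${KRB5CCNAME:-/tmp/krb5cc_$(id -u)}"
    case "$name" in
        FILE:*) name="${name#FILE:}" ;;
        *:*)    printf 'unsupported ccache type: %s\n' "$name" >&2; return 2 ;;
    esac
    printf '%s\n' "$name"
}

# Return 0 if the ccache exists, is owned by the caller and is not readable by
# group/others (a world-readable ccache hands the TGT to any local user).
krb5_ccache_check() {
    cc=$(krb5_ccache_path) || return 2
    [ -f "$cc" ] || { printf 'no ccache at %s; run kinit first\n' "$cc" >&2; return 1; }
    [ -O "$cc" ] || { printf '%s is not owned by uid %s\n' "$cc" "$(id -u)" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$cc" 2>/dev/null || stat -f '%Lp' "$cc")
    case "$mode" in
        600|400) return 0 ;;
        *) printf '%s has mode %s; expected 0600\n' "$cc" "$mode" >&2; return 1 ;;
    esac
}

# Run ldapsearch with GSSAPI against the resolved ccache, after checking it.
# Usage: ldap_gssapi_search ldap.example.com "dc=example,dc=com" "(uid=alice)"
ldap_gssapi_search() {
    krb5_ccache_check || return $?
    KRB5CCNAME="FILE:$(krb5_ccache_path)" ldapsearch -Y GSSAPI -H "ldap://$1" -b "$2" "$3"
}
```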
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
