At 09:45 AM 9/30/2005, Hudson, Michael wrote:
>Has anyone successfully used ldapsearch to query
>Active Directory using sasl gssapi?

As evident from content in the archives, yes.
http://www.openldap.org/lists/openldap-software/200203/msg00225.html

>If so, what arguments to ldapsearch are required?

For GSSAPI authentication (-Y GSSAPI), the key argument is the value of -H. ldapsearch(1) will pass the name of the connected service host to Cyrus SASL, as determined through IP-address-to-domain-name lookup, for use in SASL mechanisms. As this name is used by the underlying systems to determine the service principal to authenticate, you need to ensure the lookup will result in the appropriate service name.

Beyond that, various SASL security options can be adjusted through ldapsearch arguments, namely the -O option.

While in your use example you provided a Bind DN name, and this is provided to the LDAP server by ldapsearch(1), it *should* have no impact on SASL/GSSAPI authentication, as servers are to ignore the Bind DN during all SASL authentications (as discussed in the revised LDAP technical specification). Of course, your server might require a Bind DN, and if so, you likely should provide one. I only note this as, if this server does ignore the Bind DN as it should, you might be thinking of the Bind DN as more significant than it might be. (Whether the server you are using does/doesn't require a Bind DN, and if so, what Bind DN, is a topic for discussion on a list covering that server.)

Beyond that, the rest is left to Cyrus SASL, its SASL/GSSAPI mechanism implementation, the underlying GSSAPI and Kerberos libraries, the involved KDCs, and the LDAP server you are talking to. See the documentation for each of these software systems, and use the lists for these systems, to address whatever questions you have in using them.

Kurt
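The mail's central point is that the service principal Cyrus SASL asks the KDC for is derived from a reverse lookup of the address behind -H, so a forward/reverse DNS mismatch turns into an opaque GSSAPI failure (or, worse, a ticket for a host you did not intend to talk to). The following shell script is an added example, not code from the original thread or from the OpenLDAP project: it reproduces that lookup chain with getent (an assumption about the resolver on the client), reports the ldap/<name>@REALM principal that will be requested, and only then assembles the ldapsearch command line with -Y GSSAPI, an explicit -H URI and a -O security property. All hostnames, addresses and the realm are constructed placeholders, and minssf=56 is a chosen value, not a recommendation from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail). Checks that the host named in
# -H reverse-resolves to the name whose ldap/ service principal the KDC holds,
# then prints the ldapsearch invocation described in the thread.
# All names, addresses and the realm here are constructed placeholders.

# Forward lookup: hostname -> first IPv4 address (getent-based; assumption
# about the client resolver).
resolve_forward() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Reverse lookup: IP address -> canonical name, i.e. what ldapsearch hands
# to Cyrus SASL as the service host name.
resolve_reverse() {
    getent hosts "$1" | awk 'NR==1 {print $2}'
}

# check_gssapi_host HOST REALM
#   Prints "OK ldap/<name>@REALM" and returns 0 when the reverse name matches
#   the name given to -H; prints "MISMATCH ..." and returns 1 when it does not;
#   prints "NXDOMAIN"/"NOPTR" and returns 2 when a lookup fails.
check_gssapi_host() {
    host=$1
    realm=$2
    ip=$(resolve_forward "$host")
    [ -n "$ip" ] || { echo "NXDOMAIN $host"; return 2; }
    rname=$(resolve_reverse "$ip")
    [ -n "$rname" ] || { echo "NOPTR $ip"; return 2; }
    principal="ldap/$rname@$realm"
    if [ "$rname" = "$host" ]; then
        echo "OK $principal"
        return 0
    fi
    echo "MISMATCH $host -> $ip -> $rname ($principal)"
    return 1
}

# build_ldapsearch_cmd HOST BASEDN FILTER
#   Assembles (does not run) the command: SASL GSSAPI, explicit -H URI so the
#   service host is unambiguous, and -O minssf=56 to insist on a SASL
#   integrity/confidentiality layer (value chosen for the example).
build_ldapsearch_cmd() {
    printf "ldapsearch -Y GSSAPI -H ldap://%s/ -O minssf=56 -b %s '%s'\n" \
        "$1" "$2" "$3"
}

# Usage with constructed values (requires working DNS for the host):
#   check_gssapi_host dc1.example.com EXAMPLE.COM && \
#       build_ldapsearch_cmd dc1.example.com dc=example,dc=com '(objectClass=*)'
```

The resolver functions are separated out so the check can be exercised with canned answers; in production the getent-based versions run against the client's real resolver, which is exactly the lookup ldapsearch(1) performs before handing the name to Cyrus SASL.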
