In the process of getting SASL enabled, Kerberos aware openldap, I've come to the conclusion that the openldap server that ships with RH-7.2 isn't Kerberos aware due to the following error:

$ ldapsearch -H ldaps://tyr.sistina.com -I -b "" -s base -LLL supportedSASLMechanisms
ldap_sasl_interactive_bind_s: Unknown authentication method

But upon further inspection of the openldap-2.0.11 spec file from the source rpm, I see that it is in fact enabled. So here's my slapd.conf

# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

# Schema and objectClass definitions
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema

# Some are extra schema's that I found on the 'Net...
# Want them? They can be found at http://www.bayour.com/openldap/schemas/

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on

# Read slapd.conf(5) for possible values
loglevel 2048 # Only entry parsing errors

sasl-realm SISTINA.COM
sasl-host kdc.sistina.com
#sasl-secprops none

TLSCertificateFile /etc/openldap/ssl/server.pem
TLSCertificateKeyFile /etc/openldap/ssl/server.pem
TLSCACertificateFile /etc/openldap/ssl/server.pem

#######################################################################
# ldbm database definitions
#######################################################################

# The backend type, ldbm, is the default standard
database ldbm

# The base of your directory
suffix "dc=sistina,dc=com"

# Where the database file are physically stored
directory "/var/lib/ldap"

# Save the time that the entry gets modified
lastmod on

# Indexes
index default pres,eq
index objectClass,uid,uidnumber,gidnumber,cn
index mail eq

# Include the access lists
include /etc/openldap/slapd.access

Yet for some reason querying the server about supportedSASLMechanisms doesn't yield me anything. I've checked the spec file for all the required options. I'm at a bit of a loss. Oh and doing a simple, plain bind on :389 works fine. I'm even getting connected to the SSL port.

Any ideas would rock.

-- 
Ben Lutgens http://people.sistina.com/~blutgens/
Sistina Software Inc.
pub 1024D/9A0DDC59 2001-12-12 Ben Lutgens <blutgens at sistina.com>
Key fingerprint = 8FCD A1EE CEA7 DEE1 9361 F32C 0A90 30D1 9A0D DC59
sub 1024g/1FC75C99 2001-12-12