
Making OpenLDAP+Kerberos Single Sign On work?

Posted by bmontgom on Sat 22 Oct 2005 at 17:32


Has anyone been able to implement a single sign on using the OpenLDAP and Kerberos packages from Debian? I've been able to get OpenLDAP and Kerberos to work independently, but I can't get them to work together.

I've been using the instructions at www.bayour.com, but they seem a little out of date.

The instructions on the Debian wiki are incomplete. Has anyone been able to get this to work?

Re: Making OpenLDAP+Kerberos Single Sign On work?
Posted by hexmode (24.152.xx.xx) on Sat 22 Oct 2005 at 20:44
Do you have LDAP/Kerberos working on the same machine? That is, can you kinit on the box and then do ldapsearch or something that requires you be authenticated as yourself?

I've got LDAP/Kerberos working on a single machine, so what I have may not work in a larger situation, but I'd be happy to give you any pointers.


Re: Making OpenLDAP+Kerberos Single Sign On work?
Posted by Anonymous (68.15.xx.xx) on Sun 23 Oct 2005 at 00:43
I have LDAP and Kerberos running on the same box as well. I think I have everything set up correctly, but when I try to run ldapsearch, I get the following:

neo:~# ldapsearch -Y gssapi
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)


I can't figure out what is causing this error. I do have _kerberos records in my DNS, but that doesn't seem to help.


Re: Making OpenLDAP+Kerberos Single Sign On work?
Posted by dkg (216.254.xx.xx) on Sun 23 Oct 2005 at 08:22
I've gotten kerberos + openldap working on a shared domain across multiple machines for a pair of lightweight domains, but have yet to really do heavy load testing on either of them.

"Cannot determine realm" makes it sound like you might have a broken /etc/krb5.conf on your client, or a poorly specified default LDAP HOST or SASL_REALM. Can you give more details about your setup? The relevant details might include:

  • the contents of /etc/krb5.conf on the client (neo?) and the ldap/krb5 server
  • the contents of /etc/ldap/ldap.conf on neo


Re: Making OpenLDAP+Kerberos Single Sign On work?
Posted by hexmode (24.152.xx.xx) on Sun 23 Oct 2005 at 22:34
"Cannot determine realm for numeric host address" seems to indicate a problem in your kerberos setup. Just a guess, but make sure your ip can be resolved to a name, either through DNS or /etc/hosts.

Then, make sure that name maps to a realm.

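The checks the two replies above describe (the address must resolve to a name, the name must map to a realm through krb5.conf, and the result is the ldap/host@REALM service principal the GSSAPI bind asks the KDC for) written out as a small preflight script. This is an added example for this thread, not code from any of the posters or from MIT Kerberos or OpenLDAP. The krb5.conf contents, the host names and addresses, and the two lookup tables that stand in for forward and reverse DNS are all constructed so that it runs offline; on a real client you would swap the tables for socket.getaddrinfo / socket.gethostbyaddr.

```python
"""Preflight for a GSSAPI bind to an LDAP server: derive the service
principal libkrb5 would request (ldap/<canonical host>@<REALM>) from the
LDAP URI, the client's krb5.conf and a resolver, and report what breaks.
Constructed example; the dicts below stand in for DNS so it runs offline.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed client krb5.conf.  [domain_realm] is what libkrb5 consults to
# map a host name to a realm; a key with a leading dot covers a whole domain.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

# Constructed DNS data: A records and PTR records.  192.0.2.20 has an A
# record but no PTR, the kind of gap that turned out to be the root cause here.
FORWARD = {"neo.example.com": "192.0.2.10", "ldap.example.com": "192.0.2.20"}
REVERSE = {"192.0.2.10": "neo.example.com"}


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}} for flat key = value
    lines.  Brace-delimited subsections (as under [realms]) are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current, depth = line[1:-1], 0
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif current is not None and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def realm_for_host(hostname, domain_realm):
    """The [domain_realm] rule: exact host name first, then each parent domain
    with a leading dot, longest suffix first.  None if nothing matches."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None


def check_gssapi_target(ldap_uri, krb5_conf_text, forward, reverse):
    """Return (service_principal, findings); principal is None when the bind
    cannot even name the service.  forward/reverse stand in for DNS."""
    conf = parse_krb5_conf(krb5_conf_text)
    findings = []
    host = urlparse(ldap_uri).hostname or ldap_uri   # a bare HOST also works
    try:
        ipaddress.ip_address(host)
        is_literal = True
    except ValueError:
        is_literal = False
    if is_literal:
        # An IP literal in the URI can only become a principal name through
        # its PTR record; no PTR is the "numeric host address" error above.
        name = reverse.get(host)
        if name is None:
            findings.append(f"{host} has no PTR record; cannot derive a host name")
            return None, findings
        name = name.lower()
    else:
        name = host.lower().rstrip(".")
        addr = forward.get(name)
        if addr is None:
            findings.append(f"{name} does not resolve")
            return None, findings
        back = reverse.get(addr)
        if back is None:
            findings.append(f"{addr} has no PTR record (forward/reverse mismatch)")
        elif back.lower() != name:
            # With MIT's rdns=true (the default) the PTR name becomes the
            # canonical host, so a stale PTR yields a principal the KDC lacks.
            findings.append(f"{addr} reverse-resolves to {back}, not {name}")
            name = back.lower()
    realm = realm_for_host(name, conf.get("domain_realm", {}))
    if realm is None:
        findings.append(f"no [domain_realm] entry covers {name}")
        return None, findings
    if realm != realm.upper():
        findings.append(f"realm {realm!r} is not upper-case; realms are case-sensitive")
    return f"ldap/{name}@{realm}", findings


if __name__ == "__main__":
    for uri in ("ldap://neo.example.com", "ldap://192.0.2.10",
                "ldap://192.0.2.20", "ldap://ldap.example.com"):
        principal, notes = check_gssapi_target(uri, KRB5_CONF, FORWARD, REVERSE)
        print(uri, "->", principal or "FAIL", "; ".join(notes))
```

Run against the constructed data, ldap://192.0.2.20 fails with no host name (the posted error), ldap://ldap.example.com gets a principal but a warning about the missing PTR, and the two neo entries produce ldap/neo.example.com@EXAMPLE.COM. The realm comparison at the end is there because realm names are case-sensitive: a realm written in lower case in one file and upper case in another gives principals that never match.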

Re: Making OpenLDAP+Kerberos Single Sign On work?
Posted by Anonymous (212.249.xx.xx) on Mon 24 Oct 2005 at 11:06
Did you write the REALM name in uppercase in the Kerberos config?


Re: Making OpenLDAP+Kerberos Single Sign On work?
Posted by Anonymous (193.2.xx.xx) on Tue 25 Oct 2005 at 07:26
As far as I know, you need Kerberos, LDAP, NTP and DNS working to set it up, that being host name lookups and reverse lookups. Do you have this all set up and working?

I got kinit working nicely without reverse dns, but then it died later on.


Re: Making OpenLDAP+Kerberos Single Sign On work?
Posted by bmontgom (68.15.xx.xx) on Thu 3 Nov 2005 at 18:03
Turns out the problem had to do with my reverse DNS setup. I thought I had it configured correctly, but it turns out that there was a subtle error in my bind configuration that was making reverse lookups fail. I fixed that and now everything works correctly.


Re: Making OpenLDAP+Kerberos Single Sign On work?
Posted by rmalvino (200.161.xx.xx) on Wed 15 Aug 2007 at 02:52
Hi, I'm starting a project where I will build a single sign-on for Windows and Linux machines.

I see that you have successfully completed a project like that. Can you help me by sending me some information on how to install and configure this stuff?

Thank you

Renato Malvino
rmalvino@gmail.com


Re: Making OpenLDAP+Kerberos Single Sign On work?
Posted by staarit (64.173.xx.xx) on Tue 21 Aug 2007 at 21:33
Has anyone had any luck configuring this? I'm trying to get a Debian box to be a member of my Windows 2003 forest and have users authenticate from Debian to Windows, with no luck. Any help is appreciated.
