Debian – ldapsearch and kerberos authentication


I can successfully connect to and search an Active Directory domain controller using ldapsearch. I am using the -x option to specify username/password authentication (the password being specified by -W and the username by -D).

I currently need to dump the directory from an MIT Kerberos domain. Kerberos is the only protocol available for authentication. I can retrieve a Kerberos TGT with kinit. I am using these command lines:

ldapsearch -Y SASL -b "REALM.INC" -H ldap://kerberos_IP_address
-> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
  additional info: SASL(-4): no mechanism available: No worthy mechs found

ldapsearch -o "mech=GSSAPI" ...
-> Invalid general option name: mech

How can I authenticate with kerberos using ldapsearch?

Many thanks for your help & replies.

Best Answer

You may be missing the libsasl2-modules-gssapi-mit package.

Without:

# ldapsearch -H ldap://dc1 -Y GSSAPI -b 'DC=ad-test,DC=vx'
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: No worthy mechs found

Install:

# apt install libsasl2-modules-gssapi-mit

With:

# ldapsearch -H ldap://dc1 -Y GSSAPI -b 'DC=ad-test,DC=vx'
SASL/GSSAPI authentication started
SASL username: Administrator@AD-TEST.VX
SASL SSF: 256
SASL data security layer installed.
...

SASL is enabled by default and will auto-detect a compatible mechanism, so specifying -Y GSSAPI isn't even necessary:

# ldapsearch -H ldap://dc1 -b 'DC=ad-test,DC=vx'
SASL/GSSAPI authentication started
SASL username: Administrator@AD-TEST.VX
SASL SSF: 256
SASL data security layer installed.
...
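As an added example (not part of the question or of the answer above), the following POSIX shell script wraps the GSSAPI bind the answer shows and adds the two checks a practitioner usually wants before blaming ldapsearch: whether the Debian package that provides the GSSAPI SASL plugin is installed, and whether a valid TGT is already in the credential cache. It also maps ldapsearch's stderr to the most likely cause, using the "No worthy mechs found" text from the question and the standard MIT Kerberos wording for a missing ticket or a missing service principal. The hostname dc1, the base DN and the principal are the placeholders from the answer; the dpkg-query check and the classification function are assumptions of this example, not anything the answer describes.

```shell
#!/bin/sh
# Added example: Kerberos/GSSAPI bind with ldapsearch on Debian.
# Not code from the original post. Assumes ldapsearch, kinit, klist and
# dpkg-query are installed; LDAP_URI, BASE_DN and PRINCIPAL are placeholders.
set -eu

LDAP_URI="${LDAP_URI:-ldap://dc1}"                          # placeholder
BASE_DN="${BASE_DN:-DC=ad-test,DC=vx}"                       # placeholder
PRINCIPAL="${PRINCIPAL:-Administrator@AD-TEST.VX}"           # placeholder

# Constructed sample: the error text quoted in the question, used for the
# usage note below and for testing the classifier offline.
SAMPLE_ERR='ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: No worthy mechs found'

# The GSSAPI SASL plugin ships in libsasl2-modules-gssapi-mit on Debian.
# Returns 0 if dpkg reports the package as installed, 1 otherwise (assumed check).
sasl_gssapi_installed() {
    dpkg-query -W -f='${Status}\n' libsasl2-modules-gssapi-mit 2>/dev/null \
        | grep -q '^install ok installed$'
}

# Map ldapsearch's stderr to the cause to fix. The patterns are the real
# OpenLDAP / MIT Kerberos wording; the labels are this example's own.
classify_bind_error() {
    case "$1" in
        *"No worthy mechs found"*)
            echo "no-sasl-gssapi-plugin" ;;   # apt install libsasl2-modules-gssapi-mit
        *"No Kerberos credentials available"*|*"Credentials cache file"*"not found"*)
            echo "no-tgt" ;;                  # run kinit first
        *"Server not found in Kerberos database"*)
            echo "no-spn" ;;                  # wrong hostname or missing ldap/<fqdn> SPN
        *)
            echo "other" ;;
    esac
}

# Explicit GSSAPI bind; obtains a TGT first if none is cached.
gssapi_search() {
    if ! sasl_gssapi_installed; then
        echo "libsasl2-modules-gssapi-mit is not installed" >&2
        return 1
    fi
    if ! klist -s; then                # klist -s exits 0 only if a valid TGT is cached
        kinit "$PRINCIPAL"
    fi
    err=$(mktemp)
    if ldapsearch -H "$LDAP_URI" -Y GSSAPI -b "$BASE_DN" "$@" 2>"$err"; then
        rm -f "$err"
        return 0
    fi
    cause=$(classify_bind_error "$(cat "$err")")
    cat "$err" >&2
    rm -f "$err"
    echo "ldapsearch GSSAPI bind failed: $cause" >&2
    return 1
}

# Usage: ./gssapi_ldapsearch.sh run '(objectClass=user)' cn
# Offline: classify_bind_error "$SAMPLE_ERR"   -> no-sasl-gssapi-plugin
if [ "${1:-}" = "run" ]; then
    shift
    gssapi_search "$@"
fi
```

Note that the search itself is only attempted when the script is started with the `run` argument, so the helper functions can be sourced and exercised without a domain controller in reach. The classifier is deliberately a plain `case` over the captured stderr: on a failure it prints the original ldapsearch text as well, so nothing is hidden behind the label.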