
Re: MIT Kerberos with eDirectory


David Gersic

Feb 24, 2010, 5:14:07 PM
On Wed, 24 Feb 2010 17:46:02 +0000, nick at seakr wrote:

> manually create a realm element, so I'm not sure where kdb5_ldap_util is
> failing. Furthermore, there doesn't seem to be much in the way of
> debugging on this utility, which makes it very difficult to get any
> useful information. I've tried some ndstrace stuff, but I can't seem to
> find the right option in ndstrace to use to see the actual LDAP queries
> and the attempt by kdb5_ldap_util to update LDAP.

Go to your LDAP Server object in eDirectory. There's a tab for "trace
options". Turn on everything there except for "packet dump". Save the
change. Now turn on the +LDAP flag in (n)dstrace. That'll show you pretty
much everything that's going on.

If that's not sufficient, you can turn on packet dump as well.

> I'm using LDAP over
> SSL, so dumping traffic is out of the question.

Packet dump will get you everything, after the SSL layer is discarded.


> Can anyone provide any help on this? Between my frustration with Novell
> for making their LDAP implementation as proprietary as Microsoft's

You might want to take a break and a few deep breaths. *All* directory
service implementations are "proprietary", in that none of them do
everything exactly the same way. LDAP is just an access protocol, it is
*NOT* a directory service by itself.


> my inability to get any useful debugging information out of the
> kdb5_ldap_util binary, I'm going nuts...

Post a complaint to whoever wrote / maintains kdb5_ldap_util perhaps?

--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.

David Gersic

Mar 3, 2010, 4:29:02 PM
On Tue, 02 Mar 2010 18:46:02 +0000, nick at seakr wrote:

> I was able to get this working

Cool, thanks for the update. Now that you've figured it out, head over to
CoolSolutions (http://www.novell.com/communities/coolsolutions), write it
up as an article, and get some free stuff from Amazon.


> It should be noted that all of the LDAP functionality in the MIT
> Kerberos distribution was contributed by Novell, including the
> kdb5_ldap_util binary. This is why I posted here, because I thought
> perhaps someone with knowledge about the code and how the contribution
> was made might chime in.

Good idea, but I have no idea who worked on that stuff, nor even if
they're still with Novell. If you have a name, I can ask if somebody can
locate them, but there's no guarantee.
