[36759] in Kerberos


Re: LDAP searches for Kerberos entries

daemon@ATHENA.MIT.EDU (Todd Grayson)
Wed Feb 4 21:36:17 2015

MIME-Version: 1.0
In-Reply-To: <CAOdMLc3iyX+0sgbWoK3cB=H85n8q498T=OzbnkCoE9X8j+hjbA@mail.gmail.com>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Wed, 4 Feb 2015 19:35:45 -0700
Message-ID: <CALNT6MWbC9ViTFcDwknEpcOrf8zV0bT2AX6ehaaGwgjLs3b=Kg@mail.gmail.com>
To: Chris Hecker <checker@d6.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

ldapsearch -x -H [ ldap://host.fqdn.name:389 | ldaps://host.fqdn.name:636 ]
-D "bind account from your config" -w [that account's password] -b [search
base like ou=People,dc=example,dc=com from your conf]
"(&(objectclass=person)(uid=[your username]))"

You can add -LLL after the -x to enable console debugging output to help
fine tune.

Review your configuration for ldap target information per discussion at
http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_ldap.html

The dump will be the full entry, including objectClasses which are the
definition of what attributes are available to an entry and their search
and indexing syntax.  This will frame what you need to know as far as
coding over the target ldap entry... zytrax.org having one of the better
tutorials I've found for ldap in general.


On Wed, Feb 4, 2015 at 1:17 PM, Chris Hecker <checker@d6.com> wrote:

> I use LDAP to store additional stuff about users, so the krb stuff is a
> subtype (can't remember what the real term is) of my main record type.  I
> rarely search on the krb fields.
>
> Chris
>  On Feb 4, 2015 12:09 PM, "Paul B. Henson" <henson@acm.org> wrote:
>
> > > From: Michael Ströder
> > > Sent: Wednesday, February 04, 2015 3:25 AM
> > >
> > > Maybe some of you are using MIT Kerberos with LDAP backend.
> > >
> > > For creating a decent web2ldap search form template for the Kerberos
> > > schema I'd like to know which kind of searches you usually do when
> > > looking into your backend via LDAP.
> >
> > We have been using the LDAP backend for kerberos for a few years now,
> > but I must confess I've never really considered accessing LDAP directly,
> > it's always been just an opaque backend storage engine for kerberos
> > itself...
> >
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >



-- 
Todd Grayson
Customer Operations Engineering
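
Added example, not part of the original message or of the MIT Kerberos distribution: a shell wrapper around the ldapsearch lookup above that escapes the search value per RFC 4515 before it goes into the filter and reads the bind password from a file instead of passing it with -w. The function names and the idea of a password file are assumptions of this example; krbPrincipalName is the principal-name attribute from the MIT kerberos.schema.

```shell
#!/bin/sh
# Added example. Host, bind DN, search base and password-file path are
# supplied by the caller; nothing here is taken from a real deployment.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash must be handled first so later escapes are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# The filter from the message: a person entry matched by uid.
person_filter() {
    printf '(&(objectClass=person)(uid=%s))' "$(ldap_escape "$1")"
}

# Search on the Kerberos attribute instead; $1 is a principal name
# such as jdoe@EXAMPLE.COM (constructed sample value).
principal_filter() {
    printf '(krbPrincipalName=%s)' "$(ldap_escape "$1")"
}

# Run the search over LDAPS with a simple bind.
#   -y FILE  reads the bind password from FILE (the whole file content is
#            used, so it must not end in a newline); unlike -w, the
#            password does not show up in the process list or history.
#   -LLL     plain LDIF output without comments or version line.
# usage: krb_ldap_search HOST BIND_DN PWFILE BASE FILTER [ATTR...]
krb_ldap_search() {
    host=$1 binddn=$2 pwfile=$3 base=$4 filter=$5
    shift 5
    ldapsearch -x -LLL -H "ldaps://$host:636" -D "$binddn" -y "$pwfile" \
        -b "$base" "$filter" "$@"
}

# Typical call (not executed here):
#   krb_ldap_search host.fqdn.name "cn=reader,dc=example,dc=com" \
#       /etc/krb5kdc/reader.pw "ou=People,dc=example,dc=com" \
#       "$(person_filter "$username")" uid krbPrincipalName
```

Keep the password file readable only by the account that runs the search (mode 0600).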

