Common Windows Trojan/Application Startup Locations
This is how you configure a Linux box to do SASL GSSAPI authenticated LDAP searches on Fermi's AD.

For SLF:

1. Install the client packages:
     yum install openldap-clients
     yum install cyrus-sasl-gssapi
2. Edit /etc/openldap/ldap.conf and comment out the BASE and HOST lines (you may define static entries for your location if you wish).
3. kinit as yourself:
     kinit myprinc
   This should populate the KRB5CCNAME environment variable with your ticket cache path.
4. Use ldapsearch and profit. Example:
     ldapsearch -H ldap://fermi.win.fnal.gov -b 'dc=fermi,dc=win,dc=fnal,dc=gov' 'CN=admin*'

You can also leave out the -H and -b arguments if you define them in your ldap.conf (usually at /etc/ldap/ldap.conf).

To use this stuff programmatically (I used PHP), compile PHP with the --with-ldap-sasl=/usr option. You need to force use of LDAP V3 in your code, and you need to use the putenv() function to set KRB5CCNAME so that GSSAPI will work. Then you need to use the ldap_sasl_bind() function.
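The PHP steps described above, put together as an added example (not code from the original page). It assumes PHP 8 with the ldap extension built with SASL support; the ticket cache path and the function name gssapi_search are hypothetical, and the search prefix is escaped so caller input cannot change the filter.

```php
<?php
// Added example. Host and base DN are the ones used on this page.
$host   = 'ldap://fermi.win.fnal.gov';
$baseDn = 'dc=fermi,dc=win,dc=fnal,dc=gov';

// Assumed cache path: point this at the cache kinit actually wrote, and keep
// that file readable only by the account the script runs as.
$ccache = 'FILE:/tmp/krb5cc_example';

// Hypothetical helper: bind with the Kerberos ticket, search for CN=<prefix>*.
function gssapi_search(string $host, string $baseDn, string $ccache, string $cnPrefix): array
{
    // GSSAPI finds the ticket cache through the environment.
    if (!putenv("KRB5CCNAME=$ccache")) {
        throw new RuntimeException('could not set KRB5CCNAME');
    }

    $ldap = ldap_connect($host);
    if ($ldap === false) {
        throw new RuntimeException("bad LDAP URI: $host");
    }

    // SASL binds require LDAP v3; PHP's default protocol version is 2.
    if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3)) {
        throw new RuntimeException('could not select LDAP v3');
    }

    // No DN and no password: the Kerberos ticket is the credential.
    if (!@ldap_sasl_bind($ldap, null, null, 'GSSAPI')) {
        $err = ldap_error($ldap);
        ldap_unbind($ldap);
        throw new RuntimeException("GSSAPI bind failed: $err");
    }

    // Escape filter metacharacters ( ) * \ and NUL in caller-supplied input.
    $filter = '(cn=' . ldap_escape($cnPrefix, '', LDAP_ESCAPE_FILTER) . '*)';
    $result = ldap_search($ldap, $baseDn, $filter, ['cn']);
    $entries = $result === false ? [] : ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);
    return $entries;
}

// Same query as the ldapsearch example: CN=admin*
foreach (gssapi_search($host, $baseDn, $ccache, 'admin') as $entry) {
    if (is_array($entry)) {          // skip the numeric 'count' element
        echo $entry['dn'], "\n";
    }
}
```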
For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by JK on Apr 03, 2008. (Address comments about page to the Computer Security Team.)