SASL GSSAPI authenticated LDAP searches on Fermi's AD

This is how you configure a Linux box to do SASL GSSAPI authenticated LDAP searches on Fermi's AD.

For SLF

yum install openldap-clients
yum install cyrus-sasl-gssapi

edit /etc/openldap/ldap.conf and comment out the BASE and HOST lines (you may define static entries for your location if you wish).

kinit as yourself

	kinit myprinc 

This should populate the KRB5CCNAME environment variable with your ticket cache path.

use ldapsearch and profit

	example (the -H argument must be an LDAP URI, not a bare hostname):
	ldapsearch -H ldap://fermi.win.fnal.gov -b 'dc=fermi,dc=win,dc=fnal,dc=gov' 'CN=admin*'

You can also leave out the -H and -b arguments if you define URI and BASE in the ldap.conf edited above (/etc/openldap/ldap.conf on SLF; Debian-based systems keep it at /etc/ldap/ldap.conf).

To use this programmatically (I used PHP), compile PHP with the --with-ldap-sasl=/usr configure option. You need to force LDAP protocol version 3 in your
code, and you need to use the putenv() function to set KRB5CCNAME to your ticket cache so that GSSAPI can find your ticket.

Then you need to use the ldap_sasl_bind() function. 
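As an added example (not code from the original page), the following PHP script performs the same search as the ldapsearch command above, following the three requirements just listed: set KRB5CCNAME with putenv(), force LDAPv3 with ldap_set_option(), and bind with ldap_sasl_bind() using the GSSAPI mechanism. It assumes a PHP built with --with-ldap-sasl, a ticket already obtained with kinit, and the same host, base DN and filter as the ldapsearch example; the fallback cache path and the LDAP_OPT_REFERRALS setting are my additions, not something the page specifies.

```php
<?php
// Added example: GSSAPI-authenticated LDAP search against Fermi's AD from PHP.
// Prerequisites: PHP built with --with-ldap-sasl, cyrus-sasl-gssapi installed,
// and a valid ticket from `kinit myprinc`.

// GSSAPI (via libkrb5) locates the ticket through KRB5CCNAME. Use the value
// already in the environment if present; otherwise assume the default
// per-user cache (assumed path, adjust if klist shows a different one).
$ticketCache = getenv('KRB5CCNAME') ?: 'FILE:/tmp/krb5cc_' . getmyuid();
putenv("KRB5CCNAME=$ticketCache");

$uri    = 'ldap://fermi.win.fnal.gov';       // like -H, must be a URI
$base   = 'dc=fermi,dc=win,dc=fnal,dc=gov';  // like -b
$filter = '(CN=admin*)';                     // same filter as the ldapsearch example

$ldap = ldap_connect($uri);
if ($ldap === false) {
    fwrite(STDERR, "ldap_connect failed for $uri\n");
    exit(1);
}

// AD requires LDAPv3; SASL binds are not possible over the v2 default.
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// AD answers base-level searches with referrals to other partitions; the
// client library would try to chase them anonymously, so switch that off.
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// SASL bind with the GSSAPI mechanism. No DN or password is passed: the
// identity is whoever ran kinit, and the bind is only as strong as that ticket.
if (!ldap_sasl_bind($ldap, null, null, 'GSSAPI')) {
    fwrite(STDERR, 'GSSAPI bind failed: ' . ldap_error($ldap) . "\n");
    exit(1);
}

// Request only the attributes needed; the DN is always returned.
$result = ldap_search($ldap, $base, $filter, ['cn']);
if ($result === false) {
    fwrite(STDERR, 'search failed: ' . ldap_error($ldap) . "\n");
    ldap_unbind($ldap);
    exit(1);
}

$entries = ldap_get_entries($ldap, $result);
for ($i = 0; $i < $entries['count']; $i++) {
    echo $entries[$i]['dn'], "\n";
}
ldap_unbind($ldap);
```

Run it from the same shell session in which you ran kinit (php search.php, assumed filename). Nothing in the script holds a credential: the bind succeeds or fails on the ticket in the cache, and the search sees exactly what that principal is allowed to see in AD, which is the point of using GSSAPI here instead of a stored bind password.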

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by JK on Apr 03, 2008.
(Address comments about page to the Computer Security Team.)