While following this article (and Part One), I finally managed to install Kerberos and OpenLDAP together. However, I ran into some problems with the howto posted here on the way. I've made an effort to describe how I fixed them as well as I can, and I hope it helps others attempting to do the same thing. I installed this on Ubuntu 8.04, and some of the corrections come from a partially finished guide at https://help.ubuntu.com/community/SingleSignOn. However, if I've inadvertently made any mistakes in these comments, please post that as well so others won't be misled.
(Continued from Part 1)
Problems/Comments in Part 2:
1) I had problems putting the slapd.access line before the suffix definition in slapd.conf, so I put it after.
2) I managed to get LDAP working without the krb5-kdc.schema, though perhaps that was more of an accident.
3) The installation scripts had already created a root DN, so I only added one that looked like:
dn: ou=people,dc=domain,dc=com
objectClass: organizationalUnit
ou: people
description: Users

dn: uid=ldapadm,ou=people,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: LDAP admin account
sn: LDAP Admin
uid: ldapadm
uidNumber: 1002
gidNumber: 100
homeDirectory: /etc/ldap
loginShell: /bin/false
4) When I tried installing this setup on a different system, the sasl and authz lines given in the howto didn't work. I'm not sure why, and I haven't debugged further, but I had to use these instead:
sasl-secprops noanonymous,noplain,noactive
sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=People,dc=example,dc=com
5) I had to add AppArmor profiles for slapd so it could access the files it needed. This is described in detail in https://bugs.launchpad.net/ubuntu/+source/openldap2.2/+bug/229252.
6) The package name should be ldap-utils, not ldap_utils, in the Client setup section.
7) In Ubuntu, the configuration for libnss-ldap is actually in /etc/ldap.conf (which is NOT the same thing as /etc/ldap/ldap.conf - that's used by other client LDAP utilities, while /etc/ldap/slapd.conf is used by the slapd server).
In addition, one of many useful sites out there is http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml
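To see what the sasl-regexp line in item 4 does to a Kerberos identity after a GSSAPI bind, here is a small Python emulation added as an example (it is not part of the comment above, nor OpenLDAP code): it applies the pattern from the comment to constructed SASL authorization identities and expands $1 in the replacement. It assumes slapd matches the pattern as an unanchored, case-insensitive regex and presents GSSAPI users as uid=<principal>[,cn=<realm>],cn=GSSAPI,cn=auth, with the realm component omitted for the default realm.

```python
import re
from typing import Optional

# The two arguments of the sasl-regexp line quoted in item 4 above.
SASL_REGEXP_MATCH = r"uid=([^/]*),cn=GSSAPI,cn=auth"
SASL_REGEXP_REPLACE = "uid=$1,ou=People,dc=example,dc=com"


def map_sasl_identity(authz_id: str,
                      match: str = SASL_REGEXP_MATCH,
                      replace: str = SASL_REGEXP_REPLACE) -> Optional[str]:
    """Emulate slapd's sasl-regexp rewriting for one SASL authorization identity.

    Assumption: slapd applies the pattern case-insensitively and without
    implicit anchoring, then expands $1..$9 from the capture groups.
    Returns None when the pattern does not match, i.e. the bind identity
    stays unmapped and matches no entry-based access rule.
    """
    m = re.search(match, authz_id, re.IGNORECASE)
    if m is None:
        return None

    def expand(ref: "re.Match[str]") -> str:
        n = int(ref.group(1))
        return m.group(n) or "" if n <= len(m.groups()) else ""

    return re.sub(r"\$(\d)", expand, replace)


# Constructed sample identities in the form slapd presents after a GSSAPI bind.
SAMPLE_IDENTITIES = [
    "uid=alice,cn=GSSAPI,cn=auth",                  # user in the default realm
    "uid=host/ldap.example.com,cn=GSSAPI,cn=auth",  # service principal, '/' excluded by [^/]*
    "uid=bob,cn=OTHER.REALM,cn=GSSAPI,cn=auth",     # user from a non-default realm
    "uid=carol,cn=DIGEST-MD5,cn=auth",              # other mechanism, not covered by the rule
]


def map_all(identities=SAMPLE_IDENTITIES) -> dict:
    """Map each identity; None marks identities the rule leaves unmapped."""
    return {ident: map_sasl_identity(ident) for ident in identities}


if __name__ == "__main__":
    for ident, dn in map_all().items():
        print(f"{ident!s:48} -> {dn}")
```

Note that `[^/]*` keeps service principals (host/...) unmapped, but it also swallows the realm component of a cross-realm user, producing a DN that does not exist under ou=People; `[^,]*` would instead stop at the realm.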
While following this article (and Part Two), I finally managed to install Kerberos and OpenLDAP together. However, I ran into some problems with the howto posted here on the way. I've made an effort to describe how I fixed them as well as I can, and I hope it helps others attempting to do the same thing. I installed this on Ubuntu 8.04, and some of the corrections come from a partially finished guide at https://help.ubuntu.com/community/SingleSignOn. However, if I've inadvertently made any mistakes in these comments, please post that as well so others won't be misled.
Problems/Comments in Part 1:
1) I had to run sudo dpkg-reconfigure krb5-kdc before starting up the KDC and admin server with /etc/init.d/krb5-admin-server start and /etc/init.d/krb5-kdc start. The answers to the questions in order were: Yes to Create Kerberos KDC configuration automatically, Disable Kerberos v4 compatibility mode, No to run a ticket conversion daemon, and No to purging data when krb5-kdc package is removed. See also #3.
2) There's a significant problem in the example krb5.conf posted above that took me ages to figure out. There's actually an equals sign missing after the default_realm parameter.
3) I also had to set up the database (by running kdb5_util, as well as everything in the Setting up the database section) before starting the KDC and admin server.
4) In Ubuntu, libsasl2-gssapi-mit is no longer available. It's replaced by libsasl2-modules-gssapi-mit. I executed the following: apt-get install libpam-krb5 libsasl2-dev libsasl2-modules-gssapi-mit libsasl2-modules
5) I was not able to log in as a principal I had just added, even with the PAM configuration correct (under the Testing section). I had to get LDAP up and running first.
(continued in Part 2)