On 29/03/2010 10:26, Wolf-Agathon Schaly wrote:
> If I leave the LDAP server listening on the TCP address of localhost (127.0.0.1) declips is cool. If I change the entry in /etc/openldap/ldap.conf from URI=ldap://127.0.0.1/ to URI=ldap://10.1.1.1/ I'm facing the same issue (gss_accept_sec_context) as on levante.
> Is there somebody out there who can lead me to a solution?
It seems like a name canonicalisation error to me, as you have a multihomed setup, and the result varies with the IP address you're using.
You have to ensure the principal used in the LDAP server keytab (its SPN) matches both the ones used by clients when they ask for a service ticket (the DNS hostname for the IP address used in their /etc/openldap/ldap.conf files), and the one used by the server itself (by default, the one returned by gethostname(); otherwise, the one specified with the sasl_hostname directive in its configuration file).
You may also check in the KDC logs which principals are requested by clients.
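The three-way agreement described in the reply above (client-requested SPN, keytab SPN, and the name slapd accepts via gethostname() or sasl_hostname), as an added example that is not part of the thread. The DNS mappings, hostnames and realm are constructed; `resolve` stands in for whatever canonicalisation the client library applies to the URI host.

```python
"""Check that the SPN a client requests, the SPN in the server keytab and the
name slapd accepts (gethostname() or sasl_hostname) all agree."""
from typing import Callable, List, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], str]  # maps an IP or hostname to its canonical DNS name

def client_host(uri: str) -> str:
    """Host part of an ldap:// or ldaps:// URI as written in /etc/openldap/ldap.conf."""
    parts = urlsplit(uri.strip())
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"unsupported LDAP URI: {uri!r}")
    return parts.hostname

def expected_spn(uri: str, realm: str, resolve: Resolver) -> str:
    """SPN a Kerberos client asks the KDC for when it contacts the host in `uri`; an IP
    is canonicalised to its DNS name first, so a multihomed server can yield one per address."""
    return f"ldap/{resolve(client_host(uri)).lower()}@{realm}"

def acceptor_spn(realm: str, gethostname_result: str, sasl_hostname: Optional[str] = None) -> str:
    """SPN slapd accepts: sasl_hostname when configured, otherwise gethostname()."""
    return f"ldap/{(sasl_hostname or gethostname_result).lower()}@{realm}"

def check_spn_consistency(client_uris: List[str], keytab_principals: List[str], realm: str,
                          gethostname_result: str, sasl_hostname: Optional[str],
                          resolve: Resolver) -> List[str]:
    """Return a list of mismatches; an empty list means every name agrees."""
    keytab = set(keytab_principals)  # e.g. the principals listed by `klist -kt`; case-sensitive
    server_spn = acceptor_spn(realm, gethostname_result, sasl_hostname)
    problems = []
    if server_spn not in keytab:
        problems.append(f"server acceptor name {server_spn} is not in the keytab")
    for uri in client_uris:
        spn = expected_spn(uri, realm, resolve)
        if spn not in keytab:
            problems.append(f"{uri}: client requests {spn}, which is not in the keytab")
        elif spn != server_spn:
            problems.append(f"{uri}: client requests {spn} but server accepts {server_spn}")
    return problems

# Constructed sample modelling the thread's setup; hostnames and realm are hypothetical.
SAMPLE_DNS = {"127.0.0.1": "ldap.example.com",     # /etc/hosts maps loopback to the FQDN
              "10.1.1.1": "ldap-int.example.com"}  # second interface has its own PTR record

def demo() -> List[str]:
    """Run the check against the constructed sample: only the 10.1.1.1 URI mismatches."""
    return check_spn_consistency(["ldap://127.0.0.1/", "ldap://10.1.1.1/"],
                                 ["ldap/ldap.example.com@EXAMPLE.COM"], "EXAMPLE.COM",
                                 "ldap.example.com", None, lambda n: SAMPLE_DNS.get(n, n))
```

On a real host, replace the sample resolver with reverse lookup of the URI address and feed in the principals from `klist -kt` and the value of `hostname -f` or sasl_hostname.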