On Wednesday, 30 December 2009 12:32:32 Wojtek Polcwiartek wrote:
Hello,
We use LDAP as a name source in our system (libnss-ldap). Until now we used anonymous bind with LDAP and it worked fine. Now we want to switch to GSSAPI (MIT Krb5), but getting names ('getent passwd <name>') does not work: no result is returned/printed. The strange thing is that when we run the query in debug mode (debug 7 in /etc/ldap.conf), you can see the correct result in the debug part (in "hexes"), but at the end no result is printed. The only error message we could see is: res_errno: 14, res_error: <SASL(0): successful result: >, res_matched: <>
Can you provide your /etc/ldap.conf (or at least the relevant parts, such as host/uri, use_sasl, rootuse_sasl, krb5_ccname etc.), as well as output from a relevant klist command?
Querying LDAP with ldapsearch still works fine.
With GSSAPI? Can you provide an example (including the output)?
Do you have any idea how to get closer to the source of the problem? We use Ubuntu Karmic as client (repo package) and Solaris 10 (with OpenLDAP 2.4.16) as server.
I have no problems on Mandriva (e.g. 2010.0), and with sudo 1.7.x even sudo now supports GSSAPI for sudo rules in LDAP.
Regards, Buchan