On 05/07/11 17:52 +0200, Fabien COMBERNOUS wrote:
Hi There,
I have an openldap master (hosted by server) and an openldap replica (hosted by replica). Authentication use SASL/GSSAPI with kerberos.
On the master i get the following output : server:~ admin$ kinit root Please enter the password for root@SERVER.LAN: server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific ) error (80)
What does your /etc/ldap.conf and ~/.ldaprc look like?
You might try adding a '-d -1' to your ldapsearch command for additional debugging information.
What does you credentials cache look like after running the ldapsearch? Did you receive an ldap service ticket for the replica server? Are you sure you're referencing the replica by name, and not by IP address in your ldap.conf?
Do you see any additional errors in your local auth-facility syslog file? Do you see anything relevant in the syslog of your Kerberos server?
On the replica all looks fine : replica:~ admin$ kinit root Please enter the password for root@SERVER.LAN: server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan SASL/GSSAPI authentication started SASL username: root@SERVER.LAN SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <cn=mounts,dc=server,dc=lan> with scope subtree # filter: (objectclass=*) # requesting: ALL # etc ...
I saw some thread on mailing list that say to take care of owner, groups and permissions of files krb5.keytab and database. All looks good in this side.
Any other areas to check ?