Hi Clément,

Yep, I know that and it works. But the problem is that this is the only client where I get this behaviour with ldapsearch and I'd like to understand why.

The real problem I have behind this is that I saw that, to have user authentication over LDAP working, I have to DEACTIVATE TLS for LDAP queries: even for a very internal machine, I really don't want to leave the configuration like that.

Here is what makes it work:

nsswitch.conf :
passwd:     files ldap

/etc/ldap.conf
...
#ssl start_tls
#tls_cacertdir /etc/openldap/cacerts
...

I can't leave things like this.

---
Olivier

2015-10-22 18:09 GMT+02:00 Clément OUDOT <clement.oudot@savoirfairelinux.com>:


On 22/10/2015 17:59, Olivier wrote:
Hello everyone,

Authentication over LDAP doesn't work on one of my Linux boxes. Trying to query the LDAP server from this machine with ldapsearch, I get this:

$ ldapsearch -ZZZ -h ldap1.example:389  -D uid=olivier,dc=example,dc=fr -b dc=example,dc=fr -W
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found)

Do you know why ldapsearch tries to authenticate using GSSAPI?

I don't use such a mechanism (nor Kerberos) and I don't remember that I configured any such thing.

Any idea how to deactivate the attempt to use GSSAPI to authenticate?

(note: the LDAP client is a Linux RedHat 5)

Hi Olivier,

Use -x for simple authentication.


--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux