Hi all,
Now that I'm satisfied with my OpenLDAP/Kerberos server configuration, I'm attempting to devise a suitable (Debian lenny) client setup for it.
Although I hear that it may not be the best approach, I'm currently pursuing a client configuration that includes kstart, libnss-ldap, nscd and libpam-ldap. At the moment I'm happy with all of it except libnss-ldap.
Kstart has no problem obtaining an initial Kerberos ticket, but I can't get libnss-ldap to use it to access the DIT. So far my libnss-ldap.conf looks like:
  base dc=example,dc=com
  uri ldap://ldapks1.example.com/
  ldap_version 3
  rootuse_sasl yes
  krb5_ccname FILE:/tmp/krb5cc_0
Any idea what I might be missing?
Thanks,
Jaap
On Monday, 25 January 2010 17:46:59 Jaap Winius wrote:
> Hi all,

I don't see a reply to this; did you resolve it?

> Now that I'm satisfied with my OpenLDAP/Kerberos server configuration, I'm attempting to devise a suitable (Debian lenny) client setup for it.
> Although I hear that it may not be the best approach, I'm currently pursuing a client configuration that includes kstart, libnss-ldap, nscd and libpam-ldap. At the moment I'm happy with all of it except libnss-ldap.
> Kstart has no problem obtaining an initial Kerberos ticket, but I can't get libnss-ldap to use it to access the DIT. So far my libnss-ldap.conf looks like:
>
>   base dc=example,dc=com
>   uri ldap://ldapks1.example.com/
>   ldap_version 3
>   rootuse_sasl yes
>   krb5_ccname FILE:/tmp/krb5cc_0
Well, first I would test whether, as root:
ldapsearch -H ldap://ldapks1.example.com -b dc=example,dc=com -s base
works or not.
You could also provide interesting logs from both slapd and the KDC when you try to access the DIT from nss_ldap.
I assume you are using kstart to start nscd, and that nscd is running?
(BTW, you should be using pam_krb5, preferably exclusively - without pam_ldap)
Regards, Buchan
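A small consistency check, added here as example code (it is not from the thread, nor part of nss_ldap), that parses a libnss-ldap.conf like the one quoted above and reports whether the SASL/Kerberos settings can actually be used before anyone digs through slapd or KDC logs. The option names are nss_ldap's own; the sample input is constructed from the posted configuration, and `ccache_exists` is a hypothetical hook so the check can run without a real ticket cache.

```python
import os
import re

# Constructed sample input: the five settings from the posted libnss-ldap.conf.
SAMPLE_CONF = """
base dc=example,dc=com
uri ldap://ldapks1.example.com/
ldap_version 3
rootuse_sasl yes
krb5_ccname FILE:/tmp/krb5cc_0
"""


def parse_nss_ldap_conf(text):
    """Return {option: value}; nss_ldap uses 'option value' lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def check_sasl_setup(conf, ccache_exists=os.path.exists):
    """Return a list of findings about whether the Kerberos ticket can be used."""
    findings = []
    if conf.get("ldap_version", "3") != "3":
        findings.append("SASL binds require ldap_version 3")
    root_sasl = conf.get("rootuse_sasl", "no").lower() == "yes"
    any_sasl = conf.get("use_sasl", "no").lower() == "yes"
    if root_sasl and not any_sasl:
        # rootuse_sasl is consulted only for lookups made with euid 0.
        findings.append("rootuse_sasl only covers lookups made as root; other "
                        "processes bind with binddn/bindpw or anonymously")
    if not (root_sasl or any_sasl):
        findings.append("neither use_sasl nor rootuse_sasl is set; the ticket is never used")
    cc = conf.get("krb5_ccname", "")
    m = re.fullmatch(r"(?:FILE:)?(/.+)", cc)
    if cc and not m:
        findings.append(f"krb5_ccname {cc!r} is not a FILE: cache path")
    elif m and not ccache_exists(m.group(1)):
        findings.append(f"credential cache {m.group(1)} is missing (is kstart running?)")
    return findings


if __name__ == "__main__":
    for finding in check_sasl_setup(parse_nss_ldap_conf(SAMPLE_CONF)):
        print("WARNING:", finding)
```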
openldap-technical@openldap.org