
Re: Problem with nss-ldap using GSSAPI



On Wednesday, 30 December 2009 12:32:32 Wojtek Polcwiartek wrote:
> Hello,
> 
> we use ldap as name source in our system (libnss-ldap).
> Until now we used anonymous bind with LDAP and it worked fine.
> Now we want to switch to GSSAPI (MIT Krb5), but getting names ('getent
> passwd <name>') does not work: no result is returned/printed.
> The strange thing is that when we run the query in debug mode (debug 7 in
> /etc/ldap.conf), you can see the correct result in the debug part (in
> "hexes") but at the end no result is printed.
> The only error message we could see is:
> res_errno: 14, res_error: <SASL(0): successful result: >, res_matched: <>

Can you provide your /etc/ldap.conf (or at least the relevant parts, such as 
host/uri, use_sasl, rootuse_sasl, krb5_ccname etc.), as well as output from a 
relevant klist command?

> Querying LDAP with ldapsearch still works fine.

With GSSAPI? Can you provide an example (including the output)?

> Do you have any idea how to get closer to the source of the problem?
> We use Ubuntu Karmic as client (repo package) and Solaris10 (with
> OpenLDAP 2.4.16) as server.

I have no problems on Mandriva (e.g. 2010.0), and with sudo 1.7.x, even sudo 
now supports GSSAPI for sudo rules in LDAP.

Regards,
Buchan