[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem with nss-ldap using GSSAPI

On Wednesday, 30 December 2009 12:32:32 Wojtek Polcwiartek wrote:
> Hello,
> we use ldap as name source in our system (libnss-ldap).
> Until now we used anonymous bind with LDAP and it worked fine.
> Now we want to switch to GSSAPI (MIT Krb5), but getting names ('getent
> passwd <name>') does not work: no result is returned/printed.
> Strange is that, when we run the query in debug-mode (debug 7 in
> /etc/ldap.conf), you can see the correct result in the debug part (in
> "hexes") but at the end no result is printed .
> The only error message we could see is:
> res_errno: 14, res_error: <SASL(0): successful result: >, res_matched: <>

Can you provide your /etc/ldap.conf (or, at least the relevant parts, such as 
host/uri, use_sasl, rootuse_sasl, krb5_ccname etc.), as well as output from a 
relevant klist command.

> Querying LDAP with ldapsearch still works fine.

With GSSAPI? Can you provide an example (including the output)?

> Do You have any idea how to get closer to the source of the problem?
> We use Ubuntu Karmic as client (repo package) and Solaris10 (with
> OpenLdap 2.4.16) as server.

I have no problems on Mandriva (e.g. 2010.0), and with sudo 1.7.x, even sudo 
now supports GSSAPI for sudo rules in LDAP.