Re: Problem with nss-ldap using GSSAPI
On Wednesday, 30 December 2009 12:32:32 Wojtek Polcwiartek wrote:
> we use ldap as name source in our system (libnss-ldap).
> Until now we used anonymous bind with LDAP and it worked fine.
> Now we want to switch to GSSAPI (MIT Krb5), but getting names ('getent
> passwd <name>') does not work: no result is returned/printed.
> The strange thing is that when we run the query in debug mode (debug 7 in
> /etc/ldap.conf), you can see the correct result in the debug part (in
> "hexes") but at the end no result is printed.
> The only error message we could see is:
> res_errno: 14, res_error: <SASL(0): successful result: >, res_matched: <>
Can you provide your /etc/ldap.conf (or at least the relevant parts, such as
host/uri, use_sasl, rootuse_sasl, krb5_ccname etc.), as well as output from a
relevant klist command?
> Querying LDAP with ldapsearch still works fine.
With GSSAPI? Can you provide an example (including the output)?
> Do you have any idea how to get closer to the source of the problem?
> We use Ubuntu Karmic as client (repo package) and Solaris 10 (with
> OpenLDAP 2.4.16) as server.
I have no problems on Mandriva (e.g. 2010.0), and with sudo 1.7.x even sudo
now supports GSSAPI for sudo rules in LDAP.