[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP/Kerberos client config

To: openldap-technical@openldap.org
Subject: Re: LDAP/Kerberos client config
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Fri, 5 Feb 2010 10:55:46 +0100
Cc: Jaap Winius <jwinius@umrk.nl>
In-reply-to: <20100125174659.hen83j1m8co4ssow@www.umrk.nl>
References: <20100125174659.hen83j1m8co4ssow@www.umrk.nl>
User-agent: KMail/1.12.2 (Linux/2.6.31.6-desktop-1mnb; KDE/4.3.2; x86_64; ; )

On Monday, 25 January 2010 17:46:59 Jaap Winius wrote:
> Hi all,
> 

I don't see a reply to this, did you resolve it?

> Now that I'm satisfied with my OpenLDAP/Kerberos server configuration,
> I'm attempting to devise a suitable (Debian lenny) client setup for it.
> 
> Although I hear that it may not be the best approach, I'm currently
> pursuing a client configuration that includes kstart, libnss-ldap,
> nscd and libpam-ldap. At the moment I'm happy with all of it except
> libnss-ldap.
> 
> Kstart has no problem obtaining an initial Kerberos ticket, but I
> can't get libnss-ldap to use it to access the DIT. So far my
> libnss-ldap.conf looks like:
> 
>     base dc=example,dc=com
>     uri ldap://ldapks1.example.com/
>     ldap_version 3
>     rootuse_sasl yes
>     krb5_ccname FILE:/tmp/krb5cc_0

Well, first I would test whether, as root:

ldapsearch -H ldap://ldapks1.example.com -b dc=example,dc=com -s base

works or not.

You could also provide interesting logs from both slapd and the KDC when you 
try to access the DIT from nss_ldap.

I assume you are using kstart to start nscd, and that nscd is running?

(BTW, you should be using pam_krb5, preferably exclusively - without pam_ldap)


Regards,
Buchan

Prev by Date: nssov overlay and hostservice
Next by Date: Re: ppolicy : managing passwords by another user than root
Index(es):
- Chronological
- Thread