[Date Prev][Date Next]
Re: LDAP/Kerberos client config
On Monday, 25 January 2010 17:46:59 Jaap Winius wrote:
> Hi all,
I don't see a reply to this, did you resolve it?
> Now that I'm satisfied with my OpenLDAP/Kerberos server configuration,
> I'm attempting to devise a suitable (Debian lenny) client setup for it.
> Although I hear that it may not be the best approach, I'm currently
> pursuing a client configuration that includes kstart, libnss-ldap,
> nscd and libpam-ldap. At the moment I'm happy with all of it except
> Kstart has no problem obtaining an initial Kerberos ticket, but I
> can't get libnss-ldap to use it to access the DIT. So far my
> libnss-ldap.conf looks like:
> base dc=example,dc=com
> uri ldap://ldapks1.example.com/
> ldap_version 3
> rootuse_sasl yes
> krb5_ccname FILE:/tmp/krb5cc_0
Well, first I would test whether, as root:
ldapsearch -H ldap://ldapks1.example.com -b dc=example,dc=com -s base
works or not.
You could also provide interesting logs from both slapd and the KDC when you
try to access the DIT from nss_ldap.
I assume you are using kstart to start nscd, and that nscd is running?
(BTW, you should be using pam_krb5, preferably exclusively - without pam_ldap)