Re: LDAP/Kerberos client config

On Monday, 25 January 2010 17:46:59 Jaap Winius wrote:
> Hi all,

I don't see a reply to this, did you resolve it?

> Now that I'm satisfied with my OpenLDAP/Kerberos server configuration,
> I'm attempting to devise a suitable (Debian lenny) client setup for it.
> Although I hear that it may not be the best approach, I'm currently
> pursuing a client configuration that includes kstart, libnss-ldap,
> nscd and libpam-ldap. At the moment I'm happy with all of it except
> libnss-ldap.
> Kstart has no problem obtaining an initial Kerberos ticket, but I
> can't get libnss-ldap to use it to access the DIT. So far my
> libnss-ldap.conf looks like:
>     base dc=example,dc=com
>     uri ldap://ldapks1.example.com/
>     ldap_version 3
>     rootuse_sasl yes
>     krb5_ccname FILE:/tmp/krb5cc_0

Well, first I would test whether, as root:

ldapsearch -H ldap://ldapks1.example.com -b dc=example,dc=com -s base

works or not.

You could also provide interesting logs from both slapd and the KDC when you 
try to access the DIT from nss_ldap.

I assume you are using kstart to start nscd, and that nscd is running?

(BTW, you should be using pam_krb5, preferably exclusively - without pam_ldap)
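A small diagnostic that scripts the checks suggested in this reply (added here, not part of the thread): it reads base, uri and krb5_ccname from a libnss-ldap.conf, points KRB5CCNAME at that same cache, runs klist and a base-scope ldapsearch with GSSAPI, and checks that nscd is up. The helper names and the default conf path are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not from the original posts).
# Uses the ticket cache that nss_ldap itself is configured to use, so a
# failing GSSAPI bind here points at the same problem nss_ldap would hit.

# Print the value of KEY from CONF (first match; comment lines never match).
conf_value() {
    _key=$1; _conf=$2
    sed -n 's/^[[:space:]]*'"$_key"'[[:space:]]\{1,\}\(.*\)$/\1/p' "$_conf" | head -n 1
}

# Succeed when the config enables SASL (for root or everyone) and names a cache.
sasl_config_ok() {
    _c=$1
    [ "$(conf_value rootuse_sasl "$_c")" = yes ] || [ "$(conf_value use_sasl "$_c")" = yes ] || return 1
    [ -n "$(conf_value krb5_ccname "$_c")" ]
}

diagnose() {
    _conf=${1:-/etc/libnss-ldap.conf}          # assumed default path
    _base=$(conf_value base "$_conf")
    _uri=$(conf_value uri "$_conf")
    _cc=$(conf_value krb5_ccname "$_conf")
    sasl_config_ok "$_conf" || echo "warning: no use_sasl/rootuse_sasl yes or krb5_ccname in $_conf"
    KRB5CCNAME=$_cc; export KRB5CCNAME

    echo "== ticket cache $KRB5CCNAME"
    klist -s || { echo "no valid ticket in $KRB5CCNAME (is kstart running?)"; return 1; }

    echo "== simple (anonymous) base search, connectivity baseline"
    ldapsearch -x -H "$_uri" -b "$_base" -s base >/dev/null || echo "anonymous search failed"

    echo "== GSSAPI base search using the same cache (what nss_ldap needs)"
    ldapsearch -Y GSSAPI -H "$_uri" -b "$_base" -s base || return 1

    echo "== nscd and NSS lookup"
    pgrep nscd >/dev/null || echo "nscd not running"
    getent passwd | tail -n 3
}

# Only run the live checks when invoked as: sh diag.sh run [/path/to/libnss-ldap.conf]
case "${1:-}" in run) diagnose "$2" ;; esac
```

Run it as root, since rootuse_sasl only takes effect for uid 0 processes.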