On Tue, 2017-04-25 at 16:53 -0700, Matt Weatherford wrote:
> debian 7 install works fine with certificate auth.
> Debian 9 install with same config files appears to not work and
> throws these errors:
>
> Apr 25 16:41:08 nori nslcd[1376]: [52255a] <passwd(all)> failed to
> bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication
> method: SASL(-4): no mechanism available:
> Apr 25 16:41:08 nori nslcd[1376]: [52255a] <passwd(all)> no available
> LDAP server found: Unknown authentication method: Bad file descriptor
> Apr 25 16:41:13 nori nslcd[1376]: [9cf92e] <group(all)> no available
> LDAP server found: Server is unavailable: Bad file descriptor

Does running nslcd in debug mode provide more information?

> contents of /etc/nslcd.conf:
>
> uri ldap://ldi.s.uw.edu
> ssl start_tls
>
> tls_cacertfile /etc/ssl/ldi/InCommonCA.crt
> tls_cert /etc/ssl/ldi/ldi-client.crt
> tls_key /etc/ssl/ldi/ldi-client.key
>
> sasl_mech EXTERNAL

So the client-side certificate is used for authentication and that is where it appears to fail. Can you make the connection using the ldapsearch command-line tool?

The nslcd daemon does not do any TLS handling itself and only passes configuration options to libldap, but there are differences between TLS libraries used.

Kind regards,

--
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
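The ldapsearch check suggested in the reply above, as an added example that is not part of the original thread: a small script that turns the TLS and SASL options of an nslcd.conf into the matching ldapsearch invocation, so the same bind can be tested through libldap without nslcd. The function names `opt` and `nslcd_to_ldapsearch` are hypothetical, the script only prints the command, and it assumes each option appears once (the last occurrence is used).

```shell
#!/bin/sh
# Added example: build an ldapsearch test command from nslcd.conf options.

# Print the value of option $1 from the nslcd.conf text held in $conf.
# Simplification: if an option is repeated, the last occurrence is used.
opt() {
    printf '%s\n' "$conf" | awk -v key="$1" \
        '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 } END { print val }'
}

# Read nslcd.conf text on stdin, print the equivalent ldapsearch command.
nslcd_to_ldapsearch() {
    conf=$(cat)
    uri=$(opt uri);          ssl=$(opt ssl);        mech=$(opt sasl_mech)
    ca=$(opt tls_cacertfile); cert=$(opt tls_cert); key=$(opt tls_key)

    # libldap reads per-user TLS settings from LDAPTLS_* environment variables.
    cmd=""
    if [ -n "$ca" ];   then cmd="${cmd}LDAPTLS_CACERT=$ca "; fi
    if [ -n "$cert" ]; then cmd="${cmd}LDAPTLS_CERT=$cert "; fi
    if [ -n "$key" ];  then cmd="${cmd}LDAPTLS_KEY=$key "; fi

    cmd="${cmd}ldapsearch -H $uri"
    # -ZZ makes a failed StartTLS fatal instead of continuing in clear text.
    if [ "$ssl" = "start_tls" ]; then cmd="$cmd -ZZ"; fi
    # -Y selects the SASL mechanism; without one, fall back to a simple bind.
    if [ -n "$mech" ]; then cmd="$cmd -Y $mech"; else cmd="$cmd -x"; fi
    # -d 1 turns on libldap trace output; the root DSE read is a minimal
    # query that still goes through TLS negotiation and the bind.
    printf '%s\n' "$cmd -d 1 -b '' -s base '(objectClass=*)'"
}

# The configuration quoted in the thread, embedded so the script runs offline.
nslcd_to_ldapsearch <<'EOF'
uri ldap://ldi.s.uw.edu
ssl start_tls

tls_cacertfile /etc/ssl/ldi/InCommonCA.crt
tls_cert /etc/ssl/ldi/ldi-client.crt
tls_key /etc/ssl/ldi/ldi-client.key

sasl_mech EXTERNAL
EOF
```

Running the printed command as a user that can read the key file shows whether the same "no mechanism available" error comes from libldap itself rather than from nslcd.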