Arthur,
I'm sure you have many, many other projects going, but I am motivated to
solve this problem. Is there anything else I can try on my side? I've
sent you nslcd debug info ... anything else I can do?
Do you know of anyone who has a working cert-based auth on Debian 9?
thanks,
Matt
On 4/26/17 2:08 AM, Arthur de Jong wrote:
> On Tue, 2017-04-25 at 16:53 -0700, Matt Weatherford wrote:
>> Debian 7 install works fine with certificate auth.
>> Debian 9 install with the same config files appears to not work and
>> throws these errors:
>> Apr 25 16:41:08 nori nslcd[1376]: [52255a] <passwd(all)> failed to bind to LDAP server ldap://ldi.s.uw.edu: Unknown authentication method: SASL(-4): no mechanism available:
>> Apr 25 16:41:08 nori nslcd[1376]: [52255a] <passwd(all)> no available LDAP server found: Unknown authentication method: Bad file descriptor
>> Apr 25 16:41:13 nori nslcd[1376]: [9cf92e] <group(all)> no available LDAP server found: Server is unavailable: Bad file descriptor
>
> Does running nslcd in debug mode provide more information?
>
>> contents of /etc/nslcd.conf:
>> uri ldap://ldi.s.uw.edu
>> ssl start_tls
>> tls_cacertfile /etc/ssl/ldi/InCommonCA.crt
>> tls_cert /etc/ssl/ldi/ldi-client.crt
>> tls_key /etc/ssl/ldi/ldi-client.key
>> sasl_mech EXTERNAL
>
> So the client-side certificate is used for authentication and that is
> where it appears to fail.
>
> Can you make the connection using the ldapsearch command-line tool? The
> nslcd daemon does not do any TLS handling itself and only passes
> configuration options to libldap, but there are differences between TLS
> libraries used.
>
> Kind regards,
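Arthur's suggestion is to reproduce the bind outside nslcd so that libldap's TLS and SASL behaviour can be isolated from the daemon. The script below is an added example for doing that (it is not part of the thread or of the nss-pam-ldapd project): it reads the `uri`, `ssl`, `tls_*` and `sasl_mech` directives from an nslcd.conf and prints the equivalent `ldapsearch` command, using libldap's documented `LDAPTLS_CACERT`, `LDAPTLS_CERT` and `LDAPTLS_KEY` environment overrides, `-ZZ` for mandatory StartTLS and `-Y EXTERNAL` for the certificate-backed SASL bind. It also checks whether the key file is readable by the account the daemon drops to; the `nslcd` user name is an assumption based on Debian's packaging, and that check only runs as root. The `write_sample_conf` function writes a constructed copy of the configuration quoted above so the script can be exercised without a real `/etc/nslcd.conf`.

```shell
#!/bin/sh
# Added diagnostic helper (not nss-pam-ldapd code): derive the ldapsearch
# invocation that takes the same libldap StartTLS + SASL EXTERNAL path nslcd
# uses, from the directives in an nslcd.conf.

# nslcd_get KEY FILE: print the value of the first KEY directive in FILE.
# Comment and blank lines never match because their first field is not KEY.
nslcd_get() {
    awk -v key="$1" '$1 == key { print $2; exit }' "$2" 2>/dev/null
}

# write_sample_conf FILE: write a constructed copy of the thread's config so
# the functions here can be run without touching /etc/nslcd.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, mirrors the /etc/nslcd.conf quoted in the thread
uri ldap://ldi.s.uw.edu
ssl start_tls
tls_cacertfile /etc/ssl/ldi/InCommonCA.crt
tls_cert /etc/ssl/ldi/ldi-client.crt
tls_key /etc/ssl/ldi/ldi-client.key
sasl_mech EXTERNAL
EOF
}

# build_ldapsearch_cmd FILE: print a one-line ldapsearch command.
# LDAPTLS_CACERT/LDAPTLS_CERT/LDAPTLS_KEY are libldap's environment overrides
# (see ldap.conf(5)); -ZZ makes StartTLS mandatory; -Y picks the SASL
# mechanism; -b "" -s base reads the root DSE, a harmless post-bind query.
build_ldapsearch_cmd() {
    conf="$1"
    uri=$(nslcd_get uri "$conf")
    ssl=$(nslcd_get ssl "$conf")
    cacert=$(nslcd_get tls_cacertfile "$conf")
    cert=$(nslcd_get tls_cert "$conf")
    key=$(nslcd_get tls_key "$conf")
    mech=$(nslcd_get sasl_mech "$conf")

    [ -n "$uri" ] || { echo "no uri directive in $conf" >&2; return 1; }

    tls_opt=""
    case "$ssl" in
        start_tls) tls_opt="-ZZ" ;;   # plain ldap:// upgraded with StartTLS
        *)         tls_opt="" ;;      # ldaps:// or no TLS: nothing to add
    esac

    sasl_opt="-x"                     # simple bind when no sasl_mech is set
    [ -n "$mech" ] && sasl_opt="-Y $mech -Q"

    printf 'LDAPTLS_CACERT=%s LDAPTLS_CERT=%s LDAPTLS_KEY=%s ldapsearch -H %s %s %s -b "" -s base "(objectClass=*)"\n' \
        "$cacert" "$cert" "$key" "$uri" "$tls_opt" "$sasl_opt"
}

# key_readable_by USER FILE: status 0 if USER can read FILE. Assumes the daemon
# drops privileges to a dedicated account (nslcd on Debian) and that this runs
# as root; otherwise the check is skipped with status 2.
key_readable_by() {
    [ "$(id -u)" -eq 0 ] || return 2
    id "$1" >/dev/null 2>&1 || return 2
    su -s /bin/sh "$1" -c "test -r '$2'"
}

# Stand-alone use: print the command for the live config, if there is one.
if [ -r /etc/nslcd.conf ]; then
    cmd=$(build_ldapsearch_cmd /etc/nslcd.conf) && echo "$cmd"
    key_readable_by nslcd "$(nslcd_get tls_key /etc/nslcd.conf)" \
        || echo "note: could not confirm tls_key is readable by the nslcd user" >&2
fi
```

Running the printed command (as root, so the key is readable) separates the two halves of the failure: an error before the bind points at the TLS handshake or the CA/client certificate pair as seen by the libldap build on that host, while a successful root DSE read with `-Y EXTERNAL` means libldap is fine and the problem lies in how nslcd is invoking it or in what the unprivileged daemon can read.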