On Sat, 11 Jun 2011, Dan White wrote:
> Do you have libsasl2-modules-gssapi-mit or libsasl2-modules-gssapi-heimdal
> installed, and what version?
ii libsasl2-modules-gssapi-heimdal 2.1.24~rc1.dfsg1+cvs2011-05-23-4
> Is your slapd running on a separate host?
No, 'tis using ldapi://
> If so, is it using the same version of libsasl2-modules-gssapi-*?
I have not upgraded my master servers until this is cleared, but the
laptop (sacrificial test site) has its own copy of ldap/kdc/etc.
> Do you see anything useful in your /var/log/auth.log on the server or
> client?
Yes, interestingly, this shows up for both failure modes:
Jun 11 15:37:02 sparks-ave ldapwhoami: canonuserfunc error -7
Jun 11 15:37:02 sparks-ave ldapwhoami: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
This one for the success case:
Jun 11 15:37:02 sparks-ave ldapwhoami: DIGEST-MD5 common mech free
> What kerberos server are you using,
ii heimdal-kdc 1.4.0-6
> and do you see anything in its syslog output?
No, just the expected:
AS-REQ host/<...> from IPv4:127.0.0.1 for krbtgt/<...>
> Would you mind sharing an anonymized copy of your /etc/ldap.conf and
> ~/.ldaprc?
Not at all :)
/etc/ldap/ldap.conf:
BASE dc=<...>
URI ldapi:///
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERTDIR /etc/ssl/certs
TLS_CRLCHECK none
TLS_REQCERT allow
~/.ldaprc:
SASL_MECH gssapi
--
Rick Nelson
Connection reset by some moron with a backhoe
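As an added diagnostic, not part of this thread and not code from either poster: a small Python script that parses /var/log/auth.log lines of the kind quoted above and groups Cyrus SASL plugin load failures by plugin name, alongside any canonuser error codes. The sample lines are constructed from the excerpts above (the slapd/sasldb line is invented for illustration); the regexes and function names are my own assumptions about the syslog layout.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the auth.log excerpts in the thread.
# The slapd/sasldb line is made up to show a second program and plugin.
SAMPLE_AUTH_LOG = """\
Jun 11 15:37:02 sparks-ave ldapwhoami: canonuserfunc error -7
Jun 11 15:37:02 sparks-ave ldapwhoami: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Jun 11 15:37:02 sparks-ave ldapwhoami: DIGEST-MD5 common mech free
Jun 11 15:38:10 sparks-ave slapd[1234]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sasldb
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Cyrus SASL's message when a plugin's init entry point fails
PLUGIN_FAIL_RE = re.compile(
    r"_sasl_plugin_load failed on (?P<entry>\w+) for plugin: (?P<plugin>\w+)"
)
CANON_ERR_RE = re.compile(r"canonuserfunc error (?P<code>-?\d+)")


def parse_syslog_line(line):
    """Split one syslog line into ts/host/prog/msg, or None if unparseable."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def sasl_plugin_failures(text):
    """Map plugin name -> list of (program, failed entry point)."""
    failures = defaultdict(list)
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        m = PLUGIN_FAIL_RE.search(rec["msg"])
        if m:
            failures[m.group("plugin")].append((rec["prog"], m.group("entry")))
    return dict(failures)


def canonuser_errors(text):
    """Collect (program, error code) pairs for canonuserfunc failures."""
    out = []
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        m = CANON_ERR_RE.search(rec["msg"])
        if m:
            out.append((rec["prog"], int(m.group("code"))))
    return out


if __name__ == "__main__":
    for plugin, hits in sasl_plugin_failures(SAMPLE_AUTH_LOG).items():
        for prog, entry in hits:
            print(f"{prog}: plugin {plugin} failed in {entry}")
    for prog, code in canonuser_errors(SAMPLE_AUTH_LOG):
        print(f"{prog}: canonuserfunc error {code}")
```

Pointing `sasl_plugin_failures` at a real auth.log quickly shows whether a failing plugin (here ldapdb's canonuser init) is reported by every SASL client on the box or only by one program, which narrows the problem to the plugin package versus a single program's configuration.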