On Monday, 25 January 2010 17:46:59 Jaap Winius wrote:
> Hi all,

I don't see a reply to this, did you resolve it?

> Now that I'm satisfied with my OpenLDAP/Kerberos server configuration,
> I'm attempting to devise a suitable (Debian lenny) client setup for it.
>
> Although I hear that it may not be the best approach, I'm currently
> pursuing a client configuration that includes kstart, libnss-ldap,
> nscd and libpam-ldap. At the moment I'm happy with all of it except
> libnss-ldap.
>
> Kstart has no problem obtaining an initial Kerberos ticket, but I
> can't get libnss-ldap to use it to access the DIT. So far my
> libnss-ldap.conf looks like:
>
> base dc=example,dc=com
> uri ldap://ldapks1.example.com/
> ldap_version 3
> rootuse_sasl yes
> krb5_ccname FILE:/tmp/krb5cc_0

Well, first I would test whether, as root:

ldapsearch -H ldap://ldapks1.example.com -b dc=example,dc=com -s base

works or not.

You could also provide interesting logs from both slapd and the KDC when you try to access the DIT from nss_ldap.

I assume you are using kstart to start nscd, and that nscd is running?

(BTW, you should be using pam_krb5, preferably exclusively - without pam_ldap)

Regards,
Buchan
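The baseline test Buchan suggests, turned into a small script that reads the client's libnss-ldap.conf, checks that the configured ticket cache actually exists, and prints the ldapsearch equivalent of what nss_ldap does as root. This is an added example, not code from either poster: the config file below is a constructed copy of the one quoted in the thread, `-Y GSSAPI` is assumed to be the SASL mechanism in use (Kerberos via OpenLDAP's client tools), and the function names are my own.

```shell
#!/bin/sh
# Added example: derive the root-level LDAP probe from libnss-ldap.conf and
# verify the Kerberos ticket cache it points at is present before trying it.

# Constructed libnss-ldap.conf (same directives as quoted in the thread).
NSS_LDAP_CONF="${NSS_LDAP_CONF:-$(mktemp)}"
cat > "$NSS_LDAP_CONF" <<'EOF'
base dc=example,dc=com
uri ldap://ldapks1.example.com/
ldap_version 3
rootuse_sasl yes
krb5_ccname FILE:/tmp/krb5cc_0
EOF

# conf_get FILE KEY -> value of the first matching directive ('#' comments never match)
conf_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# build_probe FILE -> ldapsearch command equivalent to nss_ldap's root lookup:
# with rootuse_sasl yes, a GSSAPI bind using the configured ccache (assumed
# mechanism); otherwise a simple anonymous bind. Base-scope search of the suffix.
build_probe() {
    conf="$1"
    uri=$(conf_get "$conf" uri)
    base=$(conf_get "$conf" base)
    ccname=$(conf_get "$conf" krb5_ccname)
    sasl=$(conf_get "$conf" rootuse_sasl)
    if [ "$sasl" = "yes" ]; then
        printf 'KRB5CCNAME=%s ldapsearch -Y GSSAPI -H %s -b %s -s base\n' \
            "$ccname" "$uri" "$base"
    else
        printf 'ldapsearch -x -H %s -b %s -s base\n' "$uri" "$base"
    fi
}

# ccache_ok CCNAME -> 0 if a FILE: ticket cache exists and is readable by the caller.
# A missing cache means kstart/k5start has not run (or ran as a different user), so
# nss_ldap has nothing to bind with and the slapd/KDC logs will show no attempt.
ccache_ok() {
    case "$1" in
        FILE:*) path=${1#FILE:} ;;
        *)      path=$1 ;;
    esac
    [ -r "$path" ]
}

# When run as a script: show the probe and whether the cache is in place.
echo "probe: $(build_probe "$NSS_LDAP_CONF")"
if ccache_ok "$(conf_get "$NSS_LDAP_CONF" krb5_ccname)"; then
    echo "ticket cache present; run the probe as root to confirm the bind"
else
    echo "no readable ticket cache; start kstart (or kinit) first" >&2
fi
```

Run it as root on the client; if the printed ldapsearch succeeds while nss_ldap lookups still fail, the problem is in nss_ldap/nscd (for example nscd not inheriting KRB5CCNAME), and the slapd and KDC logs are the next place to look.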
