Re: Example nslcd.conf file for kerberos?
- From: Daniel Dehennin <daniel.dehennin [at] baby-gnu.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Example nslcd.conf file for kerberos?
- Date: Fri, 10 Sep 2010 22:13:20 +0200
ddmayne@xmission.com writes:
> Is there an example nslcd.conf file when working with kerberos authentication?
> What I have tested so far is as follows. I have setup a real user that
> the daemon will run as, and have given that user a valid kerberos tgt.
[...]
> I have not set a value for sasl_authzid. I assume it is able to find
> the tgt, because the ldap queries are returned with data. However, in
> debug mode I see these entries at the end of a query:
> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
> DEBUG: ldap_result(): end of results
>
> Are the above messages normal, or something indicating a configuration error?
This is normal: without sasl_authzid, nslcd is asked for one during the SASL
exchange. On my OpenLDAP server, I set authz-regexp to bind the
Kerberos principal to the LDAP user for authorisation.
> By the way, do you know if there is a standard method for client
> services, like nslcd, for renewing and watching for end of lifetimes
> on the kerberos tgt?
Yes, for example the Debian package[1] can now use k5start to handle
this.
I attach my configuration.
Regards.
Footnotes:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586532
--
Daniel Dehennin
Récupérer ma clef GPG:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://192.168.122.4
# The search base that will be used for all queries.
base dc=baby-gnu,dc=org
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=anonymous,dc=example,dc=net
#bindpw *removed*
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
# The search scope.
#scope sub
sasl_mech GSSAPI
sasl_realm BABY-GNU.ORG
krb5_ccname /var/run/nslcd/nslcd.tkt
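The two points in the reply above (an authz-regexp on the OpenLDAP side so the GSSAPI identity is authorised as a real entry, and k5start keeping the ticket cache fresh for the nslcd user) as one worked example. This is an added example, not code from the original mail or from the nss-pam-ldapd project. It assumes the realm BABY-GNU.ORG and base dc=baby-gnu,dc=org from the posted nslcd.conf, host entries under ou=hosts and people under ou=people (both assumed), a keytab at /etc/krb5.keytab (assumed) holding the client's host principal, and the k5start flag set documented in k5start(1). authz_map is a local shell emulation of the two regexps so the mapping can be checked offline before the rules go into slapd; the slapd and k5start parts only print what to deploy, and whoami_check needs a KDC and the LDAP server and is not run here.

```shell
#!/bin/sh
# Added example (not from the original mail or the nss-pam-ldapd project).
# Assumed: realm BABY-GNU.ORG, base dc=baby-gnu,dc=org, hosts under ou=hosts,
# people under ou=people, nslcd running as uid/gid nslcd with
# krb5_ccname /var/run/nslcd/nslcd.tkt (as in the posted nslcd.conf).

REALM_LC=baby-gnu.org          # slapd normalises the SASL DN, so match lower case
BASE='dc=baby-gnu,dc=org'
CCACHE=/var/run/nslcd/nslcd.tkt
KEYTAB=/etc/krb5.keytab        # assumed keytab holding the client's host principal

# 1. slapd.conf fragment. slapd presents a GSSAPI login as
#    uid=<principal>,cn=<realm>,cn=gssapi,cn=auth. Without a rule mapping that
#    to an entry the bind is authenticated but ACLs keyed on a DN never match.
slapd_authz_snippet() {
  cat <<EOF
authz-regexp "uid=host/([^,]+),cn=$REALM_LC,cn=gssapi,cn=auth"
             "cn=\$1,ou=hosts,$BASE"
authz-regexp "uid=([^/,]+),cn=$REALM_LC,cn=gssapi,cn=auth"
             "uid=\$1,ou=people,$BASE"
EOF
}

# 2. Local emulation of those two rules (same match as the regexps above),
#    so the resulting DN can be checked before slapd is reconfigured.
#    Returns 1 for identities the rules would leave unmapped.
authz_map() {
  id=$1
  suffix=",cn=$REALM_LC,cn=gssapi,cn=auth"
  case "$id" in
    uid=host/*"$suffix")
      host=${id#uid=host/}; host=${host%"$suffix"}
      case "$host" in *,*|'') return 1 ;; esac
      printf 'cn=%s,ou=hosts,%s\n' "$host" "$BASE" ;;
    uid=*"$suffix")
      user=${id#uid=}; user=${user%"$suffix"}
      case "$user" in *[,/]*|'') return 1 ;; esac
      printf 'uid=%s,ou=people,%s\n' "$user" "$BASE" ;;
    *) return 1 ;;
  esac
}

# 3. Keep the cache fresh from the keytab: k5start obtains a TGT for the
#    principal found in the keytab (-U), writes it to the cache nslcd reads,
#    hands it to the nslcd user with mode 600 and re-obtains it every
#    -K minutes (flag choices assumed from k5start(1); check your version).
k5start_cmd() {
  printf '%s\n' "k5start -b -U -f $KEYTAB -K 10 -k $CCACHE -o nslcd -g nslcd -m 600 -p /var/run/nslcd/k5start.pid"
}

# 4. End-to-end check against the directory (needs KDC and LDAP server; not
#    run here). An unmapped identity shows up as
#    dn:uid=host/...,cn=...,cn=gssapi,cn=auth instead of the mapped entry.
whoami_check() {
  KRB5CCNAME="$CCACHE" ldapwhoami -Y GSSAPI -H ldap://192.168.122.4
}

# Constructed sample identities, in the form slapd would present them.
for id in 'uid=host/client.baby-gnu.org,cn=baby-gnu.org,cn=gssapi,cn=auth' \
          'uid=alice,cn=baby-gnu.org,cn=gssapi,cn=auth'; do
  printf '%s -> %s\n' "$id" "$(authz_map "$id")"
done
```

Run slapd_authz_snippet to see the lines for slapd.conf and k5start_cmd for the refresher command; the cache path, owner and group must agree with krb5_ccname, uid and gid in nslcd.conf, otherwise nslcd cannot read the ticket it is supposed to use. Once the server is reconfigured, whoami_check shows whether the mapping actually took: the answer should be the mapped DN, not the cn=auth pseudo-DN.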