RSS feed

Re: Example nslcd.conf file for kerberos?

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Example nslcd.conf file for kerberos? writes:

> Is there an example nslcd.conf file when working with kerberos authentication?
> What I have tested so far is as follows. I have setup a real user that
> the daemon will run as, and have given that user a valid kerberos tgt.


> I have not set a value for  sasl_authzid. I assume it is able to find
> the tgt,  because the ldap queries are returned with data. However, in
> debug mode I see these entries at the end of a query:
> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
> DEBUG: ldap_result(): end of results
> Are the above messages normal, or something indicating a configuration error?

This is normal, without sasl_authzid, nslcd is asked one during the SASL
exchanges. On my openLDAP server, I set authz-regexp to bind
kerberos principal to LDAP user for authorisation.

> By the way, do you know if there is a standard method for client
> services, like nslcd, for renewing and watching for end of lifetimes
> on the kerberos tgt?

Yes, for example the debian package[1] now can use k5start to handle

I attache my configuration.



Daniel Dehennin
Récupérer ma clef GPG:
gpg --keyserver --recv-keys 0x6A2540D1

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://

# The search base that will be used for all queries.
base dc=baby-gnu,dc=org

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw *removed*

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never

# The search scope.
#scope sub

sasl_mech GSSAPI
sasl_realm BABY-GNU.ORG
krb5_ccname /var/run/nslcd/nslcd.tkt
To unsubscribe send an email to or see