RSS feed

Re: Need help in nslcd setup for kerberoes+ldap

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Need help in nslcd setup for kerberoes+ldap

On 11/28/18 7:06 AM, Raviteja Bailapudi wrote:
I have working a setup of (LDAPSEARCH+GSSAPI) and was able to successfully get the ldap user details using the ldapseach after getting the tokens using Kinit. Now, i am trying to replicate the similar client setup using pam_krb5 and nslcd.Can you please help by providing a sample configuration for nslcd(which uses GSSAPI and krb5_ccname) ?
krb5_ccname needs to point to a valid Kerberos ticket cache.  Here are the relevant authorization bits from our nslcd.conf:

sasl_mech GSSAPI
krb5_ccname FILE:/var/run/host.tgt

We use a systemd unit file like the following to maintain that ticket cache.

Description=Maintain Localhost Kerberos Ticket Cache

ExecStart=/usr/bin/k5start -L -K 6 -l 10h -f /etc/krb5.keytab \
    -k /run/localhost.tgt host/


Basically it just makes sure that k5start is running.
Do still we require bind_dn and bind_passwd for nslcd(while using GSSAPI method for authentication) ?
No, a valid keytab file is sufficient.
And how would i generate the content for krb5_ccname?
See above.


To unsubscribe send an email to or see