Re: Need help in nslcd setup for kerberoes+ldap
- From: "Raviteja Bailapudi" <rbailapu [at] in.ibm.com>
- To: whm [at] dropbox.com
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Need help in nslcd setup for kerberoes+ldap
- Date: Mon, 3 Dec 2018 13:08:24 +0000
Hi Bill
Thank you so much for the quick reply. I could make progress in getting nslcd working with GSSAPI to fetch the LDAP user details on a Debian desktop.
But now I am trying to get a similar setup working on an embedded system, and using the same configuration files, nslcd on the embedded system fails to bind to the LDAP server.
Here is nslcd trace on my embedded system:
nslcd: [8b4567] DEBUG: connection from pid=3561 uid=0 gid=0
nslcd: [8b4567] <passwd="tom"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=tom))")
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_sasl_bind_s(NULL,"GSSAPI",NULL) (uri="ldap://raspberrypi")
nslcd: [8b4567] <passwd="tom"> failed to bind to LDAP server ldap://raspberrypi: SASL bind in progress: SASL(0): successful result:
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_unbind()
nslcd: [8b4567] <passwd="tom"> no available LDAP server found, sleeping 1 seconds
Below is my trace on the working Debian client:
nslcd: [8b4567] DEBUG: connection from pid=370 uid=0 gid=0
nslcd: [8b4567] <passwd="*"> request denied by validnames option
nslcd: [7b23c6] DEBUG: connection from pid=370 uid=0 gid=0
nslcd: [7b23c6] <passwd="tom"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=tom))")
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://raspberrypi")
nslcd: [7b23c6] <passwd="tom"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <passwd="tom"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_result(): uid=tom,ou=people,dc=example,dc=com
nslcd: [7b23c6] <passwd="tom"> (re)loading /etc/nsswitch.conf
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_result(): end of results (1 total)
I am trying to understand why nslcd calls 'ldap_sasl_interactive_bind_s' in the Debian client setup and calls 'ldap_sasl_bind_s' in the case of my embedded system?
Is that the reason nslcd is getting a bind failure?
Here is my nslcd.conf:
root@mysystem:~# cat /etc/nslcd.conf
uid root
gid root
uri ldap://raspberrypi
base dc=example,dc=com
scope sub
ldap_version 3
sasl_mech GSSAPI
krb5_ccname FILE:/run/localhost.tgt
referrals off
pagesize 1000
Thanks and Regards,
Raviteja Bailapudi
IBM Systems & Technology Lab, Firmware Development
----- Original message -----
From: Bill MacAllister <whm@dropbox.com>
Sent by: "nss-pam-ldapd-users" <nss-pam-ldapd-users-bounces+rbailapu=in.ibm.com@lists.arthurdejong.org>
To: nss-pam-ldapd-users@lists.arthurdejong.org
Cc:
Subject: Re: Need help in nslcd setup for kerberoes+ldap
Date: Thu, Nov 29, 2018 2:49 AM
On 11/28/18 7:06 AM, Raviteja Bailapudi wrote:
> Hi
> I have a working setup of (LDAPSEARCH+GSSAPI) and was able to
> successfully get the LDAP user details using ldapsearch after
> getting the tokens using kinit.
> Now, I am trying to replicate a similar client setup using pam_krb5
> and nslcd. Can you please help by providing a sample configuration for
> nslcd (which uses GSSAPI and krb5_ccname)?
krb5_ccname needs to point to a valid Kerberos ticket cache. Here are
the relevant authorization bits from our nslcd.conf:
sasl_mech GSSAPI
krb5_ccname FILE:/var/run/host.tgt
We use a systemd unit file like the following to maintain that ticket cache.
[Unit]
Description=Maintain Localhost Kerberos Ticket Cache
[Service]
ExecStart=/usr/bin/k5start -L -K 6 -l 10h -f /etc/krb5.keytab \
-k /run/localhost.tgt host/somehost.com
[Install]
WantedBy=multi-user.target
Basically it just makes sure that k5start is running.
> Do we still require bind_dn and bind_passwd for nslcd (while using
> the GSSAPI method for authentication)?
No, a valid keytab file is sufficient.
> And how would I generate the content for krb5_ccname?
See above.
Bill
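To check the pieces both messages describe (the nslcd.conf above and the k5start-maintained ticket cache from Bill's reply) before starting nslcd, here is a preflight script. It is an added example, not code from the thread or from nss-pam-ldapd; it assumes MIT Kerberos klist and OpenLDAP ldapsearch are installed and takes the nslcd.conf path as its argument.

```shell
#!/bin/sh
# Preflight for the nslcd + GSSAPI setup in this thread (added example, not code
# from the thread or from nss-pam-ldapd). Reads uid and krb5_ccname from nslcd.conf,
# checks the ticket cache k5start should keep fresh, then tries the GSSAPI bind
# nslcd performs. Assumes MIT klist and OpenLDAP ldapsearch; config path is $1.

# Print the value of a key in nslcd.conf (first match wins).
nslcd_opt() {  # $1 = key, $2 = config path
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# Strip the "FILE:" prefix from a krb5_ccname value, leaving the cache path.
ccache_path() { printf '%s\n' "$1" | sed 's/^FILE://'; }

# 0 = cache exists and the nslcd user can read it, 1 = missing, 2 = wrong owner.
ccache_readable_by() {  # $1 = cache path, $2 = user from the uid option
    [ -f "$1" ] || return 1
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$2" = root ] || [ "$owner" = "$2" ] || return 2
}

# 0 = cache holds an unexpired ticket (klist -s), 3 = klist not installed.
ccache_has_ticket() {  # $1 = cache path
    command -v klist >/dev/null 2>&1 || return 3
    KRB5CCNAME="FILE:$1" klist -s
}

# Anonymous GSSAPI SASL bind plus a base-scope read, the way nslcd binds.
# 0 = success, 3 = ldapsearch not installed, anything else = bind/search failed.
gssapi_bind_check() {  # $1 = cache path, $2 = uri, $3 = base
    command -v ldapsearch >/dev/null 2>&1 || return 3
    KRB5CCNAME="FILE:$1" ldapsearch -LLL -Y GSSAPI -H "$2" -b "$3" \
        -s base '(objectClass=*)' dn >/dev/null
}

# Run every check; 0 only if each one passed or was skipped for a missing tool.
main() {  # $1 = path to nslcd.conf
    user=$(nslcd_opt uid "$1"); user=${user:-root}   # no uid option: keeps the starting uid (assumed root)
    cache=$(ccache_path "$(nslcd_opt krb5_ccname "$1")")
    [ "$(nslcd_opt sasl_mech "$1")" = GSSAPI ] || { echo "sasl_mech is not GSSAPI"; return 1; }
    ccache_readable_by "$cache" "$user" || { echo "cache '$cache' unusable by $user (rc=$?)"; return 1; }
    ccache_has_ticket "$cache" && rc=0 || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 3 ] || { echo "no valid ticket in $cache"; return 1; }
    gssapi_bind_check "$cache" "$(nslcd_opt uri "$1")" "$(nslcd_opt base "$1")" && rc=0 || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 3 ] || { echo "GSSAPI bind via $cache failed (rc=$rc)"; return 1; }
    echo "preflight OK for $1"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root on the embedded system with `sh nslcd-preflight.sh /etc/nslcd.conf`. If ldapsearch binds with the same cache but nslcd still fails, the cache, keytab and KDC side are fine and the difference lies in nslcd itself.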
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/