Re: Need help in nslcd setup for kerberoes+ldap

[Bill MacAllister <whm [at] dropbox.com>]

On 12/3/18 5:08 AM, Raviteja Bailapudi wrote:
> Hi Bill
> Thank you so much for quick reply.I could progress in getting the 
> nslcd working with GSSAPI to fetch the LDAP user details on a debian 
> desktop.
> But,now i am trying to get the similar setup working on an embedded 
> system, and using the same configuration files, nslcd on embedded 
> system fails to bind to LDAP server.
> Here is nslcd trace on my embedded system:
> nslcd: [8b4567] DEBUG: connection from pid=3561 uid=0 gid=0
> nslcd: [8b4567] <passwd="tom"> DEBUG: 
> myldap_search(base="dc=example,dc=com", 
> filter="(&(objectClass=posixAccount)(uid=tom))")
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
> nslcd: [8b4567] <passwd="tom"> DEBUG: 
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG: 
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG: 
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG: 
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
> nslcd: [8b4567] <passwd="tom"> DEBUG: 
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [8b4567] <passwd="tom"> DEBUG: 
> ldap_sasl_bind_s(NULL,"GSSAPI",NULL) (uri="ldap://raspberrypi";)
> nslcd: [8b4567] <passwd="tom"> failed to bind to LDAP server 
> ldap://raspberrypi: SASL bind in progress: SASL(0): successful result:
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_unbind()
> nslcd: [8b4567] <passwd="tom"> no available LDAP server found, 
> sleeping 1 seconds
> Below is my trace on working debian client :
> nslcd: [8b4567] DEBUG: connection from pid=370 uid=0 gid=0
> nslcd: [8b4567] <passwd="*"> request denied by validnames option
> nslcd: [7b23c6] DEBUG: connection from pid=370 uid=0 gid=0
> nslcd: [7b23c6] <passwd="tom"> DEBUG: 
> myldap_search(base="dc=example,dc=com", 
> filter="(&(objectClass=posixAccount)(uid=tom))")
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
> nslcd: [7b23c6] <passwd="tom"> DEBUG: 
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: 
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: 
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: 
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: 
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: 
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://raspberrypi";)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: do_sasl_interact(): were asked 
> for sasl_authzid but we don't have any
> nslcd: [7b23c6] <passwd="tom"> DEBUG: do_sasl_interact(): were asked 
> for sasl_authzid but we don't have any
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_result(): 
> uid=tom,ou=people,dc=example,dc=com
> nslcd: [7b23c6] <passwd="tom"> (re)loading /etc/nsswitch.conf
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_result(): end of results (1 
> total)
> I am trying to understand why nslcd calls 
> 'ldap_sasl_interactive_bind_s' in debian client setup and calls ' 
> ldap_sasl_bind_s'  in case of my embedded system ?
I am guessing you are using a debian based system.  Maybe you are 
missing libsasl2-modules-gssapi-mit or libsasl2-modules-gssapi-heimdal 
packages.

Bill
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/