
Re: Need help in nslcd setup for kerberoes+ldap

Hi Bill,
 
'ldapsearch' is working fine in my embedded system, but nslcd still fails to bind to the LDAP server even after providing the localhost.tgt.
 
Here is nslcd trace:
nslcd: [8b4567] DEBUG: connection from  pid=2045 uid=0 gid=0
nslcd: [8b4567] <passwd="tom"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectclass=*)(uid=tom))")
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://raspberrypi")
nslcd: [8b4567] <passwd="tom"> failed to bind to LDAP server ldap://raspberrypi: Not Supported
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_unbind()
 
Here is nslcd conf:
cat /etc/nslcd.conf
uid root
gid root
 
uri ldap://raspberrypi
 
base dc=example,dc=com
scope sub
 
ldap_version 3
sasl_mech GSSAPI
sasl_realm NETWORKBOX.NET
krb5_ccname FILE:/tmp/localhost.tgt
referrals   off
pagesize 1000
 
filter passwd (objectclass=*)
map passwd gecos displayName
filter group (objectclass=posixGroup)
 
We got ldapsearch working with GSSAPI; below is the detailed output.
 
./ldapsearch -H ldap://raspberrypi -R NETWORKBOX.NET -Y GSSAPI uid=tom -b "dc=example,dc=com"
SASL/GSSAPI authentication started
SASL username: tom@NETWORKBOX.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=tom
# requesting: ALL
#
# tom, people, example.com
dn: uid=tom,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: tom
sn: j
uid: tom
uidNumber: 1301
gidNumber: 1300
homeDirectory: /home/tom
loginShell: /bin/bash
# search result
search: 4
result: 0 Success
# numResponses: 2
 
Thanks and Regards,
Raviteja Bailapudi
IBM Systems & Technology Lab, Firmware Development,
 
 
----- Original message -----
From: Bill MacAllister <whm@dropbox.com>
Sent by: "nss-pam-ldapd-users" <nss-pam-ldapd-users-bounces+rbailapu=in.ibm.com@lists.arthurdejong.org>
To: Raviteja Bailapudi <rbailapu@in.ibm.com>
Cc: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: Re: Need help in nslcd setup for kerberoes+ldap
Date: Tue, Dec 4, 2018 11:40 PM
 
On 12/3/18 5:08 AM, Raviteja Bailapudi wrote:
> Hi Bill
> Thank you so much for the quick reply. I could progress in getting the
> nslcd working with GSSAPI to fetch the LDAP user details on a debian
> desktop.
> But, now I am trying to get the similar setup working on an embedded
> system, and using the same configuration files, nslcd on embedded
> system fails to bind to LDAP server.
> Here is nslcd trace on my embedded system:
> nslcd: [8b4567] DEBUG: connection from pid=3561 uid=0 gid=0
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> myldap_search(base="dc=example,dc=com",
> filter="(&(objectClass=posixAccount)(uid=tom))")
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_sasl_bind_s(NULL,"GSSAPI",NULL) (uri="ldap://raspberrypi")
> nslcd: [8b4567] <passwd="tom"> failed to bind to LDAP server
> ldap://raspberrypi: SASL bind in progress: SASL(0): successful result:
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_unbind()
> nslcd: [8b4567] <passwd="tom"> no available LDAP server found,
> sleeping 1 seconds
> Below is my trace on working debian client :
> nslcd: [8b4567] DEBUG: connection from pid=370 uid=0 gid=0
> nslcd: [8b4567] <passwd="*"> request denied by validnames option
> nslcd: [7b23c6] DEBUG: connection from pid=370 uid=0 gid=0
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> myldap_search(base="dc=example,dc=com",
> filter="(&(objectClass=posixAccount)(uid=tom))")
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://raspberrypi")
> nslcd: [7b23c6] <passwd="tom"> DEBUG: do_sasl_interact(): were asked
> for sasl_authzid but we don't have any
> nslcd: [7b23c6] <passwd="tom"> DEBUG: do_sasl_interact(): were asked
> for sasl_authzid but we don't have any
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_result():
> uid=tom,ou=people,dc=example,dc=com
> nslcd: [7b23c6] <passwd="tom"> (re)loading /etc/nsswitch.conf
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_result(): end of results (1
> total)
> I am trying to understand why nslcd calls
> 'ldap_sasl_interactive_bind_s' in the debian client setup and calls
> 'ldap_sasl_bind_s' in case of my embedded system?
I am guessing you are using a debian based system.  Maybe you are
missing libsasl2-modules-gssapi-mit or libsasl2-modules-gssapi-heimdal
packages.

Bill
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
 

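Bill's reply points at the client-side SASL stack rather than at the server. The script below is an added diagnostic, not part of nss-pam-ldapd or of either poster's setup: it looks for the Cyrus SASL GSSAPI plugin in the directories you pass, reads krb5_ccname out of an nslcd.conf and checks that the ticket cache is non-empty, and maps the two bind errors quoted in this thread to their most likely cause. The plugin directories and the file name libgssapiv2.so are assumptions about a standard Cyrus SASL layout, and the error-to-cause mapping is my reading of libldap's and nslcd's behaviour, not text from the thread.

```shell
#!/bin/sh
# Added diagnostic, not part of nss-pam-ldapd: narrow down why nslcd's
# GSSAPI bind fails while a locally built ldapsearch on the same host works.

# Cyrus SASL loads mechanism plugins from a directory such as /usr/lib/sasl2
# or /usr/lib/<triplet>/sasl2 (assumed standard layout); the GSSAPI mechanism
# lives in libgssapiv2.so, shipped on Debian by libsasl2-modules-gssapi-mit or
# libsasl2-modules-gssapi-heimdal. Returns 0 if found in any given directory.
sasl_gssapi_plugin_present() {
    for dir in "$@"; do
        for f in "$dir"/libgssapiv2.so*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# Extract the ticket cache path from the krb5_ccname line of an nslcd.conf,
# dropping the optional FILE: prefix (e.g. FILE:/tmp/localhost.tgt).
nslcd_ccache_path() {
    sed -n 's/^[[:space:]]*krb5_ccname[[:space:]]\{1,\}\(FILE:\)\{0,1\}//p' "$1" | head -n 1
}

# Map the bind error text nslcd logs to its most likely cause. Both strings
# below appear in this thread's traces. Returns 1 for an unknown error.
explain_bind_error() {
    case "$1" in
        *"Not Supported"*)
            echo "libldap returned LDAP_NOT_SUPPORTED: the libldap/libsasl2 that nslcd" \
                 "loads lacks SASL support or the GSSAPI plugin; compare 'ldd' output" \
                 "of nslcd and the working ldapsearch and install the plugin package" ;;
        *"SASL bind in progress"*)
            echo "nslcd fell back to single-step ldap_sasl_bind_s(), which cannot" \
                 "finish GSSAPI's multi-round exchange; rebuild nslcd against a" \
                 "libldap that provides ldap_sasl_interactive_bind_s()" ;;
        *)
            echo "unrecognised bind error: $1"
            return 1 ;;
    esac
}

# Stand-alone run: check the usual plugin directories and the live config.
if sasl_gssapi_plugin_present /usr/lib/sasl2 /usr/lib/*/sasl2 /usr/lib64/sasl2; then
    echo "SASL GSSAPI plugin: found"
else
    echo "SASL GSSAPI plugin: NOT found (nslcd cannot use sasl_mech GSSAPI)"
fi
if [ -r /etc/nslcd.conf ]; then
    cc=$(nslcd_ccache_path /etc/nslcd.conf)
    [ -s "$cc" ] && echo "ticket cache $cc: present" || echo "ticket cache '$cc': missing or empty"
fi
explain_bind_error "failed to bind to LDAP server ldap://raspberrypi: Not Supported"
```

Run it as root on the embedded host and on the working Debian client and compare the two outputs; a plugin that is present only on the Debian client matches Bill's diagnosis.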