On 08/05/2010 08:21 AM, Timo Aaltonen wrote:
> On Wed, 4 Aug 2010, Stephen Gallagher wrote:
>> On 08/04/2010 10:18 AM, Timo Aaltonen wrote:
>>> On Mon, 2 Aug 2010, Patrik Martinsson wrote:
>>>> ldap_tls_reqcert = demand
>>>> ldap_tls_cacert = /etc/openldap/cacerts/CADOUBLE.cer
>>>> ldap_tls_cacertdir = /etc/openldap/cacerts
>>>
>>> I guess this doesn't work with GSSAPI SASL binding yet? Tried to force the authid to FOO$@REALM, but it fails just the same.
>>>
>>> it's harder to automatically generate certificates for the clients, that's why I'm interested in getting this working :)
>>
>> I'm not sure what you're asking for here.
>>
>> I think what you're talking about is using:
>> ldap_sasl_mech = gssapi
>> ldap_krb5_keytab = /path/to/ldap.keytab
>
> I did that, but it doesn't seem to work, or something's missing still. It said something like "marking ldap server foo as broken" (sorry no logs, reinstalling the machine).
Someone else just reported this same issue to me :(
Can you attach the /var/log/sssd/sssd_<domain>.log and /var/log/sssd/ldap_child.log for this?
I suspect you'll see the ldap_child.log report that it couldn't find a KDC for the realm.
-- 
Stephen Gallagher
RHCE 804006346421761
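For readers following this thread, here is an added example of a complete sssd.conf domain section that combines the TLS settings from Patrik's message with the GSSAPI bind settings Stephen describes. It is not taken from the thread or from the SSSD project; the host names, realm, search base, keytab path and principal are placeholders you must replace, and the option names are those documented in sssd-ldap(5) (in older SSSD releases the KDC option was spelled krb5_kdcip rather than krb5_server).

```ini
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = krb5
# Placeholder server and search base
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# TLS settings as in the earlier message: demand a certificate and
# validate it against the listed CA bundle/directory.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/CADOUBLE.cer
ldap_tls_cacertdir = /etc/openldap/cacerts

# GSSAPI bind: sssd's ldap_child helper reads this keytab to obtain a
# service ticket for the LDAP server, so the keytab must be readable by
# root only and must contain the principal named in ldap_sasl_authid.
ldap_sasl_mech = GSSAPI
# Placeholder keytab path and principal
ldap_krb5_keytab = /etc/sssd/ldap.keytab
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM

# ldap_child needs to locate a KDC for this realm; if neither this option
# nor DNS SRV records resolve one, the bind fails and the server is marked
# as broken. Placeholder realm and KDC host.
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
```

Before restarting sssd, confirm the keytab really holds the principal with `klist -k /etc/sssd/ldap.keytab` and that a ticket can be obtained from it with `kinit -k -t /etc/sssd/ldap.keytab host/client.example.com@EXAMPLE.COM`; if that kinit fails, the problem is in Kerberos (keytab contents or KDC reachability) rather than in SSSD, and /var/log/sssd/ldap_child.log will show the same failure.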