Red Hat Bugzilla – Bug 137646
nscd fails when using nss_ldap with SASL
Last modified: 2007-11-30 17:07:14 EST
Description of problem:
The nscd daemon fails to function when nsswitch.conf is configured to
use ldap and /etc/ldap.conf contains the SASL options
(Account information stored in LDAP via RFC 2307.)
What do I mean fails? If I run id <username> of a valid user id will
return no such user. If I turn off nscd id returns the proper results.
nss_ldap/nscd does contact the LDAP server but only opens and then
closes a connection. No query, gssapi auth, just open and close.
Version-Release number of selected component (if applicable):
First of all, nscd-2.3.3-53 is old, try something newer (e.g. 2.3.3-74
nscd has debug mode if you start it with /usr/sbin/nscd -d > /tmp/nscd.log
After more research I have discovered the source of the problem.
With user information stored in LDAP accessed via the nss_ldap module
there are two ways to use SASL authentication. (Kerberos in this
case.) With the nscd daemon turned off, there is no caching but each
user uses his own credintials to authenticate to the LDAP server.
With nscd turned on root is doing the authentication and retrieval
from the LDAP server wich requires a keytab and a system service ticket.
I would like to be able to use the users' kerberos tickets and still
have the caching nscd provides.
So just set up a system service ticket or stop caching.