What do you mean by host certificate? Are you using SSL/TLS to the LDAP server? Or are you referring to Kerberos and the host's key in the keytab, or the service ticket for the host, or the service ticket to use with an LDAP connection?
David Bond wrote:
> Hi,
>
> just tested with a user in the domain,

Do you mean realm or domain? Domain implies the KDC is Windows AD.

> that has a valid ticket

A valid krbtgt, or do you mean a valid service ticket for the host?

> after the host ticket is either renewed or needs renewing, the ldaplist -l
> passwd test command returns data, so does the getent passwd test
>
> again the ldaplist -l passwd test works with root (running the command
> appears to renew the ticket at the time, as it had expired before running it)
>
> but getent passwd test still doesn't work for root.

Are you running nscd? If not, try running it. Without it, the client may try to connect to the LDAP server as the user, rather than as root.

> Attempting to login with the user test results in the prompt hanging after
> typing the user name, no request for the password.
>
> If I then touch the resolv.conf file, and then run the getent command, the
> password prompt appears and allows me to login.

Sounds like the nscd or the libldap has a connection open using a ticket, and the ticket expires, and the server then drops the connection, but the nscd or ldap lib does not reconnect. A network trace might show something.

/usr/sbin/ldapclient list

NS_LDAP_AUTH should show how you are connecting to the ldap server.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
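The diagnosis above hinges on whether the ticket the LDAP connection was opened with has already expired when getent hangs. The script below is an added example, not code from anyone in this thread: it parses klist(1) output in the MIT/Solaris column layout (MM/DD/YY HH:MM:SS "Expires" column) and reports whether the krbtgt or a chosen service ticket is valid, expired or absent at a given time, so the hang can be correlated with ticket expiry before nscd is restarted or resolv.conf is touched. The realm, hostnames, cache path and timestamps in SAMPLE_KLIST are constructed; ticket_state, to_stamp and diagnose_live are names chosen here, and diagnose_live assumes the Solaris klist, ldapclient and pgrep commands are on the PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): correlate an LDAP/nscd
# hang with Kerberos ticket expiry by reading klist(1) output.

# Constructed sample klist output; the realm, hosts and times are made up.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/ldapclient.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
03/01/09 08:00:00  03/01/09 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/01/09 08:00:05  03/01/09 18:00:00  ldap/ldapserver.example.com@EXAMPLE.COM'

# to_stamp MM/DD/YY HH:MM:SS -> YYMMDDHHMMSS, so two times compare numerically.
to_stamp() {
    echo "$1 $2" | awk -F'[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# ticket_state KLIST_TEXT SERVICE_REGEX NOW_STAMP
# Prints "valid", "expired" or "missing" for the first ticket line whose
# service principal matches SERVICE_REGEX (e.g. 'krbtgt/' or 'ldap/').
# Only lines that start with a date are considered, so the "Default principal"
# header never matches.
ticket_state() {
    klist_text=$1; service=$2; now=$3
    line=$(printf '%s\n' "$klist_text" \
        | grep -E "^[0-9]{2}/[0-9]{2}/[0-9]{2}.*$service" | head -n 1)
    [ -n "$line" ] || { echo missing; return 0; }
    set -- $line                      # $3/$4 are the "Expires" date and time
    expires=$(to_stamp "$3" "$4")
    # awk does the numeric compare so leading zeros and 12-digit values are safe.
    if awk -v a="$now" -v b="$expires" 'BEGIN { exit !(a + 0 < b + 0) }'; then
        echo valid
    else
        echo expired
    fi
}

# diagnose_live: the checks from the thread, run against the real host.
# Not called here; invoke it (as root) on the Solaris client being debugged.
diagnose_live() {
    now=$(date +%y%m%d%H%M%S)
    out=$(klist 2>/dev/null)
    echo "krbtgt ticket: $(ticket_state "$out" 'krbtgt/' "$now")"
    echo "ldap service ticket: $(ticket_state "$out" 'ldap/' "$now")"
    # NS_LDAP_AUTH shows how the client authenticates to the LDAP server.
    /usr/sbin/ldapclient list 2>/dev/null | grep NS_LDAP_AUTH || echo "NS_LDAP_AUTH not set"
    pgrep -x nscd >/dev/null && echo "nscd: running" || echo "nscd: not running"
}
```

If diagnose_live reports the krbtgt or ldap ticket as expired while getent hangs, that matches the scenario in the reply: the cached connection was opened under a ticket that has since lapsed and the server dropped it. Renewing the ticket (kinit) and restarting nscd is then the thing to try before looking for a network-level cause.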