Dear list!

I'm using FDS-1.0.2 together with Heimdal Kerberos as a NIS replacement. I'm having a rather strange problem with SASL.

I have two posixGroups. The first is cn=peopleGroup,ou=people,dc=example,dc=com and the other is cn=testGroup,ou=Groups,dc=example,dc=com

testGroup is affected by Pointer CoS - this is important!

On the client I run:

# kinit foo
# ldapsearch -h directory.example.com -b "dc=example,dc=com" -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=peopleGroup))'

The search returns sane results. However, running the search for testGroup returns the following:

---------------------------
# ldapsearch -h directory.example.com -b "dc=example,dc=com" -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=testGroup))'
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name:
SASL username: foo at EXAMPLE.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(objectClass=posixGroup)(cn=testGroup))
# requesting: ALL
#
ldap_result: Can't contact LDAP server (-1)
---------------------------

If I remove CoS from ou=Groups,dc=example,dc=com, then it all works OK (but of course I do not get any of the 'uniquemember' attributes that come from CoS).

The strangest thing, however, is that if I set SASL_SECPROPS maxssf=0 in /etc/openldap/ldap.conf, then everything works just fine (but no security).

To the end, here is what the FDS access log says:

[10/Sep/2006:17:02:51 +0300] conn=111 fd=67 slot=67 connection from 10.0.2.236 to 10.0.0.10
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:02:51 +0300] conn=111 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=com"
[10/Sep/2006:17:02:51 +0300] conn=111 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=testGroup))" attrs=ALL
[10/Sep/2006:17:02:51 +0300] conn=111 op=3 fd=67 closed - B4

It looks like the server just drops the connection. Error logs indicate nothing.

Any ideas anyone?

--
Zaar
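
A triage helper for the access log quoted in the post above, added here as an example and not part of the original message: it lists operations that were logged but never received a RESULT before their connection closed, along with the close code and the DN the SASL bind mapped to. The function name and output fields are assumptions of this example; the sample lines are copied from the post's log.

```python
import re

# Access-log entries copied from the post above (subset, one entry per line).
SAMPLE_LOG = """\
[10/Sep/2006:17:02:51 +0300] conn=111 fd=67 slot=67 connection from 10.0.2.236 to 10.0.0.10
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=com"
[10/Sep/2006:17:02:51 +0300] conn=111 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=testGroup))" attrs=ALL
[10/Sep/2006:17:02:51 +0300] conn=111 op=3 fd=67 closed - B4
"""

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) (?:op=(-?\d+) )?(.*)$')
CLOSED = re.compile(r'closed - (\w+)$')
BOUND_DN = re.compile(r'RESULT err=0 tag=97 .*dn="([^"]*)"')

def find_unanswered(log_text):
    """Return one record per request that had no RESULT when its connection closed."""
    pending, bound, findings = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) is None:   # skip "connection from ..." and foreign lines
            continue
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        closed = CLOSED.search(rest)
        if closed:
            for op_id, request in sorted(pending.pop(conn, {}).items()):
                if request.startswith("UNBIND"):   # UNBIND never gets a RESULT
                    continue
                findings.append({"conn": conn, "op": op_id, "request": request,
                                 "close_code": closed.group(1),
                                 "bind_dn": bound.get(conn)})
        elif rest.startswith("RESULT"):
            pending.get(conn, {}).pop(op, None)    # request answered
            dn = BOUND_DN.search(rest)
            if dn:
                bound[conn] = dn.group(1)          # identity of the completed bind
        else:
            pending.setdefault(conn, {})[op] = rest  # request awaiting its RESULT
    return findings

if __name__ == "__main__":
    for finding in find_unanswered(SAMPLE_LOG):
        print(finding)
```
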