This one stumped me for awhile and I finally figured it out. I run Novell Domain Services for Windows to emulate my AD environement and I was having the same ldap issue. I did packet captures, ldap traces all kind of stuff. Once I determed the problem was on the appliance, this is my method of troubleshootnig and the way I solved it:
Synchronization Mode - Active Directory/Open Directory/LDAP
When attempting to browsing the directory it would immediately fail.
Found the the logv/var/log/eset/RemoteAdministrator/Server/trace.log
2015-03-31 17:10:42 Error: ConsoleApiModule [Thread 7fcc35de2700]: 9 Error while getting synchronization nodes: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache permissions incorrect) 2015-03-31 17:10:44 Error: CServerStaticGroupsModule [Thread 7fcc37be5700]: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache permissions incorrect) 2015-03-31 17:10:44 Error: ConsoleApiModule [Thread 7fcc35de2700]: 9 Error while getting synchronization nodes: SearchLdap: 'ldapsearch' failed with 254 exit code, stderr: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache permissions incorrect)
This error points to permission problems with the krb5 keystore file.
Kinit works fine and klist shows:
[root@eset-us audit]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: User@DOMAIN.COM Valid starting Expires Service principal 03/31/15 12:14:41 03/31/15 22:14:41 krbtgt/DOMAIN.COM@DOMAIN.COM renew until 04/01/15 12:14:47 03/31/15 12:14:42 03/31/15 22:14:41 ldap/server.domain.com@ renew until 04/01/15 12:14:47 03/31/15 12:14:42 03/31/15 22:14:41 ldap/server.domain.com@DOMAIN.COM renew until 04/01/15 12:14:47
Looked at the keystore file /tmp/krb5cc_0
[root@eset-us tmp]# ls -l krb5cc_0 -rw-------. 1 root root 3524 Mar 31 12:14 krb5cc_0
[root@eset-us tmp]# ls -Z krb5cc_0 -rw-------. root root unconfined_u:object_r:user_tmp_t:s0 krb5cc_0
Looked in the SELINUX audit log and found:
type=AVC msg=audit(1427479161.221:395): avc: denied { unlink } for pid=21111 comm="kinit" name="krb5cc_0" dev=dm-0 ino=262297 scontext=system_u:system_r:eraserver_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
showing that the keystore file was in the wrong context that SELINUX wanted it so it was denied access.
Edited the /etc/selinux/config file and changed the entries:
From: SELINUX=enforcing
To: SELINUX=permissive
Next reloaded SELINUX
semodule -R
I can't remember if I had to reboot or not but it started working.
Looked at the keystore file /tmp/krb5cc_0 again
[root@eset-us tmp]# ls -l krb5cc_0 -rw-------. 1 root root 3524 Mar 31 12:14 krb5cc_0
[root@eset-us tmp]# ls -Z krb5cc_0 -rw-------. root root system_u:object_r:eraserver_tmp_t:s0 krb5cc_0
Notice the context changed to match the what the audit log had expected. system_u and eraserver_tmp_t
Again edited the /etc/selinux/config file and changed the entries:
From: SELINUX=permissive
To: SELINUX=enforcing
Next reloaded SELINUX
semodule -R
Did not change after the reboot. So the browse function is still working.
Hope this helps