Nabble - NSS LDAP

Re: Re: Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-07-04T05:45:09Z

On 04/07/2008, at 9:46 PM, Tim Small wrote:

> Hello,
>
> I was wondering if there had been any progress on this issue? I've
> hit the same thing recently myself.
>
> In particular, would it be possible to manually downgrade to an
> older nscd binary as a workaround, and if so, any ideas what the
> implications of this would be (apart from any future security
> updates etc.)?
>
> It also occurred to me that downloading and compiling the nscd
> source from opensolaris might be a useful debugging route...

I took a look at the OpenSolaris nss_ldap code today. The interface
has changed significantly -- it will be a fair bit of work to support
the new interfaces (not impossible, though).

-- Luke

Re: Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-07-04T04:46:30Z

Hello,

I was wondering if there had been any progress on this issue? I've hit
the same thing recently myself.

In particular, would it be possible to manually downgrade to an older
nscd binary as a workaround, and if so, any ideas what the implications
of this would be (apart from any future security updates etc.)?

It also occurred to me that downloading and compiling the nscd source
from opensolaris might be a useful debugging route...

Regards,

Tim.

--
South East Open Source Solutions Limited
Registered in England and Wales with company number 06134732.
Registered Office: 71 Tylehurst Drive, Redhill, Surrey, RH1 6EL
VAT number: 900 6633 53 http://seoss.co.uk/ +44-(0)1273-808309

Re: Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-07-04T03:41:55Z

Hello,

I was wondering if there had been any progress on this issue? I've hit the
same thing recently myself.

In particular, would it be possible to manually downgrade to an older nscd
binary as a workaround, and if so, any ideas what the implications of this
would be?

It also occurred to me that downloading and compiling the nscd source from
opensolaris might be a useful debugging route...

Regards,

Tim.
--
View this message in context: http://www.nabble.com/Solaris-10%3A-As-soon-as-nscd-is-running-getpwnam-on-a-ldap-account-fails-tp17713578p18277063.html
Sent from the NSS LDAP mailing list archive at Nabble.com.

Re: Kerberos Autorenew and Autorefresh

2008-07-02T03:15:30Z

Hallo Howard,

* Howard Wilkinson <howard@...> [080702 11:37]:
> About a year ago I contributed some code to the nss_ldap core which
> appeared in the mainstream for release 258. This code supports auto renew
> and auto refresh of Kerberos tickets using either a previously created
> cache or a keytab. I have been running kstart to get the initial ticket but
> tried to turn this feature off and let the initial ticket be created by the
> code in nss_ldap. This has not worked for me :-[ and I was wondering if
> anybody else has tried and succeeded with this.

> So can I get a poll of anybody who is using these features and what sort of
> success they have had with them.

> I am going to debug my problem over the next few days but if anybody has a
> working config and would be willing to share I would be grateful

never used it, thought about it, but I saw this morning the following
bugreport including patch, hopefully it helps you get going. Please let
me know if you succeed because I'm heavily thinking about such a setup.

http://bugzilla.padl.com/show_bug.cgi?id=368

Thomas

Kerberos Autorenew and Autorefresh

2008-07-01T08:30:15Z

About a year ago I contributed some code to the nss_ldap core which
appeared in the mainstream for release 258. This code supports auto
renew and auto refresh of Kerberos tickets using either a previously
created cache or a keytab. I have been running kstart to get the initial
ticket but tried to turn this feature off and let the initial ticket be
created by the code in nss_ldap. This has not worked for me :-[ and I
was wondering if anybody else has tried and succeeded with this.

So can I get a poll of anybody who is using these features and what sort
of success they have had with them.

I am going to debug my problem over the next few days but if anybody has
a working config and would be willing to share I would be grateful

Howard.

Re: client timeout - update

2008-06-23T13:23:50Z

Buchan Milne wrote:

> On Wednesday 11 June 2008 17:03:23 Eric Ritchie wrote:
>
>> I'm using LDAP for passwd, group, automap and netgroup functions, it is
>> a replacement for NIS. When the OS is using LDAP for these functions,
>> such as id or finger, it uses /lib/libnss_ldap.so and the /etc/ldap.conf
>> file. When I run any of the ldap commands, such as ldapsearch, it uses
>> /usr/lib/libldap and /etc/openldap/ldap.conf. I'm more concerned with
>> the OS hanging when it tries to perform an LDAP lookup than ldapsearch
>> hanging. So I would need a newer libnss_ldap to take advantage of new
>> OpenLDAP features.
>>
>
> Most likely it would be sufficient to install newer OpenLDAP libraries, and
> compile nss_ldap against the newer libraries.
>

OpenLDAP 2.4.10 NETWORK_TIMEOUT feature definitely works much better. I
installed the ldapsearch program and the client libraries. When I
shutdown a server, ldapsearch hangs for just a second and then connects
to the next server, before it would hang for a really long time.
Recompiling nss_ldap is a little over my head. I tried downloading
nss_ldap from PADL and compiling it with the latest LDAP libraries but
its still ignoring the NETWORK_TIMEOUT setting. If I set bind_timelimit
to 1, there is still about a 10 second delay when the OS is querying
LDAP, it doesn't seem to matter if I set bind_policy to soft, getting
nss_ldap to support the new NETWORK_TIMEOUT would really help.

Eric

> However, in my case, bind_policy soft is sufficient to prevent problems when a
> server "fails" (well, more often the client's networking isn't correctly
> configured). But, if the client can't reach the server (bad routing, firewall
> dropping packets instead of denying), then I would expect the behaviour you
> are seeing, or if the LDAP server were to hang on an open connection (but I
> haven't seen that in a few years).
>
> Regards,
> Buchan
>
>
>

--
Eric Ritchie
Interactive Brokers LLC
203-618-5868

SASL DIGEST-MD5?

2008-06-16T11:25:56Z

Greetings,

I'm trying to get DIGEST-MD5 authentication working in my nss_ldap config, but I seem to be having problems. Basically, I have a slapd server proxying to an Active Directory server. With a simple bind, it works just fine. As for the SASL authentication, I know it works through my slapd proxy because I've verified it with ldapsearch/ldapwhoami commands, but it doesn't work through nss_ldap.

[user@host ~]$ ldapsearch -LLL -U ldaptest@company.com "uid=ldaptest" cn
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: ldaptest@company.com
SASL SSF: 128
SASL data security layer installed.
dn: cn=Ldap Test,ou=Users,dc=company,dc=com
cn: Ldap Test

However, when I try to id my user:
[user@host ~]$ id ldaptest
id: ldaptest: No such user

The following is the output from my slap debug logging when I run the 'id' command:
slapd[11329]: conn=22 fd=11 ACCEPT from IP=10.1.0.220:5947 (IP=0.0.0.0:389)
slapd[11329]: conn=22 op=0 BIND dn="" method=128
slapd[11329]: conn=22 op=0 RESULT tag=97 err=0 text=
slapd[11329]: conn=22 op=1 SRCH base="ou=Users,dc=company,dc=com" scope=2 deref=0 filter="(&(?objectClass=user)(?SAMACCOUNTNAME=ldaptest))"
slapd[11329]: conn=22 op=1 SRCH attr=sAMAccountName userPassword uidNumber gidNumber cn unixHomeDirectory loginShell gecos description objectClass
slapd[11329]: conn=22 op=2 UNBIND
slapd[11329]: conn=22 op=1 SEARCH RESULT tag=101 err=48 nentries=0 text=
slapd[11329]: conn=22 fd=11 closed

And, the output when I successfully run the ldapsearch command above:
slapd[11329]: conn=26 fd=11 ACCEPT from IP=10.1.0.220:54539 (IP=0.0.0.0:389)
slapd[11329]: conn=26 op=0 BIND dn="" method=163
slapd[11329]: conn=26 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
slapd[11329]: conn=26 op=1 BIND dn="" method=163
slapd[11329]: conn=26 op=1 BIND authcid="ldaptest@company.com" authzid="ldaptest@company.com"
slapd[11329]: conn=26 op=1 BIND dn="uid=ldaptest@company.com,cn=digest-md5,cn=auth" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
slapd[11329]: conn=26 op=1 RESULT tag=97 err=0 text=
slapd[11329]: conn=26 op=2 SRCH base="ou=Users,dc=company,dc=com" scope=2 deref=0 filter="(uid=ldaptest)"
slapd[11329]: conn=26 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[11329]: conn=26 op=3 UNBIND
slapd[11329]: conn=26 fd=11 closed

From the looks of it to me, nss_ldap is not using the correct 'method' when it's doing the search, as indicated in bold above. My /etc/ldap.conf looks like this:

host ldaphost.company.com
base ou=Users,dc=company,dc=com
scope sub
timelimit 120
bind_timelimit 1200
bind_policy soft
idle_timelimit 3600
nss_base_passwd ou=Users,dc=company,dc=com?sub
nss_base_shadow ou=Users,dc=company,dc=com?sub
nss_base_group ou=Groups,dc=company,dc=com?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
pam_sasl_mech DIGEST-MD5
sasl_secprops maxssf=0
sasl_authid ldaptest@company.com

Am I using the wrong options in ldap.conf (pam_sasl_mech, etc.)? I've tried enabling the "use_sasl on" feature, but it seems to cause a "local error" in the logs when I try to search with that. Do I need to recompile with some special options enabled?

I'm using nss_ldap 2.53 -> openldap 2.4.9 -> AD (Windows 2K3 R2).

Any help is greatly appreciated. Thanks.

release 0.6.3 of nss-ldapd

2008-06-15T07:48:23Z

A new release of nss-ldapd was made which fixes a number of bugs in the
0.6.2 release and tries to focus in stabillity. This release is
available from:
http://ch.tudelft.nl/~arthur/nss-ldapd/

Some more improvements to the retry and fail-over mechanism have been
made and support for groups with up to around 150000 members has been
added. The nslcd daemon can now be run under a separate user and group
and SASL authentication has been improved.

For more information and changes in this release, please see the URL
above. Any feedback is greatly appreciated. Thanks for all the feedback
already provided.

--
-- arthur - arthur@... - http://ch.tudelft.nl/~arthur --

signature.asc (204 bytes) Download Attachment

Re: client timeout

2008-06-11T08:03:23Z

I'm using LDAP for passwd, group, automap and netgroup functions, it is
a replacement for NIS. When the OS is using LDAP for these functions,
such as id or finger, it uses /lib/libnss_ldap.so and the /etc/ldap.conf
file. When I run any of the ldap commands, such as ldapsearch, it uses
/usr/lib/libldap and /etc/openldap/ldap.conf. I'm more concerned with
the OS hanging when it tries to perform an LDAP lookup than ldapsearch
hanging. So I would need a newer libnss_ldap to take advantage of new
OpenLDAP features.

Thanks

Eric

Howard Chu wrote:

> Eric Ritchie wrote:
>> I'm having an issue with client response when a server fails. This may
>> be the same issue discussed in the thread "No timeout for nss ldap". I
>> have 3 servers running openldap 2.3.39. I have several Redhat 4 clients.
>> I configured the uri line with the 3 servers on each client:
>> uri ldap://1.2.3.4 ldap://1.2.3.5 ldap://1.2.3.6
>>
>> If I go to the first ldap server and stop slapd, there is no noticeable
>> effect on the clients. If I shut down the server, or disable the
>> network, the clients will hang. I have experimented with bind_timelimit
>> and bind_policy. Changing the bind_policy did not seem to have any
>> effect. Setting the bind_timelimit to 1 and running nscd seem to help
>> clients the most. Is there any way I can configure the clients to better
>> handle an LDAP server shutdown?
>
> Upgrade to OpenLDAP 2.4; the ldap.conf syntax has been extended to
> allow you to configure connection timeouts.
>

--
Eric Ritchie
Interactive Brokers LLC
203-618-5868

Re: client timeout

2008-06-10T12:14:12Z

Eric Ritchie wrote:

> I'm having an issue with client response when a server fails. This may
> be the same issue discussed in the thread "No timeout for nss ldap". I
> have 3 servers running openldap 2.3.39. I have several Redhat 4 clients.
> I configured the uri line with the 3 servers on each client:
> uri ldap://1.2.3.4 ldap://1.2.3.5 ldap://1.2.3.6
>
> If I go to the first ldap server and stop slapd, there is no noticeable
> effect on the clients. If I shut down the server, or disable the
> network, the clients will hang. I have experimented with bind_timelimit
> and bind_policy. Changing the bind_policy did not seem to have any
> effect. Setting the bind_timelimit to 1 and running nscd seem to help
> clients the most. Is there any way I can configure the clients to better
> handle an LDAP server shutdown?

Upgrade to OpenLDAP 2.4; the ldap.conf syntax has been extended to allow you
to configure connection timeouts.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

client timeout

2008-06-10T10:51:35Z

I'm having an issue with client response when a server fails. This may
be the same issue discussed in the thread "No timeout for nss ldap". I
have 3 servers running openldap 2.3.39. I have several Redhat 4 clients.
I configured the uri line with the 3 servers on each client:
uri ldap://1.2.3.4 ldap://1.2.3.5 ldap://1.2.3.6

If I go to the first ldap server and stop slapd, there is no noticeable
effect on the clients. If I shut down the server, or disable the
network, the clients will hang. I have experimented with bind_timelimit
and bind_policy. Changing the bind_policy did not seem to have any
effect. Setting the bind_timelimit to 1 and running nscd seem to help
clients the most. Is there any way I can configure the clients to better
handle an LDAP server shutdown?

Thanks

--
Eric Ritchie

Re: Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-06-08T09:06:11Z

Hello,
I used the opensolaris source browser to find some information about the
missing symbols:

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/mapfile-vers

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getauuser.c

nss_backend_t *
_nss_ldap_audit_user_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5)
{
return ((nss_backend_t *)_nss_ldap_constr(auuser_ops,
sizeof (auuser_ops)/sizeof (auuser_ops[0]), _AUUSER,
auuser_attrs, _nss_ldap_au2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/gethostent6.c

nss_backend_t *
_nss_ldap_ipnodes_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{

return ((nss_backend_t *)_nss_ldap_constr(ipnodes_ops,
sizeof (ipnodes_ops)/sizeof (ipnodes_ops[0]), _HOSTS6,
ipnodes_attrs, _nss_ldap_hosts2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getnetmasks.c

nss_backend_t *
_nss_ldap_netmasks_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{

return ((nss_backend_t *)_nss_ldap_constr(netmasks_ops,
sizeof (netmasks_ops)/sizeof (netmasks_ops[0]), _NETMASKS,
netmasks_attrs, _nss_ldap_netmasks2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getprinter.c

nss_backend_t *
_nss_ldap_printers_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{

return ((nss_backend_t *)_nss_ldap_constr(printers_ops,
sizeof (printers_ops)/sizeof (printers_ops[0]), _PRINTERS,
printer_attrs, _nss_ldap_printers2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getprofattr.c

nss_backend_t *
_nss_ldap_prof_attr_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5)
{
return ((nss_backend_t *)_nss_ldap_constr(profattr_ops,
sizeof (profattr_ops)/sizeof (profattr_ops[0]), _PROFATTR,
prof_attrs, _nss_ldap_prof2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getprojent.c

nss_backend_t *
_nss_ldap_project_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{
return (_nss_ldap_constr(project_ops,
sizeof (project_ops) / sizeof (project_ops[0]),
_PROJECT, project_attrs, _nss_ldap_proj2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getkeyent.c

nss_backend_t *
_nss_ldap_publickey_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{

return ((nss_backend_t *)_nss_ldap_constr(keys_ops,
sizeof (keys_ops)/sizeof (keys_ops[0]),
_PUBLICKEY, keys_attrs, _nss_ldap_key2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/tsol_getrhent.c

nss_backend_t *
_nss_ldap_tnrhdb_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5)
{
return ((nss_backend_t *)_nss_ldap_constr(tnrhdb_ops,
sizeof (tnrhdb_ops)/sizeof (tnrhdb_ops[0]), _TNRHDB,
tnrhdb_attrs, _nss_ldap_tnrhdb2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/tsol_gettpent.c

nss_backend_t *
_nss_ldap_tnrhtp_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5)
{
return ((nss_backend_t *)_nss_ldap_constr(tnrhtp_ops,
sizeof (tnrhtp_ops)/sizeof (tnrhtp_ops[0]), _TNRHTP,
tnrhtp_attrs, _nss_ldap_tnrhtp2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getuserattr.c

nss_backend_t *
_nss_ldap_user_attr_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5)
{
return ((nss_backend_t *)_nss_ldap_constr(userattr_ops,
sizeof (userattr_ops)/sizeof (userattr_ops[0]), _USERATTR,
user_attrs, _nss_ldap_user2str));
}

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/nsswitch/ldap/common/getexecattr.c

nss_backend_t *
_nss_ldap_exec_attr_constr(const char *dummy1,
const char *dummy2,
const char *dummy3,
const char *dummy4,
const char *dummy5,
const char *dummy6,
const char *dummy7)
{
#ifdef DEBUG
(void) fprintf(stdout,
"\n[getexecattr.c: _nss_ldap_exec_attr_constr]\n");
#endif
return ((nss_backend_t *)_nss_ldap_constr(execattr_ops,
sizeof (execattr_ops)/sizeof (execattr_ops[0]), _EXECATTR,
exec_attrs, _nss_ldap_exec2str));
}

after that I tried to implement the stubs, all returning ,,NULL'' however this
did not make nscd work. Here is my patch if someone want's to build up on top
of it.

Thomas

diff --git a/Makefile.am b/Makefile.am
index 4b05f13..dcb883e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,7 +21,7 @@ man_MANS = nss_ldap.5
nss_ldap_so_SOURCES = ldap-nss.c ldap-pwd.c ldap-grp.c ldap-netgrp.c ldap-rpc.c \
ldap-hosts.c ldap-network.c ldap-proto.c ldap-spwd.c \
ldap-alias.c ldap-service.c ldap-schema.c ldap-ethers.c \
- ldap-bp.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
+ ldap-bp.c stubs.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
dnsconfig.c irs-nss.c pagectrl.c ldap-sldap.c ldap-init-krb5-cache.c

nss_ldap_so_LDFLAGS = @nss_ldap_so_LDFLAGS@
diff --git a/Makefile.in b/Makefile.in
index c5c098f..0c68864 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -68,7 +68,7 @@ am_nss_ldap_so_OBJECTS = ldap-nss.$(OBJEXT) ldap-pwd.$(OBJEXT) \
ldap-hosts.$(OBJEXT) ldap-network.$(OBJEXT) \
ldap-proto.$(OBJEXT) ldap-spwd.$(OBJEXT) ldap-alias.$(OBJEXT) \
ldap-service.$(OBJEXT) ldap-schema.$(OBJEXT) \
- ldap-ethers.$(OBJEXT) ldap-bp.$(OBJEXT) \
+ ldap-ethers.$(OBJEXT) ldap-bp.$(OBJEXT) stubs.$(OBJEXT) \
ldap-automount.$(OBJEXT) util.$(OBJEXT) ltf.$(OBJEXT) \
snprintf.$(OBJEXT) resolve.$(OBJEXT) dnsconfig.$(OBJEXT) \
irs-nss.$(OBJEXT) pagectrl.$(OBJEXT) ldap-sldap.$(OBJEXT) \
@@ -211,7 +211,7 @@ man_MANS = nss_ldap.5
nss_ldap_so_SOURCES = ldap-nss.c ldap-pwd.c ldap-grp.c ldap-netgrp.c ldap-rpc.c \
ldap-hosts.c ldap-network.c ldap-proto.c ldap-spwd.c \
ldap-alias.c ldap-service.c ldap-schema.c ldap-ethers.c \
- ldap-bp.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
+ ldap-bp.c stubs.c ldap-automount.c util.c ltf.c snprintf.c resolve.c \
dnsconfig.c irs-nss.c pagectrl.c ldap-sldap.c ldap-init-krb5-cache.c

NSS_LDAP_SOURCES = ldap-nss.c ldap-grp.c ldap-pwd.c ldap-netgrp.c ldap-schema.c \
@@ -308,6 +308,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-alias.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-automount.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-bp.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stubs.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-ethers.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-grp.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ldap-hosts.Po@am__quote@
diff --git a/exports.solaris b/exports.solaris
index 3ad3bd4..0dcd056 100644
--- a/exports.solaris
+++ b/exports.solaris
@@ -13,6 +13,16 @@ nss_ldap.so.1 {
_nss_ldap_services_constr;
_nss_ldap_shadow_constr;
_nss_ldap_netgroup_constr;
+ _nss_ldap_exec_attr_constr;
+ _nss_ldap_ipnodes_constr;
+ _nss_ldap_netmasks_constr;
+ _nss_ldap_printers_constr;
+ _nss_ldap_prof_attr_constr;
+ _nss_ldap_project_constr;
+ _nss_ldap_publickey_constr;
+ _nss_ldap_tnrhdb_constr;
+ _nss_ldap_tnrhtp_constr;
+ _nss_ldap_user_attr_constr;
# libsldap library interfaces
__ns_ldap_getMappedAttributes;
__ns_ldap_getMappedObjectClass;
diff --git a/ldap-sldap.c b/ldap-sldap.c
index 5f8f85f..0af8b67 100644
--- a/ldap-sldap.c
+++ b/ldap-sldap.c
@@ -247,7 +247,9 @@ __ns_ldap_getParam (const ParamIndexType type, void ***data,
break;
}

+#if 0
debug ("<== __ns_ldap_getParam (ret=%s)", NS_LDAP_ERR2STR (ret));
+#endif

return ret;
}
@@ -566,8 +568,10 @@ __ns_ldap_parseEntry (LDAPMessage * msg, ldap_state_t * state,
{
__ns_ldap_freeEntry (&entry);
cookie->ret = ret;
+#if 0
debug ("<== __ns_ldap_parseEntry (failed to init result: %s)",
NS_LDAP_ERR2STR (ret));
+#endif
return __ns_ldap_mapError (ret);
}
cookie->result->entry = entry;
@@ -597,7 +601,9 @@ __ns_ldap_parseEntry (LDAPMessage * msg, ldap_state_t * state,

cookie->ret = ret;

+#if 0
debug ("<== __ns_ldap_parseEntry (ret=%s)", NS_LDAP_ERR2STR (ret));
+#endif

return __ns_ldap_mapError (ret);
}
@@ -1150,8 +1156,10 @@ __ns_ldap_firstEntry (const char *service,

*pCookie = cookie;

+#if 0
debug ("<== __ns_ldap_firstEntry ret=%s cookie=%p", NS_LDAP_ERR2STR (ret),
cookie);
+#endif

return ret;
}
@@ -1185,7 +1193,9 @@ __ns_ldap_nextEntry (void *_cookie,

_nss_ldap_leave ();

+#if 0
debug ("<== __ns_ldap_nextEntry ret=%s", NS_LDAP_ERR2STR (ret));
+#endif

return ret;
}
@@ -1273,7 +1283,9 @@ __ns_ldap_list (const char *map,

_nss_ldap_leave ();

+#if 0
debug ("<== __ns_ldap_list ret=%s", NS_LDAP_ERR2STR (ret));
+#endif

return ret;
}
diff --git a/stubs.c b/stubs.c
new file mode 100644
index 0000000..f1b5127
--- /dev/null
+++ b/stubs.c
@@ -0,0 +1,136 @@
+#include "config.h"
+
+#ifdef HAVE_PORT_BEFORE_H
+#include <port_before.h>
+#endif
+
+#if defined(HAVE_THREAD_H) && !defined(_AIX)
+#include <thread.h>
+#elif defined(HAVE_PTHREAD_H)
+#include <pthread.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+#ifdef HAVE_LBER_H
+#include <lber.h>
+#endif
+#ifdef HAVE_LDAP_H
+#include <ldap.h>
+#endif
+
+#include "ldap-nss.h"
+#include "ldap-bp.h"
+#include "util.h"
+
+#ifdef HAVE_PORT_AFTER_H
+#include <port_after.h>
+#endif
+
+#ifdef HAVE_NSS_H
+static ent_context_t *bp_context = NULL;
+#endif
+
+nss_backend_t *
+_nss_ldap_audit_user_constr(const char *dummy1,
+const char *dummy2,
+const char *dummy3,
+const char *dummy4,
+const char *dummy5)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_ipnodes_constr(const char *dummy1, const char *dummy2,
+ const char *dummy3)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_netmasks_constr(const char *dummy1, const char *dummy2,
+ const char *dummy3)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_printers_constr(const char *dummy1, const char *dummy2,
+ const char *dummy3)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_prof_attr_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_project_constr(const char *dummy1, const char *dummy2,
+const char *dummy3)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_publickey_constr(const char *dummy1, const char *dummy2,
+ const char *dummy3)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_tnrhdb_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_tnrhtp_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_user_attr_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5)
+{
+ return NULL;
+}
+
+nss_backend_t *
+_nss_ldap_exec_attr_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5,
+ const char *dummy6,
+ const char *dummy7)
+{
+ return NULL;
+}
+
diff --git a/stubs.h b/stubs.h
new file mode 100644
index 0000000..903dd56
--- /dev/null
+++ b/stubs.h
@@ -0,0 +1,65 @@
+#ifndef _LDAP_NSS_LDAP_STUBS_H
+#define _LDAP_NSS_LDAP_STUBS_H
+
+nss_backend_t *
+_nss_ldap_audit_user_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5);
+
+nss_backend_t *
+_nss_ldap_ipnodes_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3);
+
+nss_backend_t *
+_nss_ldap_netmasks_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3);
+
+nss_backend_t *
+_nss_ldap_printers_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3);
+
+nss_backend_t *
+_nss_ldap_prof_attr_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5);
+
+nss_backend_t *
+_nss_ldap_project_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3);
+
+nss_backend_t *
+_nss_ldap_publickey_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3);
+
+
+nss_backend_t *
+_nss_ldap_tnrhdb_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5);
+
+nss_backend_t *
+_nss_ldap_tnrhtp_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5);
+
+nss_backend_t *
+_nss_ldap_user_attr_constr(const char *dummy1,
+ const char *dummy2,
+ const char *dummy3,
+ const char *dummy4,
+ const char *dummy5);
+
+#endif /* _LDAP_NSS_LDAP_STUBS_H */

Re: Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-06-08T08:00:13Z

Hello,
I managed today to build an omnipotent nss_ldap and pam_krb5_310 that works with
Solaris 10 U5 (still without nscd). I wonder why noone published howto to do
that before. (Deps: libnet, openssl, krb5, sasl2, openldap).

http://git.informatik.uni-erlangen.de/?p=blastwave;a=blob;f=specs/nss-ldap;h=35348abd4e3c2d1cc858326b1d229ac066c7b6a6;hb=a314b8093d40a66eec8d3af4afc03176ad2897a0

However, I'm still stuck with nscd. So I called nm on the original
nss_ldap.so.1 which Solaris provied on Update 5 with the latest
patchset.

-bash-3.00$ /usr/ccs/bin/nm nss_ldap.so.1.off | grep GLOB | grep -v UNDEF
[330] | 0| 0|OBJT |GLOB |0 |ABS |SUNWprivate_1.1
[324] | 114904| 0|OBJT |GLOB |0 |16 |_DYNAMIC
[350] | 114688| 0|OBJT |GLOB |0 |15 |_GLOBAL_OFFSET_TABLE_
[361] | 6252| 0|OBJT |GLOB |0 |9 |_PROCEDURE_LINKAGE_TABLE_
[368] | 118033| 0|OBJT |GLOB |0 |19 |_edata
[333] | 118033| 0|OBJT |GLOB |0 |20 |_end
[363] | 45422| 0|OBJT |GLOB |0 |14 |_etext
[385] | 8615| 59|FUNC |GLOB |0 |10 |_nss_ldap_audit_user_constr
[369] | 7918| 59|FUNC |GLOB |0 |10 |_nss_ldap_auth_attr_constr
[380] | 9324| 59|FUNC |GLOB |0 |10 |_nss_ldap_bootparams_constr
[373] | 10090| 59|FUNC |GLOB |0 |10 |_nss_ldap_ethers_constr
[359] | 13171| 59|FUNC |GLOB |0 |10 |_nss_ldap_exec_attr_constr
[384] | 14820| 59|FUNC |GLOB |0 |10 |_nss_ldap_group_constr
[331] | 17097| 59|FUNC |GLOB |0 |10 |_nss_ldap_hosts_constr
[326] | 18177| 59|FUNC |GLOB |0 |10 |_nss_ldap_ipnodes_constr
[376] | 24569| 54|FUNC |GLOB |0 |10 |_nss_ldap_netgroup_constr
[362] | 25031| 59|FUNC |GLOB |0 |10 |_nss_ldap_netmasks_constr
[374] | 20303| 59|FUNC |GLOB |0 |10 |_nss_ldap_networks_constr
[398] | 29054| 59|FUNC |GLOB |0 |10 |_nss_ldap_passwd_constr
[390] | 30181| 58|FUNC |GLOB |0 |10 |_nss_ldap_printers_constr
[321] | 25878| 59|FUNC |GLOB |0 |10 |_nss_ldap_prof_attr_constr
[358] | 26822| 59|FUNC |GLOB |0 |10 |_nss_ldap_project_constr
[356] | 27998| 59|FUNC |GLOB |0 |10 |_nss_ldap_protocols_constr
[395] | 19021| 59|FUNC |GLOB |0 |10 |_nss_ldap_publickey_constr
[341] | 31104| 59|FUNC |GLOB |0 |10 |_nss_ldap_rpc_constr
[367] | 33019| 59|FUNC |GLOB |0 |10 |_nss_ldap_services_constr
[387] | 33807| 59|FUNC |GLOB |0 |10 |_nss_ldap_shadow_constr
[349] | 35389| 59|FUNC |GLOB |0 |10 |_nss_ldap_tnrhdb_constr
[377] | 35924| 59|FUNC |GLOB |0 |10 |_nss_ldap_tnrhtp_constr
[364] | 34654| 59|FUNC |GLOB |0 |10 |_nss_ldap_user_attr_constr

After that I look at the exported symbols of nss_ldap (see also export.solaris
in the nss_ldap distribution):

-bash-3.00$ /usr/ccs/bin/nm nss_ldap.so.1 | grep GLOB | grep -v UNDEF
[16346] | 3863200| 0|OBJT |GLOB |0 |22 |_DYNAMIC
[16403] | 3862036| 0|OBJT |GLOB |0 |21 |_GLOBAL_OFFSET_TABLE_
[16364] | 430276| 0|OBJT |GLOB |0 |15 |_PROCEDURE_LINKAGE_TABLE_
[16428] | 519264| 121|FUNC |GLOB |0 |16 |__ns_ldap_endEntry
[16314] | 519776| 205|FUNC |GLOB |0 |16 |__ns_ldap_err2str
[16373] | 518864| 237|FUNC |GLOB |0 |16 |__ns_ldap_firstEntry
[16309] | 512432| 153|FUNC |GLOB |0 |16 |__ns_ldap_freeEntry
[16318] | 511872| 129|FUNC |GLOB |0 |16 |__ns_ldap_freeError
[16445] | 512592| 157|FUNC |GLOB |0 |16 |__ns_ldap_freeResult
[16282] | 511408| 85|FUNC |GLOB |0 |16 |__ns_ldap_getMappedAttributes
[16278] | 511504| 85|FUNC |GLOB |0 |16 |__ns_ldap_getMappedObjectClass
[16394] | 512160| 109|FUNC |GLOB |0 |16 |__ns_ldap_getParam
[16411] | 519392| 369|FUNC |GLOB |0 |16 |__ns_ldap_list
[16261] | 519104| 153|FUNC |GLOB |0 |16 |__ns_ldap_nextEntry
[16473] | 3978888| 0|OBJT |GLOB |0 |26 |_edata
[16315] | 4034680| 0|OBJT |GLOB |0 |27 |_end
[16376] | 3796500| 0|OBJT |GLOB |0 |20 |_etext
[16323] | 491712| 25|FUNC |GLOB |0 |16 |_nss_ldap_bootparams_constr
[16281] | 491168| 109|FUNC |GLOB |0 |16 |_nss_ldap_ethers_constr
[16361] | 470240| 109|FUNC |GLOB |0 |16 |_nss_ldap_group_constr
[16272] | 478544| 109|FUNC |GLOB |0 |16 |_nss_ldap_hosts_constr
[16420] | 475520| 141|FUNC |GLOB |0 |16 |_nss_ldap_netgroup_constr
[16412] | 480208| 109|FUNC |GLOB |0 |16 |_nss_ldap_networks_constr
[16363] | 463440| 109|FUNC |GLOB |0 |16 |_nss_ldap_passwd_constr
[16434] | 481328| 109|FUNC |GLOB |0 |16 |_nss_ldap_protocols_constr
[16444] | 476672| 109|FUNC |GLOB |0 |16 |_nss_ldap_rpc_constr
[16273] | 484624| 109|FUNC |GLOB |0 |16 |_nss_ldap_services_constr
[16407] | 482832| 109|FUNC |GLOB |0 |16 |_nss_ldap_shadow_constr
[16418] | 0| 0|OBJT |GLOB |0 |ABS |nss_ldap.so.1

What you can see here is, that a few symbols are gone and a few new are in. Has
someone already had a look at this?

(u5) [/var/tmp/sithglan-pkg/nss_ldap-260] gdiff -ruN padl sun
--- padl 2008-06-08 16:51:53.390905000 +0200
+++ sun 2008-06-08 16:47:01.055021000 +0200
@@ -1,22 +1,23 @@
-__ns_ldap_endEntry
-__ns_ldap_err2str
-__ns_ldap_firstEntry
-__ns_ldap_freeEntry
-__ns_ldap_freeError
-__ns_ldap_freeResult
-__ns_ldap_getMappedAttributes
-__ns_ldap_getMappedObjectClass
-__ns_ldap_getParam
-__ns_ldap_list
-__ns_ldap_nextEntry
+_nss_ldap_audit_user_constr
+_nss_ldap_auth_attr_constr
_nss_ldap_bootparams_constr
_nss_ldap_ethers_constr
+_nss_ldap_exec_attr_constr
_nss_ldap_group_constr
_nss_ldap_hosts_constr
+_nss_ldap_ipnodes_constr
_nss_ldap_netgroup_constr
+_nss_ldap_netmasks_constr
_nss_ldap_networks_constr
_nss_ldap_passwd_constr
+_nss_ldap_printers_constr
+_nss_ldap_prof_attr_constr
+_nss_ldap_project_constr
_nss_ldap_protocols_constr
+_nss_ldap_publickey_constr
_nss_ldap_rpc_constr
_nss_ldap_services_constr
_nss_ldap_shadow_constr
+_nss_ldap_tnrhdb_constr
+_nss_ldap_tnrhtp_constr
+_nss_ldap_user_attr_constr

So, I guess the following symbols are missing and this is why my nscd keeps
failing on me:

_nss_ldap_exec_attr_constr
_nss_ldap_ipnodes_constr
_nss_ldap_netmasks_constr
_nss_ldap_printers_constr
_nss_ldap_prof_attr_constr
_nss_ldap_project_constr
_nss_ldap_publickey_constr
_nss_ldap_tnrhdb_constr
_nss_ldap_tnrhtp_constr
_nss_ldap_user_attr_constr

I'm also wondering if I am the only one who is needs this patch to get
nss_ldap working _without_ debugging enabled under Solaris 10 using gcc,
forte11 and forte12:

http://git.informatik.uni-erlangen.de/?p=blastwave;a=blob;f=sources/nss_ldap.patch;h=c1371d22b1c691d3106c105a95bb8264f9368b55;hb=a314b8093d40a66eec8d3af4afc03176ad2897a0

Thomas

Solaris 10: As soon as nscd is running getpwnam on a ldap account fails

2008-06-07T13:43:02Z

Hello,
I have Solaris 10 Update 5 authenticating against a Windows 2003 R2 Active
Directory. I used the Blastwave Packages (openldap, openssl, libnet, krb5) and
Sun Studio 12 to compile nss_ldap. I also had to apply the attached patch
otherwise no information at all are retrieved from the Active Directory.

I'm able to retrieve information from the AD and log in via kerberos
(using a kerberos token and keyboard interactive using my _windows_
password). I have no crypt/md5 password set.

However I'm facing a strange problem. As soon as I start nscd, getpwnam
fails for me:

(mini) [~] ssh -l root 192.168.0.73
Password:
Last login: Sat Jun 7 22:08:29 2008 from u5
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
You have new mail.
# id testldap
uid=10000(testldap) gid=10000(gruppe)
# /etc/init.d/nscd start
# id testldap
id: invalid user name: "testldap"
# /etc/init.d/nscd stop
# id testldap
uid=10000(testldap) gid=10000(gruppe)

Thomas

NSS overlay for slapd

2008-06-03T12:19:37Z

For anyone interested, I've released an NSS overlay for slapd in OpenLDAP's
contrib/slapd-modules/nssov directory. This overlay uses the same protocol as
Arthur de Jong's nss-ldapd, but uses slapd to answer the requests directly
instead of going thru some other intermediate daemon. Since the overlay is
configured inside slapd, more of your LDAP configuration is centralized in a
single place, making overall administration simpler. It offers most of the
advantages of nss-ldapd, and also provides the possibility for local caching
of remotely mastered LDAP credentials (just use back-ldap+pcache), full
synchronization for disconnected operation (just use syncrepl), etc. etc.

Feedback welcome, here or on the openldap-technical mailing list. Currently it
is only in CVS HEAD; may be released in 2.4.11.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

How to configure netgroup with nss_ldap

2008-05-12T12:53:38Z

Hi,

I have a Suse setup which uses nss_ldap for passwd and group and uses
pam_krb5 for authentication, which works fine.

Now I am trying to setup netgroups, but I don't get it to work. The user mm
is defined in ldap and should only be able to login from a machine called
test, but the user can login with ssh from anywhere.

My nsswitch.conf is:

passwd: files ldap
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files
aliases: files
shadow: files ldap

and passwd is:

at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:106:107:User for Avahi:/var/run/avahi-daemon:/bin/false
beagleindex:x:107:108:User for Beagle indexing:/var/cache/beagle:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dhcpd:x:102:65534:DHCP server daemon:/var/lib/dhcp:/bin/false
fetchmail:x:103:2:mail retrieval daemon:/var/lib/fetchmail:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
mysql:x:60:103:MySQL database admin:/var/lib/mysql:/bin/false
named:x:44:44:Name server daemon:/var/lib/named:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:104:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:105:106:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
quagga:x:104:105:Quagga routing daemon:/var/run/quagga:/usr/bin/false
root:x:0:0:root:/root:/bin/bash
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:108:109:Novell Customer Center
User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
markus:x:1000:100:Markus Moeller:/home/markus:/bin/bash
+@test::::::

#getent netgroup test
test (test, mm, )

#getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:106:107:User for Avahi:/var/run/avahi-daemon:/bin/false
beagleindex:x:107:108:User for Beagle indexing:/var/cache/beagle:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dhcpd:x:102:65534:DHCP server daemon:/var/lib/dhcp:/bin/false
fetchmail:x:103:2:mail retrieval daemon:/var/lib/fetchmail:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
mysql:x:60:103:MySQL database admin:/var/lib/mysql:/bin/false
named:x:44:44:Name server daemon:/var/lib/named:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:104:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:105:106:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
quagga:x:104:105:Quagga routing daemon:/var/run/quagga:/usr/bin/false
root:x:0:0:root:/root:/bin/bash
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:108:109:Novell Customer Center
User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
markus:x:1000:100:Markus Moeller:/home/markus:/bin/bash
+@test::0:0:::
mm:*:500:10000:Markus Moeller:/export/home/mm:/bin/ksh

Thank you
Markus

Re: Nested groups

2008-04-18T02:13:42Z

Luke Howard schrieb:

> nss_ldap supports nested groups simply by having a group member being a
> group itself. The group member must be a DN, so the uniqueMember or
> member attribute would typically used (not memberUid).
>
> This isn't actually specified in RFC 2307.
>
> You also need to have rfc2307bis support enabled in nss_ldap, by putting
> nss_schema rfc2307bis in ldap.conf.
>
> -- Luke
>

Hello,

in slapo.conf I have added this line
nss_map_attribute uniqueMember member

and restarted the openldap server

Then I imported this object

dn: cn=atest, ou=groups, dc=sb-brixen,dc=it
gidNumber: 987
member: cn=informatik, ou=groups, dc=sb-brixen,dc=it
userPassword:: e2NyeXB0fXg=
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
description: atest
cn: atest

I restarted ncsd to

The user amoroder ( me ) is member of the group informatik ( and other
groups )

now I tried with "id amoroder"
I get as result all the groups I am mmebr of, but not the group atest(987).

What is wrong here. Are my assumptions wrong that amoroder should also
become member of the group at because "informatik" is member of atest ?

Thanks
Andreas

Re: uri question

2008-04-17T16:28:52Z

You can specify multiple URIs with a space between them.

On 18/04/2008, at 7:21 AM, Adam Williams wrote:
> I have in my ldap.conf uri ldap://10.8.2.3/ for it to query my
> master ldap server for user shell accounts. I now also have a slave
> openldap server, 10.8.2.2, so how can I specify in /etc/ldap.conf to
> also query 10.8.2.2 in the event that 10.8.2.3 is down?
>
>

--
www.padl.com | www.fghr.net

uri question

2008-04-17T14:21:26Z

I have in my ldap.conf uri ldap://10.8.2.3/ for it to query my master
ldap server for user shell accounts. I now also have a slave openldap
server, 10.8.2.2, so how can I specify in /etc/ldap.conf to also query
10.8.2.2 in the event that 10.8.2.3 is down?

Re: Segmentation Faults for Ldap Accounts

2008-04-16T13:57:46Z

Hello All,

I wanted to close this thread.

It was recommended that I try the nscd. Got that activated and now all
is well.

Many thanks to all!

Andrew Morgan wrote:

> On Mon, 14 Apr 2008, Jim Summers wrote:
>
>> I agree with you it still is appearing to be something with TLS/ssl.
>> It is just confusing me that the operating system itself authenticates
>> and can resolve uidNumbers and group info fine.
>>
>> Let me know if you need the whole trace file and I can send that also.
>
> Sure, I'd like to look at both trace files in full.
>
> Andy

--
Jim Summers
Computer Science - University of Oklahoma

Re: binddn vs rootbinddn

2008-04-16T13:25:35Z

On Wed, 16 Apr 2008, Ashley Penney wrote:

> I am having a problem with nss_ldap, and I'm hoping the list can shed some
> light on this.
>
> I previously had rootbinddn set (rootbinddn
> cn=Webtools,dc=law,dc=harvard,dc=edu) and this was working fine for checking
> my attributes under uid=username, and for getting the gidNumber from my
> group (which is a little bit more complicated due to not using groups!).
>
> So, when logging in it would assign me the gidNumber for isMemberOf:
> cn=sftpuser,ou=roles, and that worked ok, but looking up 'getent group
> sftpuser' would return nothing. On advice from IRC, I set my binddn and put
> my password right into the ldap.conf file and now the same search works fine
> (finally).
>
> However, I don't want my password right in plain view. Is there a way I can
> adjust things in nss_ldap or openldap to make it so I can just set
> rootbinddn, and not binddn?

Another alternative is to set your binddn and password in ldap.conf, make
ldap.conf only readable by root, and run nscd. nscd will run as root and
can read the ldap.conf file, while processes will connect to nscd (via a
unix socket) for NSS lookups. We use this method here to hide our bind
credentials yet still require an authenticated LDAP connection for
lookups.

Andy

binddn vs rootbinddn

2008-04-16T11:49:23Z

I am having a problem with nss_ldap, and I'm hoping the list can shed some light on this.

I previously had rootbinddn set (rootbinddn cn=Webtools,dc=law,dc=harvard,dc=edu) and this was working fine for checking my attributes under uid=username, and for getting the gidNumber from my group (which is a little bit more complicated due to not using groups!).

So, when logging in it would assign me the gidNumber for isMemberOf: cn=sftpuser,ou=roles, and that worked ok, but looking up 'getent group sftpuser' would return nothing. On advice from IRC, I set my binddn and put my password right into the ldap.conf file and now the same search works fine (finally).

However, I don't want my password right in plain view. Is there a way I can adjust things in nss_ldap or openldap to make it so I can just set rootbinddn, and not binddn?

Thanks,

RE: LDAP Auth

2008-04-16T09:13:45Z

Hi,

Thanks for the reply but in the meantime I got a response from the OpenLDAP mailing list that nailed the problem for me. For future googlers facing the same problem the problem what that LDAP was being able to answer queries based on cn attribute but not based on uid attribute due to a indexing problem. Stopping OpenLDAP, running slapindex and then starting OpenLDAP again made authentication work again.

For some strange reason "getent passwd" still gets the data, so it must retrieve that information in some other way. I confess I have no intention to look up code to find out :)

A simple way to know if this problem is affecting you is doing a manual search on ldap. In my case searching for "uid=myuser" returned no information while searching for "uid=myuser*" returned the correct information which was what made the problem clear for the OpenLDAP guys.

Regards,
Nuno

-----Original Message-----
From: Andrew Morgan [mailto:morgan@...]
Sent: quarta-feira, 16 de Abril de 2008 17:07
To: Nuno Manuel Martins
Cc: nssldap@...
Subject: Re: [nssldap] LDAP Auth

On Wed, 16 Apr 2008, Nuno Manuel Martins wrote:

> Hello list,
>
> I am having a very strange behaviour from my test with OpenLDAP authentication. I tried to follow the HOWTOs online but I encountered an undocumented problem :)
>
> After configuring nssswitch.conf I tried what they asked and did a getent command which returns successfully:
> getent passwd | grep myuser
> myuser:x:10002:10001:myUser (LDAP):/home/ldap/john:/bin/bash
>
> This means that the system can get the proper data from the LDAP directory. However, even before I try authentication I have this problem:
> su - myuser
> su: user myuser does not exist
>
> So anyone knows where su is getting its information from and why it is different from the information on getent?

It looks like you are starting out as root. Perhaps your ldap.conf file
is only readable by root?

Andy

Re: LDAP Auth

2008-04-16T09:07:25Z

On Wed, 16 Apr 2008, Nuno Manuel Martins wrote:

It looks like you are starting out as root. Perhaps your ldap.conf file
is only readable by root?

Andy

LDAP Auth

2008-04-16T02:55:37Z

Hello list,

I am having a very strange behaviour from my test with OpenLDAP authentication. I tried to follow the HOWTOs online but I encountered an undocumented problem :)

After configuring nssswitch.conf I tried what they asked and did a getent command which returns successfully:
getent passwd | grep myuser
myuser:x:10002:10001:myUser (LDAP):/home/ldap/john:/bin/bash

This means that the system can get the proper data from the LDAP directory. However, even before I try authentication I have this problem:
su - myuser
su: user myuser does not exist

So anyone knows where su is getting its information from and why it is different from the information on getent?

Thanks,
Nuno

OpenLDAP and backlink support.

2008-04-15T11:22:50Z

I didn't get a reply to my last message, but I've done a lot of work on my problem since and I have a more specific question. Does OpenLDAP (any version of) support the backlink functionality? I am trying to use isMemberOf under my uid=apenney,ou=people to determine groups.

If I do "getent group sftpusers" from the command line it finds it, but if I log in it runs this:

SRCHbase="ou=Roles,dc=law,dc=harvard,dc=edu" scope=2deref=3filter="(|distinguishedName=cn=sftpuser:member,ou=roles,dc=law,dc=harvard,dc=edu)(distinguishedName=cn=sftpuser,ou=roles,dc=law,dc=harvard,dc=edu))"

This then fails, and someone who tested this for me said it seemed to work under a non-openldap server, but not on openldap. If anyone else has set up a similar feature (using roles under people to determine groups, rather than listing people under a group), let me know if it works for you.

As it stands I conclude openldap cannot support this kind of search.

Re: Nested groups

2008-04-15T01:34:00Z

nss_ldap supports nested groups simply by having a group member being
a group itself. The group member must be a DN, so the uniqueMember or
member attribute would typically used (not memberUid).

This isn't actually specified in RFC 2307.

You also need to have rfc2307bis support enabled in nss_ldap, by
putting nss_schema rfc2307bis in ldap.conf.

-- Luke

On 15/04/2008, at 4:44 PM, Andreas Moroder wrote:

> Hello,
>
> I already posted a question about groups in groups.
> Now I studied the code in grp.c, but I must admit I did non
> understand how it works. From the comments I understand that it
> should be possible to create nested groups but I don't understand
> how to do this in opendalp an what the result of nested groups is.
>
> What I am seraching for is a way to have groups that have groups as
> member and their members ( with memberUID ) should also be seen as
> member of the upper group in linux.
>
> Can anyone please help me or tell me where I can find good
> documentation ( please not the RFC )
>
> From what version on does nss_ldap support nested groups ?
>
> Thanks
> Andreas
>
>

--
www.padl.com | www.fghr.net

Nested groups

2008-04-14T23:44:41Z

Hello,

I already posted a question about groups in groups.
Now I studied the code in grp.c, but I must admit I did non understand
how it works. From the comments I understand that it should be possible
to create nested groups but I don't understand how to do this in
opendalp an what the result of nested groups is.

What I am seraching for is a way to have groups that have groups as
member and their members ( with memberUID ) should also be seen as
member of the upper group in linux.

Can anyone please help me or tell me where I can find good documentation
( please not the RFC )

From what version on does nss_ldap support nested groups ?

Thanks
Andreas

Re: Segmentation Faults for Ldap Accounts

2008-04-14T15:53:19Z

On Mon, 14 Apr 2008, Jim Summers wrote:

> I agree with you it still is appearing to be something with TLS/ssl. It is
> just confusing me that the operating system itself authenticates and can
> resolve uidNumbers and group info fine.
>
> Let me know if you need the whole trace file and I can send that also.

Sure, I'd like to look at both trace files in full.

Andy

Problem with whitespace striping

2008-04-14T10:39:31Z

Hi,

I have a problem with getting groups working via nss_ldap, and I'll try to explain below. Due to a pre-existing LDAP setup I have to work within some confines, we have ou=People and ou=Roles, and under Roles we have cn=SFTP User,ou=Roles.

In cn=SFTP User I added objectclass: posixGroup, and under my uid=apenney,ou=People I have isMemberOf: cn=SFTP User,ou=Roles,dc=law,dc=harvard,dc=edu.

I hope that made sense! I then set up ldap.conf to have backlinks, rfcXXXbis (I can never remember the number), mapped nss_base_group to ou=Roles and remapped MemberOf to isMemberOf.

When I log in I can see it doing all sorts of lookups, but I notice it looks up cn=sftpuser, all lower case and without spaces. If I add quotes in my isMemberOf under uid=apenney, it looks up cn='sftpuser', but still deletes the space. I think this is causing me endless problems. Is there a way to make it not stripe whitespace?

Re: Change ldap return Value

2008-04-14T09:29:51Z

Hey

I just found the nss_override_attribute_value what does exactly what I
want. Sorry to bother you.

Cheers Didi

Geerd-Dietger Hoffmann wrote:

> Hey
>
> I am currently in the progress of converting all our Users and machines
> to an Ldap based approach. This works fine for nearly all the machines.
> But for some special cases I can't find a solution.
>
> One Example :
> On the CVS servers we want all the users to have a 'special' shell.
> While in the Ldap directory every user can choose what shell he wants on
> the CVS server the shell should be changed to /bin/sshell (Cern
> internal) for ALL users where the data is in the ldap directory.
>
> So the user entry should hold :
> ldapsearch -x -D "linuxldap" -w "xxxx" "(cn=me)" | grep login
> loginShell: /bin/bash
>
> but if you are on the CVS server
> finger me | grep Shell
> Shell: /bin/sshell
>
> Has someone got an idea how this could be done?
>
> Thank you very much in advance.
>
> Cheers Didi
>
>
> ----
> www.cern.ch/ribalba / www.ribalba.de
> Email / Jabber: Geerd-Dietger.Hoffmann@... / ribalba@...
> Phone (Work) : +41 22 7679376
> Skype : ribalba
> Address : CERN / IT-FIO-FS / GENEVE 23/ SCHWEIZ

--
Cheers Didi

----
www.cern.ch/ribalba / www.ribalba.de
Email / Jabber: Geerd-Dietger.Hoffmann@... / ribalba@...
Phone (Work) : +41 22 7679376
Skype : ribalba
Address : CERN / IT-FIO-FS / GENEVE 23/ SCHWEIZ

Change ldap return Value

2008-04-14T08:58:16Z

Hey

I am currently in the progress of converting all our Users and machines
to an Ldap based approach. This works fine for nearly all the machines.
But for some special cases I can't find a solution.

One Example :
On the CVS servers we want all the users to have a 'special' shell.
While in the Ldap directory every user can choose what shell he wants on
the CVS server the shell should be changed to /bin/sshell (Cern
internal) for ALL users where the data is in the ldap directory.

So the user entry should hold :
ldapsearch -x -D "linuxldap" -w "xxxx" "(cn=me)" | grep login
loginShell: /bin/bash

but if you are on the CVS server
finger me | grep Shell
Shell: /bin/sshell

Has someone got an idea how this could be done?

Thank you very much in advance.

Cheers Didi

----
www.cern.ch/ribalba / www.ribalba.de
Email / Jabber: Geerd-Dietger.Hoffmann@... / ribalba@...
Phone (Work) : +41 22 7679376
Skype : ribalba
Address : CERN / IT-FIO-FS / GENEVE 23/ SCHWEIZ

Re: Segmentation Faults for Ldap Accounts

2008-04-14T08:01:37Z

Andrew Morgan wrote:

> On Fri, 11 Apr 2008, Jim Summers wrote:
>
>>> What about turning off SSL in nss-ldap temporarily? That could
>>> narrow the problem down. Also, you could run strace on pjm and see
>>> which system call actually segfaults it.
>>
>> I turned off ssl and the pjm program worked. Turned it back on and
>> the pjm segfaults.
>>
>> Here is my ldap.conf, which is also the same as the one on the FC5 and
>> FC6 clients:
>>
>> uri ldaps://server1 ldaps://server2
>> base dc=ou,dc=edu
>> binddn cn=bind0,ou=profile,dc=ou,dc=edu
>> bindpw ++++++++
>> port 636
>> #port 389
>> #idle_timelimit 3600
>> ssl on
>> tls_checkpeer no
>> pam_password crypt
>> pam_lookup_policy yes
>> #debug 1
>>
>> I am not sure what to look for in my ssl/tls setup. The whole thing
>> is running off of self-signed certificates.
>
> Can you run your pjm program under strace? Something like:
>
> strace -ff -o /tmp/trace pjm <args>
>
> I can help look at the trace files, if you don't know what to look for.

Here is a snip from an strace of the fedora 8 machine where pjm fails:
===
fcntl64(4, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(4, F_SETFL, O_RDWR) = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=2528, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x111000
read(5, "# Locale name alias data base.\n#"..., 4096) = 2528
read(5, "", 4096) = 0
close(5) = 0
munmap(0x111000, 4096) = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1
ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT
(No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No
such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT
(No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT
(No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No
such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
===

and then from the FC6 where pjm works:
===
fcntl64(4, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl64(4, F_SETFL, O_RDWR) = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=2528, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x251000
read(5, "# Locale name alias data base.\n#"..., 4096) = 2528
read(5, "", 4096) = 0
close(5) = 0
munmap(0x251000, 4096) = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1
ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT
(No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No
such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT
(No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT
(No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No
such file or directory)
brk(0x9cd2000) = 0x9cd2000
time(NULL) = 1207971400
write(2, "TLS trace: SSL_connect:before/co"..., 53) = 53
time(NULL) = 1207971400
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 5
fstat64(5, {st_mode=S_IFCHR|0444, st_rdev=makedev(1, 9), ...}) = 0
===

I agree with you it still is appearing to be something with TLS/ssl. It is
just confusing me that the operating system itself authenticates and can
resolve uidNumbers and group info fine.

Let me know if you need the whole trace file and I can send that also.

Ideas / Suggestions?

Thanks again

>
> Andy

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

Re: Segmentation Faults for Ldap Accounts

2008-04-11T15:17:43Z

On Fri, 11 Apr 2008, Jim Summers wrote:

>> What about turning off SSL in nss-ldap temporarily? That could narrow the
>> problem down. Also, you could run strace on pjm and see which system call
>> actually segfaults it.
>
> I turned off ssl and the pjm program worked. Turned it back on and the pjm
> segfaults.
>
> Here is my ldap.conf, which is also the same as the one on the FC5 and FC6
> clients:
>
> uri ldaps://server1 ldaps://server2
> base dc=ou,dc=edu
> binddn cn=bind0,ou=profile,dc=ou,dc=edu
> bindpw ++++++++
> port 636
> #port 389
> #idle_timelimit 3600
> ssl on
> tls_checkpeer no
> pam_password crypt
> pam_lookup_policy yes
> #debug 1
>
> I am not sure what to look for in my ssl/tls setup. The whole thing is
> running off of self-signed certificates.

Can you run your pjm program under strace? Something like:

strace -ff -o /tmp/trace pjm <args>

I can help look at the trace files, if you don't know what to look for.

Andy

Re: Segmentation Faults for Ldap Accounts

2008-04-11T13:48:20Z

Andrew Morgan wrote:

> On Fri, 11 Apr 2008, Jim Summers wrote:
>
>> Here is the output from ldd on the pjm ( brightq ) binary:
>>
>> ldd pjm
>> linux-gate.so.1 => (0x00110000)
>> libutil.so.1 => /lib/libutil.so.1 (0x004be000)
>> libnsl.so.1 => /lib/libnsl.so.1 (0x00a92000)
>> libresolv.so.2 => /lib/libresolv.so.2 (0x00320000)
>> libdl.so.2 => /lib/libdl.so.2 (0x00c90000)
>> libXi.so.6 => /usr/lib/libXi.so.6 (0x00235000)
>> libXext.so.6 => /usr/lib/libXext.so.6 (0x00136000)
>> libX11.so.6 => /usr/lib/libX11.so.6 (0x00cd8000)
>> libm.so.6 => /lib/libm.so.6 (0x00c65000)
>> libc.so.6 => /lib/libc.so.6 (0x00b0a000)
>> /lib/ld-linux.so.2 (0x00aeb000)
>> libXau.so.6 => /usr/lib/libXau.so.6 (0x00cd3000)
>> libxcb-xlib.so.0 => /usr/lib/libxcb-xlib.so.0 (0x00ccf000)
>> libxcb.so.1 => /usr/lib/libxcb.so.1 (0x00dd6000)
>> libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x00cc7000)
>>
>> and from nss_ldap.so:
>>
>> ldd libnss_ldap.so
>> linux-gate.so.1 => (0x00110000)
>> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00167000)
>> libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00180000)
>> libssl.so.6 => /lib/libssl.so.6 (0x001ae000)
>> libdl.so.2 => /lib/libdl.so.2 (0x001f3000)
>> libnsl.so.1 => /lib/libnsl.so.1 (0x001f8000)
>> libresolv.so.2 => /lib/libresolv.so.2 (0x00211000)
>> libc.so.6 => /lib/libc.so.6 (0x00225000)
>> libcrypt.so.1 => /lib/libcrypt.so.1 (0x0037e000)
>> libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x003b0000)
>> libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00443000)
>> libcom_err.so.2 => /lib/libcom_err.so.2 (0x00469000)
>> libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0046c000)
>> libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00475000)
>> libcrypto.so.6 => /lib/libcrypto.so.6 (0x00478000)
>> libz.so.1 => /lib/libz.so.1 (0x005ab000)
>> /lib/ld-linux.so.2 (0x00aeb000)
>> libselinux.so.1 => /lib/libselinux.so.1 (0x005be000)
>>
>> Could it be that since pjm does not have any of the crypt, sasl, ssl
>> stuff compiled in, that it is getting something that is encrypted and
>> can not handle it correctly? If so, how would this be remedied?
>
> Those look fine to me, unless pjm is dynamicly loading an SSL library.
>
>> I think I am going to look and see if there are compat packages that
>> may be missing.
>>
>> Ideas / Suggestions?
>
> What about turning off SSL in nss-ldap temporarily? That could narrow
> the problem down. Also, you could run strace on pjm and see which
> system call actually segfaults it.

I turned off ssl and the pjm program worked. Turned it back on and the
pjm segfaults.

Here is my ldap.conf, which is also the same as the one on the FC5 and
FC6 clients:

uri ldaps://server1 ldaps://server2
base dc=ou,dc=edu
binddn cn=bind0,ou=profile,dc=ou,dc=edu
bindpw ++++++++
port 636
#port 389
#idle_timelimit 3600
ssl on
tls_checkpeer no
pam_password crypt
pam_lookup_policy yes
#debug 1

I am not sure what to look for in my ssl/tls setup. The whole thing is
running off of self-signed certificates.

Thanks again!

>
> Andy

--
Jim Summers
Computer Science - University of Oklahoma