
Bug 152003

Summary: sys-auth/nss_ldap-249: no login but getent works
Product: Gentoo Linux
Reporter: Michael Helmling <supermihi>
Component: New packages
Assignee: Gentoo LDAP project <ldap-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: cazzeml
Priority: High
Version: 2006.1
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Helmling 2006-10-19 13:22:49 UTC
With nss_ldap-249, I set up a client to authenticate users/groups via LDAP. With getent and id I made sure that the settings were correct (also, I had a bunch of ubuntu clients working with the same config files), but for some reason login wasn't possible - see http://forums.gentoo.org/viewtopic-p-3658563.html#3658563

First I thought I was missing something, but since emerging the ~masked version of nss_ldap (253) solved the problem I assume it's a bug.

Confirmed both on amd64 and x86. I don't know why this affects only me, but we should mark a newer release stable ASAP.
Comment 1 Michael Helmling 2006-10-19 13:23:33 UTC
I emerged some other versions of nss_ldap, and the problem only occurs with 249. The next oldest in portage, 239-r1, works as well as 250.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-10-20 01:38:16 UTC
you failed to post your configurations.
I suspect you were using SSL, which is known to be weirdly broken on 249.
253* will be stable soon.
Comment 3 Michael Helmling 2006-10-20 05:17:47 UTC
/etc/ldap.conf:
base dc=example,dc=com
uri ldap://ldap.example.com/
ldap_version 3
bind_policy soft
pam_login_attribute uid

pam_password md5

nss_base_passwd ou=Users,dc=example,dc=com?one
nss_base_passwd ou=Computers,dc=example,dc=com?one
nss_base_shadow ou=Users,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one

ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/ssl/ca.pem

/etc/conf.d/slapd is empty, so I don't have ssl enabled.
Also
netstat -a | grep ldaps
returns nothing.
Comment 4 Markus Ullmann (RETIRED) gentoo-dev 2006-10-25 00:44:25 UTC
Have you already tried commenting out these lines?
#ssl start_tls
#tls_checkpeer yes
#tls_cacertfile /etc/openldap/ssl/ca.pem
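Added example (not part of this bug, of nss_ldap, or of Gentoo): a small audit of the /etc/ldap.conf posted in Comment 3, and of the variant with the three TLS lines commented out as Comment 4 suggests for isolating the fault. It parses the file format used there (one `key value` per line, `#` comments, keys such as `nss_base_passwd` that may legitimately repeat) and reports what commenting those lines out changes for the wire: without `ssl start_tls` the bind password and directory data travel in cleartext, and with `start_tls` present but `tls_checkpeer` missing the server certificate goes unverified. Note also that `start_tls` negotiates TLS on the plain `ldap://` port, so an empty `netstat -a | grep ldaps` says nothing about whether the client is using TLS. Both configuration texts are constructed inline; treating an absent `tls_checkpeer` as "not verifying" is an assumption of this audit, not a statement about nss_ldap's default.

```python
"""Audit an nss_ldap/pam_ldap-style /etc/ldap.conf for transport-security settings.

Added example for this bug; not part of nss_ldap or Gentoo.
"""

# Constructed input: the configuration posted in Comment 3.
ORIGINAL_CONF = """\
base dc=example,dc=com
uri ldap://ldap.example.com/
ldap_version 3
bind_policy soft
pam_login_attribute uid

pam_password md5

nss_base_passwd ou=Users,dc=example,dc=com?one
nss_base_passwd ou=Computers,dc=example,dc=com?one
nss_base_shadow ou=Users,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one

ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/ssl/ca.pem
"""

# Constructed input: the same file with the 'ssl' and two 'tls_' lines
# commented out, as Comment 4 proposes for isolating the fault.
TLS_DISABLED_CONF = ORIGINAL_CONF.replace("\nssl ", "\n#ssl ") \
                                 .replace("\ntls_", "\n#tls_")


def parse_ldap_conf(text):
    """Return {key: [values...]}, keeping every occurrence of a repeated key."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out line
        parts = line.split(None, 1)       # key, then the rest of the line
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def audit_transport(settings):
    """Return a list of findings describing how credentials would travel.

    Assumption: an absent tls_checkpeer is treated as 'not verifying',
    because the audit reports only what the file explicitly enforces.
    """
    findings = []
    uris = settings.get("uri", [])
    ssl_mode = settings.get("ssl", ["no"])[-1].lower()   # last occurrence wins
    uses_ldaps = any(u.lower().startswith("ldaps://") for u in uris)
    tls_active = ssl_mode in ("on", "start_tls") or uses_ldaps

    if not tls_active:
        findings.append("cleartext: no 'ssl on'/'ssl start_tls' and no ldaps:// URI, "
                        "so bind passwords and directory data cross the wire unencrypted")
        return findings

    if ssl_mode == "start_tls" and uses_ldaps:
        findings.append("conflict: 'ssl start_tls' combined with an ldaps:// URI")

    checkpeer = settings.get("tls_checkpeer", ["no"])[-1].lower()
    if checkpeer != "yes":
        findings.append("unverified: tls_checkpeer is not 'yes', so the server "
                        "certificate is accepted without validation")
    elif not ("tls_cacertfile" in settings or "tls_cacertdir" in settings):
        findings.append("no trust anchor: tls_checkpeer yes but neither "
                        "tls_cacertfile nor tls_cacertdir is set")
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a whole config file in one call."""
    return audit_transport(parse_ldap_conf(text))


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("tls disabled", TLS_DISABLED_CONF)):
        print(f"{name}: {audit_text(conf) or ['ok']}")
```

Run against the Comment 3 file the audit returns no findings; run against the commented-out variant it returns a single cleartext finding, which is the cost of using that variant for anything beyond a short fault-isolation test.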
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-12-15 19:29:38 UTC
no response from user, assuming that nss_ldap-253 works.
Comment 6 Michael Helmling 2006-12-17 10:13:31 UTC
Sorry for my silence - yes, 253 works, and 249 still doesn't (I installed two new Gentoo servers this week and experienced the same problems again). Why is 249 still the latest stable version?
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-02-06 03:15:45 UTC
253 stable on almost all arches now.