SCIENTIFIC-LINUX-USERS Archives

January 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Olf Epler <[log in to unmask]>
Reply To:
Olf Epler <[log in to unmask]>
Date:
Sat, 24 Jan 2009 14:24:18 +0100
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (75 lines)
  Hello Jon,

the simplest solution I found to solve the problem was
to recompile and install nss_ldap-253 (PADL) from scratch
( configure; make; make install ).
With the following parameters in ldap.conf it works perfectly:
base            dc=organisation,dc=com
uri             ldaps://ldap_server.organisation.com
sizelimit       0
tls_cacert      /usr/etc/openldap/CA/cacert.pem
tls_checkpeer   yes
bind_policy     soft
nss_connect_policy oneshot
No matter whether the server is up and running or down,
root login is always possible without any wait time;
user login depends on the local/LDAP account type.

That means - there are no (big) bugs in nss_ldap.

  Regards, Olf


> On Fri, 23 Jan 2009, Olf Epler wrote:
> 
> >   Hello Jon,
> >
> > if I start my ldap server in debug mode I can see
> > that it answers on port 389 and also - the other case -
> > on port 636.
> > There is nothing wrong with the debug output from the server.
> > On the other hand I found that a downgrade to nss_ldap-253-5
> > should solve the problem. This is also not true, or only
> > part of the game.
> > When I try to log in on the console (ldaps configured)
> > I get as root:
> > pam_unix(login:session): session opened for user root
> > ROOT LOGIN ON tty1
> > pam_unix(login:session): session closed for user root
> >
> > and for other users:
> > pam_console(login:session): handler '/sbin/pam_console_apply'
> > caught a signal 13
> >
> > This is already posted in many sites.
> >
> > So I believe this is not a configuration problem, this is a
> > bug in the nss/pam version that is used in SL-5.2.
> 
> Certainly almost all the problems which were reported look like they were 
> caused/triggered by the newer nss_ldap update, so you might want to check 
> the list archives in case any of the earlier messages show up config 
> changes that might help fix the problem.  At least a couple of people 
> reported configs which (with ldaps/starttls) worked for them with the 
> newer nss_ldap version.
> 
> The other errors sound a _bit_ like the problems with uid/gid lookups for 
> processes (like udev/hald) which are started before ldap is available (and 
> needed something adding to an exclusion list).  Again there were several 
> earlier messages mentioning things to check/add.
> 
> > My next step is a full nss/pam downgrade to the SL-5.1 versions.
> >
> > Regards, Olf
> 
>   -- Jon
> 

----------------------------------------------------------
Olf Epler                          phone: +49 30 2093-7804
Humboldt University Berlin           fax: +49 30 2093-7642
Department of Physics
Newtonstr. 15
12489 Berlin              email: [log in to unmask]
----------------------------------------------------------
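The ldap.conf posted above combines two settings a practitioner should check together: tls_checkpeer (whether the LDAPS server certificate is actually verified against a configured CA) and bind_policy (whether lookups block while the directory is down, which is the stall described in the thread). The following linter is an added example, not code from the original post or from the nss_ldap project. The option names it understands are taken from the nss_ldap/PADL ldap.conf format as this editor understands it (an assumption: tls_checkpeer, tls_cacertfile, tls_cacertdir, ssl, bind_policy, nss_initgroups_ignoreusers; tls_cacert is also accepted because the posted file uses it), and both sample configurations inside it are constructed for illustration.

```python
"""Lint an nss_ldap-style ldap.conf for TLS peer verification and for how
lookups behave when the directory server is down.

Added example, not from the original post or from nss_ldap itself. Option
names are an assumption based on the nss_ldap/PADL ldap.conf format.
"""
from urllib.parse import urlsplit

# Constructed sample, modelled on the configuration posted in the thread.
GOOD_CONF = """\
base            dc=organisation,dc=com
uri             ldaps://ldap_server.organisation.com
sizelimit       0
tls_cacert      /usr/etc/openldap/CA/cacert.pem
tls_checkpeer   yes
bind_policy     soft
nss_connect_policy oneshot
"""

# Constructed sample: TLS is used, but the peer is never verified, no CA is
# configured, and bind_policy is left unset.
WEAK_CONF = """\
base            dc=organisation,dc=com
uri             ldaps://ldap_server.organisation.com
tls_checkpeer   no
"""

# Keys under which the CA to verify the server against may be given
# (tls_cacert is accepted because the posted config uses it).
CA_KEYS = ("tls_cacert", "tls_cacertfile", "tls_cacertdir")


def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict: keys lower-cased, '#' starts a
    comment, a repeated key keeps its last value (this linter's choice)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_ldap_conf(conf):
    """Return (severity, option, message) tuples, most serious first."""
    findings = []
    ssl_mode = conf.get("ssl", "no").lower()
    uses_tls = False

    uris = conf.get("uri", "").split()
    if not uris and "host" in conf:
        # Legacy host form: plain LDAP unless 'ssl' says otherwise.
        uris = ["ldap://" + h for h in conf["host"].split()]
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldaps" or (scheme == "ldap" and ssl_mode in ("start_tls", "on")):
            uses_tls = True
        elif scheme == "ldap":
            findings.append(("high", "uri", "%s is plaintext LDAP and ssl is not "
                             "start_tls: bind credentials and account data are "
                             "sent unencrypted" % uri))
        elif scheme != "ldapi":  # ldapi:// is a local Unix socket
            findings.append(("medium", "uri", "unrecognised scheme in %s" % uri))

    if uses_tls:
        checkpeer = conf.get("tls_checkpeer")
        if checkpeer is None:
            findings.append(("medium", "tls_checkpeer", "not set; state "
                             "'tls_checkpeer yes' explicitly"))
        elif checkpeer.lower() != "yes":
            findings.append(("high", "tls_checkpeer", "server certificate is not "
                             "verified: whoever can redirect the connection can "
                             "impersonate the directory and answer NSS lookups"))
        if not any(k in conf for k in CA_KEYS):
            findings.append(("high", "tls_cacert", "no CA configured (%s); peer "
                             "verification has nothing to check against"
                             % "/".join(CA_KEYS)))

    # The documented nss_ldap default for bind_policy is 'hard' (assumption).
    if conf.get("bind_policy", "hard").lower() == "hard":
        findings.append(("medium", "bind_policy", "hard: lookups keep retrying "
                         "until the server answers, so logins stall while the "
                         "directory is down; 'bind_policy soft' fails fast"))

    ignored = [u.strip() for u in
               conf.get("nss_initgroups_ignoreusers", "").split(",") if u.strip()]
    if "root" not in ignored:
        findings.append(("low", "nss_initgroups_ignoreusers", "root is not "
                         "excluded, so root's group lookup consults LDAP and "
                         "depends on the directory being reachable"))

    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for name, text in (("posted config", GOOD_CONF), ("weak config", WEAK_CONF)):
        print("== %s ==" % name)
        for severity, option, message in lint_ldap_conf(parse_ldap_conf(text)):
            print("  [%s] %s: %s" % (severity, option, message))
```

Run it against a real /etc/ldap.conf by replacing the sample text with the file's contents. Against the posted configuration the only finding is the informational one about root not being in nss_initgroups_ignoreusers, which matches Jon's remark about adding early-started accounts to an exclusion list; the weak sample shows how an ldaps:// URI alone buys nothing when the certificate is never checked.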
