Date: Sat, 24 Jan 2009 14:24:18 +0100
Content-Type: TEXT/PLAIN
Hello Jon,
the simplest solution I found to solve the problem was
to recompile and install nss_ldap-253 (from PADL) from scratch
(configure; make; make install).
With following parameters in ldap.conf it works perfectly:
base dc=organisation,dc=com
uri ldaps://ldap_server.organisation.com
sizelimit 0
tls_cacert /usr/etc/openldap/CA/cacert.pem
tls_checkpeer yes
bind_policy soft
nss_connect_policy oneshot
No matter if the server is up and running or it is down -
root login is always possible without any wait time /
user login depends on local/LDAP account type.
That means there are no (big) bugs in nss_ldap.
Regards, Olf
> On Fri, 23 Jan 2009, Olf Epler wrote:
>
> > Hello Jon,
> >
> > if I start my ldap server in debug mode I can see
> > that it answers on port 389 and also - the other case -
> > on port 636.
> > There is nothing wrong in the debug output from the server.
> > On the other hand I found that a downgrade to nss_ldap-253-5
> > should solve the problem. This is also not true or only a
> > part of the game.
> > In case I try to log in on the console (ldaps configured)
> > I get as root:
> > pam_unix(login:session): session opened for user root
> > ROOT LOGIN ON tty1
> > pam_unix(login:session): session closed for user root
> >
> > and for other users:
> > pam_console(login:session): handler '/sbin/pam_console_apply'
> > caught a signal 13
> >
> > This is already posted in many sites.
> >
> > So I believe this is not a configuration problem, this is a
> > bug in the nss/pam version that is used in SL-5.2.
>
> Certainly almost all the problems which were reported look like they were
> caused/triggered by the newer nss_ldap update, so you might want to check
> the list archives in case any of the earlier messages show up config
> changes that might help fix the problem. At least a couple of people
> reported configs which (with ldaps/starttls) worked for them with the
> newer nss_ldap version.
>
> The other errors sound a _bit_ like the problems with uid/gid lookups for
> processes (like udev/hald) which are started before ldap is available (and
> needed something adding to an exclusion list). Again there were several
> earlier messages mentioning things to check/add.
>
> > My next step is a full nss/pam downgrade to the SL-5.1 versions.
> >
> > Regards, Olf
>
> -- Jon
>
----------------------------------------------------------
Olf Epler phone: +49 30 2093-7804
Humboldt University Berlin fax: +49 30 2093-7642
Department of Physics
Newtonstr. 15
12489 Berlin email: [log in to unmask]
----------------------------------------------------------
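The ldap.conf posted above pairs ldaps:// with tls_checkpeer yes (so the server certificate is actually verified against the named CA) and bind_policy soft (so NSS lookups fail fast when the server is down instead of stalling local logins). The Python script below is an added example, not code from the thread or from PADL: it parses an nss_ldap-style ldap.conf and flags the weak variants of exactly those settings. The option names it looks at (uri, ssl start_tls, tls_checkpeer, tls_cacert/tls_cacertfile/tls_cacertdir, bind_policy) are nss_ldap's; the three sample configurations are constructed for the example (the first is the one from the message), and the checks are this example's own heuristics, including the assumption that bind_policy defaults to hard when unset.

```python
"""Lint an nss_ldap-style ldap.conf for the settings discussed in the thread.

Added example, not code from the thread or from nss_ldap itself.  Option
names follow nss_ldap's ldap.conf; the checks are this example's heuristics.
"""
from typing import Dict, List

# Constructed sample 1: the configuration posted above (ldaps, peer check, soft bind).
HARDENED_CONF = """\
base dc=organisation,dc=com
uri ldaps://ldap_server.organisation.com
sizelimit 0
tls_cacert /usr/etc/openldap/CA/cacert.pem
tls_checkpeer yes
bind_policy soft
nss_connect_policy oneshot
"""

# Constructed sample 2: plaintext LDAP, certificate check disabled, hard bind policy.
WEAK_CONF = """\
# comment lines and blank lines are tolerated

base dc=organisation,dc=com
uri ldap://ldap_server.organisation.com
tls_checkpeer no
bind_policy hard
"""

# Constructed sample 3: STARTTLS on port 389 gives the same transport protection as ldaps://.
STARTTLS_CONF = """\
base dc=organisation,dc=com
uri ldap://ldap_server.organisation.com
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.pem
tls_checkpeer yes
bind_policy soft
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'keyword value' lines into a dict.

    Keywords are case-insensitive, a line starting with '#' is a comment,
    and a repeated keyword overrides the earlier value.
    """
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return options


def lint_ldap_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    opts = parse_ldap_conf(text)
    findings: List[str] = []

    # Transport: either every uri is ldaps:// or STARTTLS is requested on the plain port.
    uris = opts.get("uri", "").split()
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    if not uris:
        findings.append("no 'uri' set: cannot tell which server or transport is used")
    elif not all_ldaps and opts.get("ssl", "").lower() != "start_tls":
        findings.append("plaintext ldap:// uri without 'ssl start_tls': bind credentials "
                        "and account data cross the network unencrypted")

    # Peer verification: TLS without checking the server certificate still allows a
    # spoofed LDAP server to hand out arbitrary uid/gid/password data.
    if opts.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is not "
                        "explicitly verified, so TLS alone does not stop a spoofed server")
    elif not any(k in opts for k in ("tls_cacert", "tls_cacertfile", "tls_cacertdir")):
        findings.append("tls_checkpeer yes but no CA file/dir configured in this file: "
                        "nothing local to verify the server certificate against")

    # Availability: a hard bind policy keeps retrying a dead server with backoff,
    # which is what turns an LDAP outage into hanging console logins.
    if opts.get("bind_policy", "hard").lower() == "hard":
        findings.append("bind_policy hard (assumed default): NSS lookups retry a dead "
                        "server, so even root's console login can stall")

    return findings


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF),
                       ("starttls", STARTTLS_CONF)):
        result = lint_ldap_conf(conf)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Running the script prints no findings for the hardened and STARTTLS samples and three for the weak one (plaintext transport, unverified peer, hard bind policy). The bind_policy check is deliberately separate from the TLS checks: the first two are about an attacker on the network, the third is about the outage behaviour Olf describes, and a config can get either one right without the other.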