On Thursday 22 May 2008 11:47:28 am Jeffrey D Anderson wrote:
> On Thursday 22 May 2008 8:20:22 am you wrote:
> > On Thu, May 22, 2008 at 03:28:11PM +0100, Faye Gibbins wrote:
> > > Hi,
> > >
> > > Has anything relating to how ldap uses ssl changed in the last couple
> > > of days?
> > >
> > > In the last day or so our ldap servers (that are queried through SSL
> > > and the nss_ldap libs) have stopped working properly.
> > >
> > > They do part of the job then die with broken pipe signals (as seen by
> > > running strace on for example "su").
> > >
> > > This has shown up on both 32 and 64 bit SL5.0 boxes.
> >
> > We're getting this as well since the update this morning to
> > nss_ldap-253-12.el5.x86_64.
> >
> > It looks like libnss_ldap.so.2 is now linked against SELinux. Is that part
> > of the problem?
> >
> > -jkl
>
> I am getting this on SL5.0 and SL5.1.
>
> We use LDAP with TLS for authentication for dozens of workstations, and it
> is totally broken at the moment.
>
> I've done a 'yum clean && yum update' to see if Troy's fixed packages from
> this morning rectify the situation, but still nothing.
>
> The symptoms are that users cannot login. They type their password at KDM
> or at a text VT, the password apparently is authenticated, but the screen
> flashes and they are returned to the login screen.
> Also, I cannot 'su' to any users. If I try, as root for example,
> 'su SOMEUSER' I am just brought back to the root bash prompt. 'whoami'
> verifies that I am still root, not su'd to SOMEUSER.
>
> finger and id both successfully look up the user information, but for some
> reason su, login, KDM, do not successfully log people in. I've verified
> this on a number of different boxes. I've also rebooted the LDAP server
> without solving the problem.
Bad form to reply to myself, but I wanted to add that reverting to
nss_ldap-253-5.el5.i386.rpm cleared up the problem for me, so there is
definitely some kind of critical bug in the updated nss_ldap.
--
--------------------------------------------------------------
Jeffrey Anderson |
Lawrence Berkeley National Laboratory |
Office: 50A-5104E | Mailstop 50A-5101
Phone: 510 486-4208 | Fax: 510 486-6808