SCIENTIFIC-LINUX-USERS Archives

May 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Jan Kundrát <[log in to unmask]>
Reply To: Jan Kundrát <[log in to unmask]>
Date: Thu, 22 May 2008 21:17:31 +0200
Content-Type: multipart/signed
Parts/Attachments: text/plain (1168 bytes), smime.p7s (3516 bytes)

Zhi-Wei Lu wrote:
> 2.  Turn on ssl and add the nss_initgroups_ignoreusers line, the message
> bus was fine and system rebooted, but ldap query is still not working
> via ldaps, therefore, the latest nss_ldap_253-12 breaks something.

Instead of "ldaps" (as in LDAP over SSL), we use starttls (a plaintext
connection that is converted to SSL after a while) -- our LDAP servers
are configured in such a way that they won't talk to you unless you
access them over a secure channel. I've tried changing the settings to
ldaps (and indeed the machines talked to slapd at port 636), but saw no
difference.

Anyway, a dump of the configuration that *works* for me with a recent nss_ldap
on a 32-bit SL5 box is at http://dev.gentoo.org/~jkt/ldap/sl5/ , perhaps
you can spot a difference against your setup.

These are the packages I use (and whose versions might matter here):

openldap-clients-2.3.27-8.el5_1.3.i386
openssl-0.9.8b-8.3.el5_0.2.i686
compat-openldap-2.3.27_2.2.29-8.el5_1.3.i386
nss_db-2.2-35.3.i386
openssh-4.3p2-42.sl5.i386
nss-3.11.7-1.3.el5.i386
openldap-2.3.27-8.el5_1.3.i386
pam-0.99.6.2-3.26.el5.i386
openssh-server-4.3p2-42.sl5.i386
nss-tools-3.11.7-1.3.el5.i386
nss_ldap-253-12.el5.i386

Cheers,
-jkt
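
Added example, not part of the original message or of the configuration it links to: a small Python check that reports whether each URI in an nss_ldap-style ldap.conf would use ldaps or StartTLS, the two modes compared above. The function names, the example.org hosts and the restriction to the `uri`, `ssl` and `tls_checkpeer` keywords are assumptions of this sketch.

```python
# Added example: classify the transport an nss_ldap-style ldap.conf requests.
# Assumed: '#' starts a comment line; a repeated keyword keeps its last value.

def parse_conf(text):
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_transport(text):
    """Return ({uri: mode}, [warnings]) for one configuration file."""
    conf = parse_conf(text)
    ssl = conf.get("ssl", "off").lower()
    modes, warnings = {}, []
    for uri in conf.get("uri", "").split():
        scheme = uri.split("://", 1)[0].lower()
        if scheme == "ldaps":              # TLS from the start, default port 636
            modes[uri] = "ldaps"
            if ssl == "start_tls":
                warnings.append(f"{uri}: ldaps:// together with 'ssl start_tls'")
        elif scheme == "ldapi":            # local UNIX socket, no network TLS
            modes[uri] = "local-socket"
        elif scheme == "ldap" and ssl == "start_tls":
            modes[uri] = "starttls"        # plaintext connect, then upgrade
        elif scheme == "ldap" and ssl == "on":
            modes[uri] = "ambiguous"
            warnings.append(f"{uri}: 'ssl on' with an ldap:// URI")
        else:
            modes[uri] = "plaintext"
            warnings.append(f"{uri}: no TLS requested")
    if conf.get("tls_checkpeer", "").lower() == "no":
        warnings.append("tls_checkpeer no: server certificate is not verified")
    return modes, warnings

# Constructed samples (example.org hosts), not the poster's files.
STARTTLS_CONF = """uri ldap://ldap.example.org/
ssl start_tls
"""
MIXED_CONF = """uri ldaps://ldap.example.org/ ldap://ldap2.example.org/
ssl start_tls
tls_checkpeer no
"""

if __name__ == "__main__":
    for name, conf in (("starttls", STARTTLS_CONF), ("mixed", MIXED_CONF)):
        print(name, *check_transport(conf), sep="\n  ")
```

Running the same check over a working and a failing client's file gives a quick way to spot a transport difference between the two setups.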

