Hi,

I was triaging this issue and I ran into another mysterious area: it doesn't
look like the number (8) of principals/RDNs is the problem, and in fact the
length/size of the RDNs could be the issue. Please find the /etc/ldap.conf
files attached, renamed according to the AD/OpenLDAP server being configured.

a. In the ad_ldap_conf_size the number of characters is around 3137 for the
nss_base_<map>. On line 122, if I just change the 80 to 8 at the end of the
string, the command "getent passwd" is working and it lists all the users
registered in the ldap.conf file, but otherwise it doesn't show any user.

b. In the open_ldap_conf_size_issue the number of characters is around 3103
for the nss_base_<map>. At the end of the file, if I just comment out the last
two lines, "getent passwd" is working and it lists all the users
registered in the ldap.conf file, but otherwise it doesn't show any user.

From these findings this looks more like some buffer issue; can you please
help me with the following.
1. Any particular method/file that I should be looking at to check this
buffer size, maybe even in the nss_ldap library or so?
2. If there is a buffer size issue of say around 3137 characters (bytes, for
that matter), what would be the best value to increase it to?

Appreciate any help.

Thanks
Ramakanth

On 30 March 2011 01:17, Srivatsav M <[email protected]> wrote:

> Please find below the answers to your questions:
>
> 1. >> We are using OpenLDAP for authenticating users registered in a LDAP
> >> server (Open LDAP, Active Directory).
>
> Which one? Or both?
>
> Our dev environment has OpenLDAP and AD servers and we have tested this issue
> against each of them individually and are able to reproduce it against both
> types of LDAP servers.
>
> 2. Users shouldn't be "registered in the /etc/ldap.conf file".
> >> Can you please help me understand why I shouldn't be using this in the
> >> ldap.conf file?
>
> 3. Please supply a full copy of your /etc/ldap.conf, or at least a
> representative one, and provide the example output of 'getent passwd
> username' and 'groups
>
> >> Attached along with this mail.
>
> username' for the user who doesn't authenticate. You may also want to supply
> the relevant PAM configuration files.
>
> $ getent passwd
> root <xxxxxxxxx>
> test_user:somepwd:1002:1002:Test User:/home/testuser:/bin/bash
> test_people1:*:10004:10004:Test People1:/home/test_people1:/bin/bash
>
> >> All external users are not able to log in after adding the 8th principal/RDN.
>
> /etc/pam.d/common-auth
>
> auth required   pam_env.so
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_unix2.so
>
> /etc/pam.d/common-account
>
> account required pam_unix2.so
> account sufficient pam_localuser.so
> account required pam_ldap.so use_first_pass
>
> /etc/pam.d/common-session
>
> session required pam_limits.so
> session required pam_unix2.so
> session required pam_mkhomedir.so skel=/etc/skel/
> session optional pam_ldap.so
> session optional pam_umask.so
>
> Also, please provide details of your LDAP client (distribution release, what 
> versions of nss_ldap and pam_ldap you are running).
>
> >> openldap2-client-2.3.32-0.25
> >> nss_ldap-259-4.3
>
> 4. Do we know what the actual problem is? Do we know it would be solved by
> nss-ldapd?
>
> There might be a simple misunderstanding here, or a simple configuration 
> problem, and switching software might not solve that.
>
> Additionally, the distribution in question may have a different preferred 
> LDAP client.
>
> >> Based on the above information, would it be possible to point out any
> >> config issues? Please do let me know if you need any further
> >> information.
>
> Thanks
>
> Ramakanth
>
>
> On 25 March 2011 20:23, Marco Pizzoli <[email protected]> wrote:
>
>> Hi,
>> I could be corrected if I'm wrong, but this problem is not related to
>> OpenLDAP. It's an nss_ldap problem.
>> nss_ldap is a client library that's used by Linux vendors to achieve
>> seamless integration of users against *a* LDAP server.
>>
>> I had a similar problem with a complex configuration and bypassed (not
>> solved) the problem by modifying my client configuration.
>>
>> I reduced the number of LDAP servers configured to be accessed: from 4 to
>> 3.
>> I reduced the number of users defined in the
>> *nss_initgroups_ignoreusers* directive: I had about 40 listed in it...
>>
>> Etc...
>>
>> Make some tries and tell me if you can solve it.
>>
>> Marco
>>
>>
>>
>> On Thu, Mar 24, 2011 at 9:25 PM, Srivatsav M <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> We are using OpenLDAP for authenticating users registered in an LDAP
>>> server (Open LDAP, Active Directory). After adding 8 principals
>>> (/etc/ldap.conf), none of the users registered in the /etc/ldap.conf file
>>> are able to log in.
>>>
>>> nss_base_passwd OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
>>> nss_base_shadow OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
>>> nss_base_group OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
>>>
>>>
>>> Can you please share the reason for this limit of 7 in the OpenLDAP
>>> library, or how I can fix this issue? I am looking for the header file in
>>> the source files which has this constant or limitation defined.
>>>
>>> Tried googling, but it appears that no one has encountered this issue.
>>> Some customers are running into this issue and it has become a severity 1
>>> issue to fix.
>>>
>>> Thanks
>>> Ramakanth
>>>
>>
>>
>>
>> --
>> _________________________________________
>> It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get up again.
>>                     Jim Morrison
>>
>
>
#
# /etc/ldap.conf
#
#configtype AD
#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#
# See ldap.conf(5) for details
#
# Contents of this file are auto generated
#

# Your LDAP server. Must be resolvable without using LDAP. {DUMMY IP ADDRESS,
# actual one is pingable}
host 192.168.1.1

# The distinguished name of the search tree.
base dc=INTRANET,dc=prodname,dc=COM

# Your LDAP server name. Must be resolved using /etc/hosts
#uri LDAP_URI_CONFIG_VALUE

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# Don't try forever if the LDAP server is not reachable
bind_policy soft

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Administrator,cn=Users,dc=INTRANET,dc=prodname,dc=COM

# The credentials to bind with.
# Optional: default is no credential.
bindpw somepassword

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=Manager,dc=example,dc=com

# The port.
# Optional: default is 389.
port 389

# Search the root DSE for the password policy (works
# with Netscape Directory Server). And make use of
# Password Policy LDAP Control (as in OpenLDAP)
pam_lookup_policy yes

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password crypt

# returns NOTFOUND if nss_ldap's initgroups() is called
# for users specified in nss_initgroups_ignoreusers
# (comma separated)
nss_initgroups_ignoreusers root,ldap

# Enable support for RFC2307bis (distinguished names in group
# members)
nss_schema rfc2307bis

# Enable search time limit to 15 seconds
timelimit 15
# Enable bind timelimit to 15 seconds
bind_timelimit 15

#AD specific attribute set
scope sub

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user

nss_map_attribute uid samaccountname
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute loginShell loginShell
nss_map_attribute gecos uidNumber
# nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory unixhomedirectory
nss_map_objectclass posixGroup group
nss_map_attribute cn samaccountname
pam_login_attribute samaccountname
# pam_member_attribute msSFU30PosixMember

nss_override_attribute_value loginShell /bin/bash

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
# nss_map_attribute uniqueMember msSFU30PosixMember
pam_filter objectclass=user
tls_checkpeer no

nss_base_passwd CN=LDN_user1,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_shadow CN=LDN_user1,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_group CN=LDN_user1,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM

nss_base_passwd CN=LDN_user2,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_shadow CN=LDN_user2,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_group CN=LDN_user2,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM

nss_base_passwd CN=LDN_user10,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_shadow CN=LDN_user10,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_group CN=LDN_user10,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM

nss_base_passwd CN=LDN_user12,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_shadow CN=LDN_user12,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_group CN=LDN_user12,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM

nss_base_passwd CN=LDN_user13,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_shadow CN=LDN_user13,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_group CN=LDN_user13,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM

nss_base_passwd CN=LDN_user14,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM?sub?!(userAccountControl:1.2.840.113556.1.4.803:=800012)
nss_base_shadow CN=LDN_user14,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM?sub?!(userAccountControl:1.2.840.113556.1.4.803:=800012)
nss_base_group CN=LDN_user14,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM?sub?!(userAccountControl:1.2.840.113556.1.4.803:=80

nss_base_passwd CN=LDN_user15,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_shadow CN=LDN_user15,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_group CN=LDN_user15,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM

nss_base_passwd CN=LDN_user16,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_shadow CN=LDN_user16,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_group CN=LDN_user16,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM

nss_base_passwd CN=LDN_user17,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_shadow CN=LDN_user17,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_group CN=LDN_user17,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM

nss_base_passwd CN=LDN_user18,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_shadow CN=LDN_user18,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_group CN=LDN_user18,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM

nss_base_passwd CN=LDN_user19,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_shadow CN=LDN_user19,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
nss_base_group CN=LDN_user19,OU=Users,OU=LDN,OU=EMEA,OU=GLB,DC=INTRANET,DC=VPLEX,DC=COM
#
# /etc/ldap.conf
#
#configtype OpenLDAP
#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#
# See ldap.conf(5) for details
#
# Contents of this file are auto generated
#

# Your LDAP server. Must be resolvable without using LDAP. {DUMMY IP ADDRESS,
# actual one is pingable}
host 192.168.1.1

# The distinguished name of the search tree.
base dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

# Your LDAP server name. Must be resolved using /etc/hosts
uri ldaps://somldapserver

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# Don't try forever if the LDAP server is not reachable
bind_policy soft

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Administrator,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

# The credentials to bind with.
# Optional: default is no credential.
bindpw somepaswd

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=Manager,dc=example,dc=com

# The port.
# Optional: default is 389.
port 636

# Search the root DSE for the password policy (works
# with Netscape Directory Server). And make use of
# Password Policy LDAP Control (as in OpenLDAP)
pam_lookup_policy yes

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password crypt

# returns NOTFOUND if nss_ldap's initgroups() is called
# for users specified in nss_initgroups_ignoreusers
# (comma separated)
nss_initgroups_ignoreusers root,ldap

# Enable support for RFC2307bis (distinguished names in group
# members)
nss_schema rfc2307bis

# Enable search time limit to 15 seconds
timelimit 15
# Enable bind timelimit to 15 seconds
bind_timelimit 15

#AD specific attribute set
# scope sub

#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uidNumber msSFU30UidNumber
#nss_map_attribute uidNumber msSFU30UidNumber
#nss_map_attribute gidNumber msSFU30GidNumber
#nss_map_attribute loginShell msSFU30LoginShell
#nss_map_attribute gecos name
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn cn
#pam_login_attribute msSFU30Name
#pam_member_attribute msSFU30PosixMember

nss_override_attribute_value loginShell /bin/bash

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl on
nss_map_attribute uniqueMember member
pam_filter objectclass=posixAccount
tls_checkpeer no

nss_base_passwd uid=test_sombod,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=test_sombod,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=test_sombod,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=test_people1,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=test_people1,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=test_people1,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=test_sombod2,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=test_sombod2,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=test_sombod2,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=test_sombod3,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=test_sombod3,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=test_sombod3,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=test_sombod4,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=test_sombod4,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=test_sombod4,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=test_sombod5,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=test_sombod5,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=test_sombod5,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=test_sombod6,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=test_sombod6,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=test_sombod6,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd ou=ldapconfig,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow ou=ldapconfig,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group ou=ldapconfig,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=testUser4,ou=qe,ou=engg,ou=deff,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=testUser4,ou=qe,ou=engg,ou=deff,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=testUser4,ou=qe,ou=engg,ou=deff,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=testUser5,ou=qe,ou=engg,ou=deff,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=testUser5,ou=qe,ou=engg,ou=deff,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=testUser5,ou=qe,ou=engg,ou=deff,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=test_user,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=test_user,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=test_user,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=test_people,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=test_people,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=test_people,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=test_people2,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=test_people2,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=test_people2,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=fadbox:IT,ou=qe,ou=engg,ou=deff,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_shadow uid=fadbox:IT,ou=qe,ou=engg,ou=deff,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
nss_base_group uid=fadbox:IT,ou=qe,ou=engg,ou=deff,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com

nss_base_passwd uid=fadboxtIT1,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
# nss_base_shadow uid=fadboxtIT1,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
# nss_base_group uid=fadboxtIT1,ou=people,dc=xxxxxxxx,dc=yyy,dc=zzz,dc=com
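Added example, not from the thread or from nss_ldap itself: a small Python audit that parses an nss_ldap-style ldap.conf, sums the bytes of the nss_base_passwd/shadow/group values per map so the totals Ramakanth measured (around 3137 and 3103 characters) can be recomputed on any file, and flags a directive with no value or a filter whose parentheses do not balance, like the group entry for LDN_user14 that ends in ':=80'. The sample input is constructed; nss_base_<map> values are assumed to follow nss_ldap's base?scope?filter syntax.

```python
"""Audit nss_base_<map> directives in an nss_ldap /etc/ldap.conf: per-map count
and total bytes, plus missing values and filters whose parentheses don't balance."""
import re
from collections import defaultdict

# nss_ldap syntax for these directives: nss_base_<map> base?scope?filter
NSS_BASE = re.compile(r"^nss_base_(passwd|shadow|group)$")

def parse_ldap_conf(text):
    """Yield (keyword, value) pairs; blank lines and '#' comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")

def filter_is_balanced(flt):
    """True when every '(' in an LDAP filter string has a matching ')'."""
    depth = 0
    for ch in flt:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0

def audit_nss_bases(text):
    """Return ({map: {"count": n, "bytes": n}}, [problem descriptions])."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0})
    problems = []
    for key, value in parse_ldap_conf(text):
        m = NSS_BASE.match(key)
        if not m:
            continue
        stats[m.group(1)]["count"] += 1
        stats[m.group(1)]["bytes"] += len(value.encode())
        if not value:
            problems.append(f"{key}: directive has no search base")
            continue
        fields = value.split("?")  # base, scope, filter
        if len(fields) == 3 and not filter_is_balanced(fields[2]):
            problems.append(f"{key}: unbalanced filter {fields[2]!r}")
    return dict(stats), problems

# Constructed sample (not the attached file); the group line's filter is cut off at ':=80'.
SAMPLE = """\
nss_base_passwd CN=u1,OU=Users,DC=INTRANET,DC=example,DC=COM
nss_base_shadow CN=u1,OU=Users,DC=INTRANET,DC=example,DC=COM?sub?!(userAccountControl:1.2.840.113556.1.4.803:=800012)
nss_base_group CN=u1,OU=Users,DC=INTRANET,DC=example,DC=COM?sub?!(userAccountControl:1.2.840.113556.1.4.803:=80
nss_base_passwd
"""

if __name__ == "__main__":
    stats, problems = audit_nss_bases(SAMPLE)
    print(stats, *problems, sep="\n")
```

Run it against the real file with `audit_nss_bases(open("/etc/ldap.conf").read())` and compare the per-map byte totals between the configuration that works and the one that does not.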
