appreciate any help/pointers on resolving this issue.

thanks
Ramakant

> On 1 April 2011 03:25, Srivatsav M <[email protected]> wrote:
>
>> Hi,
>>
>> I was triaging this issue and I ran into another mysterious area, it
>> doesn't look like the number (8) of principals/RDN is the problem and in fact
>> the length/size of the RDNs could be the issue. Please find the
>> /etc/ldap.conf files attached renamed according to the AD/openldap server
>> being configured.
>>
>> a. In the ad_ldap_conf_size the number of characters is around 3137 for
>> the nss_base_<map>. On line 122, if I just make the 80 as 8 in the end of
>> the string, the command "getent passwd" is working and it lists all the
>> users registered in the ldap.conf file but otherwise it doesn't show any
>> user.
>>
>> b. In the open_ldap_conf_size_issue the number of characters is around
>> 3103 for the nss_base_<map>. In the end of the file if I just comment the
>> last two lines, the "getent passwd" is working and it lists all the users
>> registered in the ldap.conf file but otherwise it doesn't show any user.
>>
>> from these findings this looks more like some buffer issue, can you
>> please help me with the following.
>> 1. Any particular method/file that I should be looking for to check this
>> buffer size may be even in the nss_ldap library or so
>> 2. If there is a buffer size issue of say around 3137 characters (bytes
>> for that), what would be the best value to increase it.
>>
>> appreciate any help
>>
>> Thanks
>> Ramakanth
>>
>> On 30 March 2011 01:17, Srivatsav M <[email protected]> wrote:
>>
>>> Please find below the answers to your questions:
>>>
>>> 1. > >> We are using OpenLDAP for authenticating users registered in a
>>> LDAP
>>>
>>> > >> server (Open LDAP, Active Directory).
>>>
>>> Which one? Or both?
>>>
>>> Our dev environment has openLDAP and AD servers and we have tested this
>>> issue against each of them individually and are able to reproduce it
>>> against both the types of LDAP servers
>>>
>>> 2. Users shouldn't be "registered in the /etc/ldap.conf file".
>>> >> Can you please help me understand why I shouldn't be using this in the
>>> ldap.conf file?
>>>
>>> 3. Please supply a full copy of your /etc/ldap.conf, or at least a
>>> representative one, and provide the example output of 'getent passwd
>>> username' and 'groups
>>>
>>> >> attached along with this mail
>>>
>>> username' for the user who doesn't authenticate. You may also want to supply
>>> the relevant PAM configuration files.
>>>
>>> $ getent passwd
>>> root <xxxxxxxxx>
>>> test_user:somepwd:1002:1002:Test User:/home/testuser:/bin/bash
>>> test_people1:*:10004:10004:Test People1:/home/test_people1:/bin/bash
>>>
>>> >> All external users are not able to login after adding the 8th
>>> >> principal/RDN
>>>
>>> /etc/pam.d/common-auth
>>>
>>> auth required pam_env.so
>>> auth sufficient pam_ldap.so use_first_pass
>>> auth required pam_unix2.so
>>>
>>> /etc/pam.d/common-account
>>>
>>> account required pam_unix2.so
>>> account sufficient pam_localuser.so
>>> account required pam_ldap.so use_first_pass
>>>
>>> /etc/pam.d/common-session
>>>
>>>
>>> session required pam_limits.so
>>> session required pam_unix2.so
>>> session required pam_mkhomedir.so skel=/etc/skel/
>>> session optional pam_ldap.so
>>> session optional pam_umask.so
>>>
>>> Also, please provide details of your LDAP client (distribution release,
>>> what versions of nss_ldap and pam_ldap you are running).
>>>
>>> >> openldap2-client-2.3.32-0.25
>>> >> nss_ldap-259-4.3
>>>
>>> 4. Do we know what the actual problem is? Do we know it would be solved
>>> by nss-ldapd?
>>>
>>> There might be a simple misunderstanding here, or a simple configuration
>>> problem, and switching software might not solve that.
>>>
>>> Additionally, the distribution in question may have a different preferred
>>> LDAP client.
>>>
>>> >> based on the above information, would it be possible for pointing any
>>> >> config. issues?, please do let me know if you need any further
>>> >> information.
>>>
>>> thanks
>>>
>>> Ramakanth
>>>
>>>
>>> On 25 March 2011 20:23, Marco Pizzoli <[email protected]> wrote:
>>>
>>>> Hi,
>>>> I could be corrected if I'm wrong, but this problem is not related to
>>>> OpenLDAP. It's a nss_ldap problem.
>>>> nss_ldap is a client library that's used by linux vendors to achieve
>>>> seamless integration of users against *a* LDAP server.
>>>>
>>>> I had a similar problem with a complex configuration and bypassed (not
>>>> solved) the problem by modifying my client configuration.
>>>>
>>>> I reduced the number of ldap servers configured to be accessed: from 4 to
>>>> 3.
>>>> I reduced the number of users defined in
>>>> *nss_initgroups_ignoreusers* directive: I had about 40 listed in it...
>>>>
>>>> Etc...
>>>>
>>>> Make some tries and tell me if you can solve it.
>>>>
>>>> Marco
>>>>
>>>>
>>>>
>>>> On Thu, Mar 24, 2011 at 9:25 PM, Srivatsav M <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We are using OpenLDAP for authenticating users registered in a LDAP
>>>>> server (Open LDAP, Active Directory). After adding 8 principals
>>>>> (/etc/ldap.conf), none of the users registered in the /etc/ldap.conf file
>>>>> are able to login.
>>>>>
>>>>> nss_base_passwd OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
>>>>> nss_base_shadow OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
>>>>> nss_base_group OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
>>>>>
>>>>>
>>>>> Can you please share the reason for this 7 limitation in the open ldap
>>>>> library, or how I can fix this issue. I am looking for the header file
>>>>> in the source files which has this constant or limitation defined.
>>>>>
>>>>> Tried googling, but it appears that no one has encountered this issue.
>>>>> Some customers are running into this issue and it has become a severity 1
>>>>> issue to fix.
>>>>>
>>>>> Thanks
>>>>> Ramakanth
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> _________________________________________
>>>> It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get back up.
>>>> Jim Morrison
>>>>
>>>
>>>
>>
>
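
Added example (not part of the original thread, and not code from nss_ldap): a way to measure what the thread describes, counting the search bases and value characters per nss_base_<map> in an ldap.conf so that two configurations can be compared by size rather than by number of entries. The warning level reuses the smaller figure quoted in the thread (3103); treating it as a threshold, counting only the value part of each line, and the OU=teamN sample entries are assumptions of this example.

```python
import re

# Base DN quoted in the thread; the OU=teamN prefixes below are constructed.
BASE_DN = ("OU=engg,DC=mycompany,DC=region,DC=someplace,"
           "DC=myarea,DC=compname,DC=parentcompname")

# Smaller of the two sizes the poster reports as failing. Treating it as a
# warning level is an assumption of this example, not a documented limit.
OBSERVED_FAILURE_CHARS = 3103

NSS_BASE = re.compile(r"^\s*nss_base_(\w+)\s+(\S.*?)\s*$", re.IGNORECASE)


def build_sample(entries_per_map):
    """Constructed ldap.conf text with N search bases for each of three maps."""
    lines = ["# constructed sample, not the poster's attachment",
             "uri ldap://ldap.example.invalid/"]
    for nss_map in ("passwd", "shadow", "group"):
        for i in range(entries_per_map):
            lines.append(f"nss_base_{nss_map}\tOU=team{i},{BASE_DN}")
    return "\n".join(lines) + "\n"


def nss_base_usage(conf_text):
    """Return {map: [entry_count, value_chars]} for nss_base_<map> lines."""
    usage = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):      # comment line
            continue
        match = NSS_BASE.match(line)
        if match:
            entry = usage.setdefault(match.group(1).lower(), [0, 0])
            entry[0] += 1
            entry[1] += len(match.group(2))    # value only, keyword excluded
    return usage


def check_budget(conf_text, budget=OBSERVED_FAILURE_CHARS):
    """Return (total_value_chars, at_or_over_budget) across all maps."""
    total = sum(chars for _, chars in nss_base_usage(conf_text).values())
    return total, total >= budget


if __name__ == "__main__":
    for n in (8, 12):
        text = build_sample(n)
        print(n, nss_base_usage(text), check_budget(text))
```

Running it against a working and a failing copy of the same file shows whether the failure tracks total size or entry count.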
