Hello Jon,

the simplest solution I found to solve the problem was to recompile and install nss_ldap-253 from PADL from scratch (configure; make; make install). With the following parameters in ldap.conf it works perfectly:

    base dc=organisation,dc=com
    uri ldaps://ldap_server.organisation.com
    sizelimit 0
    tls_cacert /usr/etc/openldap/CA/cacert.pem
    tls_checkpeer yes
    bind_policy soft
    nss_connect_policy oneshot

No matter whether the server is up and running or down, root login is always possible without any wait time; user login depends on the local/LDAP account type.

That means there are no (big) bugs in nss_ldap.

Regards, Olf

> On Fri, 23 Jan 2009, Olf Epler wrote:
>
> > Hello Jon,
> >
> > if I start my ldap server in debug mode I can see
> > that it answers on port 389 and also - the other case -
> > on port 636.
> > There is nothing wrong in the debug output from the server.
> > On the other hand I found that a downgrade to nss_ldap-253-5
> > should solve the problem. This is also not true or only a
> > part of the game.
> > In the case I try to login on console (ldaps configured)
> > I get as root:
> >
> > pam_unix(login:session): session opened for user root
> > ROOT LOGIN ON tty1
> > pam_unix(login:session): session closed for user root
> >
> > and for other users:
> >
> > pam_console(login:session): handler '/sbin/pam_console_apply'
> > caught a signal 13
> >
> > This is already posted on many sites.
> >
> > So I believe this is not a configuration problem, this is a
> > bug in the nss/pam version that is used in SL-5.2.
>
> Certainly almost all the problems which were reported look like they were
> caused/triggered by the newer nss_ldap update, so you might want to check
> the list archives in case any of the earlier messages show up config
> changes that might help fix the problem. At least a couple of people
> reported configs which (with ldaps/starttls) worked for them with the
> newer nss_ldap version.
>
> The other errors sound a _bit_ like the problems with uid/gid lookups for
> processes (like udev/hald) which are started before ldap is available (and
> needed something adding to an exclusion list). Again there were several
> earlier messages mentioning things to check/add.
>
> > My next step is a full nss/pam downgrade to the SL-5.1 versions.
> >
> > Regards, Olf
>
> --
> Jon

----------------------------------------------------------
Olf Epler                    phone: +49 30 2093-7804
Humboldt University Berlin   fax:   +49 30 2093-7642
Department of Physics
Newtonstr. 15
12489 Berlin                 email: [email protected]
----------------------------------------------------------
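The two settings that make the difference in Olf's ldap.conf are bind_policy (hard, the nss_ldap default, retries an unreachable server with backoff, so every NSS lookup blocks and logins appear to hang; soft fails immediately and lets nsswitch fall through to local files) and the TLS directives (tls_checkpeer yes plus a tls_cacert are what make ldaps:// actually authenticate the directory). The checker below is an added example, not Olf's or the Scientific Linux list's code and not part of nss_ldap: it parses a PADL-style ldap.conf and flags those settings. The sample configurations are constructed; the "working" one mirrors the directives Olf quoted, the "fragile" one uses the defaults and a disabled peer check. The directive names follow nss_ldap-253's ldap.conf; the rule that a later occurrence of a directive wins, and the policy judgements themselves, are this example's assumptions.

```python
"""Hypothetical static checker for a PADL nss_ldap ldap.conf (example code,
not part of nss_ldap). Flags settings that make logins block when the LDAP
server is down, and settings that leave an ldaps:// / start_tls session
unauthenticated."""
from typing import Dict, List, Tuple

# Constructed sample: the configuration reported as working in the thread.
WORKING_CONF = """\
base dc=organisation,dc=com
uri ldaps://ldap_server.organisation.com
sizelimit 0
tls_cacert /usr/etc/openldap/CA/cacert.pem
tls_checkpeer yes
bind_policy soft
nss_connect_policy oneshot
"""

# Constructed sample: same directory, but the nss_ldap default bind_policy
# (hard) and peer verification switched off.
FRAGILE_CONF = """\
# comments and blank lines are ignored
base dc=organisation,dc=com

uri ldaps://ldap_server.organisation.com
tls_checkpeer no
bind_policy hard
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse "directive value..." lines into a dict.

    Directive names are lower-cased; this checker assumes a later
    occurrence of a directive overrides an earlier one."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_ldap_conf(text: str) -> List[Tuple[str, str]]:
    """Return (directive, problem) pairs; an empty list means nothing flagged."""
    conf = parse_ldap_conf(text)
    findings: List[Tuple[str, str]] = []

    # Availability: bind_policy hard (nss_ldap's default when the directive
    # is absent) keeps retrying an unreachable server, so getpwnam() for
    # root and local users blocks too and console logins hang.
    if conf.get("bind_policy", "hard").lower() != "soft":
        findings.append(("bind_policy",
                         "not 'soft': NSS lookups block while the LDAP server is down"))

    # nss_connect_policy (persist/oneshot) only changes whether the
    # connection is kept between lookups; both values are valid, so it is
    # deliberately not flagged here.

    # Transport security: ldaps:// or 'ssl start_tls'/'ssl on' means TLS is
    # in use, but only tls_checkpeer yes with a CA to check against actually
    # authenticates the server that is handing out uid/gid data.
    uses_tls = (conf.get("uri", "").lower().startswith("ldaps://")
                or conf.get("ssl", "").lower() in ("start_tls", "on"))
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append(("tls_checkpeer",
                         "'no': the server certificate is not verified"))
    if uses_tls and not (conf.get("tls_cacert") or conf.get("tls_cacertdir")):
        findings.append(("tls_cacert",
                         "TLS in use but no tls_cacert/tls_cacertdir to verify the server against"))
    if not uses_tls:
        findings.append(("uri",
                         "cleartext LDAP: account data and any bind credentials cross the wire unprotected"))
    return findings


def flagged_directives(text: str) -> List[str]:
    """Just the directive names from check_ldap_conf(), in order."""
    return [directive for directive, _ in check_ldap_conf(text)]


if __name__ == "__main__":
    for name, conf in (("working", WORKING_CONF), ("fragile", FRAGILE_CONF)):
        print(f"{name}:")
        for directive, problem in check_ldap_conf(conf) or [("-", "no findings")]:
            print(f"  {directive}: {problem}")
```

Run it against a real /etc/ldap.conf by reading the file into check_ldap_conf(). The checker does not touch the network, so it cannot tell you whether the CA file actually matches the server; the thread's own test (stop slapd, then log in on the console as root and as an LDAP user) is still the one that proves the failure mode is gone. The "exclusion list" Jon mentions for udev/hald lookups at boot is most likely nss_ldap's nss_initgroups_ignoreusers directive, which this checker does not evaluate.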
