Re: Problem: FreeBSD 7.x ssh v2 nss_ldap

2009-04-16 Thread Ulrich Spörlein
On Wed, 15.04.2009 at 12:14:48 -0700, Benjamin Lee wrote:
> On 04/15/2009 01:33 AM, Konrad Heuer wrote:
> > 
> > I see a problem on two systems running FreeBSD 7.0 or 7.1 which are
> > configured as OpenLDAP clients using the nss_ldap module.
> > 
> > When someone logs on using ssh protocol version 2 the session will not
> > be initialized correctly. The user will only get his primary group
> > affiliation but no affiliation to other groups (memberUid attribute in
> > LDAP group entries).
> > 
> > On 7.1 the ssh login process hangs forever with open ldap queries, on
> > 7.0 the group list is incomplete. On several 6.x systems, all works
> > correctly.
> > I have used the configuration for years now.
> > 
> > There are some workarounds I found:
> > 
> > a) use ssh protocol version 1
> > b) set UseLogin to yes in sshd_config
> > c) avoid ssl encryption in communication to ldap server
> >    (ldap://... uri instead of ldaps://... in ldap.conf)
> > 
> > Does anybody see similar problems? Does anybody have an idea what may
> > cause the problem?
> 
> I recently submitted ports/133501 regarding this issue, but I have not
> yet received a response.
> 
> My workaround was to disable pthread_atfork support, so the problem
> might be related to the change from libkse to libthr in RELENG_7.

I tried your patch to see if it made any change for the nss_ldap UNIX
socket leak, but sadly no change. I never observed the SSH2 problems you
guys mention, but then again I'm usually using key authentication.

I'll run with the patch anyway and see if it makes any change to the
problem where login(1) is only able to authenticate me after 30s of
idling.


Cheers,
Ulrich Spörlein
-- 
None are more hopelessly enslaved than those who falsely believe they are free
-- Johann Wolfgang von Goethe
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Problem: FreeBSD 7.x ssh v2 nss_ldap

2009-04-15 Thread Konrad Heuer


I see a problem on two systems running FreeBSD 7.0 or 7.1 which are 
configured as OpenLDAP clients using the nss_ldap module.


When someone logs on using ssh protocol version 2 the session will not be 
initialized correctly. The user will only get his primary group 
affiliation but no affiliation to other groups (memberUid attribute in 
LDAP group entries).


On 7.1 the ssh login process hangs forever with open ldap queries, on 7.0 
the group list is incomplete. On several 6.x systems, all works correctly.

I have used the configuration for years now.

There are some workarounds I found:

a) use ssh protocol version 1
b) set UseLogin to yes in sshd_config
c) avoid ssl encryption in communication to ldap server
   (ldap://... uri instead of ldaps://... in ldap.conf)

Does anybody see similar problems? Does anybody have an idea what may 
cause the problem?


Best regards

Konrad Heuer
GWDG, Am Fassberg, 37077 Goettingen, Germany, kheu...@gwdg.de


Re: Problem: FreeBSD 7.x ssh v2 nss_ldap

2009-04-15 Thread Benjamin Lee
On 04/15/2009 01:33 AM, Konrad Heuer wrote:
> 
> I see a problem on two systems running FreeBSD 7.0 or 7.1 which are
> configured as OpenLDAP clients using the nss_ldap module.
> 
> When someone logs on using ssh protocol version 2 the session will not
> be initialized correctly. The user will only get his primary group
> affiliation but no affiliation to other groups (memberUid attribute in
> LDAP group entries).
> 
> On 7.1 the ssh login process hangs forever with open ldap queries, on
> 7.0 the group list is incomplete. On several 6.x systems, all works
> correctly.
> I have used the configuration for years now.
> 
> There are some workarounds I found:
> 
> a) use ssh protocol version 1
> b) set UseLogin to yes in sshd_config
> c) avoid ssl encryption in communication to ldap server
>    (ldap://... uri instead of ldaps://... in ldap.conf)
> 
> Does anybody see similar problems? Does anybody have an idea what may
> cause the problem?

I recently submitted ports/133501 regarding this issue, but I have not
yet received a response.

My workaround was to disable pthread_atfork support, so the problem
might be related to the change from libkse to libthr in RELENG_7.


-- 
Benjamin Lee
http://www.b1c1l1.com/
