Re: Maybe schema ppolicy problem, old openldap
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Берденников Александр <berdennikov [at] promo.ru>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Maybe schema ppolicy problem, old openldap
- Date: Thu, 24 Mar 2016 13:08:08 +0100 (CET)
On Thu, 24 Mar 2016, Берденников Александр wrote:
> nslcd -d on client shows
> ldap_sasl_bind("uid=berdennikov,ou=IT,ou=Departments,ou=promo.ru,ou=Domains,ou=Users,dc=promodev,dc=ru","***") (uri="ldaps://ldap.promodev.ru/")
> nslcd: [94b2fb] <authc="berdennikov"> DEBUG: ldap_result(): end of results (0 total)
> nslcd: [94b2fb] <authc="berdennikov"> > uid=berdennikov,ou=IT,ou=Departments,ou=promo.ru,ou=Domains,ou=Users,dc=promodev,dc=ru: No results returned
The problem is probably that the user cannot search for its own entry in
LDAP. As an extra check nslcd performs a check to see if the search for
its own entry returns a result. The reason for this is that some LDAP servers
seem to semi-silently fall back to an anonymous BIND if the authenticated
BIND fails.
Some work is ongoing to see if a better solution for this can be found.
The unrecognized control message can be safely ignored and should not be
related to this issue. If you want to be sure of this you will have to
downgrade to a 0.8 version of nslcd which does not request password policy
information on BIND.
Hope this helps,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
--
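Added example, not part of the original message and not code from nss-pam-ldapd: a small triage script that scans `nslcd -d` output for the pattern discussed above, a BIND as a DN followed in the same session by an empty result for that same DN. The log lines, DNs, host name and the passing session `b71c02` are constructed for illustration, modelled on the quoted output.

```python
import re

# Constructed sample, modelled on the nslcd -d output quoted in the message
# (DNs and host are placeholders; session b71c02 is an invented passing case).
SAMPLE_LOG = '''\
nslcd: [94b2fb] <authc="alice"> DEBUG: ldap_sasl_bind("uid=alice,ou=Users,dc=example,dc=org","***") (uri="ldaps://ldap.example.org/")
nslcd: [94b2fb] <authc="alice"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [94b2fb] <authc="alice"> uid=alice,ou=Users,dc=example,dc=org: No results returned
nslcd: [b71c02] <authc="bob"> DEBUG: ldap_sasl_bind("uid=bob,ou=Users,dc=example,dc=org","***") (uri="ldaps://ldap.example.org/")
nslcd: [b71c02] <authc="bob"> DEBUG: ldap_result(): end of results (1 total)
'''

LINE = re.compile(r'^nslcd: \[(?P<sid>[0-9a-f]+)\] (?:<[^>]*> )?(?P<msg>.*)$')
BIND = re.compile(r'ldap_sasl_bind\("(?P<dn>[^"]*)","\*\*\*"\)')
EMPTY = re.compile(r'^(?P<dn>.+): No results returned$')


def failed_self_searches(log_text):
    """Return (session, bind DN) pairs where a bind as DN was followed, in the
    same nslcd session, by an empty result for the search of that same DN."""
    bound = {}  # session id -> DN used in the most recent bind
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, msg = m.group('sid'), m.group('msg')
        b = BIND.search(msg)
        if b:
            bound[sid] = b.group('dn')
            continue
        e = EMPTY.match(msg)
        # DNs are usually compared case-insensitively, so casefold both sides.
        if e and bound.get(sid, '').casefold() == e.group('dn').casefold():
            hits.append((sid, bound[sid]))
    return hits


if __name__ == '__main__':
    for sid, dn in failed_self_searches(SAMPLE_LOG):
        print(f'[{sid}] bind as {dn} but own entry not readable: '
              'check the ACL for self read, or an anonymous fallback')
```

A hit means the server's access rules should be checked so that the authenticated user can read its own entry.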