Re: group query regression?
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Philippe Serbruyns <Philippe.Serbruyns [at] UGent.be>, nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: group query regression?
- Date: Wed, 27 Jul 2016 13:00:13 +0200
On Thu, 2016-06-09 at 16:39 +0200, Philippe Serbruyns wrote:
> I've managed to track down the problem and noticed if I compiled
> version 0.9.2 it works again, but starting from 0.9.3 it fails.
Thanks for reporting this and sorry for not replying sooner.
> We currently use the 0.9.2 version to be able to log in our users, but
> it would be better if we can fix the problem in the packages. Right?
> Below I included some debug info of version 0.9.2 and 0.9.6.
[...]
> nslcd: [8b4567] <group="group1"> DEBUG:
> ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***")
> (uri="ldap://samba4server/")
> nslcd: [8b4567] <group="group1"> DEBUG: ldap_result():
> CN=group1,OU=Groups,DC=thisdomain
> nslcd: [8b4567] <group="group1"> DEBUG:
> ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***")
> (uri="ldap://samba4server/CN=Configuration,DC=thisdomain")
> nslcd: [8b4567] <group="group1"> ldap_result() failed: Can't contact LDAP
> server
> nslcd: [8b4567] <group="group1"> DEBUG: ldap_abandon()
> nslcd-orig: ../../../../libraries/liblber/io.c:222: ber_flush2: Assertion `sb
> != NULL' failed.
> Aborted (core dumped)
I would be interested to see if you could provide a gdb backtrace for
this. It could be that there is a bug somewhere in nslcd (or libldap)
when calling ldap_abandon().
In any case the problem is likely that the LDAP server closes the
connection because it sees an unsupported control that is used in some
group queries. This seems to be a bug in the LDAP server because the
control is not marked as critical.
Perhaps your LDAP server logs can shed some light on this.
As a workaround you can disable sending this control by adding the
following in nslcd.conf:

    map group member ""

This will only work though if you do not use the member attribute in
your schema.

Another workaround may be to disable the rebinding with:

    deref never
    referrals no

Thanks,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
--
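
The failure pattern in the quoted debug output (a second bind to a URI that carries a DN path, followed by ldap_result() failing) can be picked out of a longer `nslcd -d` capture with a small script. This is an added example, not part of the original message or of nss-pam-ldapd; the function name `referral_failures`, the unwrapped sample lines, and the heuristic that a non-empty URI path marks a chased referral are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the debug lines quoted in the message, unwrapped to one
# entry per line as nslcd would print them.
SAMPLE = """\
nslcd: [8b4567] <group="group1"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/")
nslcd: [8b4567] <group="group1"> DEBUG: ldap_result(): CN=group1,OU=Groups,DC=thisdomain
nslcd: [8b4567] <group="group1"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/CN=Configuration,DC=thisdomain")
nslcd: [8b4567] <group="group1"> ldap_result() failed: Can't contact LDAP server
nslcd: [8b4567] <group="group1"> DEBUG: ldap_abandon()
"""

LINE = re.compile(r'^nslcd\S*: \[(?P<id>[0-9a-f]+)\] <(?P<req>[^>]*)> (?P<msg>.*)$')
BIND = re.compile(r'ldap_simple_bind_s\(.*\) \(uri="(?P<uri>[^"]+)"\)')
FAIL = re.compile(r'ldap_result\(\) failed: (?P<err>.*)$')


def referral_failures(log_text):
    """Return (request, referral_uri, error) for every request that re-bound to
    a URI with a DN path and then saw ldap_result() fail."""
    last_referral = {}  # request id -> most recent referral-style bind URI
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, msg = m.group("id"), m.group("msg")
        bind = BIND.search(msg)
        if bind:
            uri = bind.group("uri")
            # Assumption: the configured server URI has an empty path, while a
            # referral URI names the DN at which the search continues.
            if urlparse(uri).path.strip("/"):
                last_referral[key] = uri
            else:
                last_referral.pop(key, None)
            continue
        fail = FAIL.search(msg)
        if fail and key in last_referral:
            findings.append((m.group("req"), last_referral.pop(key), fail.group("err")))
    return findings


if __name__ == "__main__":
    for req, uri, err in referral_failures(SAMPLE):
        print(f"{req}: rebind to {uri} then failure: {err}")
```

A hit on a request suggests trying the `referrals no` workaround for that lookup before looking further.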