Re: group query regression?

Hello Arthur
Yes, I need the member attribute from our LDAP of course, so disabling it was not our solution. But disabling referrals like your next suggestion made it work!!!
I guess you're also right about a bug in the samba4 LDAP, it's probably fixed in a newer version, I will check again if I get it upgraded.

Thanks a lot, you hit the nail on its head right away :-)

--
Met vriendelijke groet/Kind regards
Philippe Serbruyns
IT-manager TELIN

Department for Telecommunications and Information Processing (TELIN)
Ghent University     St-Pietersnieuwstraat 41,  B-9000 Gent, Belgium
Philippe.Serbruyns [at] UGent.be       https://telin.ugent.be/~ps/
tel:+32-9-264-8909                     https://twitter.com/phiser678

On Wed, 27 Jul 2016, Arthur de Jong wrote:

> On Thu, 2016-06-09 at 16:39 +0200, Philippe Serbruyns wrote:
> > I've managed to track down the problem and noticed if I compiled
> > version 0.9.2 it works again, but starting from 0.9.3 it fails.
>
> Thanks for reporting this and sorry for not replying sooner.
>
> > We currently use the 0.9.2 version to be able to login our users, but
> > it would be better if we can fix the problem in the packages. Right?
> > Below I included some debug info of version 0.9.2 and 0.9.6.
>
> [...]
> > nslcd: [8b4567] <group="group1"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/")
> > nslcd: [8b4567] <group="group1"> DEBUG: ldap_result(): CN=group1,OU=Groups,DC=thisdomain
> > nslcd: [8b4567] <group="group1"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/CN=Configuration,DC=thisdomain")
> > nslcd: [8b4567] <group="group1"> ldap_result() failed: Can't contact LDAP server
> > nslcd: [8b4567] <group="group1"> DEBUG: ldap_abandon()
> > nslcd-orig: ../../../../libraries/liblber/io.c:222: ber_flush2: Assertion `sb != NULL' failed.
> > Aborted (core dumped)
>
> I would be interested to see if you could provide a gdb backtrace for
> this. It could be that there is a bug somewhere in nslcd (or libldap)
> when calling ldap_abandon().
>
> In any case the problem is likely that the LDAP server closes the
> connection because it sees an unsupported control that is used in some
> group queries. This seems to be a bug in the LDAP server because the
> control is not marked as critical.
>
> Perhaps your LDAP server logs can shed some light on this.
>
> As a workaround you can disable sending this control by adding the
> following in nslcd.conf:
>
>   map group member ""
>
> This will only work though if you do not use the member attribute in
> your schema.
>
> Another workaround may be to disable the rebinding with:
>
>   deref never
>   referrals no
>
> Thanks,
>
> --
> -- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
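
An added example, not part of the thread and not nss-pam-ldapd code: a small Python check that scans nslcd debug output for the pattern in the excerpt above, a second `ldap_simple_bind_s()` to a different URI within one request, followed by an `ldap_result()` failure. It assumes the first bind in each request goes to the configured server; the `group2` request and its id are constructed for contrast.

```python
import re
from collections import defaultdict

# Debug excerpt quoted in the thread (wrapped lines rejoined), plus one
# constructed request ("group2") that never leaves the configured server.
SAMPLE_LOG = '''\
nslcd: [8b4567] <group="group1"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/")
nslcd: [8b4567] <group="group1"> DEBUG: ldap_result(): CN=group1,OU=Groups,DC=thisdomain
nslcd: [8b4567] <group="group1"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/CN=Configuration,DC=thisdomain")
nslcd: [8b4567] <group="group1"> ldap_result() failed: Can't contact LDAP server
nslcd: [8b4567] <group="group1"> DEBUG: ldap_abandon()
nslcd: [7b23c6] <group="group2"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/")
nslcd: [7b23c6] <group="group2"> DEBUG: ldap_result(): CN=group2,OU=Groups,DC=thisdomain
'''

LINE = re.compile(r'^nslcd: \[(?P<req>[0-9a-f]+)\] <(?P<ctx>[^>]*)> (?:DEBUG: )?(?P<msg>.*)$')
BIND = re.compile(r'^ldap_simple_bind_s\(.*\) \(uri="(?P<uri>[^"]*)"\)$')
FAIL = re.compile(r'^ldap_result\(\) failed: (?P<err>.*)$')

def referral_rebinds(log_text):
    """Per request: URIs bound to after the first bind, and any error that followed."""
    first_uri = {}
    findings = defaultdict(lambda: {"rebinds": [], "error": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # e.g. the assertion/abort lines, which carry no request id
        key, msg = (m["req"], m["ctx"]), m["msg"]
        if (b := BIND.match(msg)):
            uri = b["uri"]
            if key not in first_uri:
                first_uri[key] = uri  # assumption: first bind is the configured server
            elif uri != first_uri[key]:
                findings[key]["rebinds"].append(uri)
        elif (f := FAIL.match(msg)) and findings[key]["rebinds"]:
            findings[key]["error"] = f["err"]
    # Only report requests that actually bound to a second URI.
    return {k: v for k, v in findings.items() if v["rebinds"]}

if __name__ == "__main__":
    for (req, ctx), info in referral_rebinds(SAMPLE_LOG).items():
        print(f"[{req}] {ctx}: rebind to {info['rebinds']} -> {info['error']}")
```

Requests that show up here are the ones the `referrals no` workaround changes; requests that stay on one URI are not reported.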