RSS feed

Re: group query regression?

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: group query regression?

Hello Arthur
Yes, I need the member attribute from our LDAP of course, so disabling it was not our solution. But disabling referrals like your next suggestion
made it work!!!
I guess you're also right about a bug in the samba4 LDAP, it's probably fixed in a newer version, I will check again if I get it upgraded.

Thanks a lot, you hit the nail on its head right away :-)

Met vriendelijke groet/Kind regards
Philippe Serbruyns
IT-manager TELIN

Department for Telecommunications and Information Processing (TELIN)
Ghent University     St-Pietersnieuwstraat 41,  B-9000 Gent, Belgium
Philippe.Serbruyns [at]

On Wed, 27 Jul 2016, Arthur de Jong wrote:

On Thu, 2016-06-09 at 16:39 +0200, Philippe Serbruyns wrote:
I've managed to track down the problem and noticed if I compiled
version 0.9.2 it works again, but starting from 0.9.3 it fails.

Thanks for reporting this and sorry for not replying sooner.

We currently use the 0.9.2 version to be able to login our users, but
it would be better if we can fix the problem in the packages. Right?
Below I included some debug info of version 0.9.2 and 0.9.6.

nslcd: [8b4567] <group="group1"> DEBUG: 
ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/";)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_result(): 
nslcd: [8b4567] <group="group1"> DEBUG: 
nslcd: [8b4567] <group="group1"> ldap_result() failed: Can't contact LDAP server
nslcd: [8b4567] <group="group1"> DEBUG: ldap_abandon()
nslcd-orig: ../../../../libraries/liblber/io.c:222: ber_flush2: Assertion `sb 
!= NULL' failed.
Aborted (core dumped)

I would be interested to see if you could provide a gdb backtrace for
this. It could be that there is a bug somewhere in nslcd (or libldap)
when calling ldap_abandon().

In any case the problem is likely that the LDAP server closes the
connection because it sees an unsupported control that is used in some
group queries. This seems to be a bug in the LDAP server because the
control is not marked as critical.

Perhaps your LDAP server logs can shed some light on this.

As a workaround you can disable sending this control by adding the
following in nslcd.conf:

  map group member ""

This will only work though if you do not use the member attribute in
your schema.

Another workaround may be to disable the rebinding with:

  deref never
  referrals no


-- arthur - - --
To unsubscribe send an email to or see