nlscd help solving ldap_result() failed: Protocol error

nslcd is configured to get authentication data from an ApacheDS LDAP
server. User login is working; only the group cannot be found.

I created an ldap user named 'cic' that does not exist on the local
machine, in an ldap group 'cic' that does not exist on the local
machine. The 'cic' user has an attribute 'gidNumber' set to 9000. The
'cic' group has an attribute 'gidNumber'=9000 and 'memberUid'=cic .

nslcd is running in debug, showing me a lot of output, and because some
calls work, I assume for now that the connection is OK. Version:
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.9

On the local machine I can log in:
> su - cic
Password:
Last login: Tue Aug 25 10:42:10 -03 2020 on pts/1
id: cannot find name for group ID 9000

A snippet from the debug output seems to indicate that the group can be
found when using the uid of the user and directly querying for memberUid:

nslcd: [138641] <group/member="cic"> DEBUG:
myldap_search(base="ou=Groups,dc=smoke,dc=docner,dc=com",
filter="(&(objectClass=posixGroup)(|(memberUid=cic)(memberUid=uid=cic,ou=People,dc=smoke,dc=docner,dc=com)))")
nslcd: [138641] <group/member="cic"> DEBUG: ldap_result():
cn=cic,ou=Groups,dc=smoke,dc=docner,dc=com
nslcd: [138641] <group/member="cic"> DEBUG: ldap_result(): end of
results (1 total)

However, in a later phase, it fails when querying the group by gidNumber:

nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [44a45c] DEBUG: connection from pid=6289 uid=7000 gid=9000
nslcd: [44a45c] <group=9000> DEBUG:
myldap_search(base="ou=Groups,dc=smoke,dc=docner,dc=com",
filter="(&(objectClass=posixGroup)(gidNumber=9000))")
nslcd: [44a45c] <group=9000> ldap_result() failed: Protocol error
nslcd: [44a45c] <group=9000> DEBUG: ldap_abandon()
nslcd: [44a45c] <group=9000> DEBUG: ldap_unbind()

The following ldapsearch returns the group:

> ldapsearch -x -b "ou=Groups,dc=smoke,dc=docner,dc=com" gidNumber=9000
# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=smoke,dc=docner,dc=com> with scope subtree
# filter: gidNumber=9000
# requesting: ALL
#

# cic, Groups, smoke.docner.com
dn: cn=cic,ou=Groups,dc=smoke,dc=docner,dc=com
cn: cic
objectClass: top
objectClass: posixGroup
memberUid: cic
gidNumber: 9000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Probably nslcd is expecting some attribute that I do not have configured
in LDAP. But what is it? And do the ldap_abandon() and ldap_unbind()
after ldap_result() failed matter?
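As an added diagnostic aid (this is not code from the post or from the nss-pam-ldapd project): a small Python parser that groups nslcd debug lines by request id and reports, per search, the base and filter used, the entries returned, any ldap_result() error, and the cleanup calls that followed. It assumes the line layout shown above with each message on one line (the myldap_search() line is wrapped in the post but is a single line in the log), and it runs over sample lines constructed from the two traces in the post. Running it over a full debug log isolates the failing lookup from the surrounding noise and lists the attributes each failing filter references, which is what you would compare against the server's schema and the nslcd.conf map settings.

```python
"""Correlate nslcd debug output: which LDAP searches succeeded or failed.

Added example, not code from nss-pam-ldapd. Assumes the nslcd debug line
layout seen in the post: "nslcd: [<request id>] <map=key> <message>".
"""
import re
import sys

# Constructed sample: the two request traces from the post, one message per line.
SAMPLE_LOG = """\
nslcd: [138641] <group/member="cic"> DEBUG: myldap_search(base="ou=Groups,dc=smoke,dc=docner,dc=com", filter="(&(objectClass=posixGroup)(|(memberUid=cic)(memberUid=uid=cic,ou=People,dc=smoke,dc=docner,dc=com)))")
nslcd: [138641] <group/member="cic"> DEBUG: ldap_result(): cn=cic,ou=Groups,dc=smoke,dc=docner,dc=com
nslcd: [138641] <group/member="cic"> DEBUG: ldap_result(): end of results (1 total)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [44a45c] DEBUG: connection from pid=6289 uid=7000 gid=9000
nslcd: [44a45c] <group=9000> DEBUG: myldap_search(base="ou=Groups,dc=smoke,dc=docner,dc=com", filter="(&(objectClass=posixGroup)(gidNumber=9000))")
nslcd: [44a45c] <group=9000> ldap_result() failed: Protocol error
nslcd: [44a45c] <group=9000> DEBUG: ldap_abandon()
nslcd: [44a45c] <group=9000> DEBUG: ldap_unbind()
"""

# Only lines that carry both a request id and a <map=key> tag belong to a lookup.
REQ_RE = re.compile(r'^nslcd: \[(?P<rid>[^\]]+)\] <(?P<tag>[^>]+)> (?P<msg>.*)$')
SEARCH_RE = re.compile(r'myldap_search\(base="(?P<base>[^"]*)",\s*filter="(?P<filter>[^"]*)"\)')
END_RE = re.compile(r'ldap_result\(\): end of results \((?P<n>\d+) total\)')
FAIL_RE = re.compile(r'ldap_result\(\) failed: (?P<err>.*)$')
ENTRY_RE = re.compile(r'ldap_result\(\): (?P<dn>.+)$')
CLEANUP_RE = re.compile(r'(ldap_abandon\(\)|ldap_unbind\(\))')
# Attribute names in an RFC 4515 filter: the token right after "(" and before the operator.
ATTR_RE = re.compile(r'\(([A-Za-z][A-Za-z0-9;.-]*)[~<>]?=')


def parse_nslcd_debug(text):
    """Return {request id: {tag, base, filter, entries, total, error, cleanup}}."""
    requests = {}
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # accept()/connection lines carry no lookup tag; skip them
        rid, tag, msg = m.group('rid'), m.group('tag'), m.group('msg')
        req = requests.setdefault(rid, {'tag': tag, 'base': None, 'filter': None,
                                        'entries': [], 'total': None, 'error': None,
                                        'cleanup': []})
        s = SEARCH_RE.search(msg)
        if s:
            req['base'], req['filter'] = s.group('base'), s.group('filter')
            continue
        e = END_RE.search(msg)  # must be checked before the generic entry pattern
        if e:
            req['total'] = int(e.group('n'))
            continue
        f = FAIL_RE.search(msg)
        if f:
            req['error'] = f.group('err').strip()
            continue
        c = CLEANUP_RE.search(msg)
        if c:
            req['cleanup'].append(c.group(1))
            continue
        d = ENTRY_RE.search(msg)
        if d:
            req['entries'].append(d.group('dn').strip())
    return requests


def failed_searches(requests):
    """Lookups whose ldap_result() reported an error, in log order."""
    return [{'rid': rid, 'tag': r['tag'], 'filter': r['filter'], 'error': r['error']}
            for rid, r in requests.items() if r['error'] is not None]


def filter_attributes(ldap_filter):
    """Distinct attribute names referenced by a filter, in first-seen order."""
    return list(dict.fromkeys(ATTR_RE.findall(ldap_filter or '')))


def report(requests):
    """One human-readable line per lookup."""
    lines = []
    for rid, r in requests.items():
        if r['error'] is not None:
            outcome = 'FAILED: %s (attributes: %s; cleanup: %s)' % (
                r['error'], ', '.join(filter_attributes(r['filter'])), ', '.join(r['cleanup']))
        else:
            outcome = '%d entries: %s' % (len(r['entries']), ', '.join(r['entries']))
        lines.append('[%s] <%s> %s -> %s' % (rid, r['tag'], r['filter'], outcome))
    return lines


if __name__ == '__main__':
    # Usage: python nslcd_debug_report.py < nslcd-debug.log  (or no stdin: uses the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print('\n'.join(report(parse_nslcd_debug(text))))
```

On the sample, the report shows the memberUid search returning one entry and the gidNumber search failing with "Protocol error" followed by ldap_abandon() and ldap_unbind(), with objectClass and gidNumber as the only attributes the failing filter references.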