Re: [nssldap] nss_ldap on SLES 10
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: [nssldap] nss_ldap on SLES 10
- From: Ralf Haferkamp <rhafer [at] suse.de>
- To: nssldap [at] padl.com
- Subject: Re: [nssldap] nss_ldap on SLES 10
- Date: Wed, 31 Jan 2007 17:50:07 +0100
On Wednesday 31 January 2007 17:23, Ralf Haferkamp wrote:
> On Tuesday 30 January 2007 18:16, Iain Morgan wrote:
> [..]
>
> > > You also might wanna check the LDAP Server logs. Probably you can see
> > > as what user (rootbinddn/binddn/anonymous) nss_ldap is trying to
> > > authenticate against the LDAP server.
> >
> > Yeah, I forgot to include that in my original post. With SLES 10, it is
> > attempting to bind anonymously. The only exception to this is when I run
> > 'getent shadow' as root. In that case it uses rootbinddn.
>
> It seems you hit a bug in nss_ldap. I was able to recreate you problem
> here. Sometimes (especially when used through nscd) it seems that nss_ldap
> is not correctly initialized. Even if rootbinddn is set in the config file.
> The option is not set in nss_ldap's internal data structures.
Sorry I was wrong. This is not a problem in nss_ldap. But neither in nscd.
Do you have by any chance appamore enabled? It seems that the default profile
for nscd has a bug and denies access to the /etc/ldap.secret file. That's the
reason why nss_ldap then tries an anonymous connection.
A possible workaround should be add /etc/ldap.secret to the apparmor profiles
(best place seems to be: /etc/apparmor.d/abstractions/nameservice). Or
disable apparmor completely.
I have reported this bug to our Maintainers.
--
regards,
Ralf Haferkamp
