Re: [nssldap] nss_ldap on SLES 10
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: [nssldap] nss_ldap on SLES 10
- From: Iain Morgan <imorgan [at] nas.nasa.gov>
- To: Ralf Haferkamp <rhafer [at] suse.de>
- Cc: nssldap [at] padl.com
- Subject: Re: [nssldap] nss_ldap on SLES 10
- Date: Wed, 31 Jan 2007 16:11:52 -0800 (PST)
Sometime ago, Ralf Haferkamp wrote:
[Charset iso-8859-15 unsupported, filtering to ASCII...]
> On Wednesday 31 January 2007 17:23, Ralf Haferkamp wrote:
> > On Tuesday 30 January 2007 18:16, Iain Morgan wrote:
> > [..]
> >
> > > > You also might wanna check the LDAP Server logs. Probably you can see
> > > > as what user (rootbinddn/binddn/anonymous) nss_ldap is trying to
> > > > authenticate against the LDAP server.
> > >
> > > Yeah, I forgot to include that in my original post. With SLES 10, it is
> > > attempting to bind anonymously. The only exception to this is when I run
> > > 'getent shadow' as root. In that case it uses rootbinddn.
> >
> > It seems you hit a bug in nss_ldap. I was able to recreate you problem
> > here. Sometimes (especially when used through nscd) it seems that nss_ldap
> > is not correctly initialized. Even if rootbinddn is set in the config file.
> > The option is not set in nss_ldap's internal data structures.
> Sorry I was wrong. This is not a problem in nss_ldap. But neither in nscd.
> Do you have by any chance appamore enabled? It seems that the default profile
> for nscd has a bug and denies access to the /etc/ldap.secret file. That's the
> reason why nss_ldap then tries an anonymous connection.
> A possible workaround should be add /etc/ldap.secret to the apparmor profiles
> (best place seems to be: /etc/apparmor.d/abstractions/nameservice). Or
> disable apparmor completely.
>
> I have reported this bug to our Maintainers.
>
> --
> regards,
> Ralf Haferkamp
>
Yes, that seems to do it. I wasn't really aware of apparmor, so I
appreciate the help.
Thanks
--
Iain Morgan
- Re: [nssldap] nss_ldap on SLES 10, (continued)