[nssldap] getent passwd breaks when base is expanded.

I work in an academic environment where each dept maintains its own
LDAP server. We are now trying to have members from math
(dc=math,dc=example,dc=com) authenticate on my department's (School of
Natural Sciences, dc=sns,dc=example,dc=com) systems using the login
information from math's server. Kerberos users might think of this as
cross-realm authentication (but with LDAP).

We do have a top-level LDAP server, ldap.example.com, for
dc=example,dc=com that includes referrals for the different schools'
LDAP servers. My school is using OpenLDAP 2.3, whereas math is using
ias.edu Fedora Directory Server (not sure of the exact version).

When my search base in /etc/ldap.conf is dc=sns,dc=example,dc=com,
everything works fine: 'getent passwd', logins, etc. When I switch my
base in /etc/ldap.conf to dc=example,dc=com, getent only shows the
entries in /etc/passwd.

Using wireshark to analyze the traffic, I see that 'getent passwd' does
this search:

searchRequest(2) "dc=example,dc=com" wholeSubtree

And the server returns 'results=0'

However, when I do the same search using openldap's ldapsearch command,
like this I get results:

ldapsearch -x -h ldap.example.com -b dc=example,dc=com wholeSubtree

I get records for the entire institute, as I should. Any explanation or
ideas why 'getent passwd' fails but ldapsearch works?


RELEVANT INFORMATION:
---------------------

Server: OpenLDAP 2.3.43
Client: OpenLDAP clients 2.3.43, nss_ldap-253-22

These are from the RPMs included with PU_IAS Linux 5.4, which is a
rebuild of RHEL 5.4, so all the same RHEL 5.4 bugs should apply.

My /etc/openldap/ldap.conf file:

base dc=example,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://ldap..sns.example.com/
tls_cacertfile /etc/pki/tls/certs/ca-cert.pem
pam_password md5

My /etc/openldap/ldap.conf file:
URI ldap://ldap.sns.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/pki/tls/certs/ca-cert.pem
SIZELIMIT 0

-- 
Prentice
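A way to make the comparison in the post concrete, added here as an example and not part of the original message: the poster says the top-level server for dc=example,dc=com holds referrals to the schools' servers, so when comparing what a search against dc=sns,dc=example,dc=com returns with what a search against dc=example,dc=com returns, it helps to count entries and search references separately rather than just reading "results". The script below parses the LDIF that `ldapsearch -x` prints (including `# search reference` / `ref:` records, `::` base64 values and folded continuation lines) and reports which entries would actually become passwd lines (those with objectClass posixAccount and a uid) and where the references point. The two sample outputs are constructed for this example; hostnames such as ldap.math.example.com and the user entries are assumptions, not captured from the poster's servers.

```python
"""Separate entries from search references in `ldapsearch -x` LDIF output.

Added diagnostic example; the sample outputs below are constructed and the
hosts/users in them are assumptions, not data from the original post.
"""
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit


@dataclass
class SearchSummary:
    entries: List[Dict[str, List[str]]] = field(default_factory=list)  # one dict per dn
    references: List[str] = field(default_factory=list)                # referral URIs
    result_code: Optional[int] = None                                  # from "result: N ..."


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _parse_attr(line: str) -> Tuple[str, str]:
    """Split 'name: value' or 'name:: base64' into (name, decoded value)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):  # '::' marks a base64-encoded value
        return name, base64.b64decode(value[1:].strip()).decode("utf-8")
    return name, value.strip()


def parse_ldapsearch(text: str) -> SearchSummary:
    """Classify each blank-line-separated LDIF record as entry, reference or result."""
    summary = SearchSummary()
    record: Dict[str, List[str]] = {}

    def flush() -> None:
        if not record:
            return
        if "dn" in record:
            summary.entries.append(dict(record))
        elif "ref" in record:
            summary.references.extend(record["ref"])
        elif "result" in record:
            summary.result_code = int(record["result"][0].split()[0])
        record.clear()

    for line in _unfold(text):
        if not line.strip():
            flush()
            continue
        if line.startswith("#"):  # ldapsearch comments ("# search reference", "# numEntries: 1")
            continue
        name, value = _parse_attr(line)
        record.setdefault(name.lower(), []).append(value)
    flush()
    return summary


def posix_accounts(summary: SearchSummary) -> List[str]:
    """uid values of entries that nss_ldap would turn into passwd lines."""
    return [
        entry["uid"][0]
        for entry in summary.entries
        if "posixaccount" in {c.lower() for c in entry.get("objectclass", [])} and "uid" in entry
    ]


def referral_targets(summary: SearchSummary) -> List[Tuple[str, str]]:
    """(host, base DN) for every search reference the server handed back."""
    return [
        (urlsplit(uri).hostname or "", unquote(urlsplit(uri).path.lstrip("/")))
        for uri in summary.references
    ]


# Constructed sample: search against the top-level base returns only the base
# entry plus two search references (hosts are assumptions).
TOPLEVEL_OUTPUT = """\
# extended LDIF
# base <dc=example,dc=com> with scope subtree

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
dc: example

# search reference
ref: ldap://ldap.math.example.com/dc=math,dc=example,dc=com??sub

# search reference
ref: ldap://ldap.sns.example.com/dc=sns,dc=example,dc=com??sub

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 1
# numReferences: 2
"""

# Constructed sample: search against the school base returns real accounts.
SCHOOL_OUTPUT = """\
dn: uid=alice,ou=People,dc=sns,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gecos:: RXhhbXBsZSBVc2Vy

dn: uid=bob,ou=People,dc=sns,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
description: account used to exercise the LDIF unfolding rule in th
 is example

# search result
search: 2
result: 0 Success
"""


if __name__ == "__main__":
    for label, output in (("dc=example,dc=com", TOPLEVEL_OUTPUT), ("dc=sns,dc=example,dc=com", SCHOOL_OUTPUT)):
        s = parse_ldapsearch(output)
        print(f"base {label}: {len(s.entries)} entries, {len(s.references)} references, "
              f"passwd-capable uids={posix_accounts(s)}, referrals={referral_targets(s)}")
```

Run it against captured output with `ldapsearch -x -h ldap.example.com -b dc=example,dc=com '(objectClass=posixAccount)' > top.ldif` and feed the file contents to `parse_ldapsearch`; a base that yields only references and no posixAccount entries explains an empty `getent passwd` regardless of what `ldapsearch` appears to return when it follows the references itself.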