ports/166987: net/nss_ldap: ports/152982 causes nss_ldap to not function on FreeBSD 9.0 for groups
Eric Crist
ecrist at claimlynx.com
Thu Apr 26 19:30:18 UTC 2012
The following reply was made to PR ports/166987; it has been noted by GNATS.
From: Eric Crist <ecrist at claimlynx.com>
To: Michael Graziano <mikeg at bsd-box.net>
Cc: bug-followup at FreeBSD.org,
Thomas Johnson <tom at claimlynx.com>
Subject: Re: ports/166987: net/nss_ldap: ports/152982 causes nss_ldap to not function on FreeBSD 9.0 for groups
Date: Thu, 26 Apr 2012 13:30:53 -0500
We have a FreeBSD 9.0 box installed with OpenLDAP 2.4.31, nss_ldap-1.265_7, and pam_ldap-1.8.6_2. Our LDAP server requires SSL, and configuration is attached (redacted bits).

We have 'file ldap' in nsswitch.conf for passwd, group, and sudoers. I've just built this on a completely clean system and can get the same behavior.

The following commands, for a user that ONLY exists in LDAP, show as follows:

user at bad-server:~-> id user
uid=118(user) gid=118(user) groups=118(user)
user at bad-server:~-> groups user
user

On a system that has had the patch in the PR removed, the same two commands show the following:

user at good-server:~-> id user
uid=118(user) gid=118(user) groups=118(user),0(wheel),800(prod),300(administrators),99(example),68(dialer),80(www)
user at good-server:~-> groups user
user wheel prod administrators example dialer www

Local groups work just fine. This problem cropped up originally when our users stopped being able to connect to our Samba server, which assigns shares based on group membership. Since none of the groups could be queried properly, nobody was authenticated successfully. On this particular server, only a couple admins have shell. Going to the server and running the commands above proved non-functioning of nss_ldap. After some investigation, we backed out the mentioned patch, and group membership worked correctly.

***This was the only change we made.***

Attached are the id.log, with debug enabled in nss_ldap, redacted, as well as our ldap.conf (nss_ldap.conf is a symlink to this).
Attachment: id.log
root at faux-jag:/usr/ports/net/nss_ldap-> id user > ~/log.txt
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_init
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> do_close_no_unbind
nss_ldap: <== do_close_no_unbind (connection was not open)
nss_ldap: ==> _nss_ldap_add_uri
nss_ldap: <== _nss_ldap_add_uri: added URI ldap://server1.example.org
nss_ldap: ==> _nss_ldap_add_uri
nss_ldap: <== _nss_ldap_add_uri: added URI ldap://server2.example.org
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixAccount)(uid=user))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_start_tls
nss_ldap: :== do_open (TLS startup succeeded)
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_set_sockopts
nss_ldap: <== do_set_sockopts
nss_ldap: <== do_open (session connected to DSA)
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> do_parse_s
nss_ldap: ==> _nss_ldap_assign_userpassword
nss_ldap: <== _nss_ldap_assign_userpassword
nss_ldap: <== do_parse_s
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_initgroups_dyn (user=user)
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixAccount)(uid=user))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_start_tls
nss_ldap: :== do_open (TLS startup succeeded)
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_set_sockopts
nss_ldap: <== do_set_sockopts
nss_ldap: <== do_open (session connected to DSA)
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> _nss_ldap_ent_context_init_locked
nss_ldap: <== _nss_ldap_ent_context_init_locked
nss_ldap: ==> _nss_ldap_getent_ex
nss_ldap: ==> _nss_ldap_ent_context_init_locked
nss_ldap: <== _nss_ldap_ent_context_init_locked
nss_ldap: ==> _nss_ldap_search
nss_ldap: ==> do_init
nss_ldap: <== do_init (cached session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(|(memberUid=user)(uniqueMember=uid=user,ou=staff,ou=people,dc=example,dc=org)))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (cached session)
nss_ldap: <== do_open (cached session)
nss_ldap: ==> do_search
nss_ldap: <== do_search
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search
nss_ldap: ==> do_parse
nss_ldap: ==> do_result
nss_ldap: <== do_result
nss_ldap: ==> _nss_ldap_namelist_find
nss_ldap: <== _nss_ldap_namelist_find
nss_ldap: ==> _nss_ldap_ent_context_init_locked
nss_ldap: <== _nss_ldap_ent_context_init_locked
nss_ldap: ==> _nss_ldap_getent_ex
nss_ldap: ==> _nss_ldap_ent_context_init_locked
nss_ldap: <== _nss_ldap_ent_context_init_locked
nss_ldap: ==> _nss_ldap_search
nss_ldap: ==> do_init
nss_ldap: <== do_init (cached session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(uniqueMember=cn=user,ou=groups,ou=people,dc=example,dc=org))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (cached session)
nss_ldap: <== do_open (cached session)
nss_ldap: ==> do_search
nss_ldap: <== do_search
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search
nss_ldap: ==> do_parse
nss_ldap: ==> do_result
nss_ldap: <== do_result
nss_ldap: <== do_parse
nss_ldap: ==> _nss_ldap_search
nss_ldap: ==> do_init
nss_ldap: <== do_init (cached session)
nss_ldap: <== _nss_ldap_getent_ex
nss_ldap: ==> _nss_ldap_ent_context_release
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: <== _nss_ldap_ent_context_release
nss_ldap: ==> do_result
nss_ldap: <== do_result
nss_ldap: <== do_parse
nss_ldap: <== _nss_ldap_getent_ex
nss_ldap: ==> _nss_ldap_namelist_destroy
nss_ldap: <== _nss_ldap_namelist_destroy
nss_ldap: ==> _nss_ldap_ent_context_release
nss_ldap: ==> do_result
nss_ldap: <== do_result
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: <== _nss_ldap_ent_context_release
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_initgroups_dyn (not found)
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(gidNumber=118))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_start_tls
nss_ldap: :== do_open (TLS startup succeeded)
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_set_sockopts
nss_ldap: <== do_set_sockopts
nss_ldap: <== do_open (session connected to DSA)
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> do_parse_s
nss_ldap: ==> _nss_ldap_assign_userpassword
nss_ldap: <== _nss_ldap_assign_userpassword
nss_ldap: ==> _nss_ldap_namelist_find
nss_ldap: <== _nss_ldap_namelist_find
nss_ldap: ==> _nss_ldap_namelist_push (cn=user,ou=groups,ou=people,dc=example,dc=org)
nss_ldap: <== _nss_ldap_namelist_push
nss_ldap: ==> _nss_ldap_namelist_destroy
nss_ldap: <== _nss_ldap_namelist_destroy
nss_ldap: <== do_parse_s
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(gidNumber=118))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_start_tls
nss_ldap: :== do_open (TLS startup succeeded)
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_set_sockopts
nss_ldap: <== do_set_sockopts
nss_ldap: <== do_open (session connected to DSA)
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> do_parse_s
nss_ldap: ==> _nss_ldap_assign_userpassword
nss_ldap: <== _nss_ldap_assign_userpassword
nss_ldap: ==> _nss_ldap_namelist_find
nss_ldap: <== _nss_ldap_namelist_find
nss_ldap: ==> _nss_ldap_namelist_push (cn=user,ou=groups,ou=people,dc=example,dc=org)
nss_ldap: <== _nss_ldap_namelist_push
nss_ldap: ==> _nss_ldap_namelist_destroy
nss_ldap: <== _nss_ldap_namelist_destroy
nss_ldap: <== do_parse_s
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getbyname
Attachment: ldap.rtf (ldap.conf)
# LDAP Configuration
URI ldap://server1.example.org ldap://server2.example.org
bind_timelimit 1
bind_policy soft
base dc=example,dc=org
ldap_version 3
scope sub
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1
TLS_CACERT /usr/local/etc/ca.crt

pam_filter &(objectclass=posixAccount)(clxEnabled=TRUE)
pam_check_host_attr yes
pam_login_attribute uid:caseExactMatch:
pam_member_attribute memberUid
pam_password crypt
pam_max_uid 999

nss_connect_policy oneshot
nss_base_group ou=groups,ou=people,dc=example,dc=org
nss_initgroups_ignoreusers root,ldap

sudoers_base ou=SUDOers,dc=example,dc=org
---
Eric F Crist
System Administrator
ClaimLynx, Inc
(952) 593-5969 x2301
On Apr 25, 2012, at 11:32:01, Michael Graziano wrote:
> Got my 9.x box up and running - no dice on reproducing the problem though.
> Tracing through nss_ldap's debug output doesn't show a problem, and
> nss_ldap is correctly instantiating the LDAP primary group and both local
> and LDAP member groups for my user.
>
> Can you tell me a little more about the environment this is happening in?
> - Is this a local user (/etc/passwd) or an LDAP user?
> - Is the user a member of any local groups? (and do those work?)
> - Is the user listed under "nss_initgroups_ignoreusers" in the nss_ldap
> config file?
>
> A copy of your nss_ldap.conf file (with sensitive bits redacted) might be
> helpful. Also if you have a box where you can compile with -DDEBUG in
> your CFLAGS and test the output from that should show us where things are
> going off the rails...
>
> Thanks!
>
> -MG
>
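Two checks from this thread, turned into an added example that is my own code and not part of the PR, the nss_ldap port or FreeBSD: parsing a -DDEBUG enter/leave trace of the kind attached as id.log to pull out the outcome of _nss_ldap_initgroups_dyn together with every LDAP filter issued while supplementary groups were being resolved, and diffing `id` output between a suspect host and a known-good one, which is the quick check that exposed the Samba share failures here. The trace format is assumed from what id.log shows (`==>` enter, `<==` leave with an optional parenthesised outcome, `:== do_filter:` carrying the filter); the sample trace and the `id` lines are constructed to mirror the report, not copied from it.

```python
"""Triage helper for nss_ldap debug traces and `id` output.

Added example; not part of the PR, the nss_ldap port or FreeBSD.
Assumed trace format (taken from the attached id.log):
    nss_ldap: ==> func [(note)]      function entered
    nss_ldap: <== func [(note)]      function left; note is the outcome
    nss_ldap: :== do_filter: (...)   informational line with the LDAP filter
The SAMPLE_* values below are constructed to mirror the report.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^nss_ldap: (==>|<==|:==) (\S+?):?(?:\s+(.*))?$")


@dataclass
class Call:
    name: str
    result: str = ""                      # text inside (...) on the leave line
    filters: list = field(default_factory=list)
    children: list = field(default_factory=list)


def parse_trace(lines):
    """Build a call tree from enter/leave lines; returns the top-level calls.

    Real traces are not perfectly balanced (a search can end without its own
    leave line), so a leave unwinds the stack until it meets the matching enter.
    """
    root = Call("<root>")
    stack = [root]
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, name, rest = m.group(1), m.group(2), (m.group(3) or "").strip()
        if kind == "==>":
            call = Call(name)
            stack[-1].children.append(call)
            stack.append(call)
        elif kind == "<==":
            while len(stack) > 1:
                call = stack.pop()
                if call.name == name:
                    call.result = rest.strip("()")
                    break
        elif kind == ":==" and name == "do_filter":
            stack[-1].filters.append(rest)  # attached to the enclosing do_filter
    return root.children


def walk(calls):
    """Depth-first generator over a call tree."""
    for call in calls:
        yield call
        yield from walk(call.children)


def initgroups_report(lines):
    """Outcome of the first _nss_ldap_initgroups_dyn call and every LDAP filter
    issued underneath it (where supplementary groups are resolved).
    Returns (outcome, [filters]); outcome is None when the call is absent."""
    for call in walk(parse_trace(lines)):
        if call.name == "_nss_ldap_initgroups_dyn":
            filters = [f for c in walk([call]) for f in c.filters]
            return call.result, filters
    return None, []


GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def id_groups(id_output):
    """Parse the groups= field of `id` output into {gid: name}."""
    m = re.search(r"groups=(.*)$", id_output)
    return {int(g): n for g, n in GROUP_RE.findall(m.group(1))} if m else {}


def missing_groups(suspect, reference):
    """Groups a known-good host reports that the suspect host does not, by gid.
    A non-empty result is exactly the symptom the report describes."""
    have, want = id_groups(suspect), id_groups(reference)
    return sorted((gid, want[gid]) for gid in want if gid not in have)


# Constructed sample trace with the shape of the attached id.log.
SAMPLE_TRACE = """\
nss_ldap: ==> _nss_ldap_initgroups_dyn (user=user)
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixAccount)(uid=user))
nss_ldap: <== do_filter
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> _nss_ldap_getent_ex
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(|(memberUid=user)(uniqueMember=uid=user,ou=staff,ou=people,dc=example,dc=org)))
nss_ldap: <== do_filter
nss_ldap: ==> _nss_ldap_getent_ex
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(uniqueMember=cn=user,ou=groups,ou=people,dc=example,dc=org))
nss_ldap: <== do_filter
nss_ldap: ==> _nss_ldap_search
nss_ldap: <== _nss_ldap_getent_ex
nss_ldap: <== _nss_ldap_getent_ex
nss_ldap: <== _nss_ldap_initgroups_dyn (not found)
""".splitlines()

# Constructed `id` output using the values quoted in the report.
SAMPLE_BAD_ID = "uid=118(user) gid=118(user) groups=118(user)"
SAMPLE_GOOD_ID = ("uid=118(user) gid=118(user) groups=118(user),0(wheel),800(prod),"
                  "300(administrators),99(example),68(dialer),80(www)")

if __name__ == "__main__":
    outcome, filters = initgroups_report(SAMPLE_TRACE)
    print("initgroups outcome:", outcome)
    for f in filters:
        print("  filter:", f)
    print("groups missing on suspect host:", missing_groups(SAMPLE_BAD_ID, SAMPLE_GOOD_ID))
```

Run as a script it prints the "not found" outcome, the three filters issued under initgroups, and the six groups the good host reports that the bad host does not. The same `missing_groups` comparison against a known-good host is a cheap periodic check for hosts whose services, like the Samba server in the report, authorize on group membership that comes from LDAP.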