nss_ldap/pam_ldap: problems binding

martin mccann martin at orbweavers.co.uk
Thu Apr 20 22:14:26 UTC 2006


Hi, 

	I've been trying to get my ldap authentication working, something I have done 
before with little issue, but this time around it is causing real pain. 

	Pretty much the same problems Jan HREHO was having back in February - 
http://lists.freebsd.org/pipermail/freebsd-questions/2006-February/112066.html

	I tried the suggested solution to that - moving the slapd startup script 
into /etc/rc.d, but that didn't help, same problem just further up in the 
boot process. 

	Another possibility I came across was putting the line 'bind_policy soft' 
in /etc/ldap.conf (symlinked to /usr/local/etc/ldap.conf 
& /usr/local/etc/nss_ldap.conf). This seemed to do the job, until I then 
tried to ssh onto localhost using an ldap user account. It failed with 

Apr 19 22:48:10 svr1 sshd[660]: nss_ldap: could not search LDAP server - 
Server is unavailable
Apr 19 22:48:10 svr1 sshd[660]: fatal: login_get_lastlog: Cannot find account 
for uid 2000

	Removing the bind_policy from the file then retrying, it worked fine. 

	The second solution I tried was to change the slapd.sh file to just launch 
the daemon i.e. '/usr/local/libexec/slapd'. This seems to work, but it is 
very inelegant, and it may have knock-on effects I am unaware of at this 
time. I'm more interested in getting the process right to set it up at this 
stage, rather than hacking away to get a working system (I'm working on a 
series of documents). 

	I'm doing this on a virgin 6.0 installation, cvsuped with the latest ports, 
fresh install of openldap22, pam_ldap and nss_ldap.  

	So the question is, is this a common problem? If not, then what am I 
doing wrong to create it; if so, then is there a more elegant solution than 
hacking away at the startup script? 

	The thread that suggests the bind_policy also mentions 'nss_reconnect_* 
parameters', which certainly sounds like it could be the answer, but I haven't 
been able to google anything about them. 

Cheers, 
Martin 
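The trade-off described in the post (a hard bind policy stalling boot while slapd is not yet up, versus a soft policy making sshd fail with "Server is unavailable") is illustrated by this added model, which is not code from the poster or from nss_ldap. The retry loop is modelled on nss_ldap's nss_reconnect_* knobs with assumed defaults; the exact retry semantics of the real module are not given on the page.

```python
import socket
import time


def ldap_reachable(host, port, policy="hard", tries=5, sleeptime=1,
                   maxsleeptime=8, _connect=None, _sleep=time.sleep):
    """Return (reachable, attempts, seconds_waited).

    policy="soft": give up after the first failed connect, so a lookup during
    boot returns at once but a later lookup while slapd is down fails outright
    (the sshd "could not search LDAP server" case from the log above).
    policy="hard": retry with doubling back-off (assumed defaults: up to
    `tries` attempts, sleep starting at `sleeptime`, capped at
    `maxsleeptime`), which is what holds up the boot when slapd starts late.

    `_connect` and `_sleep` are injectable so the model can run offline.
    """
    if _connect is None:
        def _connect():
            # Real probe: a plain TCP connect to the LDAP port, no bind.
            with socket.create_connection((host, port), timeout=2):
                return True

    attempts = 0
    waited = 0
    delay = sleeptime
    while True:
        attempts += 1
        try:
            _connect()
            return True, attempts, waited
        except OSError:
            if policy == "soft" or attempts >= tries:
                return False, attempts, waited
            _sleep(delay)
            waited += delay
            delay = min(delay * 2, maxsleeptime)


def flaky_server(failures):
    """Constructed stand-in for slapd that refuses the first `failures` connects."""
    state = {"calls": 0}

    def connect():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise OSError("connection refused")
        return True
    return connect
```

Run with a fake sleep to compare policies: `ldap_reachable("ldap", 389, "soft", _connect=flaky_server(1), _sleep=lambda s: None)` fails immediately, while the hard policy against the same server succeeds after waiting.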
