Problem: FreeBSD 7.x && ssh v2 && nss_ldap

Ulrich Spörlein uspoerlein at gmail.com
Thu Apr 16 15:23:11 UTC 2009


On Wed, 15.04.2009 at 12:14:48 -0700, Benjamin Lee wrote:
> On 04/15/2009 01:33 AM, Konrad Heuer wrote:
> > 
> > I see a problem on two systems running FreeBSD 7.0 or 7.1 which are
> > configured as OpenLDAP clients using the nss_ldap module.
> > 
> > When someone logs on using ssh protocol version 2 the session will not
> > be initialized correctly. The user will only get his primary group
> > affiliation but no affiliation to other groups (memberUid attribute in
> > LDAP group entries).
> > 
> > On 7.1 the ssh login process hangs forever with open ldap queries, on
> > 7.0 the group list is incomplete. On several 6.x systems, all works
> > correctly.
> > I have used the configuration for years now.
> > 
> > There are some workarounds I found:
> > 
> > a) use ssh protocol version 1
> > b) set UseLogin to yes in sshd_config
> > c) avoid ssl encryption in communication to ldap server
> >    (ldap://... uri instead of ldaps://... in ldap.conf)
> > 
> > Does anybody see similar problems? Does anybody have an idea what may
> > cause the problem?
> 
> I recently submitted ports/133501 regarding this issue, but I have not
> yet received a response.
> 
> My workaround was to disable pthread_atfork support, so the problem
> might be related to the change from libkse to libthr in RELENG_7.

I tried your patch to see if it made any change for the nss_ldap UNIX
socket leak, but sadly no change. I never observed the SSH2 problems you
guys mention, but then again I'm usually using key authentication.

I'll run with the patch anyway and see if it makes any change to the
problem where login(1) is only able to authenticate me after 30s of
idling.


Cheers,
Ulrich Spörlein
-- 
None are more hopelessly enslaved than those who falsely believe they are free
-- Johann Wolfgang von Goethe
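The symptom described at the top of the thread (a session that receives only the user's primary group while the LDAP group entries list further memberUid affiliations) is easy to miss until something fails on a group permission. The following POSIX sh script is an added example written for this page, not code from the thread or from nss_ldap: it compares the supplementary groups a user should have according to group(5)-style lines (as `getent group` would print them from LDAP) with the group list a session actually received (the format of `id -Gn`). The group and session data embedded below are constructed samples; on a real host you would feed it `getent group` and `id -Gn "$USER"` instead.

```shell
#!/bin/sh
# Added example (not from the thread): detect the incomplete supplementary
# group list symptom by comparing LDAP group membership with what a login
# session actually received. All sample data here is constructed.

# Print the names of groups whose memberUid list contains $1, reading
# group(5)-format lines from stdin:  name:password:gid:member1,member2
ldap_groups_for_user() {
    user=$1
    while IFS=: read -r gname _ _ members; do
        [ -n "$gname" ] || continue
        # Wrap in commas so "bob" cannot match a longer name like "bobby".
        case ",$members," in
            *",$user,"*) printf '%s\n' "$gname" ;;
        esac
    done
}

# $1: expected group names (whitespace separated, e.g. output of the
#     function above); $2: the space separated list printed by `id -Gn`.
# Prints each expected group the session lacks; exit 0 when none is missing.
missing_groups() {
    expected=$1
    observed=$2
    rc=0
    for g in $expected; do
        case " $observed " in
            *" $g "*) ;;
            *) printf '%s\n' "$g"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of what nss_ldap would return for `getent group`.
SAMPLE_GROUPS='wheel:*:0:root,alice
operator:*:5:root
staff:*:20:alice,bob
www:*:80:bob'

# Constructed sample of `id -Gn alice` in a session that only got the
# primary group (the 7.0 behaviour described in the thread).
SAMPLE_SESSION='alice'

expected=$(printf '%s\n' "$SAMPLE_GROUPS" | ldap_groups_for_user alice)
if missing_groups "$expected" "$SAMPLE_SESSION"; then
    echo "all LDAP groups present in session"
else
    echo "session is missing the supplementary groups listed above"
fi
```

Run it right after logging in over the path you are testing (sshd with protocol 2, login(1) on the console) and compare with a 6.x host or a protocol 1 login; a non-zero exit from `missing_groups` is the condition to alert on.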