OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

Ulrich Spoerlein uspoerlein at
Sun Nov 4 13:48:47 PST 2007

Sorry for the late reply ...

On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote:
> All right, here I am. nss_ldap.conf and ldap.conf are located in 
> /usr/local/etc and are identical (link). I copied all tags I use and deleted 
> commented out tags:

Seems ok to me, though I don't claim to be an expert.

> The slapd.conf is this, comments roped:
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> # additional schema
> include         /usr/local/share/examples/samba/LDAP/samba.schema
> pidfile         /var/run/openldap/
> argsfile        /var/run/openldap/slapd.args
> logfile         /var/log/slapd.log
> loglevel        512

loglevel is a bitmask. It you want to have lots of debugging try 255 and
run a tail -f /var/log/debug.log

> sizelimit       unlimited
> allow           bind_v2
> modulepath      /usr/local/libexec/openldap
> moduleload      back_bdb
> everse-lookup  off

typo I guess?

> NSCD is up and running, my nsswitch.conf looks like this:

Please try without nscd first, it's just another possible source of

> group: cache ldap[ unavail=continue notfound=continue ] files
> passwd: cache ldap [ unavail=continue notfound=continue ] files
> #group_compat: nis
> hosts: compat
> networks: files
> #passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
> And I changed some lines in /etc/pam.d/sshd,login,system,other like this 
> *commented out due to system gets stuck forever when enab;ed 
> nss_ldap/pam_ldap):

I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to
avoid this unresponsiveness.

# Bind/connect timelimit
bind_timelimit 3

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft

Also, make NSS work first, then turn to configuring PAM (at least,
that's what I would do)

> Some errors from console:
> (At boot time)
> Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: 
> could not search LDAP server - Server is unavailable

Expected. slapd want to change its user to ldap:ldap, which it needs to
look up the UID for. Chicken & Egg. That's why I need to use soft
bind+timeout on my (disconnected) laptop here.

> Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: 
> could not search LDAP server - Server is unavailable
> Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could 
> not search LDAP server - Server is unavailable

That seems broken then. Is slapd running? Can you ldapsearch -Lx -h
localhost? What's /var/log/debug.log telling you? Can you id(1) some ldap
users? Does the output of 'getent group' and 'getent passwd' look

> One point: what is about compile time options of OpenLDAP? Does LDAP forces 
> itself using SSL although not configured explicitely in slapd.conf?

No. It is purely optional. You would need certificates before it can
even possibly start working anyways.

> nss_ldap-1.257  <<===
> openldap-client-2.3.38
> openldap-server-2.3.38
> pam_ldap-1.8.2

My other computer is running with nss_ldap-1.257 and showing no problems

Ulrich Spoerlein
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.

More information about the freebsd-questions mailing list