sysutils/screen and net/nss_ldap on stable/10, and LDAP on Novell NetWare 6.5 SP8

Trond Endrestøl Trond.Endrestol at
Mon May 18 11:06:52 UTC 2015


I decided to upgrade one of my production systems from stable/8, to 
stable/9, and finally to stable/10. All is well, except 

GNU screen is the only software not capable of using LDAP after the 
upgrade. I didn't recompile the ports while the system ran stable/9, 
only after upgrading to stable/10.

I've traced the problem down to net/nss_ldap and getpwuid(). Luckily, 
this production system isn't in high demand, and only I use GNU screen 
on this system.

The log facility user is filled with:

May 18 10:40:24 <> [HOSTNAME] screen: nss_ldap: failed to bind to LDAP server ldaps://ldap1.fqdn/: Can't contact LDAP server
May 18 10:40:24 <> [HOSTNAME] screen: nss_ldap: failed to bind to LDAP server ldaps://ldap2.fqdn/: Can't contact LDAP server

To save some effort:

/usr/local/etc/ldap.conf is symlinked to openldap/ldap.conf
/usr/local/etc/ldap.secret is symlinked to openldap/ldap.secret
/usr/local/etc/nss_ldap.conf is symlinked to ldap.conf (see above)

/usr/local/etc/openldap/ldap.conf contains roughly:

uri                     ldaps://ldap1.fqdn/ ldaps://ldap2.fqdn/
base                    O=XXX
scope                   sub
tls_cacert              /etc/ssl/certs/somecert.cer
ssl                     on
ldap_version            3
binddn                  CN=[someproxyuser],OU=Proxyusers,O=XXX
bindpw                  [WITHHELD]
rootbinddn              CN=[administrativeAccount],OU=YYY,O=XXX
timeout                 15
network_timeout         15
pam_login_attribute     uid
pam_password            nds
nss_base_passwd         OU=ZZZ,O=XXX
nss_base_shadow         OU=ZZZ,O=XXX
nss_base_groups         OU=Unixgroups,O=XXX

ldap1.fqdn and ldap2.fqdn runs Novell NetWare 6.5 SP8.

GNU screen works flawless with locally defined users. Login, both 
console and SSH, using LDAP defined users and groups works flawlessly, 
and the same goes for long listing of directories (ls -l).

I noticed net/nss-pam-ldapd in the ports collection. Is it worth the 
effort to switch from net/nss_ldap to net/nss-pam-ldapd?

| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |

More information about the freebsd-questions mailing list