http://bugzilla.novell.com/show_bug.cgi?id=623886
http://bugzilla.novell.com/show_bug.cgi?id=623886#c0

Summary: no login possible over ldap server
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: hiller@mpia-hd.mpg.de
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.6) Gecko/20100626 SUSE/3.6.6-1.2 Firefox/3.6.6

I installed openSUSE 11.3 on x86_64. Everything works, except LDAP.

First: on the previous OS versions, including openSUSE 11.2, everything was working perfectly. Now with 11.3 I cannot log in anymore with an LDAP user account (local logins are working).

These ldap/pam/nscd packages are installed on my openSUSE 11.3 machine:

~> rpm -qa | grep ldap
libldap-2_4-2-32bit-2.4.21-9.1.x86_64
nss_ldap-32bit-265-4.2.x86_64
yast2-ldap-2.17.3-12.2.x86_64
nss_ldap-265-4.2.x86_64
libldap-2_4-2-2.4.21-9.1.x86_64
libldapcpp1-0.2.1-3.2.x86_64
openldap2-2.4.21-9.1.x86_64
pam_ldap-185-4.2.x86_64
openldap2-client-2.4.21-9.1.x86_64
pam_ldap-32bit-185-4.2.x86_64
yast2-ldap-client-2.19.2-1.4.noarch
openldap2-devel-2.4.21-9.1.x86_64

~> rpm -qa | grep pam
gnome-keyring-pam-2.30.1-2.11.x86_64
pam-modules-32bit-11.2-8.1.x86_64
pam-modules-11.2-8.1.x86_64
pam-32bit-1.1.1.90-1.6.x86_64
pam_apparmor-2.3-57.1.x86_64
pam-config-0.73-2.10.x86_64
pam_apparmor-32bit-2.3-57.1.x86_64
gnome-keyring-pam-32bit-2.30.1-2.11.x86_64
pam-1.1.1.90-1.6.x86_64
pam_ldap-185-4.2.x86_64
pam-devel-1.1.1.90-1.6.x86_64
pam_ldap-32bit-185-4.2.x86_64
yast2-pam-2.19.1-3.2.noarch

~> rpm -qa | grep nscd
libnscd-2.0.2-113.1.x86_64
nscd-2.11.2-2.4.x86_64
libnscd-32bit-2.0.2-113.1.x86_64

/etc/openldap/ldap.conf is a softlink to /etc/ldap.conf. In /etc/ldap.conf the line "tls_cacertdir /etc/ssl/certs" is not commented. Since I deleted the comment sign, 'getent passwd' shows all the users from the LDAP server.

Now I try to log in. Local users defined in /etc/passwd can log in. When I try to log in as an LDAP user I get the following messages in /var/log/messages:

nss_ldap: could not search LDAP server - Server is unavailable
gkr-pam: error looking up user information for: [here is my user name]
User not known to the underlying authentication module

I can make two workarounds:

Login as an LDAP user works when I activate in /etc/ldap.conf the line "tls_checkpeer no". But then it does not check the TLS certificate. This is not an acceptable solution for us.

The second workaround is to set in /etc/nscd.conf the line "enable-cache passwd no" (no matter whether I use nscd or unscd). This is also not a solution, because the network traffic will rise even on simple commands like 'ls -l'.

I have found in Google that nscd has a problem in 11.3, but what I found does not fit my problem. Furthermore I do not know whether the reason for my problem is in ldap or nscd.

Here is the content of /etc/nscd.conf and /etc/ldap.conf.

/etc/nscd.conf:

logfile /var/log/nscd.log
debug-level 4
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 0
suggested-size hosts 211
check-files hosts yes
persistent hosts no
shared hosts yes
max-db-size hosts 33554432
enable-cache services yes
positive-time-to-live services 28800
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes
max-db-size services 33554432

/etc/ldap.conf:

host [this is our ldap server]
base o=xxxxxxxx
ldap_version 3
bind_policy soft
pam_lookup_policy yes
pam_check_host_attr yes
pam_password crypt
ssl start_tls
ldap_version 3
pam_filter objectclass=posixAccount
nss_base_passwd ou=xxxxx,o=xxxxx
nss_base_shadow ou=xxxxx,o=xxxxx
nss_base_group ou=xxxxx,o=xxxxx
tls_cacertdir /etc/ssl/certs

Reproducible: Always

Steps to Reproduce:
1. Activate nscd and log in as an LDAP user.

Actual Results:
Login not possible for LDAP. Login works only for local users.

Expected Results:
Login fails. In /var/log/messages are the following messages:

nss_ldap: could not search LDAP server - Server is unavailable
gkr-pam: error looking up user information for: [here is my user name]
User not known to the underlying authentication module

Workarounds (both not recommendable):
1. Deactivate nscd or activate the line "enable-cache passwd no" in /etc/nscd.conf.
2. Activate the line "tls_checkpeer no" in /etc/ldap.conf.
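The report's two ldap.conf states, "tls_cacertdir /etc/ssl/certs" with verification on versus the "tls_checkpeer no" workaround, are the kind of thing worth checking mechanically before an nss_ldap/pam_ldap host is trusted with logins. The audit script below is an added example for this page; it is not part of the bug report, of nss_ldap or of openSUSE. It reads an ldap.conf, flags "tls_checkpeer no", requires that TLS is enabled ("ssl start_tls", "on" or "yes") and that a trust anchor is configured and usable. Assumptions: ldap.conf keys are case-insensitive and the last occurrence wins; an absent tls_checkpeer means the default of verifying the peer; and a tls_cacertdir is an OpenSSL hash directory whose entries are named <subject-hash>.<n> as c_rehash produces them (libldap on openSUSE is linked against OpenSSL, and an unhashed directory is one reason a correctly named CA is still not found). The sample configuration files used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: audit an nss_ldap/pam_ldap style
# ldap.conf for the TLS peer-verification settings discussed above.
# Assumed: keys are case-insensitive (last one wins), absent tls_checkpeer
# means the default "yes", and tls_cacertdir is an OpenSSL hash directory
# (entries named <hash>.<n>, as created by c_rehash).

# conf_value FILE KEY -> last uncommented value of KEY, empty if unset
conf_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == key { v = $2 } END { print v }' "$1"
}

# hashed_cert_count DIR -> number of entries named like an OpenSSL subject hash
hashed_cert_count() {
    n=0
    for f in "$1"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# audit_ldap_conf FILE -> prints findings; returns 0 when the server
# certificate will be verified against a usable trust store, 1 otherwise.
audit_ldap_conf() {
    conf="$1"
    rc=0
    ssl=$(conf_value "$conf" ssl | tr 'A-Z' 'a-z')
    checkpeer=$(conf_value "$conf" tls_checkpeer | tr 'A-Z' 'a-z')
    cacertdir=$(conf_value "$conf" tls_cacertdir)
    cacertfile=$(conf_value "$conf" tls_cacertfile)

    # Without TLS the bind password and directory data travel in the clear.
    case "$ssl" in
        start_tls|on|yes) ;;
        *) echo "$conf: ssl is '$ssl'; LDAP traffic is not protected by TLS"; rc=1 ;;
    esac

    # The workaround from the report: accept any server certificate.
    if [ "$checkpeer" = "no" ]; then
        echo "$conf: tls_checkpeer no disables server certificate verification"
        rc=1
    fi

    # Verification is only meaningful with a readable trust anchor.
    if [ -n "$cacertfile" ]; then
        if [ ! -r "$cacertfile" ]; then
            echo "$conf: tls_cacertfile $cacertfile is missing or unreadable"; rc=1
        fi
    elif [ -n "$cacertdir" ]; then
        if [ ! -d "$cacertdir" ]; then
            echo "$conf: tls_cacertdir $cacertdir does not exist"; rc=1
        elif [ "$(hashed_cert_count "$cacertdir")" -eq 0 ]; then
            echo "$conf: tls_cacertdir $cacertdir has no <hash>.<n> entries (run c_rehash)"; rc=1
        fi
    else
        echo "$conf: neither tls_cacertfile nor tls_cacertdir is set; no trust anchor"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "$conf: TLS peer verification is enforced with a usable trust store"
    fi
    return "$rc"
}

# Usage: ./audit-ldap-conf.sh /etc/ldap.conf
if [ "$#" -gt 0 ]; then
    audit_ldap_conf "$1"
fi
```

The script exits non-zero on any finding, so it can run from a configuration-management check or a pre-login smoke test; the nscd side of the report is not covered because the cache settings themselves are not a security weakness, only a place where the TLS failure becomes visible.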