[Bug 214585] New: startup problem of openldap server with enabled nss

https://bugzilla.novell.com/show_bug.cgi?id=214585

           Summary: startup problem of openldap server with enabled nss
           Product: SUSE Linux 10.1
           Version: Final
          Platform: 64bit
        OS/Version: SuSE Linux 10.1
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: reitenbach@rapideye.de
         QAContact: qa@suse.de

A system running an openldap server, just installed via YaST, and with LDAP lookup to localhost enabled, ends up in a deadlock when starting the LDAP server as an unprivileged user (the default).

When starting openldap via rcldap start, slapd is called this way:

  /usr/lib/openldap/slapd -h ldap:/// -u ldap -g ldap -o slp=on

With LDAP user authentication enabled, configured via YaST, where the LDAP server is configured to be the one at localhost, openldap tries to look up the name and group of the ldap user, even though these two are in the /etc/passwd and /etc/group files. When starting slapd without the -u and -g parameters, no deadlock occurs.

Workaround: edit /etc/init.d/ldap and replace the /etc/nsswitch.conf file before and after starting slapd. Before starting slapd, the passwd and group entries in there shall look like this:

  passwd: files
  group: files

and after slapd is started, it should look like this:

  passwd: files compat
  group: files compat
  passwd_compat: ldap
  group_compat: ldap

Then it is working as expected.

The problem itself seems to be a bit older: http://lists.freebsd.org/pipermail/freebsd-net/2006-February/009724.html but I have the latest updates available installed.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
chrubis@novell.com changed:

           What    |Removed                                    |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com  |rhafer@novell.com
rhafer@novell.com changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
             Status|NEW                     |NEEDINFO
      Info Provider|                        |reitenbach@rapideye.de

------- Comment #1 from rhafer@novell.com 2006-10-24 06:12 MST -------
Please attach your /etc/ldap.conf
------- Comment #2 from reitenbach@rapideye.de 2006-10-24 09:48 MST -------
Hi,

I asked how to circumvent the problem in a better way on the nss_ldap mailing list, and got this answer:

  I think your problem here is that when you are starting LDAP, it's looking to find out if your ldap user is in any other groups. One way to get around this problem is to add the following to your /etc/ldap.conf:

    nss_initgroups_ignoreusers root,ldap

  This should prevent the group lookup to your LDAP directory.

It seems that YaST failed to set this parameter when I configured the system to use localhost as the LDAP server. If you still need my ldap.conf file, I can supply it too.
rhafer@novell.com changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
         AssignedTo|rhafer@novell.com       |jsuchome@novell.com
             Status|NEEDINFO                |NEW
          Component|Basesystem              |Basesystem
      Info Provider|reitenbach@rapideye.de  |
            Product|SUSE Linux 10.1         |openSUSE 10.2
            Version|Final                   |Alpha 5 plus

------- Comment #3 from rhafer@novell.com 2006-10-25 01:07 MST -------
I am not sure if nss_initgroups_ignoreusers was already available in the nss_ldap version on 10.1. Alternatively you could try "bind_policy soft" in ldap.conf; that should fix the problem as well.

In 10.2 "nss_initgroups_ignoreusers root,ldap" has been part of our default ldap.conf for a few days. Btw, Jiri, can you update the YaST module on 10.2 to check if that parameter is present and add it if not?
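The two remedies this thread describes, the nsswitch.conf swap from the original report and the nss_initgroups_ignoreusers setting from comment #2, combined into one start-up wrapper as an added example; this is not the reporter's script nor SUSE's /etc/init.d/ldap, and the function names, the backup suffix, and the parameterised file paths are assumptions:

```shell
#!/bin/sh
# Added example (not from the bug report or SUSE's /etc/init.d/ldap): a
# start-up wrapper for slapd that avoids the nss_ldap self-lookup deadlock
# described in the bug. It first checks whether ldap.conf already tells
# nss_ldap to skip the supplementary-group lookup for the slapd user
# (nss_initgroups_ignoreusers, comment #2). Only if that is missing does it
# fall back to the reporter's workaround: serve passwd/group from "files"
# alone while slapd starts, then restore the original nsswitch.conf. Paths
# and the slapd command are parameters so the logic can be exercised on
# constructed copies rather than the live system files.

# ignoreusers_covers CONF USER: 0 if nss_initgroups_ignoreusers in CONF lists USER
ignoreusers_covers() {
    list=$(sed -n 's/^[[:space:]]*nss_initgroups_ignoreusers[[:space:]]\{1,\}//p' "$1" | tail -n 1)
    [ -n "$list" ] || return 1
    echo "$list" | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -qx "$2"
}

# nss_is_files_only NSSWITCH: 0 if passwd and group resolve from files alone
nss_is_files_only() {
    grep -qx 'passwd:[[:space:]]*files' "$1" && grep -qx 'group:[[:space:]]*files' "$1"
}

# nss_files_only NSSWITCH: keep a backup, then point passwd/group at files only
nss_files_only() {
    cp -p "$1" "$1.slapd-start.bak"
    sed -e 's/^passwd:.*/passwd: files/' -e 's/^group:.*/group: files/' \
        "$1.slapd-start.bak" > "$1"
}

# nss_restore NSSWITCH: put the original back if a backup exists (no-op otherwise)
nss_restore() {
    if [ -f "$1.slapd-start.bak" ]; then mv "$1.slapd-start.bak" "$1"; fi
}

# start_slapd_safely LDAPCONF NSSWITCH USER SLAPD_CMD...: returns slapd's exit status
start_slapd_safely() {
    ldapconf=$1; nss=$2; user=$3; shift 3
    if ! ignoreusers_covers "$ldapconf" "$user"; then
        nss_files_only "$nss"
        trap 'nss_restore "$nss"' EXIT INT TERM   # restore even if interrupted
    fi
    "$@" && rc=0 || rc=$?                          # e.g. slapd -h ldap:/// -u ldap -g ldap
    nss_restore "$nss"
    trap - EXIT INT TERM
    return $rc
}
```

The fallback only narrows the window in which nss_ldap can call back into the not-yet-running server; adding the ldap.conf setting remains the proper fix, which is why the wrapper checks for it first.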
jsuchome@novell.com changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
             Status|NEW                     |NEEDINFO
      Info Provider|                        |rhafer@novell.com

------- Comment #4 from jsuchome@novell.com 2006-10-25 01:48 MST -------
I'm not sure. I think it should be in the default config file (it isn't on Alpha5plus), but IMHO there should be a possibility to manually remove it. If yast2-ldap-client would silently add it again the next time the user runs the configuration, it might not be what (s)he expects. Don't you agree?

Maybe it doesn't make sense to remove the value... but in that case it probably wouldn't have a reason to exist...
rhafer@novell.com changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                |ASSIGNED
      Info Provider|rhafer@novell.com       |

------- Comment #5 from rhafer@novell.com 2006-10-25 02:19 MST -------
(In reply to comment #4)
> I'm not sure. I think it should be in the default config file (it isn't on
> Alpha5plus),

I submitted the package last week after Alpha5+ was already out.

> but IMHO there should be a possibility to manually remove it. If
> yast2-ldap-client would silently add it again the next time the user runs the
> configuration, it might not be what (s)he expects. Don't you agree?

Hm, you are probably correct. We should just make sure that yast2-ldap-client doesn't touch those values at all. But I guess that's how it behaves currently, doesn't it?
jsuchome@novell.com changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                |NEEDINFO
      Info Provider|                        |rhafer@novell.com

------- Comment #6 from jsuchome@novell.com 2006-10-25 02:32 MST -------
> Hm, you are probably correct. We should just make sure that yast2-ldap-client
> doesn't touch those values at all. But I guess that's how it behaves
> currently, doesn't it?

Exactly :-) The only other reliable option I see is adding an option for this to the UI. Would it make sense, or is it too technical? (Anyway, it wouldn't go into 10.2.) Feel free to either close the bug as FIXED (by your change of the default config) or create a FATE entry for the UI enhancement.
rhafer@novell.com changed:

           What    |Removed                 |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                |RESOLVED
      Info Provider|rhafer@novell.com       |
         Resolution|                        |FIXED

------- Comment #7 from rhafer@novell.com 2006-10-25 02:41 MST -------
I'll close it as fixed for now.