[Bug 623886] New: no login possible over ldap server
http://bugzilla.novell.com/show_bug.cgi?id=623886
http://bugzilla.novell.com/show_bug.cgi?id=623886#c0

           Summary: no login possible over ldap server
    Classification: openSUSE
           Product: openSUSE 11.3
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 11.3
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: hiller@mpia-hd.mpg.de
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.6) Gecko/20100626 SUSE/3.6.6-1.2 Firefox/3.6.6

I installed opensuse 11.3 on x86_64. Everything works, except ldap.

First: On the previous OS versions including opensuse 11.2 everything was working perfectly. Now with 11.3 I cannot login anymore with an ldap user account (local logins are working).

These ldap/pam/nscd packages are installed on my opensuse 11.3 machine:

~> rpm -qa | grep ldap
libldap-2_4-2-32bit-2.4.21-9.1.x86_64
nss_ldap-32bit-265-4.2.x86_64
yast2-ldap-2.17.3-12.2.x86_64
nss_ldap-265-4.2.x86_64
libldap-2_4-2-2.4.21-9.1.x86_64
libldapcpp1-0.2.1-3.2.x86_64
openldap2-2.4.21-9.1.x86_64
pam_ldap-185-4.2.x86_64
openldap2-client-2.4.21-9.1.x86_64
pam_ldap-32bit-185-4.2.x86_64
yast2-ldap-client-2.19.2-1.4.noarch
openldap2-devel-2.4.21-9.1.x86_64

~> rpm -qa | grep pam
gnome-keyring-pam-2.30.1-2.11.x86_64
pam-modules-32bit-11.2-8.1.x86_64
pam-modules-11.2-8.1.x86_64
pam-32bit-1.1.1.90-1.6.x86_64
pam_apparmor-2.3-57.1.x86_64
pam-config-0.73-2.10.x86_64
pam_apparmor-32bit-2.3-57.1.x86_64
gnome-keyring-pam-32bit-2.30.1-2.11.x86_64
pam-1.1.1.90-1.6.x86_64
pam_ldap-185-4.2.x86_64
pam-devel-1.1.1.90-1.6.x86_64
pam_ldap-32bit-185-4.2.x86_64
yast2-pam-2.19.1-3.2.noarch

~> rpm -qa | grep nscd
libnscd-2.0.2-113.1.x86_64
nscd-2.11.2-2.4.x86_64
libnscd-32bit-2.0.2-113.1.x86_64

/etc/openldap/ldap.conf is a softlink to /etc/ldap.conf

In /etc/ldap.conf the line
    tls_cacertdir /etc/ssl/certs
is not commented. Since I deleted the comment sign 'getent passwd' shows all the users from the ldap server.

Now I try to login. Local users defined in /etc/passwd can login. When I try to login as an ldap user I get the following messages in /var/log/messages:

nss_ldap: could not search LDAP server - Server is unavailable
gkr-pam: error looking up user information for: [here is my user name]
User not known to the underlying authentication module

I can make two workarounds:

Login as an ldap user works when I activate in /etc/ldap.conf the line
    tls_checkpeer no
But then it does not check the tls certificate. This is not an acceptable solution for us.

The second workaround is to set in /etc/nscd.conf the line
    enable-cache passwd no
(no matter whether I use nscd or unscd)
Also this is not a solution, because the network traffic will rise even on simple commands like 'ls -l'

I have found in google that nscd has got a problem in 11.3, but what I found does not fit to my problem. Furthermore I do not know whether the reason for my problem is in ldap or nscd.

Here is the content of /etc/nscd.conf and /etc/ldap.conf

/etc/nscd.conf:

logfile /var/log/nscd.log
debug-level 4
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 0
suggested-size hosts 211
check-files hosts yes
persistent hosts no
shared hosts yes
max-db-size hosts 33554432
enable-cache services yes
positive-time-to-live services 28800
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes
max-db-size services 33554432

/etc/ldap.conf:

host [this is our ldap server]
base o=xxxxxxxx
ldap_version 3
bind_policy soft
pam_lookup_policy yes
pam_check_host_attr yes
pam_password crypt
ssl start_tls
ldap_version 3
pam_filter objectclass=posixAccount
nss_base_passwd ou=xxxxx,o=xxxxx
nss_base_shadow ou=xxxxx,o=xxxxx
nss_base_group ou=xxxxx,o=xxxxx
tls_cacertdir /etc/ssl/certs

Reproducible: Always

Steps to Reproduce:
1. activate nscd and login as an ldap user
2.
3.

Actual Results:
Login not possible for ldap. Login works only for local users

Expected Results:
Login fails. In /var/log/messages are the following messages:

nss_ldap: could not search LDAP server - Server is unavailable
gkr-pam: error looking up user information for: [here is my user name]
User not known to the underlying authentication module

Workarounds (both not recommendable):
1. Deactivate nscd or activate the line
       enable-cache passwd no
   in /etc/nscd.conf
2. activate the line
       tls_checkpeer no
   in /etc/ldap.conf

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=623886
http://bugzilla.novell.com/show_bug.cgi?id=623886#c1

Ulrich Hiller <hiller@mpia-hd.mpg.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hiller@mpia-hd.mpg.de

--- Comment #1 from Ulrich Hiller <hiller@mpia-hd.mpg.de> 2010-07-21 14:50:11 UTC ---
Here is the additional debug output from the ldap server:
=================================================
Jul 21 15:09:57 ldap-server slapd[81273]: slapd starting
Jul 21 15:10:08 ldap-server slapd[81273]: conn=1007 fd=21 ACCEPT from IP=nnn.nnn.nnn.nnn:51789 (IP=0.0.0.0:389)
Jul 21 15:10:08 ldap-server slapd[81273]: conn=1007 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 21 15:10:08 ldap-server slapd[81273]: conn=1007 op=0 STARTTLS
Jul 21 15:10:08 ldap-server slapd[81273]: conn=1007 op=0 RESULT oid= err=0 text=
Jul 21 15:10:08 ldap-server slapd[81273]: conn=1007 fd=21 closed (TLS negotiation failure)
Jul 21 15:10:08 ldap-server slapd[81273]: conn=1008 fd=21 ACCEPT from IP=nnn.nnn.nnn.nnn:51790 (IP=0.0.0.0:389)
Jul 21 15:10:08 ldap-server slapd[81273]: conn=1008 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 21 15:10:08 ldap-server slapd[81273]: conn=1008 op=0 STARTTLS
Jul 21 15:10:08 ldap-server slapd[81273]: conn=1008 op=0 RESULT oid= err=0 text=
Jul 21 15:10:08 ldap-server slapd[81273]: conn=1008 fd=21 closed (TLS negotiation failure)
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 fd=23 ACCEPT from IP=nnn.nnn.nnn.nnn:51791 (IP=0.0.0.0:389)
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=0 STARTTLS
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=0 RESULT oid= err=0 text=
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 fd=23 TLS established tls_ssf=256 ssf=256
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=1 BIND dn="" method=128
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=1 RESULT tag=97 err=0 text=
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=2 SRCH base="ou=xxxxx,o=xxxxx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=[Benutzername]))"
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=2 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: search access to "ou=xxxxx,o=xxxxx" "entry" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [1] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [2] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] matched
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [3] attr entry
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: access to entry "ou=xxxxx,o=xxxxx", attr "entry" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: to all values by "", (=0)
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: *
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] mask: read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => slap_access_allowed: search access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: search access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: search access to "uid=[Benutzername],ou=xxxxx,o=xxxxx" "objectClass" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [1] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [2] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] matched
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [3] attr objectClass
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: access to entry "uid=[Benutzername],ou=xxxxx,o=xxxxx", attr "objectClass" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: to value by "", (=0)
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: *
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] mask: read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => slap_access_allowed: search access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: search access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: search access to "uid=[Benutzername],ou=xxxxx,o=xxxxx" "uid" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [1] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [2] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] matched
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [3] attr uid
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: access to entry "uid=[Benutzername],ou=xxxxx,o=xxxxx", attr "uid" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: to value by "", (=0)
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: *
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] mask: read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => slap_access_allowed: search access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: search access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access to "uid=[Benutzername],ou=xxxxx,o=xxxxx" "entry" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [1] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [2] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] matched
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [3] attr entry
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: access to entry "uid=[Benutzername],ou=xxxxx,o=xxxxx", attr "entry" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: to all values by "", (=0)
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: *
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] mask: read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => slap_access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: result not in cache (shadowLastChange)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access to "uid=[Benutzername],ou=xxxxx,o=xxxxx" "shadowLastChange" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [1] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [2] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] matched
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [3] attr shadowLastChange
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: access to entry "uid=[Benutzername],ou=xxxxx,o=xxxxx", attr "shadowLastChange" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: to value by "", (=0)
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: *
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] mask: read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => slap_access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: result not in cache (uidNumber)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access to "uid=[Benutzername],ou=xxxxx,o=xxxxx" "uidNumber" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [1] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [2] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] matched
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [3] attr uidNumber
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: access to entry "uid=[Benutzername],ou=xxxxx,o=xxxxx", attr "uidNumber" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: to value by "", (=0)
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: *
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] mask: read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => slap_access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: result not in cache (host)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access to "uid=[Benutzername],ou=xxxxx,o=xxxxx" "host" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [1] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [2] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] matched
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [3] attr host
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: access to entry "uid=[Benutzername],ou=xxxxx,o=xxxxx", attr "host" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: to value by "", (=0)
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: *
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] mask: read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => slap_access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: result not in cache (shadowMax)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access to "uid=[Benutzername],ou=xxxxx,o=xxxxx" "shadowMax" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [1] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [2] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] matched
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [3] attr shadowMax
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: access to entry "uid=[Benutzername],ou=xxxxx,o=xxxxx", attr "shadowMax" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: to value by "", (=0)
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: *
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] mask: read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => slap_access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: result not in cache (shadowWarning)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access to "uid=[Benutzername],ou=xxxxx,o=xxxxx" "shadowWarning" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [1] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [2] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] matched
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [3] attr shadowWarning
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: access to entry "uid=[Benutzername],ou=xxxxx,o=xxxxx", attr "shadowWarning" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: to value by "", (=0)
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: *
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [1] mask: read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => slap_access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: read access granted by read(=rscxd)
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=3 BIND dn="uid=[Benutzername],ou=xxxxx,o=xxxxx" method=128
Jul 21 15:10:11 ldap-server slapd[81273]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: result not in cache (userPassword)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: auth access to "uid=[Benutzername],ou=xxxxx,o=xxxxx" "userPassword" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [1] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => dn: [2] ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] matched
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_get: [2] attr userPassword
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: access to entry "uid=[Benutzername],ou=xxxxx,o=xxxxx", attr "userPassword" requested
Jul 21 15:10:11 ldap-server slapd[81273]: => acl_mask: to value by "", (=0)
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: uid=[Benutzername],ou=xxxxx,o=xxxxx
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: self
Jul 21 15:10:11 ldap-server slapd[81273]: <= check a_dn_pat: anonymous
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 21 15:10:11 ldap-server slapd[81273]: <= acl_mask: [3] mask: auth(=xd)
Jul 21 15:10:11 ldap-server slapd[81273]: => slap_access_allowed: auth access granted by auth(=xd)
Jul 21 15:10:11 ldap-server slapd[81273]: => access_allowed: auth access granted by auth(=xd)
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=3 BIND dn="uid=[Benutzername],ou=xxxxx,o=xxxxx" mech=SIMPLE ssf=0
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=3 RESULT tag=97 err=0 text=
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=4 BIND anonymous mech=implicit ssf=0
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=4 BIND dn="" method=128
Jul 21 15:10:11 ldap-server slapd[81273]: conn=1011 op=4 RESULT tag=97 err=0 text=
Jul 21 15:10:14 ldap-server slapd[81273]: conn=1004 op=18 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 21 15:10:14 ldap-server slapd[81273]: conn=1011 op=5 UNBIND
Jul 21 15:10:14 ldap-server slapd[81273]: conn=1011 fd=23 closed

http://bugzilla.novell.com/show_bug.cgi?id=623886
http://bugzilla.novell.com/show_bug.cgi?id=623886#c

yang xiaoyu <xyyang@novell.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
                 CC|                                          |xyyang@novell.com
         AssignedTo|bnc-team-screening@forge.provo.novell.com |rhafer@novell.com

http://bugzilla.novell.com/show_bug.cgi?id=623886
http://bugzilla.novell.com/show_bug.cgi?id=623886#c2

Ulrich Hiller <hiller@mpia.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hiller@mpia.de

--- Comment #2 from Ulrich Hiller <hiller@mpia.de> 2010-08-02 09:42:20 UTC ---
I now found the reason: unscd.
On the netinstall CD which I took is unscd 0.45.5.1
With this version ldap works over tls.
After an online update (I do it always after an installation) unscd 0.45.6.1.1 is installed. With this version ldap over tls fails.

So, as a workaround you should not update unscd.

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c

Ralf Haferkamp <rhafer@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
             Status|NEW                         |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c3

Ralf Haferkamp <rhafer@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |hiller@mpia-hd.mpg.de

--- Comment #3 from Ralf Haferkamp <rhafer@novell.com> 2010-08-20 10:42:47 CEST ---
Hm, this might be related to AppArmor. Probably it denies (u)nscd the access to the required CA Certificate. Are you running AppArmor? If yes please check /var/log/audit/audit.log for suspicious messages.

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c4

--- Comment #4 from Ulrich Hiller <hiller@mpia-hd.mpg.de> 2010-08-20 11:07:03 UTC ---
yes, this solved it.
audit.log gives:

ype=APPARMOR_DENIED msg=audit(1281089493.659:12): operation="mkdir" pid=8710 parent=8709 profile="/usr/sbin/nscd" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/run/nscd/"
type=APPARMOR_STATUS msg=audit(1282294230.474:57): operation="profile_remove" pid=3852 name=/usr/sbin/nscd namespace=default
type=APPARMOR_STATUS msg=audit(1282294312.569:70): operation="profile_load" pid=3962 name=/usr/sbin/nscd

I do not know whether this is suspicious.
Additionally it gives a lot of

type=APPARMOR_DENIED msg=audit(1281101584.211:24): operation="open" pid=2421 parent=2294 profile="/usr/sbin/nscd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.pem"

Anyway, I did 'rcapparmor stop'. And then I could login.
Since I do not use apparmor at all this would be a solution for me. I never worked with apparmor, so I do not know whether there is a need for further debugging or whether there is only a configuration issue.

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c5

Ralf Haferkamp <rhafer@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
                 CC|                            |rhafer@novell.com
       InfoProvider|hiller@mpia-hd.mpg.de       |
         AssignedTo|rhafer@novell.com           |jeffm@novell.com

--- Comment #5 from Ralf Haferkamp <rhafer@novell.com> 2010-08-20 13:50:23 CEST ---
(In reply to comment #4)
> yes, this solved it.
> audit.log gives:
> ype=APPARMOR_DENIED msg=audit(1281089493.659:12): operation="mkdir" pid=8710 parent=8709 profile="/usr/sbin/nscd" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/run/nscd/"

This problem should have been fixed with the recent unscd update (the one that you did not install).

> I do not know whether this is suspicious.
> Additionally it gives a lot of
> type=APPARMOR_DENIED msg=audit(1281101584.211:24): operation="open" pid=2421 parent=2294 profile="/usr/sbin/nscd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.pem"

It seems /usr/share/ca-certificates is missing in /etc/apparmor.d/abstractions/ssl_certs; that should be the root cause of your initial problem.

re-assigning to apparmor-profiles maintainer

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c6

Ralf Haferkamp <rhafer@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alston@utdallas.edu

--- Comment #6 from Ralf Haferkamp <rhafer@novell.com> 2010-08-20 13:51:51 CEST ---
*** Bug 624709 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=624709

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c7

--- Comment #7 from David Alston <alston@utdallas.edu> 2010-08-20 19:40:49 UTC ---
I had been on Bug 624709 before (the one that was marked as a duplicate of this bug). When I add the following lines to /etc/apparmor.d/abstractions/ssl_certs it seems to work fine..

-snip-
/usr/share/ca-certificates/ r,
/usr/share/ca-certificates/* r,
/usr/share/ca-certificates/mozilla/ r,
/usr/share/ca-certificates/mozilla/* r,
/etc/openldap r,
/etc/openldap/cacerts r,
/etc/openldap/cacerts/* r,
-snip-

NOTE: we're using Verisign certs atm

I'm really glad to finally have a work-around for this.. thanks for everyone's help tracking it down :^)

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c8

--- Comment #8 from Ulrich Hiller <hiller@mpia-hd.mpg.de> 2010-08-23 07:34:33 UTC ---
this seems to be working on my system as well. Thanks a lot
My /etc/apparmor.d/abstractions/ssl_certs looks now like this:

/etc/ssl/ r,
/etc/ssl/certs/ r,
/etc/ssl/certs/* r,
/etc/share/ca-certificartes/ r,
/etc/share/ca-certificartes/* r,
/usr/share/ca-certificates/mozilla/ r,
/usr/share/ca-certificates/mozilla/* r,
/etc/openldap r,
/etc/openldap/cacerts r,
/etc/openldap/cacerts/* r,

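
The check behind comments #3 to #8, as an added example that is not part of the original thread or of AppArmor's tooling: it parses the APPARMOR_DENIED records quoted in comment #4 and reports which denied paths a set of abstraction rules still leaves uncovered. It assumes that the nscd profile includes the ssl_certs abstraction and that the abstraction originally held only the /etc/ssl rules; the function names are hypothetical and the glob matcher is a simplified approximation of AppArmor's path matching.

```python
import re

# key=value pairs of an audit record; values may be double-quoted
AUDIT_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# file rule of the form "<path glob> <permissions>,"
RULE = re.compile(r'^\s*(/\S*)\s+([a-z]+),\s*$')

# Records from comment #4 (the leading "t" lost in the first pasted record is restored).
AUDIT_LOG = '''\
type=APPARMOR_DENIED msg=audit(1281089493.659:12): operation="mkdir" pid=8710 parent=8709 profile="/usr/sbin/nscd" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/run/nscd/"
type=APPARMOR_STATUS msg=audit(1282294312.569:70): operation="profile_load" pid=3962 name=/usr/sbin/nscd
type=APPARMOR_DENIED msg=audit(1281101584.211:24): operation="open" pid=2421 parent=2294 profile="/usr/sbin/nscd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/usr/share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.pem"
'''

# Assumption: contents of abstractions/ssl_certs before the change.
SHIPPED = '''\
/etc/ssl/ r,
/etc/ssl/certs/ r,
/etc/ssl/certs/* r,
'''

# The lines added in comment #7.
ADDED = '''\
/usr/share/ca-certificates/ r,
/usr/share/ca-certificates/* r,
/usr/share/ca-certificates/mozilla/ r,
/usr/share/ca-certificates/mozilla/* r,
/etc/openldap r,
/etc/openldap/cacerts r,
/etc/openldap/cacerts/* r,
'''


def glob_to_regex(glob):
    """Translate a path glob: '*' stays inside one path component, '**' crosses '/'."""
    out, i, n = [], 0, len(glob)
    while i < n:
        after_slash = i > 0 and glob[i - 1] == "/"
        if glob.startswith("**", i):
            out.append("[^/].*" if after_slash and i + 2 == n else ".*")
            i += 2
        elif glob[i] == "*":
            # a '*' standing for a whole component must match at least one character,
            # so "/dir/*" does not also match the directory "/dir/" itself
            whole = after_slash and (i + 1 == n or glob[i + 1] == "/")
            out.append("[^/]+" if whole else "[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))


def parse_rules(text):
    """Return [(compiled path pattern, set of permission letters)] for each file rule."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return rules


def parse_denials(log_text):
    """Return [(profile, path, set of requested permissions)] for APPARMOR_DENIED records."""
    denials = []
    for line in log_text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in AUDIT_KV.findall(line)}
        if fields.get("type") != "APPARMOR_DENIED":
            continue  # profile_load / profile_remove status records are not denials
        perms = set(fields.get("requested_mask", "").split(":")[0])
        denials.append((fields["profile"], fields["name"], perms))
    return denials


def uncovered(denials, rules):
    """Denials for which no single rule matches the path and grants every requested permission."""
    missing = set()
    for profile, path, perms in denials:
        if not any(rx.fullmatch(path) and perms <= granted for rx, granted in rules):
            missing.add((profile, path, "".join(sorted(perms))))
    return sorted(missing)


if __name__ == "__main__":
    denials = parse_denials(AUDIT_LOG)
    for label, rule_text in (("before", SHIPPED), ("after", SHIPPED + ADDED)):
        print(label)
        for profile, path, perms in uncovered(denials, parse_rules(rule_text)):
            print(f"  {profile}: still denied {perms} on {path}")
```

The write denial on /var/run/nscd/ stays uncovered after the abstraction change, which matches comment #5: it is a separate problem from the CA certificate read denial.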
https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c9

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |ASSIGNED
  Status Whiteboard|        |fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles

--- Comment #9 from Jeff Mahoney <jeffm@novell.com> 2011-01-11 14:34:53 UTC ---
Fix committed to my apparmor 11.3 branch. It will be part of the next apparmor-profiles rollup.

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c10

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #10 from Jeff Mahoney <jeffm@novell.com> 2011-01-17 17:26:52 UTC ---
Closing as fixed.

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c11

Klaus Slott <k.slott@vink-slott.dk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |k.slott@vink-slott.dk

--- Comment #11 from Klaus Slott <k.slott@vink-slott.dk> 2011-05-09 14:45:49 UTC ---
Sorry, but I have just been hit by this bug on a 11.4 client. Is this patch still pending, or is a separate bugreport/patch needed for 11.4?

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c12

--- Comment #12 from Ralf Haferkamp <rhafer@novell.com> 2011-05-10 16:02:36 CEST ---
(In reply to comment #11)
> Sorry, but I have just been hit by this bug on a 11.4 client. Is this patch
> still pending, or is a separate bugreport/patch needed for 11.4?

There should be no patch needed for 11.4. The required changes to the apparmor profile are part of the 11.4 release already. (You can find them in /etc/apparmor.d/abstractions/ldapclient on 11.4). What makes you think you are hitting this exact problem on 11.4? It'd probably be better to file a separate report for your problem.

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c13

--- Comment #13 from Klaus Slott <k.slott@vink-slott.dk> 2011-05-12 12:24:57 UTC ---
My fault! I had other issues preventing ldap login from a 11.4 client and just assumed that the correction should go to /etc/apparmor.d/abstractions/ssl_certs as described above.

Sorry about the noise.

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c

Swamp Workflow Management <swamp@suse.de> changed:

Status Whiteboard
  Removed: fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles
  Added:   fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles maint:running:50809:moderate

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c

Swamp Workflow Management <swamp@suse.de> changed:

Status Whiteboard
  Removed: fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles maint:running:50809:moderate
  Added:   fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c

Swamp Workflow Management <swamp@suse.de> changed:

Status Whiteboard
  Removed: fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles
  Added:   fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles maint:running:50809:moderate

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c14

Swamp Workflow Management <swamp@suse.de> changed:

Status Whiteboard
  Removed: fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles maint:running:50809:moderate
  Added:   fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles maint:running:50809:moderate maint:released:sle11-sp2:50817

--- Comment #14 from Swamp Workflow Management <swamp@suse.de> 2013-01-31 20:05:30 UTC ---
Update released for: apparmor-profiles
Products:
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

https://bugzilla.novell.com/show_bug.cgi?id=623886
https://bugzilla.novell.com/show_bug.cgi?id=623886#c

Swamp Workflow Management <swamp@suse.de> changed:

Status Whiteboard
  Removed: fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles maint:running:50809:moderate maint:released:sle11-sp2:50817
  Added:   fix in home:jeff_mahoney:branches:openSUSE:11.3:Update:Test/apparmor-profiles maint:released:sle11-sp2:50817

http://bugzilla.novell.com/show_bug.cgi?id=623886
http://bugzilla.novell.com/show_bug.cgi?id=623886#c15

--- Comment #15 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (623886) was mentioned in
https://build.opensuse.org/request/show/58682 Factory / apparmor