Date: Thu, 26 Apr 2012 19:30:18 GMT
From: Eric Crist <ecrist@claimlynx.com>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/166987: net/nss_ldap: ports/152982 causes nss_ldap to not function on FreeBSD 9.0 for groups
Message-ID: <201204261930.q3QJUIe2032411@freefall.freebsd.org>
The following reply was made to PR ports/166987; it has been noted by GNATS.

From: Eric Crist <ecrist@claimlynx.com>
To: Michael Graziano <mikeg@bsd-box.net>
Cc: bug-followup@FreeBSD.org, Thomas Johnson <tom@claimlynx.com>
Subject: Re: ports/166987: net/nss_ldap: ports/152982 causes nss_ldap to not function on FreeBSD 9.0 for groups
Date: Thu, 26 Apr 2012 13:30:53 -0500

We have a FreeBSD 9.0 box installed with OpenLDAP 2.4.31, nss_ldap-1.265_7, and pam_ldap-1.8.6_2. Our LDAP server requires SSL, and the configuration is attached (redacted bits). We have 'file ldap' in nsswitch.conf for passwd, group, and sudoers. I've just built this on a completely clean system and can get the same behavior.

The following commands, for a user that ONLY exists in LDAP, show as follows:

user@bad-server:~-> id user
uid=118(user) gid=118(user) groups=118(user)
user@bad-server:~-> groups user
user

On a system that has had the patch in the PR removed, the same two commands show the following:

user@good-server:~-> id user
uid=118(user) gid=118(user) groups=118(user),0(wheel),800(prod),300(administrators),99(example),68(dialer),80(www)
user@good-server:~-> groups user
user wheel prod administrators example dialer www

Local groups work just fine. This problem cropped up originally when our users stopped being able to connect to our Samba server, which assigns shares based on group membership. Since none of the groups could be queried properly, nobody was authenticated successfully. On this particular server, only a couple of admins have shell. Going to the server and running the commands above proved nss_ldap non-functioning.

After some investigation, we backed out the mentioned patch, and group membership worked correctly.

***This was the only change we made.***

Attached are the id.log, with debug enabled in nss_ldap, redacted, as well as our ldap.conf (nss_ldap.conf is a symlink to this).

Attachment: id.log

root@faux-jag:/usr/ports/net/nss_ldap-> id user > ~/log.txt
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_init
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> do_close_no_unbind
nss_ldap: <== do_close_no_unbind (connection was not open)
nss_ldap: ==> _nss_ldap_add_uri
nss_ldap: <== _nss_ldap_add_uri: added URI ldap://server1.example.org
nss_ldap: ==> _nss_ldap_add_uri
nss_ldap: <== _nss_ldap_add_uri: added URI ldap://server2.example.org
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixAccount)(uid=user))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_start_tls
nss_ldap: :== do_open (TLS startup succeeded)
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_set_sockopts
nss_ldap: <== do_set_sockopts
nss_ldap: <== do_open (session connected to DSA)
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> do_parse_s
nss_ldap: ==> _nss_ldap_assign_userpassword
nss_ldap: <== _nss_ldap_assign_userpassword
nss_ldap: <== do_parse_s
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_initgroups_dyn (user=user)
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixAccount)(uid=user))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_start_tls
nss_ldap: :== do_open (TLS startup succeeded)
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_set_sockopts
nss_ldap: <== do_set_sockopts
nss_ldap: <== do_open (session connected to DSA)
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> _nss_ldap_ent_context_init_locked
nss_ldap: <== _nss_ldap_ent_context_init_locked
nss_ldap: ==> _nss_ldap_getent_ex
nss_ldap: ==> _nss_ldap_ent_context_init_locked
nss_ldap: <== _nss_ldap_ent_context_init_locked
nss_ldap: ==> _nss_ldap_search
nss_ldap: ==> do_init
nss_ldap: <== do_init (cached session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(|(memberUid=user)(uniqueMember=uid=user,ou=staff,ou=people,dc=example,dc=org)))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (cached session)
nss_ldap: <== do_open (cached session)
nss_ldap: ==> do_search
nss_ldap: <== do_search
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search
nss_ldap: ==> do_parse
nss_ldap: ==> do_result
nss_ldap: <== do_result
nss_ldap: ==> _nss_ldap_namelist_find
nss_ldap: <== _nss_ldap_namelist_find
nss_ldap: ==> _nss_ldap_ent_context_init_locked
nss_ldap: <== _nss_ldap_ent_context_init_locked
nss_ldap: ==> _nss_ldap_getent_ex
nss_ldap: ==> _nss_ldap_ent_context_init_locked
nss_ldap: <== _nss_ldap_ent_context_init_locked
nss_ldap: ==> _nss_ldap_search
nss_ldap: ==> do_init
nss_ldap: <== do_init (cached session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(uniqueMember=cn=user,ou=groups,ou=people,dc=example,dc=org))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (cached session)
nss_ldap: <== do_open (cached session)
nss_ldap: ==> do_search
nss_ldap: <== do_search
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search
nss_ldap: ==> do_parse
nss_ldap: ==> do_result
nss_ldap: <== do_result
nss_ldap: <== do_parse
nss_ldap: ==> _nss_ldap_search
nss_ldap: ==> do_init
nss_ldap: <== do_init (cached session)
nss_ldap: <== _nss_ldap_getent_ex
nss_ldap: ==> _nss_ldap_ent_context_release
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: <== _nss_ldap_ent_context_release
nss_ldap: ==> do_result
nss_ldap: <== do_result
nss_ldap: <== do_parse
nss_ldap: <== _nss_ldap_getent_ex
nss_ldap: ==> _nss_ldap_namelist_destroy
nss_ldap: <== _nss_ldap_namelist_destroy
nss_ldap: ==> _nss_ldap_ent_context_release
nss_ldap: ==> do_result
nss_ldap: <== do_result
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: <== _nss_ldap_ent_context_release
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_initgroups_dyn (not found)
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(gidNumber=118))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_start_tls
nss_ldap: :== do_open (TLS startup succeeded)
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_set_sockopts
nss_ldap: <== do_set_sockopts
nss_ldap: <== do_open (session connected to DSA)
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> do_parse_s
nss_ldap: ==> _nss_ldap_assign_userpassword
nss_ldap: <== _nss_ldap_assign_userpassword
nss_ldap: ==> _nss_ldap_namelist_find
nss_ldap: <== _nss_ldap_namelist_find
nss_ldap: ==> _nss_ldap_namelist_push (cn=user,ou=groups,ou=people,dc=example,dc=org)
nss_ldap: <== _nss_ldap_namelist_push
nss_ldap: ==> _nss_ldap_namelist_destroy
nss_ldap: <== _nss_ldap_namelist_destroy
nss_ldap: <== do_parse_s
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(gidNumber=118))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: ==> do_init
nss_ldap: <== do_init (initialized session)
nss_ldap: ==> do_ssl_options
nss_ldap: <== do_ssl_options
nss_ldap: ==> do_start_tls
nss_ldap: :== do_open (TLS startup succeeded)
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_set_sockopts
nss_ldap: <== do_set_sockopts
nss_ldap: <== do_open (session connected to DSA)
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> do_parse_s
nss_ldap: ==> _nss_ldap_assign_userpassword
nss_ldap: <== _nss_ldap_assign_userpassword
nss_ldap: ==> _nss_ldap_namelist_find
nss_ldap: <== _nss_ldap_namelist_find
nss_ldap: ==> _nss_ldap_namelist_push (cn=user,ou=groups,ou=people,dc=example,dc=org)
nss_ldap: <== _nss_ldap_namelist_push
nss_ldap: ==> _nss_ldap_namelist_destroy
nss_ldap: <== _nss_ldap_namelist_destroy
nss_ldap: <== do_parse_s
nss_ldap: ==> do_close
nss_ldap: <== do_close
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getbyname

Attachment: ldap.conf (sent as ldap.rtf)

# LDAP Configuration
URI ldap://server1.example.org ldap://server2.example.org
bind_timelimit 1
bind_policy soft
base dc=example,dc=org
ldap_version 3
scope sub
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1
TLS_CACERT /usr/local/etc/ca.crt

pam_filter &(objectclass=posixAccount)(clxEnabled=TRUE)
pam_check_host_attr yes
pam_login_attribute uid:caseExactMatch:
pam_member_attribute memberUid
pam_password crypt
pam_max_uid 999

nss_connect_policy oneshot
nss_base_group ou=groups,ou=people,dc=example,dc=org
nss_initgroups_ignoreusers root,ldap

sudoers_base ou=SUDOers,dc=example,dc=org

---
Eric F Crist
System Administrator
ClaimLynx, Inc
(952) 593-5969 x2301

On Apr 25, 2012, at 11:32:01, Michael Graziano wrote:

> Got my 9.x box up and running - no dice on reproducing the problem though.
> Tracing through nss_ldap's debug output doesn't show a problem, and
> nss_ldap is correctly instantiating the LDAP primary group and both local
> and LDAP member groups for my user.
>
> Can you tell me a little more about the environment this is happening in?
> - Is this a local user (/etc/passwd) or an LDAP user?
> - Is the user a member of any local groups? (and do those work?)
> - Is the user listed under "nss_initgroups_ignoreusers" in the nss_ldap
> config file?
>
> A copy of your nss_ldap.conf file (with sensitive bits redacted) might be
> helpful. Also if you have a box where you can compile with -DDEBUG in
> your CFLAGS and test the output from that should show us where things are
> going off the rails...
>
> Thanks!
>
> -MG
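A small parser for nss_ldap debug traces in the id.log format above, added here as an example and not part of the PR or of nss_ldap itself. It pulls out each _nss_ldap_initgroups_dyn pass, the posixGroup filters issued inside it and the status printed on its exit line, so a failing group lookup like the one reported can be spotted without reading the whole trace. The sample log is constructed and abridged from the attached id.log.

```python
import re
# Constructed sample, abridged from the attached id.log: a passwd lookup, the
# initgroups pass that ends in "(not found)", then the primary-gid lookup.
SAMPLE_LOG = """\
nss_ldap: ==> _nss_ldap_getbyname
nss_ldap: :== do_filter: (&(objectClass=posixAccount)(uid=user))
nss_ldap: <== _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_initgroups_dyn (user=user)
nss_ldap: :== do_filter: (&(objectClass=posixAccount)(uid=user))
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(|(memberUid=user)(uniqueMember=uid=user,ou=staff,ou=people,dc=example,dc=org)))
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(uniqueMember=cn=user,ou=groups,ou=people,dc=example,dc=org))
nss_ldap: <== _nss_ldap_initgroups_dyn (not found)
nss_ldap: ==> _nss_ldap_getbyname
nss_ldap: :== do_filter: (&(objectClass=posixGroup)(gidNumber=118))
nss_ldap: <== _nss_ldap_getbyname
"""
TRACE = re.compile(r"^nss_ldap: (==>|<==) (\w+)(?: \((.*)\))?$")  # entry/exit lines
FILTER = re.compile(r"^nss_ldap: :== do_filter: (.*)$")            # filter sent to the DSA

def initgroups_calls(log_text):
    """One dict per _nss_ldap_initgroups_dyn call: user, group filters, exit status."""
    calls, current = [], None
    for line in log_text.splitlines():
        t = TRACE.match(line)
        if t and t.group(2) == "_nss_ldap_initgroups_dyn":
            if t.group(1) == "==>":
                user = re.search(r"user=(\S+)", t.group(3) or "")
                current = {"user": user.group(1) if user else "?", "filters": [], "status": None}
            elif current is not None:
                current["status"] = t.group(3) or "ok"
                calls.append(current)
                current = None
            continue
        f = FILTER.match(line)
        if current is not None and f and "posixGroup" in f.group(1):
            current["filters"].append(f.group(1))
    return calls

def membership_attributes(ldap_filter):
    """Attributes a group filter matches on (memberUid, uniqueMember, ...)."""
    return set(re.findall(r"\((\w+)=", ldap_filter)) - {"objectClass"}

def diagnose(log_text):
    """Flag initgroups passes that searched for groups yet returned 'not found'."""
    report = []
    for call in initgroups_calls(log_text):
        if call["status"] == "not found" and call["filters"]:
            attrs = set().union(*(membership_attributes(f) for f in call["filters"]))
            report.append(f"user {call['user']}: {len(call['filters'])} group search(es) "
                          f"on {', '.join(sorted(attrs))} returned no membership")
    return report
```

Comparing the attributes the filters match on against the member attribute the directory actually populates (pam_member_attribute memberUid in the attached config) is the first thing to check when a pass comes back "not found".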