Date: Wed, 15 Apr 2009 10:33:25 +0200 (CEST)
From: Konrad Heuer <kheuer2@gwdg.de>
To: freebsd-questions@freebsd.org
Cc: freebsd-hackers@freebsd.org
Message-ID: <20090415102209.T34961@gwdu60.gwdg.de>
Subject: Problem: FreeBSD 7.x && ssh v2 && nss_ldap

I see a problem on two systems running FreeBSD 7.0 or 7.1 which are configured as OpenLDAP clients using the nss_ldap module. When someone logs on using ssh protocol version 2, the session will not be initialized correctly. The user will only get his primary group affiliation but no affiliation to other groups (memberUid attribute in LDAP group entries). On 7.1 the ssh login process hangs forever with open ldap queries; on 7.0 the group list is incomplete. On several 6.x systems, all works correctly. I have used the configuration for years now.

There are some workarounds I found:

a) use ssh protocol version 1
b) set UseLogin to yes in sshd_config
c) avoid ssl encryption in communication to the ldap server (ldap://... uri instead of ldaps://... in ldap.conf)

Does anybody see similar problems? Does anybody have an idea what may cause the problem?

Best regards

Konrad Heuer
GWDG, Am Fassberg, 37077 Goettingen, Germany, kheuer2@gwdg.de
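All three workarounds above weaken the host (SSH protocol 1, UseLogin, plaintext LDAP), so an admin who applies one to get past the hang will want to find it again later. The following audit function is an added example, not code from the original mail: it takes the paths of an sshd_config and an nss_ldap ldap.conf as arguments (assumed layout) and prints one line per workaround it finds; the sample configs are constructed here for demonstration.

```shell
#!/bin/sh
# Print one finding per risky workaround present in the given config files.
# Usage: audit_workarounds /etc/ssh/sshd_config /usr/local/etc/ldap.conf
audit_workarounds() {
    sshd_conf="$1"
    ldap_conf="$2"
    # a) "Protocol 1" or "Protocol 2,1": SSH protocol version 1 is offered
    if grep -Eiq '^[[:space:]]*Protocol[[:space:]]+([0-9]+,)*1([^0-9]|$)' "$sshd_conf"; then
        echo "sshd_config: SSH protocol version 1 enabled (workaround a)"
    fi
    # b) UseLogin yes: session setup handed to login(1) instead of sshd
    if grep -Eiq '^[[:space:]]*UseLogin[[:space:]]+yes' "$sshd_conf"; then
        echo "sshd_config: UseLogin yes (workaround b)"
    fi
    # c) uri with plain ldap:// (ldaps:// does not match this pattern)
    if grep -Eiq '^[[:space:]]*uri[[:space:]]+.*ldap://' "$ldap_conf"; then
        echo "ldap.conf: unencrypted ldap:// uri (workaround c)"
    fi
}

# Constructed sample files so the check runs offline.
tmpdir=$(mktemp -d)
cat > "$tmpdir/sshd_config.bad" <<'EOF'
# constructed sample: both ssh-side workarounds applied
Protocol 2,1
UseLogin yes
EOF
cat > "$tmpdir/sshd_config.ok" <<'EOF'
# constructed sample: defaults kept
Protocol 2
#UseLogin no
EOF
cat > "$tmpdir/ldap.conf.bad" <<'EOF'
# constructed sample: TLS dropped to dodge the hang
uri ldap://ldap.example.org/
base dc=example,dc=org
EOF
cat > "$tmpdir/ldap.conf.ok" <<'EOF'
# constructed sample: still talking ldaps
uri ldaps://ldap.example.org/
base dc=example,dc=org
EOF

audit_workarounds "$tmpdir/sshd_config.bad" "$tmpdir/ldap.conf.bad"
```

Run it against the real paths on each host once the underlying nss_ldap problem is fixed; an empty output means none of the three workarounds is still in place.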