Date:      Mon, 18 May 2015 13:06:45 +0200 (CEST)
From:      Trond Endrestøl <Trond.Endrestol@fagskolen.gjovik.no>
To:        FreeBSD questions <freebsd-questions@freebsd.org>
Subject:   sysutils/screen and net/nss_ldap on stable/10, and LDAP on Novell NetWare 6.5 SP8
Message-ID:  <alpine.BSF.2.20.1505181238110.12303@mail.fig.ol.no>

Hi,

I decided to upgrade one of my production systems from stable/8, to 
stable/9, and finally to stable/10. All is well, except 
sysutils/screen.

GNU screen is the only software not capable of using LDAP after the 
upgrade. I didn't recompile the ports while the system ran stable/9, 
only after upgrading to stable/10.

I've traced the problem down to net/nss_ldap and getpwuid(). Luckily, 
this production system isn't in high demand, and only I use GNU screen 
on this system.

The log facility user is filled with:

May 18 10:40:24 <user.info> [HOSTNAME] screen: nss_ldap: failed to bind to LDAP server ldaps://ldap1.fqdn/: Can't contact LDAP server
May 18 10:40:24 <user.info> [HOSTNAME] screen: nss_ldap: failed to bind to LDAP server ldaps://ldap2.fqdn/: Can't contact LDAP server

To save some effort:

/usr/local/etc/ldap.conf is symlinked to openldap/ldap.conf
/usr/local/etc/ldap.secret is symlinked to openldap/ldap.secret
/usr/local/etc/nss_ldap.conf is symlinked to ldap.conf (see above)

/usr/local/etc/openldap/ldap.conf contains roughly:

uri                     ldaps://ldap1.fqdn/ ldaps://ldap2.fqdn/
base                    O=XXX
scope                   sub
tls_cacert              /etc/ssl/certs/somecert.cer
ssl                     on
ldap_version            3
binddn                  CN=[someproxyuser],OU=Proxyusers,O=XXX
bindpw                  [WITHHELD]
rootbinddn              CN=[administrativeAccount],OU=YYY,O=XXX
timeout                 15
network_timeout         15
pam_login_attribute     uid
pam_password            nds
nss_base_passwd         OU=ZZZ,O=XXX
nss_base_shadow         OU=ZZZ,O=XXX
nss_base_groups         OU=Unixgroups,O=XXX

ldap1.fqdn and ldap2.fqdn run Novell NetWare 6.5 SP8.

GNU screen works flawlessly with locally defined users. Login, both 
console and SSH, using LDAP defined users and groups works flawlessly, 
and the same goes for long listings of directories (ls -l).

I noticed net/nss-pam-ldapd in the ports collection. Is it worth the 
effort to switch from net/nss_ldap to net/nss-pam-ldapd?

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
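The post above traces the failure to getpwuid() inside screen while login and ls -l resolve the same LDAP users fine. A quick way to separate screen from the NSS backend is to perform the same lookup from a minimal program. The following is an added diagnostic written for this page, not code from the thread or from the screen or nss_ldap projects; it assumes only POSIX getpwuid_r()/getpwnam_r() (available on FreeBSD and Linux) and the file name nsscheck.c is an arbitrary choice.

```c
/* Added diagnostic (not from the thread): run the same NSS lookup that
 * GNU screen performs, getpwuid() on the caller's uid, outside of screen.
 * If it fails here too, the problem sits in the NSS backend (nss_ldap,
 * nslcd, nsswitch.conf) rather than in screen.
 * Build: cc -o nsscheck nsscheck.c   Run: ./nsscheck [uid]
 * Assumption: POSIX getpwuid_r/getpwnam_r (FreeBSD, Linux). */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define NSS_BUFSZ 16384   /* generous scratch space for the reentrant calls */

/* Resolve uid -> name -> uid through NSS.
 * Returns  1 if the uid resolves and its name maps back to the same uid,
 *          0 if NSS answered but has no such entry (or the round trip
 *            maps to a different uid),
 *         -1 if a backend reported an error; errno then holds the error
 *            returned by the NSS module (e.g. the LDAP module). */
int uid_roundtrips(uid_t uid)
{
    struct passwd pw, *res = NULL;
    char buf[NSS_BUFSZ], name[256];
    int rc;

    /* Step 1: the lookup screen does (reentrant variant). */
    rc = getpwuid_r(uid, &pw, buf, sizeof buf, &res);
    if (rc != 0) { errno = rc; return -1; }   /* backend error, not "unknown uid" */
    if (res == NULL) return 0;                /* all sources consulted, no entry */
    snprintf(name, sizeof name, "%s", pw.pw_name);

    /* Step 2: map the name back; a mismatch points at inconsistent
     * passwd data between the configured sources. */
    rc = getpwnam_r(name, &pw, buf, sizeof buf, &res);
    if (rc != 0) { errno = rc; return -1; }
    if (res == NULL) return 0;
    return pw.pw_uid == uid ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Default to the caller's uid, as screen would; accept a uid argument. */
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();

    switch (uid_roundtrips(uid)) {
    case 1:
        printf("uid %lu resolves and round-trips through NSS\n",
               (unsigned long)uid);
        return 0;
    case 0:
        printf("uid %lu: no passwd entry (NSS sources answered)\n",
               (unsigned long)uid);
        return 1;
    default:
        fprintf(stderr, "uid %lu: NSS backend error: %s\n",
                (unsigned long)uid, strerror(errno));
        return 2;
    }
}
```

Run it as the same user and in the same kind of session that runs screen, with the user facility log open alongside, so a "failed to bind" line can be matched to a specific lookup. Because the configuration above sets rootbinddn, nss_ldap binds with the ldap.secret credentials only when the effective uid is zero, so a run as root and a run as the unprivileged user exercise two different bind paths and are worth comparing.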
Message-ID: <5559CD42.1070708@FreeBSD.org>
Date: Mon, 18 May 2015 12:30:10 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: sysutils/screen and net/nss_ldap on stable/10, and LDAP on Novell NetWare 6.5 SP8
References: <alpine.BSF.2.20.1505181238110.12303@mail.fig.ol.no>
In-Reply-To: <alpine.BSF.2.20.1505181238110.12303@mail.fig.ol.no>
On 2015/05/18 12:06, Trond Endrestøl wrote:
> I noticed net/nss-pam-ldapd in the ports collection. Is it worth the
> effort to switch from net/nss_ldap to net/nss-pam-ldapd?

I've tried both nss_ldap and nss-pam-ldapd and I prefer the latter -- it
is built around a pretty nice 'nslcd' caching daemon and seems to run
more smoothly in general than nss_ldap.  Plus only one config file to
hook up both pam and nsswitch to LDAP, and it understands LDAP service
autodiscovery via SRV records.

	Cheers,

	Matthew

