From: Benjamin Lee
Date: Wed, 15 Apr 2009 12:14:48 -0700
To: Konrad Heuer
Cc: freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Problem: FreeBSD 7.x && ssh v2 && nss_ldap
Message-ID: <49E63228.3090409@b1c1l1.com>
In-Reply-To: <20090415102209.T34961@gwdu60.gwdg.de>

On 04/15/2009 01:33 AM, Konrad Heuer wrote:
>
> I see a problem on two systems running FreeBSD 7.0 or 7.1 which are
> configured as OpenLDAP clients using the nss_ldap module.
>
> When someone logs on using ssh protocol version 2 the session will not
> be initialized correctly.
> The user will only get his primary group
> affiliation but no affiliation to other groups (memberUid attribute in
> LDAP group entries).
>
> On 7.1 the ssh login process hangs forever with open ldap queries, on
> 7.0 the group list is incomplete. On several 6.x systems, all works
> correctly.
> I have used the configuration for years now.
>
> There are some workarounds I found:
>
> a) use ssh protocol version 1
> b) set UseLogin to yes in sshd_config
> c) avoid ssl encryption in communication to ldap server
>    (ldap://... uri instead of ldaps://... in ldap.conf)
>
> Does anybody see similar problems? Does anybody have an idea what may
> cause the problem?

I recently submitted ports/133501 regarding this issue, but I have not
yet received a response.

My workaround was to disable pthread_atfork support, so the problem
might be related to the change from libkse to libthr in RELENG_7.

--
Benjamin Lee
http://www.b1c1l1.com/
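
A way to confirm the symptom discussed in this thread from inside an ssh session, as an added example that is not part of the original messages: it compares the supplementary GIDs the login process actually holds with the groups that list the user as a member in the name service. The function names and the sample group lines are constructed for illustration; it assumes `id(1)`, `getent(1)` and `awk` are available on the host.

```shell
#!/bin/sh
# Added example: detect a session whose supplementary groups were not
# initialised from the directory (memberUid entries served via nss_ldap).

# groups_for_user USER
# Reads group(5)-format lines (name:passwd:gid:member,member) on stdin and
# prints the GID of every group that lists USER as a member.
groups_for_user() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $3
    }'
}

# missing_gids "SESSION_GIDS" "EXPECTED_GIDS"
# Prints each expected GID that is absent from the space-separated session list.
missing_gids() {
    for g in $2; do
        case " $1 " in
            *" $g "*) ;;                 # the session holds this group
            *) printf '%s\n' "$g" ;;     # the name service says it should
        esac
    done
}

# check_session: run inside the ssh login under test.
# "id -G" without a user argument reports the credentials of the calling
# process, not a fresh database lookup, so it shows what sshd really set.
check_session() {
    user=$(id -un)
    expected=$(getent group | groups_for_user "$user")
    missing_gids "$(id -G)" "$expected"
}

# Demo on constructed data: alice is a member of wheel, staff and ldapdev,
# but her session only carries her primary group 1001 and staff (20).
SAMPLE_GROUPS='wheel:*:0:root,alice
staff:*:20:alice,bob
ldapdev:*:5001:alice
ops:*:5002:bob'
missing_gids "1001 20" "$(printf '%s\n' "$SAMPLE_GROUPS" | groups_for_user alice)"
# prints 0 and 5001, one per line
```

Empty output from `check_session` means the session holds every group the directory assigns to the user; any GID printed is a membership the login did not receive.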