
Re: 8 principal limitation in openldap



This thread is a good example of why top-posting sucks ...

On Friday, 25 March 2011 17:27:10 Kevin Josue Zambrano Chavez wrote:
> On Fri, Mar 25, 2011 at 10:23 AM, Marco Pizzoli <marco.pizzoli@gmail.com> wrote:
> > Hi,
> > I could be corrected if I'm wrong, but this problem is not related to
> > OpenLDAP. It's a nss_ldap problem.
> > nss_ldap is a client library that's used by linux vendors to achieve
> > seamless integration of users against *a* LDAP server.
> > 
> > I had a similar problem with a complex configuration and bypassed (not
> > solved) the problem by modifying my client configuration.
> > 
> > I reduced the number of ldap server configured to be accessed: from 4 to
> > 3. I reduced the number of users defined in
> > *nss_initgroups_ignoreusers* directive: I had about 40 listed in it...

IMHO, this is the wrong fix anyway, but most likely has nothing to do with the 
OP's problem.

> > 
> > Etc...
> > 
> > Make some tries and tell me if you can solve it.
> > 
> > Marco
> > 
> > On Thu, Mar 24, 2011 at 9:25 PM, Srivatsav M <srivatsav.mudumba@gmail.com> wrote:
> >> Hi,
> >> 
> >> We are using OpenLDAP for authenticating users registered in a LDAP
> >> server (Open LDAP, Active Directory).

Which one? Or both?

> >> After adding 8 principals
> >> (/etc/ldap.conf), none of the users registered in the /etc/ldap.conf
> >> file are able to login.

Users shouldn't be "registered in the /etc/ldap.conf file".

> >> 
> >> nss_base_passwd OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
> >> nss_base_shadow OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
> >> nss_base_group OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
> >> 

Please supply a full copy of your /etc/ldap.conf, or at least a representative 
one, and provide the example output of 'getent passwd username' and 'groups 
username' for the user who doesn't authenticate. You may also want to supply 
the relevant PAM configuration files.

Also, please provide details of your LDAP client (distribution release, what 
versions of nss_ldap and pam_ldap you are running).

> >> 
> >> Can you please share the reason for this 7 limitation in the open ldap
> >> library, or how I can fix this issue. I am looking for the header file
> >> in the source files which has this constant or limitation defined.
> >> 
> >>  Tried googling, but it appears that no one has encountered this issue.
> >> 
> >> Some customers are running into this issue and it has become a severity
> >> 1 issue to fix.
> >> 

[...]

> Hi all,
> 
> Have you tried with "nss-ldapd" [1] [2], a fork from NSS LDAP Package from
> PADL Software Pty Ltd.?

Do we know what the actual problem is? Do we know it would be solved by 
nss-ldapd?

There might be a simple misunderstanding here, or a simple configuration 
problem, and switching software might not solve that.

Additionally, the distribution in question may have a different preferred LDAP 
client.

Regards,
Buchan
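As an added example (not part of the thread, and not code from the OpenLDAP, nss_ldap or nss-ldapd projects), the following POSIX shell script gathers the diagnostics Buchan asks for: whether NSS resolves a given account, that account's groups, and a read-back of the `nss_base_*` and `nss_initgroups_ignoreusers` directives from an nss_ldap-style `/etc/ldap.conf`. The embedded configuration is constructed for illustration; its `example.invalid` DNs and the `ldap.example.invalid` host are placeholders, not a real site, and the script parses that sample rather than the real `/etc/ldap.conf` so it runs anywhere. It makes the point of the reply concrete: users are looked up through NSS at the search bases the directives name, not "registered" in the file itself.

```shell
#!/bin/sh
# Added diagnostic helper; not from the mailing-list thread or any project.
# Collects what the reply asks for: does NSS resolve the user, what groups
# does it have, and what nss_base_* search bases is nss_ldap configured with.

# Constructed sample of an nss_ldap-style /etc/ldap.conf (placeholder DNs).
SAMPLE_CONF='# constructed sample, not a real /etc/ldap.conf
uri ldap://ldap.example.invalid/
base dc=example,dc=invalid
nss_base_passwd ou=people,dc=example,dc=invalid?one
nss_base_shadow ou=people,dc=example,dc=invalid?one
nss_base_group  ou=groups,dc=example,dc=invalid?one
nss_initgroups_ignoreusers root,ldap,nscd
'

# Print each nss_base_* directive as "map base scope filter".
# nss_ldap syntax is base?scope?filter; scope defaults to sub, filter is optional.
list_nss_bases() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep '^nss_base_' |
    while read -r map spec; do
        base=${spec%%\?*}
        rest=${spec#"$base"}; rest=${rest#\?}
        scope=${rest%%\?*}
        filter=${rest#"$scope"}; filter=${filter#\?}
        printf '%s %s %s %s\n' "$map" "$base" "${scope:-sub}" "${filter:--}"
    done
}

# How many NSS maps (passwd, shadow, group, ...) have an explicit search base.
count_nss_bases() {
    list_nss_bases "$1" | wc -l | tr -d ' '
}

# Number of accounts on nss_initgroups_ignoreusers. Shrinking this list (Marco's
# workaround) only changes which accounts skip the LDAP initgroups lookup.
count_ignored_users() {
    printf '%s\n' "$1" |
    awk '$1 == "nss_initgroups_ignoreusers" { print split($2, a, ","); exit }'
}

# Does NSS, via whatever backend nsswitch.conf selects, resolve this account?
# Returns 0 when found; getent exits 2 for "not found".
resolve_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# The 'getent passwd' and group membership output requested in the reply.
report_user() {
    if resolve_user "$1"; then
        printf 'passwd entry: %s\n' "$(getent passwd "$1")"
        printf 'groups:       %s\n' "$(id -Gn "$1" 2>/dev/null)"
    else
        printf 'user %s does not resolve through NSS\n' "$1"
        return 1
    fi
}

main() {
    echo "nss_base_* directives in the sample config (map base scope filter):"
    list_nss_bases "$SAMPLE_CONF"
    echo "accounts on nss_initgroups_ignoreusers: $(count_ignored_users "$SAMPLE_CONF")"
    # Pass the account that fails to log in as the first argument.
    report_user "${1:-root}"
}

main "$@"
```

Run it as `sh nss_diag.sh username` on the affected client; if `getent passwd username` returns nothing while `ldapsearch` against the same base finds the entry, the problem is on the NSS client side (nss_ldap configuration, nsswitch.conf, or the client library) rather than in the directory server.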