[Bug 424942] [NEW] libnss-ldap prevents user authentication when ldap hosts lookup enabled

Ray Robert rrobert at hostbaby.com
Sat Sep 5 19:27:47 BST 2009


Public bug reported:

Binary package hint: libnss-ldap

Using a Hardy OpenLDAP server for users, passwords, and hosts.  On the
server itself everything works fine.  All packages current.  Anonymous
read access is permitted.  Not using TLS.

On a Hardy client, user and password authentication works fine.  Can
search out and read Hosts entries.  However, if I turn on DNS
authentication by changing the relevant /etc/nsswitch.conf line to

   hosts:  files ldap dns

then not only does name resolution not work at all, but no new users can
log in and no existing users can sudo until I restore the line to

   hosts:  files dns

User authentication lines are:
   passwd: files ldap
   group: files ldap
   shadow: files ldap
and as I say work fine when LDAP hosts lookup isn't enabled.  So there are no issues in the PAM common-* files.

The /etc/ldap.conf file is vanilla:

base dc=myco,dc=com
# "ldap1" is defined in /etc/hosts, although same result when I used IP
uri ldap://ldap1.myco.com/
ldap_version 3
pam_password md5
nss_base_passwd ou=People,dc=myco,dc=com
nss_base_shadow ou=People,dc=myco,dc=com
nss_base_group ou=group,dc=myco,dc=com
nss_base_hosts ou=Hosts,dc=myco,dc=com
nss_initgroups_ignoreusers backup,bin,daemon,Debian-exim,dhcp,dovecot,ftp,games,gnats,irc,klog,libuuid,list,logcheck,lp,mail,man,mysql,news,postfix,proftpd,proxy,root,sshd,statd,sync,sys,syslog,uucp

FWIW /etc/resolv.conf points to external (non-Hardy) DNS.

Neither client nor server has nscd, but installing and running it on
the client made no difference.  Likewise, attempting to bind to the LDAP
server as manager made no difference.  Am in the process of switching
over to libnss-ldapd, although I am concerned about the number of
problems reported with it, too.

** Affects: libnss-ldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
libnss-ldap prevents user authentication when ldap hosts lookup enabled 
https://bugs.launchpad.net/bugs/424942
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.


