Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 20969

Summary: LDAP lookup fails with nss_ldap-122-1.6
Product: [Retired] Red Hat Linux Reporter: Peter Bates <peter.bates>
Component: nss_ldapAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED CANTFIX QA Contact: Aaron Brown <abrown>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-10-18 18:01:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Peter Bates 2000-11-16 18:22:38 UTC 
I am running Redhat 6.2 on a number of boxes.
They are currently using:

openldap-devel-1.2.9-6
openldap-1.2.9-6
nss_ldap-122-1.6

And /etc/ldap.conf is set to perform LDAP lookups in the clear
from an external host (a Novell Netware 5.x server running an
LDAP interface into Novell's NDS)...

Altered lines in /etc/ldap.conf:

host x.x.x.x
base o=company-name
deref always
ldap_version 3
pam_filter objectclass=alias
pam_login_attribute cn

Contents of /etc/pam.d/ftp (for instance)

#%PAM-1.0
auth       required     /lib/security/pam_listfile.so item=user sense=deny 
file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_shells.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_pwdb.so
#session    sufficient  /lib/security/pam_ldap.so
session    required     /lib/security/pam_pwdb.so

This configuration works fine with nss_ldap-105-1
but stops working with the new errate release of nss_ldap.

PAM is pam-0.72-20

Ldapsearch from openldap works fine, it is the nss_ldap
that fails to work.

Regressing to nss_ldap-105-1 solves the problem without
any other changes to the system.

In both cases tcpdump clearly shows traffic passing from 
the server running nss_ldap to my LDAP server and returning,
but I don't know how to verify if the results are getting 
mangled somewhere along the line...
Comment 1 Nalin Dahyabhai 2000-11-20 21:39:51 UTC 
IIRC OpenLDAP 1.2 does not support LDAP version 3 queries.  Does "getent passwd
username" pull up the correct information?
Comment 2 Peter Bates 2000-11-21 14:40:41 UTC 
The system still does not work with
ldap_version 3
commented out in /etc/ldap.conf, whereas
with this line in, all works fine under nss_ldap-105-1
which I am still using.

I haven't been successful in installing a later revision
(e.g. nss_ldap-113), or building 122 from source.

Can you explain exactly how to use "getent passwd username"?

I have in /etc/nsswitch.conf:

passwd:     ldap files

But the user I am testing has a local account,
but a password retrieved/authenticated via LDAP.

getent passwd anstpbat (for example)

returns my entry from /etc/passwd...

Am I just trying to use some functionality that has
disappeared, or do I need to migrate my users full details
into the Novell system (which after all, isn't a native LDAP system) ?

The system is quite clearly working fine in the older version, however...
Comment 3 Bill Nottingham 2006-10-18 18:01:03 UTC 
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
If this issue is still present in a current Fedora Core release, please
open a new bug with the relevant information.

Closing as CANTFIX.