I am running Redhat 6.2 on a number of boxes. They are currently using:

    openldap-devel-1.2.9-6
    openldap-1.2.9-6
    nss_ldap-122-1.6

And /etc/ldap.conf is set to perform LDAP lookups in the clear from an external host (a Novell Netware 5.x server running an LDAP interface into Novell's NDS)...

Altered lines in /etc/ldap.conf:

    host x.x.x.x
    base o=company-name
    deref always
    ldap_version 3
    pam_filter objectclass=alias
    pam_login_attribute cn

Contents of /etc/pam.d/ftp (for instance):

    #%PAM-1.0
    auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth       required     /lib/security/pam_shells.so
    auth       sufficient   /lib/security/pam_ldap.so
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    account    sufficient   /lib/security/pam_ldap.so
    account    required     /lib/security/pam_pwdb.so
    #session   sufficient   /lib/security/pam_ldap.so
    session    required     /lib/security/pam_pwdb.so

This configuration works fine with nss_ldap-105-1 but stops working with the new errata release of nss_ldap. PAM is pam-0.72-20.

ldapsearch from openldap works fine; it is nss_ldap that fails to work. Regressing to nss_ldap-105-1 solves the problem without any other changes to the system.

In both cases tcpdump clearly shows traffic passing from the server running nss_ldap to my LDAP server and returning, but I don't know how to verify if the results are getting mangled somewhere along the line...
IIRC OpenLDAP 1.2 does not support LDAP version 3 queries. Does "getent passwd username" pull up the correct information?
The system still does not work with ldap_version 3 commented out in /etc/ldap.conf, whereas with this line in, all works fine under nss_ldap-105-1, which I am still using. I haven't been successful in installing a later revision (e.g. nss_ldap-113) or building 122 from source.

Can you explain exactly how to use "getent passwd username"? I have in /etc/nsswitch.conf:

    passwd: ldap files

The user I am testing has a local account, but a password retrieved/authenticated via LDAP. getent passwd anstpbat (for example) returns my entry from /etc/passwd...

Am I just trying to use some functionality that has disappeared, or do I need to migrate my users' full details into the Novell system (which, after all, isn't a native LDAP system)? The system is quite clearly working fine in the older version, however...
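As an added example (not part of the bug report, nor code from nss_ldap or Linux-PAM): a small Python simulation of how Linux-PAM walks the auth stack quoted from /etc/pam.d/ftp above and how glibc's nsswitch falls through "passwd: ldap files". The per-module verdicts and per-source lookup results are constructed inputs; the simulation assumes standard Linux-PAM control-flag semantics and glibc's default nsswitch actions (only SUCCESS stops the walk).

```python
"""Simulate PAM control flags and nsswitch fall-through for the reported setup.
Constructed example; no real LDAP server, PAM library or NSS module is touched."""

# (control, module) pairs as they appear in the reporter's /etc/pam.d/ftp auth stack.
FTP_AUTH_STACK = [
    ("required", "pam_listfile"),
    ("required", "pam_shells"),
    ("sufficient", "pam_ldap"),
    ("required", "pam_pwdb"),
]

def pam_auth_result(stack, verdicts):
    """Return 'PAM_SUCCESS' or 'PAM_AUTH_ERR' for a stack, given each module's verdict.

    Linux-PAM simple-control semantics used here:
      required   - failure is remembered but the remaining modules still run
      requisite  - failure ends the stack immediately with failure
      sufficient - success ends the stack with success unless an earlier
                   required module already failed; its failure is ignored
    A module missing from 'verdicts' is treated as failing (default deny).
    """
    required_failed = False
    for control, module in stack:
        ok = verdicts.get(module, False)
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return "PAM_AUTH_ERR"
        elif control == "sufficient" and ok and not required_failed:
            return "PAM_SUCCESS"          # pam_ldap alone settles auth here
    return "PAM_AUTH_ERR" if required_failed else "PAM_SUCCESS"

def nsswitch_lookup(sources, results):
    """Walk the sources of a nsswitch.conf line with glibc's default actions:
    SUCCESS returns; NOTFOUND, UNAVAIL and TRYAGAIN continue to the next source.
    Returns (source_that_answered, entry) or (None, None)."""
    for source in sources:
        status, entry = results.get(source, ("UNAVAIL", None))
        if status == "SUCCESS":
            return source, entry
    return None, None

if __name__ == "__main__":
    ok = {"pam_listfile": True, "pam_shells": True}
    print("ldap ok, no local pw :", pam_auth_result(FTP_AUTH_STACK, {**ok, "pam_ldap": True}))
    print("ldap down, no local pw:", pam_auth_result(FTP_AUTH_STACK, {**ok, "pam_ldap": False}))
    # Constructed /etc/passwd line; the ldap source answering UNAVAIL is what makes
    # "getent passwd anstpbat" print the local entry even with ldap listed first.
    local = "anstpbat:x:1000:1000::/home/anstpbat:/bin/sh"
    print(nsswitch_lookup(["ldap", "files"], {"ldap": ("UNAVAIL", None), "files": ("SUCCESS", local)}))
```

Because pam_ldap is only "sufficient", an LDAP failure in this stack silently hands authentication to pam_pwdb against the local shadow entry, which is the path that decides whether such a user can still log in.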
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Red Hat apologizes that these issues have not been resolved yet. We do want to make sure that no important bugs slip through the cracks. If this issue is still present in a current Fedora Core release, please open a new bug with the relevant information. Closing as CANTFIX.