Bug 20969 - LDAP lookup fails with nss_ldap-122-1.6
Product: Red Hat Linux
Classification: Retired
Component: nss_ldap
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Aaron Brown
Reported: 2000-11-16 13:22 EST by Peter Bates
Modified: 2007-04-18 12:29 EDT
Doc Type: Bug Fix
Last Closed: 2006-10-18 14:01:03 EDT
Description Peter Bates 2000-11-16 13:22:38 EST
I am running Red Hat 6.2 on a number of boxes.
They are currently using:


And /etc/ldap.conf is set to perform LDAP lookups in the clear
from an external host (a Novell Netware 5.x server running an
LDAP interface into Novell's NDS)...

Altered lines in /etc/ldap.conf:

host x.x.x.x
base o=company-name
deref always
ldap_version 3
pam_filter objectclass=alias
pam_login_attribute cn

Contents of /etc/pam.d/ftp (for instance)

auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_shells.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_pwdb.so
#session    sufficient  /lib/security/pam_ldap.so
session    required     /lib/security/pam_pwdb.so

This configuration works fine with nss_ldap-105-1
but stops working with the new errata release of nss_ldap.

PAM is pam-0.72-20

ldapsearch from OpenLDAP works fine; it is nss_ldap
that fails to work.

Regressing to nss_ldap-105-1 solves the problem without
any other changes to the system.

In both cases tcpdump clearly shows traffic passing from 
the server running nss_ldap to my LDAP server and returning,
but I don't know how to verify if the results are getting 
mangled somewhere along the line...
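To make the PAM stack quoted above easier to reason about, here is an added example (not code from the bug report, from nss_ldap or from Linux-PAM) that parses a classic pam.d file and walks one management group the way Linux-PAM treats required, requisite, sufficient and optional entries. The /etc/pam.d/ftp text is the one from the report with the wrapped pam_listfile line re-joined; the per-module outcomes fed to it (pam_ldap failing because the directory does not answer, a user listed in /etc/ftpusers) are assumed scenarios, not observations from the report.

```python
"""Walk a Linux-PAM management-group stack (auth, account, ...) under assumed
per-module outcomes.  Added example, not from the bug report; the control-flag
rules follow the Linux-PAM documentation."""
import os
from collections import defaultdict

# Constructed input: the /etc/pam.d/ftp stack quoted in the report, with the
# pam_listfile line re-joined (the tracker had wrapped it).
PAM_FTP = """\
auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_shells.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_pwdb.so
#session    sufficient  /lib/security/pam_ldap.so
session    required     /lib/security/pam_pwdb.so
"""


def parse_pam_file(text):
    """Return {group: [(control, module, args)]} for a classic pam.d file."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        group, control, path = fields[0], fields[1].lower(), fields[2]
        module = os.path.basename(path)
        if module.endswith(".so"):
            module = module[:-3]
        stacks[group].append((control, module, fields[3:]))
    return dict(stacks)


def evaluate_stack(stack, outcomes):
    """Walk one group's stack.  `outcomes` maps module name -> True/False;
    modules not listed are assumed to succeed.  Returns (result, consulted)."""
    consulted = []
    required_failed = False
    optional_result = None
    saw_decisive = False
    for control, module, _args in stack:
        ok = outcomes.get(module, True)
        consulted.append(module)
        if control == "requisite":
            saw_decisive = True
            if not ok:
                return False, consulted       # abort the stack at once
        elif control == "required":
            saw_decisive = True
            if not ok:
                required_failed = True        # keep walking, but the stack fails
        elif control == "sufficient":
            saw_decisive = True
            if ok and not required_failed:
                return True, consulted        # short-circuit success
        elif control == "optional":
            optional_result = ok              # only counts if nothing else decides
        else:
            raise ValueError("unsupported control flag: %s" % control)
    if not saw_decisive and optional_result is not None:
        return optional_result, consulted
    return not required_failed, consulted


def simulate(text, group, outcomes):
    """Parse `text` and evaluate the `group` stack under `outcomes`."""
    return evaluate_stack(parse_pam_file(text)[group], outcomes)


if __name__ == "__main__":
    scenarios = [
        ("directory answers", {}),
        ("directory silent, local password ok", {"pam_ldap": False}),
        ("user listed in /etc/ftpusers", {"pam_listfile": False}),
    ]
    for label, outcomes in scenarios:
        result, consulted = simulate(PAM_FTP, "auth", outcomes)
        print("%-38s -> %s via %s" % (label, "PASS" if result else "FAIL", consulted))
```

The two things worth noticing in the output are that a successful `sufficient` pam_ldap stops the auth walk before pam_pwdb is ever consulted, and that a failed `required` pam_listfile poisons the stack so that a later pam_ldap success no longer short-circuits it.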
Comment 1 Nalin Dahyabhai 2000-11-20 16:39:51 EST
IIRC OpenLDAP 1.2 does not support LDAP version 3 queries.  Does "getent passwd
username" pull up the correct information?
Comment 2 Peter Bates 2000-11-21 09:40:41 EST
The system still does not work with
ldap_version 3
commented out in /etc/ldap.conf, whereas
with this line in, all works fine under nss_ldap-105-1
which I am still using.

I haven't been successful in installing a later revision
(e.g. nss_ldap-113), or building 122 from source.

Can you explain exactly how to use "getent passwd username"?

I have in /etc/nsswitch.conf:

passwd:     ldap files

But the user I am testing has a local account,
but a password retrieved/authenticated via LDAP.

getent passwd anstpbat (for example)

returns my entry from /etc/passwd...

Am I just trying to use some functionality that has
disappeared, or do I need to migrate my users' full details
into the Novell system (which, after all, isn't a native LDAP system)?

The system is quite clearly working fine in the older version, however...

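Since getent walks the nsswitch.conf sources left to right and stops at the first one that returns an entry, `getent passwd anstpbat` printing the /etc/passwd record under `passwd: ldap files` tells you the ldap source did not return anything for that name. The following added example (not part of the report; it assumes a glibc getent that accepts `-s SOURCE`, which the 2000-era glibc discussed here may not have) parses the nsswitch.conf line, queries each source on its own and compares the fields of any entries that both sources return, which is one way to check the description's worry about results being mangled in transit. The nsswitch excerpt, the passwd lines and the stand-in getent are constructed.

```python
"""Per-source NSS passwd probe.  Added example, not code from the bug report.
Assumes a glibc getent that understands `-s SOURCE` (later than the glibc in
the report); the `run` parameter lets the same logic be exercised against a
constructed stand-in instead of a live directory."""
import subprocess

# Constructed excerpt mirroring the nsswitch.conf line quoted in comment 2.
NSSWITCH_SAMPLE = """\
passwd:     ldap files
shadow:     files ldap
group:      files [NOTFOUND=return] ldap
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")


def nss_sources(nsswitch_text, database="passwd"):
    """Ordered sources for `database`, with action specifiers such as
    [NOTFOUND=return] dropped; getent consults them left to right and stops
    at the first one that yields an entry."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if sep and db.strip() == database:
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def parse_passwd_line(line):
    """Split a passwd(5) line into a dict, rejecting anything else."""
    fields = line.strip().split(":")
    if len(fields) != len(PASSWD_FIELDS):
        raise ValueError("not a passwd(5) line: %r" % line)
    return dict(zip(PASSWD_FIELDS, fields))


def probe_user(user, sources, run=subprocess.run):
    """Ask each source separately.  Returns {source: entry dict or None}."""
    results = {}
    for src in sources:
        proc = run(["getent", "-s", src, "passwd", user],
                   capture_output=True, text=True)
        ok = proc.returncode == 0 and proc.stdout.strip()
        results[src] = parse_passwd_line(proc.stdout) if ok else None
    return results


def explain(results, sources):
    """Return (source getent's normal walk would answer from, field
    disagreements between the first two sources that both know the user)."""
    answering = [s for s in sources if results.get(s)]
    winner = answering[0] if answering else None
    diffs = {}
    if len(answering) >= 2:
        a, b = results[answering[0]], results[answering[1]]
        diffs = {k: (a[k], b[k]) for k in PASSWD_FIELDS
                 if k != "passwd" and a[k] != b[k]}
    return winner, diffs


def fake_getent(table):
    """Stand-in for subprocess.run built from {source: passwd line}, so the
    probe runs offline on constructed data rather than a real lookup."""
    class _Proc:
        def __init__(self, rc, out):
            self.returncode, self.stdout = rc, out

    def run(cmd, **_kwargs):
        line = table.get(cmd[cmd.index("-s") + 1])
        return _Proc(0, line + "\n") if line else _Proc(2, "")
    return run


if __name__ == "__main__":
    sources = nss_sources(NSSWITCH_SAMPLE)           # ['ldap', 'files']
    # Situation from comment 2: the directory returns nothing, so the local
    # /etc/passwd entry is what a plain `getent passwd anstpbat` shows.
    only_local = fake_getent(
        {"files": "anstpbat:x:500:500:Peter:/home/anstpbat:/bin/bash"})
    print(explain(probe_user("anstpbat", sources, run=only_local), sources))
    # Both sources answer but disagree: the kind of mismatch to look for.
    both = fake_getent({
        "ldap": "anstpbat:x:1001:100:Peter Bates:/home/anstpbat:/bin/sh",
        "files": "anstpbat:x:500:500:Peter:/home/anstpbat:/bin/bash"})
    print(explain(probe_user("anstpbat", sources, run=both), sources))
```

On a live host, `probe_user(name, nss_sources(open("/etc/nsswitch.conf").read()))` with the default runner does the same walk against the real sources; a `None` for `ldap` beside a populated `files` entry is the signature of the situation described in comment 2.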
Comment 3 Bill Nottingham 2006-10-18 14:01:03 EDT
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
If this issue is still present in a current Fedora Core release, please
open a new bug with the relevant information.

Closing as CANTFIX.
