Bug 568087 - Solaris 10 nss passwd db not working
Summary: Solaris 10 nss passwd db not working
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 1.2
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-02-24 18:42 UTC by Rob Crittenden
Modified: 2015-01-04 23:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 09:34:51 UTC
Embargoed:



Description Rob Crittenden 2010-02-24 18:42:21 UTC
Description of problem:

Reported by Andy Singleton:

I am installing IPA 1.2.2 client installation on one of our Solaris servers, and I can't seem to get the system to see the IPA users. “getent passwd” only returns local users, and no traffic is leaving the client for the IPA server for ldap.

I have followed the instructions from the documentation, but I definitely get the feeling that something is missing.

All the various configuration files are populated, and the Kerberos portion works correctly because I can obtain a ticket.

So possibly there is a problem with the nss_ldap part, or the ldap.conf itself.

Nalin and Simo diagnosed this to be a VLV problem querying cn=users,cn=accounts. If he switches to use cn=compat then getent passwd works ok.

Version-Release number of selected component (if applicable):

ipa 1.2.2

Comment 1 Rob Crittenden 2010-03-03 22:26:28 UTC
I duplicated this with the latest Solaris 10 x86 bits (U8).

As I thought, this *is* a VLV problem.

Oddly enough something seems to have changed. My LDAP server had a VLV aci but it was set up for authenticated users only:

aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read
 , search, compare, proxy ) userdn = "ldap:///all";)

I'm not entirely sure where this came from. We are supposed to create an ACI that reads:

aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (compare,read,search) userdn = "ldap:///anyone"; )

A handy command to better see the problem is ldaplist. You'll actually get:

ldaplist: LDAP error (LDAP ERROR (50): Insufficient access.)

Once I replaced the ACI then getent passwd worked and all the ldaplist commands I tried worked as well (or at least as well as the data backing them in LDAP allowed).

I investigated this from an IPA v2 installation but the underlying problem seems to be the same.

The reason it works in compat is that the VLV control is ignored there (for good or bad).

So now I need to figure out where that VLV aci is coming from and why ours isn't getting installed.
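
The check described in this comment (is the VLV Request Control feature entry readable by anonymous binds, or only by authenticated ones?) can be run offline against the `aci` values dumped with ldapsearch. The following is an added example, not code from the bug or from FreeIPA: the two sample entries are constructed from the two ACI strings quoted above (note the LDIF continuation line in the first one), the function names are mine, and the LDIF produced by `fix_ldif()` installs the read/search/compare ACI this comment says IPA is supposed to create. It only evaluates `allow` clauses; `deny` rules, if any, are not considered.

```python
import re

# Feature entry that gates use of the VLV request control in 389 Directory Server
# (DN taken from the patch in this bug).
VLV_FEATURE_DN = "oid=2.16.840.1.113730.3.4.9,cn=features,cn=config"
# Rights an anonymous client needs on that entry to send the VLV control.
VLV_NEEDED = {"read", "search", "compare"}

# Constructed sample: a server still carrying the DS-installed ACI, which is
# restricted to authenticated users (ldap:///all). The second line starts with a
# space, i.e. it is an LDIF continuation of the aci value.
SAMPLE_BEFORE = """\
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read
 , search, compare, proxy ) userdn = "ldap:///all";)
"""

# Constructed sample: the ACI comment 1 says IPA should install (anonymous allowed).
SAMPLE_AFTER = """\
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (compare,read,search) userdn = "ldap:///anyone"; )
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def aci_values(ldif_text):
    """Return every aci value in the LDIF text, unfolded and stripped."""
    return [line[len("aci:"):].strip()
            for line in unfold_ldif(ldif_text) if line.startswith("aci:")]


# Matches 'allow (<rights>) userdn = "<subject>"' in a 389-ds ACI (whitespace tolerant).
_ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"([^"]+)"', re.IGNORECASE)


def rights_for(aci, subject):
    """Rights the given ACI grants to one bind-rule subject (e.g. ldap:///anyone)."""
    rights = set()
    for perms, who in _ALLOW_RE.findall(aci):
        if who.lower() == subject.lower():
            rights |= {p.strip().lower() for p in perms.split(",") if p.strip()}
    return rights


def anonymous_vlv_allowed(ldif_text):
    """True if unauthenticated clients (ldap:///anyone) may use the VLV control."""
    granted = set()
    for aci in aci_values(ldif_text):
        granted |= rights_for(aci, "ldap:///anyone")
    return VLV_NEEDED <= granted


def fix_ldif():
    """LDIF modify that replaces the feature entry's aci with the read/search/compare one."""
    return (
        f"dn: {VLV_FEATURE_DN}\n"
        "changetype: modify\n"
        "replace: aci\n"
        'aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; '
        'allow (compare,read,search) userdn = "ldap:///anyone"; )\n'
    )


if __name__ == "__main__":
    for label, sample in (("stock DS aci", SAMPLE_BEFORE), ("IPA aci", SAMPLE_AFTER)):
        print(f"{label}: anonymous VLV allowed = {anonymous_vlv_allowed(sample)}")
    print(fix_ldif())
```

To feed it real data, dump the entry as Directory Manager (host and bind DN here are assumptions) with `ldapsearch -x -H ldap://ipa.example.test -D "cn=Directory Manager" -W -s base -b "oid=2.16.840.1.113730.3.4.9,cn=features,cn=config" aci` and pass the output to `anonymous_vlv_allowed()`; a `False` result on a server that Solaris clients query anonymously is exactly the condition that produces the "Insufficient access" error from ldaplist shown above.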

Comment 2 Rob Crittenden 2010-04-01 15:36:58 UTC
Looks like the initial attempt at this simply didn't work. The ldap:///all VLV aci gets added automatically by DS and based on the git history has been working this way for ages.

This patch should fix it up in IPA v1.2:

--- a/ipa-server/ipa-install/share/schema_compat.uldif
+++ b/ipa-server/ipa-install/share/schema_compat.uldif
@@ -48,3 +48,7 @@ default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
 default:schema-compat-entry-attribute: memberUid=%{memberUid}
 default:schema-compat-entry-attribute: memberUid=%deref("member","uid")
 default:schema-compat-entry-attribute: memberUid=%referred("cn=users","memberOf","uid")
+
+# Enable anonymous VLV browsing for Solaris
+dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config 
+only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (read, search, compare, proxy) userdn = "ldap:///anyone"; )'
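Review bot: the ACI in the `only:aci:` line grants `proxy` to `ldap:///anyone`, while the ACI comment 1 says IPA is supposed to install grants only compare, read and search; since this line is meant to take the place of the DS-installed `ldap:///all` ACI, anonymous binds end up with a proxy right on the VLV feature entry that nothing in the bug calls for, so either drop `proxy` or document why it is needed. Also, the `dn:` line carries trailing whitespace after `cn=config`, which should be stripped so the DN does not depend on how the uldif parser trims values.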
--

Comment 3 Rob Crittenden 2010-04-01 17:43:24 UTC
Patch is committed to the master branch and ipa-1-2: 3c11b71aa7169615ecb74ac0b3b513e44662c52a

