Description of problem:

We are having trouble since we updated from version 1.1.3 to 1.2.2 and 1.2.5. We have integrated CentOS/Red Hat clients into LDAP. When we run "getent group", we only get one group and its members, but not the rest of the groups (there should be more than 1000 groups). In the logs of dirsrv, we get the following error:

[03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection from XXXXX to XXXXX
[03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES
[03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=application manager,cn=config"
[03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH base="ou=Groups,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=2 filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid uniqueMember gidNumber"
[03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH base="uid=XXXXX,ou=XXXXX,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer reports incorrect Message Authentication Code.
[03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection from XXXXX to XXXXX
[03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES
[03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=application manager,cn=config"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=2 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=3 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=4 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=4 RESULT err=0 tag=101 nentries=1 etime=0

The UID searches that follow the group search are for the members of the first group returned by the group search. The command "getent passwd" works fine. This only happens on servers upgraded to 389-ds-base 1.2.2 or 1.2.5 (tested on 6 different servers). If we configure the LDAP client to use non-upgraded servers running fedora-ds-base 1.1.3 (tested on 4 different servers), the command "getent group" works fine, and no errors are shown in the log. The client configuration is always the same; only the LDAP server changes.
These are the configuration files:

/etc/ldap.conf
uri ldaps://XXXXXX
base dc=XXXXXX,dc=XXXXXX
ldap_version 3
binddn cn=Application Manager,cn=config
bindpw XXXXXX
ssl on
sasl_secprops maxssf=0
tls_cacertdir /etc/openldap/cacerts
tls_cacert /etc/openldap/cacerts/cert-CA-cacert.pem
timelimit 20
bind_timelimit 20
idle_timelimit 3600
nss_base_hosts ou=Computers,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?one
nss_base_group ou=Groups,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?sub
nss_base_passwd dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
nss_base_shadow dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dbus,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,ldap,libuuid,list,lp,mail,mailman,man,messagebus,named,news,nobody,polkituser,proxy,radiusd,radvd,root,sshd,sync,sys,syslog,tomcat,uucp,www-data
pam_password clear

/etc/openldap/ldap.conf
URI ldaps://XXXXXX
BASE dc=XXXXXX,dc=XXXXXX
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cert-CA-cacert.pem
TLS_REQCERT allow

/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus

Server: CentOS release 5.4 (Final), Linux XXXXXXXXXXXXXXX 2.6.18-164.15.1.el5.centos.plusPAE #1 SMP Wed Mar 17 20:42:15 EDT 2010 i686 i686 i386 GNU/Linux
Client: CentOS release 5.4 (Final), Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux

"getent group" should return the local groups (which are shown fine) and about 729 LDAP groups. If I do the same search with the ldapsearch command, all groups and their attributes are returned.
All 32-bit (client and server), versions:

Server: CentOS release 5.4 (Final), Linux XXXXXXXXXXXXXXX 2.6.18-164.15.1.el5.centos.plusPAE #1 SMP Wed Mar 17 20:42:15 EDT 2010 i686 i686 i386 GNU/Linux
Client: CentOS release 5.4 (Final), Linux localhost.localdomain 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux

When running "getent group", /var/log/messages shows these errors:

May 3 12:36:50 localhost getent: nss_ldap: reconnected to LDAP server ldaps://XXXXXXXXX after 1 attempt
May 3 12:37:10 localhost getent: nss_ldap: could not get LDAP result - Timed out

The "Timed out" message is because the LDAP server has dropped the connection when it gets "SSL peer reports incorrect Message Authentication Code", and this happens (I think) after reading the entry of the first group, so the rest of the groups are not shown.

I ran these queries:

Total groups:
# ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,XXXXXXX=es" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E "^dn:" | wc -l
729

Total members:
# ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,dc=XXXXXXX" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E -i "^uniquemember:" | wc -l
23348

Total unique members:
# ldapsearch -H ldaps://XXXXXXX -x -LLL -b "ou=Groups,o=XXXXXXX,dc=XXXXXXX,dc=XXXXXXX" -D "cn=Application Manager,cn=config" -w XXXXXXX "(&(objectClass=posixGroup))" cn userPassword memberUid uniqueMember gidNumber | grep -E -i "^uniquemember:" | sort | uniq | wc -l
9365
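The reporter's reading of the access log (the group SRCH on conn=71386 never gets a RESULT before the "SSL peer reports incorrect Message Authentication Code" close) can be checked mechanically over a full log instead of by eye. The script below is an added diagnostic, not part of this bug report or of 389-ds-base: it parses 389-ds access-log lines, tracks which op numbers on each connection are still waiting for a RESULT, and reports them for every connection the server closed for a reason other than a clean client unbind (close code U1). The embedded SAMPLE_LOG is constructed after the excerpt above, with hosts and DNs replaced by example values; the set of request verbs and the U1 close code are assumptions about the log format based on the lines shown here.

```python
"""Correlate 389-ds access-log connection closes with the requests still in flight.

Added diagnostic (not from the bug report or the 389-ds project): for every
connection closed for a reason other than a clean client unbind, list the
operations that never received a RESULT line.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the access-log excerpt in this report
# (hosts and DNs replaced; the clean unbind on conn=71387 is assumed).
SAMPLE_LOG = """\
[03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection from 10.0.0.5 to 10.0.0.1
[03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES
[03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=application manager,cn=config"
[03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH base="ou=Groups,o=example,dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid uniqueMember gidNumber"
[03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH base="uid=alice,ou=People,o=example,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer reports incorrect Message Authentication Code.
[03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection from 10.0.0.5 to 10.0.0.1
[03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES
[03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=application manager,cn=config"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH base="uid=alice,ou=People,o=example,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:45 +0200] conn=71387 op=2 UNBIND
[03/May/2010:12:17:45 +0200] conn=71387 op=2 fd=73 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CLOSE_RE = re.compile(r'^op=-?\d+ fd=\d+ closed - (?P<reason>.*)$')
OP_RE = re.compile(r'^op=(?P<op>-?\d+) (?P<body>.*)$')

# Request verbs answered by a later RESULT line carrying the same op number (assumed list).
REQUEST_VERBS = {"SRCH", "BIND", "ADD", "MOD", "DEL", "MODRDN", "CMP", "EXT"}
# Close codes meaning the client went away on purpose (U1 = client unbind; assumed).
CLEAN_CLOSE = {"U1"}


def find_aborted_connections(log_text):
    """Return {conn: {"ts", "reason", "unanswered": [(op, request), ...]}} for every
    connection closed for a reason not in CLEAN_CLOSE."""
    pending = defaultdict(dict)   # conn -> {op: request body still awaiting RESULT}
    aborted = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an access-log line
        conn, rest = int(m["conn"]), m["rest"]
        close = CLOSE_RE.match(rest)
        if close:
            reason = close["reason"].strip()
            unanswered = sorted(pending.pop(conn, {}).items())
            if reason not in CLEAN_CLOSE:
                aborted[conn] = {"ts": m["ts"], "reason": reason, "unanswered": unanswered}
            continue
        om = OP_RE.match(rest)
        if not om:
            continue                      # connection-level lines such as "SSL 256-bit AES"
        op, body = int(om["op"]), om["body"]
        verb = body.split(" ", 1)[0]
        if verb == "RESULT":
            pending[conn].pop(op, None)   # request answered
        elif verb in REQUEST_VERBS:
            pending[conn][op] = body      # in flight until its RESULT arrives
        # UNBIND and ABANDON get no RESULT, so they are not tracked
    return aborted


def summarise(aborted):
    """Render the findings as plain text lines, one connection per block."""
    lines = []
    for conn, info in sorted(aborted.items()):
        lines.append(f"conn={conn} closed at {info['ts']}: {info['reason']}")
        for op, body in info["unanswered"]:
            lines.append(f"    op={op} never got a RESULT: {body[:80]}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(find_aborted_connections(SAMPLE_LOG))))
```

Run it against the real file with `python3 script.py < /var/log/dirsrv/slapd-INSTANCE/access` after changing the `__main__` block to read `sys.stdin`; on the sample it reports only conn=71386, with op=1 (the group search) and op=2 (the first member lookup) both unanswered, which is exactly the pattern the reporter describes.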
Is it possible to reproduce this problem with ldapsearch, or do you have to use getent groups?
I have the same problem, and I would like to use getent groups.
(In reply to comment #7) > I have the same problem, and I would like to use getent groups. What platform? What version of 389-ds-base? What platform are the clients running on? Can you reproduce the problem from the client using ldapsearch, or is it necessary to use getent?
CentOS 5.5, 389-ds-base-1.2.5-1.el5, clients run CentOS 5.4. I can't reproduce the problem from the client using ldapsearch, and I need to use getent because of this problem when I use "id" in my scripts or "sudo -l". I have about 1100 groups, about 44000 members and 16000 unique members.
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=676384 *** This bug has been marked as a duplicate of bug 676384 ***