Re: 8 principal limitation in openldap

On 30 March 2011 01:17, Srivatsav M <srivatsav.mudumba@gmail.com> wrote:

Please find below the answers to your questions:
1. > >> We are using OpenLDAP for authenticating users registered in a LDAP
> >> server (Open LDAP, Active Directory). Which one? Or both?
Our dev environment has openLDAP and AD servers and we have tested this issue against each of them individually and are able to reproduce it against both the types of LDAP servers
2. Users shouldn't be "registered in the /etc/ldap.conf file".
>> Can you please help me understand why I shouldn't be using this in the ldap.conf file?

3. Please supply a full copy of your /etc/ldap.conf, or at least a representative one, and provide the example output of 'getent passwd username' and 'groups

>> attached along with this mail
username' for the user who doesn't authenticate. You may also want to supply 
the relevant PAM configuration files.
$ getent passwd
root <xxxxxxxxx>
test_user:somepwd:1002:1002:Test User:/home/testuser:/bin/bash
test_people1:*:10004:10004:Test People1:/home/test_people1:/bin/bash
>> All external users are not able to login after adding the 8th principal/RDN
/etc/pam.d/common-auth
auth required   pam_env.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix2.so
/etc/pam.d/common-account
account required pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
/etc/pam.d/common-session
session required pam_limits.so
session required pam_unix2.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
session optional pam_umask.so

Also, please provide details of your LDAP client (distribution release, what versions of nss_ldap and pam_ldap you are running).
>> openldap2-client-2.3.32-0.25
>> nss_ldap-259-4.3
4. Do we know what the actual problem is? Do we know it would be solved by nss-ldapd?
There might be a simple misunderstanding here, or a simple configuration problem, and switching software might not solve that. Additionally, the distribution in question may have a different preferred LDAP client.
>> based on the above information, would it be possible for pointing any config. issues? , please do let me know if you need any further information.

thanks
Ramakanth

On 25 March 2011 20:23, Marco Pizzoli <marco.pizzoli@gmail.com> wrote:

Hi,
I could be corrected if I'm wrong, but this problem is not related to OpenLDAP. It's a nss_ldap problem.
nss_ldap is a client library that's used by linux vendors to achieves seamless integration of users against *a* LDAP server.

I had a similar problem with a complex configuration and bypassed (not solved) the problem by modifying my client configuration.

I reduced the number of ldap server configured to be accessed: from 4 to 3.
I reduced the number of users defined in nss_initgroups_ignoreusers directive: i had about 40 listed in it...

Etc...

Make some tries and tell me if you can solve it.

Marco

On Thu, Mar 24, 2011 at 9:25 PM, Srivatsav M <srivatsav.mudumba@gmail.com> wrote:

Hi,

We are using OpenLDAP for authenticating users registered in a LDAP server (Open LDAP, Active Directory). After adding 8 principals (/etc/ldap.conf), none of the users registered in the /etc/ldap.conf file are able to login.

nss_base_passwd OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
nss_base_shadow OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
nss_base_group OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname

Can you please share the reason for this 7 limitation in the open ldap library. or how I can fix this issue. I am looking i for the header file in the source files whhich has this constant or limitation defined.

Tried googling, but it appears that no one has encountered this issue. Some customers are running into this issue and it has become a severity 1 issue to fix.

Thanks
Ramakanth

--
_________________________________________
Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi.
Jim Morrison