
Re: 8 principal limitation in openldap

Appreciate any help/pointers on resolving this issue.


On 1 April 2011 03:25, Srivatsav M <srivatsav.mudumba@gmail.com> wrote:

I was triaging this issue and ran into another mysterious area: it doesn't look like the number (8) of principals/RDNs is the problem; in fact the length/size of the RDNs could be the issue. Please find the /etc/ldap.conf files attached, renamed according to the AD/OpenLDAP server being configured.

a. In the ad_ldap_conf_size the number of characters is around 3137 for the nss_base_<map>. On line 122, if I just change the 80 to 8 at the end of the string, the command "getent passwd" works and lists all the users registered in the ldap.conf file, but otherwise it doesn't show any user.

b. In the open_ldap_conf_size_issue the number of characters is around 3103 for the nss_base_<map>. If I just comment out the last two lines at the end of the file, "getent passwd" works and lists all the users registered in the ldap.conf file, but otherwise it doesn't show any user.

From these findings this looks more like some buffer issue; can you please help me with the following:
1. Any particular method/file that I should be looking at to check this buffer size, maybe even in the nss_ldap library or so?
2. If there is a buffer size issue of, say, around 3137 characters (or bytes), what would be the best value to increase it to?

Appreciate any help.


On 30 March 2011 01:17, Srivatsav M <srivatsav.mudumba@gmail.com> wrote:
Please find below the answers to your questions:

1. > >> We are using OpenLDAP for authenticating users registered in a LDAP
> >> server (Open LDAP, Active Directory).

Which one? Or both?
>> Our dev environment has OpenLDAP and AD servers; we have tested this issue against each of them individually and are able to reproduce it against both types of LDAP servers.

2. Users shouldn't be "registered in the /etc/ldap.conf file".
>> Can you please help me understand why I shouldn't be using this in the ldap.conf file?

3. Please supply a full copy of your /etc/ldap.conf, or at least a representative one, and provide the example output of 'getent passwd username' and 'groups username' for the user who doesn't authenticate. You may also want to supply the relevant PAM configuration files.
>> Attached along with this mail.
$ getent passwd
root <xxxxxxxxx>
test_user:somepwd:1002:1002:Test User:/home/testuser:/bin/bash
test_people1:*:10004:10004:Test People1:/home/test_people1:/bin/bash
>> All external users are not able to log in after adding the 8th principal/RDN.
auth required   pam_env.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix2.so

account required pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass


session required pam_limits.so
session required pam_unix2.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
session optional pam_umask.so

Also, please provide details of your LDAP client (distribution release, what versions of nss_ldap and pam_ldap you are running).
>> openldap2-client-2.3.32-0.25
>> nss_ldap-259-4.3
4. Do we know what the actual problem is? Do we know it would be solved by nss-ldapd?
There might be a simple misunderstanding here, or a simple configuration problem, and switching software might not solve that.

Additionally, the distribution in question may have a different preferred LDAP client.
>> Based on the above information, would it be possible to point out any config issues? Please do let me know if you need any further information.

On 25 March 2011 20:23, Marco Pizzoli <marco.pizzoli@gmail.com> wrote:
I could be corrected if I'm wrong, but this problem is not related to OpenLDAP. It's an nss_ldap problem.
nss_ldap is a client library that's used by Linux vendors to achieve seamless integration of users against *a* LDAP server.

I had a similar problem with a complex configuration and bypassed (not solved) the problem by modifying my client configuration.

I reduced the number of LDAP servers configured to be accessed: from 4 to 3.
I reduced the number of users defined in the nss_initgroups_ignoreusers directive: I had about 40 listed in it...


Make some tries and tell me if you can solve it.


On Thu, Mar 24, 2011 at 9:25 PM, Srivatsav M <srivatsav.mudumba@gmail.com> wrote:

We are using OpenLDAP for authenticating users registered in an LDAP server (OpenLDAP, Active Directory). After adding 8 principals (/etc/ldap.conf), none of the users registered in the /etc/ldap.conf file are able to log in.

nss_base_passwd OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
nss_base_shadow OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname

Can you please share the reason for this limitation of 7 in the OpenLDAP library, or how I can fix this issue? I am looking for the header file in the source files which has this constant or limitation defined.

Tried Googling, but it appears that no one has encountered this issue. Some customers are running into this issue and it has become a severity 1 issue to fix.


It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get up again.
Jim Morrison
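The two hypotheses in the thread, "too many RDNs" versus "too many bytes of nss_base_<map> text" (around 3137 characters), can be checked mechanically before touching library code. The following Python script is an added example, not code from the thread or from nss_ldap: it parses an ldap.conf-style file, reports the deepest nss_base_<map> search base in RDNs, the bytes taken by those values, and the bytes of all directive values together. The `budget` figure and the one-buffer-for-all-values storage model are assumptions standing in for whatever the reader's nss_ldap build actually does; the thread does not establish that number, so check it against the client's source.

```python
import re

# Constructed sample /etc/ldap.conf fragment (not the poster's attachment).
SAMPLE_LDAP_CONF = """\
# nss_ldap client configuration (constructed sample)
uri ldap://ldap.example.test
base DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
nss_base_passwd OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname?one
nss_base_shadow OU=engg,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname?one
nss_base_group  OU=groups,DC=mycompany,DC=region,DC=someplace,DC=myarea,DC=compname,DC=parentcompname
"""

DIRECTIVE_RE = re.compile(r"^\s*(\S+)\s+(.*\S)\s*$")

def parse_ldap_conf(text):
    """Return [(directive, value)] for every non-blank, non-comment line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def rdn_count(search_base):
    """RDNs in an nss_base_<map> value, ignoring any '?scope?filter' suffix."""
    dn = search_base.split("?", 1)[0]
    return sum(1 for part in dn.split(",") if part.strip())

def analyse(text, budget):
    """Compare the thread's two hypotheses: RDN depth versus total byte size.

    `budget` is an ASSUMED size of one fixed buffer into which every config
    value is copied; the real figure for a given nss_ldap build is not stated
    in the thread, so the caller supplies it."""
    entries = parse_ldap_conf(text)
    nss_bases = [v for d, v in entries if d.startswith("nss_base_")]
    # assumption: each value is stored NUL-terminated, hence +1 per entry
    total = sum(len(v.encode()) + 1 for _, v in entries)
    return {
        "max_rdns": max((rdn_count(v) for v in nss_bases), default=0),
        "nss_base_bytes": sum(len(v.encode()) for v in nss_bases),
        "total_bytes": total,
        "over_budget": total > budget,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LDAP_CONF, budget=4096))
```

Run it against the real file and watch which figure moves when a single character is removed, as in the "80 to 8" experiment: an RDN count that stays at 7 while the byte total crosses a threshold points at buffer size rather than principal count.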