So, I have:
Server
Solaris 2.8 (Netra, gig of RAM, no other services) running OpenLDAP
2.1.23 with 65k records indexed:
index objectClass eq
index uid eq
index uidNumber eq
index gidNumber eq
Schemas which build by default with OpenLDAP (i.e. no Apple schema).
disallow bind_anon
access to attr=userPassword
by self read
by anonymous auth
by * none
#
access to dn="^.*,uid=([^,]+),ou=People,(.*)$"
by dn="uid=$1,ou=People,$2" read
by * none
#
access to *
by self read
by users read
by * none
Using simple binds over TLS/SSL with saslauthd -a kerberos5 (all this
works well).
So from stock Mac OS X 10.3.1 I can:
/usr/local/bin/ldapsearch -H "ldaps://loopback.edu/" -x -D
"uid=tester,ou=people,dc=ncsu,dc=edu" -W -b 'dc=ncsu,dc=edu'
'(objectclass=*)'
Provide the password and get only that user's data back in <15 sec.
Something like
/usr/local/bin/ldapsearch -H "ldaps://uni01ds.unity.ncsu.edu/" -x -D
"uid=tester,ou=people,dc=ncsu,dc=edu" -W -b 'dc=ncsu,dc=edu' '(uid)'
returns in < 1 sec.
All works great. No problem.
Now I want to use this to log in.
OK, use directory setup. Enter everything, use RFC 2703 (UNIX) mappings;
search base is dc=ncsu,dc=edu (even tried narrowing the Users map to
ou=people,dc=ncsu,dc=edu). Set the login to the same user as will log in from
the console: dn=uid=tester,ou=people,dc=ncsu,dc=edu.
From the terminal, id tester returns in about 20 seconds with correct info;
lookupd -d userWithName tester returns in about 20 seconds as well. All
works.
Now logout, restart, whatever; it does not make a difference.
Try to log in as tester and, if I get logged in, it takes about 4 minutes.
Not good.
My questions:
Is anyone actually using this setup?
What am I doing wrong?
Any help would be appreciated!!!
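As an added example (not part of the original post, and not OpenLDAP's own code), here is a small simulator of how slapd 2.1 evaluates the access rules quoted above: the first matching "access to" clause wins, and within it the first matching "by" clause wins. It covers only the syntax the post uses (attr=, dn="<regex>", *, self, anonymous, users, and by dn="..." with $1/$2 back-references, which in 2.1 are regexes). The child entry DN cn=mail,uid=tester,... is constructed for illustration; lower-casing as DN normalisation and "none" when no rule matches are assumptions, the latter never reached here because the final "access to *" always matches.

```python
"""Simulate slapd 2.1-style ACL evaluation for the posted access rules (added example)."""
import re

# The three access directives from the post, copied verbatim.
ACL_TEXT = """
access to attr=userPassword
        by self read
        by anonymous auth
        by * none
access to dn="^.*,uid=([^,]+),ou=People,(.*)$"
        by dn="uid=$1,ou=People,$2" read
        by * none
access to *
        by self read
        by users read
        by * none
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def norm_dn(dn):
    # Assumption: lower-casing and trimming around commas is enough for these DNs.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown access level %r" % level)
            rules[-1][1].append((who, level))
        else:
            raise ValueError("unparsed line: %r" % raw)
    return rules


def what_matches(what, target_dn, attr):
    """Return a regex match (kept for $n expansion), True, or None."""
    if what == "*":
        return True
    if what.startswith("attr="):
        return True if attr and attr.lower() == what[5:].lower() else None
    if what.startswith('dn="') and what.endswith('"'):
        return re.search(what[4:-1], target_dn, re.IGNORECASE)  # 2.1: dn= is a regex
    raise ValueError("unsupported <what>: %r" % what)


def who_matches(who, requester_dn, target_dn, match):
    """requester_dn None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(target_dn)
    if who.startswith('dn="') and who.endswith('"'):
        if requester_dn is None:
            return False
        pattern = who[4:-1]
        if match is not True:  # expand $1, $2 ... from the <what> regex groups
            pattern = re.sub(r"\$(\d)", lambda m: re.escape(match.group(int(m.group(1)))), pattern)
        return re.search(pattern, requester_dn, re.IGNORECASE) is not None
    raise ValueError("unsupported <who>: %r" % who)


def access(rules, requester_dn, target_dn, attr=None):
    """Access level the requester gets on target_dn (and attr, if given)."""
    for what, clauses in rules:
        match = what_matches(what, target_dn, attr)
        if not match:
            continue
        for who, level in clauses:
            if who_matches(who, requester_dn, target_dn, match):
                return level
        return "none"  # <what> matched but no <who> did: denied
    return "none"  # assumption for "nothing matched"; unreachable with the catch-all rule


def allows(rules, requester_dn, target_dn, attr, wanted):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(access(rules, requester_dn, target_dn, attr)) >= LEVELS.index(wanted)


RULES = parse_acl(ACL_TEXT)
TESTER = "uid=tester,ou=people,dc=ncsu,dc=edu"
OTHER = "uid=other,ou=people,dc=ncsu,dc=edu"          # constructed second user
CHILD = "cn=mail,uid=tester,ou=people,dc=ncsu,dc=edu"  # constructed entry under tester

if __name__ == "__main__":
    for who, dn, attr in [(None, TESTER, "userPassword"), (TESTER, TESTER, "userPassword"),
                          (TESTER, OTHER, "userPassword"), (TESTER, OTHER, "cn"),
                          (TESTER, CHILD, "cn"), (OTHER, CHILD, "cn"), (None, OTHER, "cn")]:
        print("%-36s %-46s %-12s %s" % (who or "anonymous", dn, attr, access(RULES, who, dn, attr)))
```

Running it shows what these rules actually grant: anonymous gets only "auth" on userPassword (enough for a simple bind), the owner can read their own password attribute, and only the owner can read entries beneath their own uid. It also shows that the final "access to * by users read" lets any authenticated user read every other user's attributes except userPassword, which is worth knowing before relying on the ACL to scope what a bound client sees.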