libnss-ldap prevents user authentication when ldap hosts lookup enabled

Bug #424942 reported by Ray Robert on 2009-09-05
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libnss-ldap (Ubuntu)

Bug Description

Binary package hint: libnss-ldap

Using a Hardy OpenLDAP server for users, passwords, and hosts. On the server itself everything works fine. All packages current. Anonymous read access is permitted. Not using TLS.

On a Hardy client, user and password authentication works fine. Can search out and read Hosts entries. However, if I turn on DNS authentication by changing the relevant /etc/nsswitch.conf line to

   hosts: files ldap dns

then not only doesn't name resolution work at all, but no new users can log in and no existing users can sudo until I restore the line to

   hosts: files dns

User authentication lines are:
   passwd: files ldap
   group: files ldap
   shadow: files ldap
and as I say work fine when LDAP hosts lookup isn't enabled. So there are no issues in the PAM common-* files.

The /etc/ldap.conf file is vanilla:

base dc=myco,dc=com
# "ldap1" is defined in /etc/hosts, although same result when I used IP
uri ldap://
ldap_version 3
pam_password md5
nss_base_passwd ou=People,dc=myco,dc=com
nss_base_shadow ou=People,dc=myco,dc=com
nss_base_group ou=group,dc=myco,dc=com
nss_base_hosts ou=Hosts,dc=myco,dc=com
nss_initgroups_ignoreusers backup,bin,daemon,Debian-exim,dhcp,dovecot,ftp,games,gnats,irc,klog,libuuid,list,logcheck,lp,mail,man,mysql,news,postfix,proftpd,proxy,root,sshd,statd,sync,sys,syslog,uucp

FWIW /etc/resolv.conf points to external (non-Hardy) DNS.

Neither client nor server has nscd, but installing and running it on the client made no difference. Likewise, attempting to bind to the LDAP server as manager made no difference. Am in the process of switching over to libnss-ldapd, although I am concerned about the number of problems reported with it, too.

Chuck Short (zulcss) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue that you reported is one that should be reproducible with the live environment of the Desktop CD of the development release - Karmic Koala. It would help us greatly if you could test with it so we can work on getting it fixed in the next release of Ubuntu. You can find out more about the development release at Thanks again and we appreciate your help.

Changed in libnss-ldap (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
importance: Medium → Low

Ray Robert (rrobert) wrote :

I have since learned that the problem is an incompatibility with the resolver in the libc6-i386 library. This library is a dependency of MBR which is a dependency of Lilo.

I had believed that the system on which I encountered this was a vanilla distribution but in fact (a) Lilo had been installed for no particular reason; and (b) it is an AMD64 so the compatibility library was required.

Chuck Short (zulcss) wrote :

Thanks, closing this then.


Changed in libnss-ldap (Ubuntu):
status: Incomplete → Fix Released