libnss-ldap prevents user authentication when ldap hosts lookup enabled
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libnss-ldap (Ubuntu) | Fix Released | Low | Unassigned | |
Bug Description
Binary package hint: libnss-ldap
Using a Hardy Openldap server for users, passwords, and hosts. On the server itself everything works fine. All packages current. Anonymous read access is permitted. Not using TLS.
On a Hardy client, user and password authentication works fine. Can search out and read Hosts entries. However, if I turn on DNS authentication by changing the relevant /etc/nsswitch.conf line to
hosts: files ldap dns
then not only doesn't name resolution work at all, but no new users can log in and no existing users can sudo until I restore the line to
hosts: files dns
User authentication lines are:
passwd: files ldap
group: files ldap
shadow: files ldap
and as I say work fine when LDAP hosts lookup isn't enabled. So there are no issues in the PAM common-* files.
The /etc/ldap.conf file is vanilla:
base dc=myco,dc=com
# "ldap1" is defined in /etc/hosts, although same result when I used IP
uri ldap://
ldap_version 3
pam_password md5
nss_base_passwd ou=People,
nss_base_shadow ou=People,
nss_base_group ou=group,
nss_base_hosts ou=Hosts,
nss_initgroups_
FWIW /etc/resolv.conf points to external (non-Hardy) DNS.
Neither client nor server has nscd, but installing and running it on the client made no difference. Likewise, attempting to bind to the LDAP server as manager made no difference. Am in the process of switching over to libnss-ldapd, although I am concerned about the number of problems reported with it, too.
Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue that you reported is one that should be reproducible with the live environment of the Desktop CD of the development release - Karmic Koala. It would help us greatly if you could test with it so we can work on getting it fixed in the next release of Ubuntu. You can find out more about the development release at http://www.ubuntu.com/testing/. Thanks again and we appreciate your help.