nslcd: Warning: /lib/x86_64-linux-gnu/libnss_ldap.so.2: undefined symbol: _nss_ldap_enablelookups (probably older NSS module loaded)

Bug #917208 reported by Tamas Papp
This bug affects 9 people
Affects: nss-pam-ldapd (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

If libnss-ldap is installed:

# /etc/init.d/nslcd start
 * Starting LDAP connection daemon nslcd
nslcd: Warning: /lib/x86_64-linux-gnu/libnss_ldap.so.2: undefined symbol: _nss_ldap_enablelookups (probably older NSS module loaded)

If libnss-ldapd is installed it starts fine, but it does not work.

getent passwd works fine
getent group shows the groups, but all of them are empty!

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: nslcd 0.8.4
ProcVersionSignature: Ubuntu 3.2.0-7.13-generic 3.2.0-rc7
Uname: Linux 3.2.0-7-generic x86_64
ApportVersion: 1.90-0ubuntu2
Architecture: amd64
Date: Mon Jan 16 16:10:23 2012
ProcEnviron:
 LC_CTYPE=en_US.UTF-8
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: nss-pam-ldapd
UpgradeStatus: Upgraded to precise on 2012-01-04 (12 days ago)

Arthur de Jong (adejong) wrote :

The _nss_ldap_enablelookups undefined symbol is to be expected when using nslcd with the old nss_ldap. nslcd does not do anything useful when using libnss-ldap, only with libnss-ldapd.

For the not working group lookups it would be helpful to have some of the output from getent group, information on how the LDAP database is structured, the nslcd.conf file and perhaps output of nslcd -d while performing a group lookup.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nss-pam-ldapd (Ubuntu):
status: New → Confirmed

Tamas Papp (tompos) wrote :

Sorry for the late reply.

Yes, it's OK. My mistake...

group issue:
The ldap server is a Fedora Directory Server.

I see only entries like this for ldap groups:
sales:*:10032:

For local groups it works as expected.

groups look like this:

dn: cn=service_hg,ou=InternalGroups,dc=company,dc=local
uniqueMember: uid=build,ou=Technical,dc=company,dc=local
cn: service_hg
description: Mercurial repository access
gidNumber: 10057
ntGroupCreateNewGroup: true
ntGroupDeleteGroup: true
ntUserDomainId: service_hg
objectClass: groupofuniquenames
objectClass: posixgroup
objectClass: cxgroup
objectClass: ntgroup
objectClass: top

users look like this:

dn: uid=build,ou=Technical,dc=company,dc=local
memberOf: cn=fisheye,ou=InternalGroups,dc=company,dc=local
memberOf: cn=jira,ou=InternalGroups,dc=company,dc=local
memberOf: cn=service_archiva,ou=InternalGroups,dc=company,dc=local
memberOf: cn=service_hg,ou=InternalGroups,dc=company,dc=local
loginShell: /bin/bash
uid: build
cn: Build User
sn: User
givenName: Build
mail: <email address hidden>
uidNumber: 10104
gidNumber: 10000
homeDirectory: /home/build
gecos: Build USER
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
ntUserDomainId: build
objectClass: person
objectClass: inetuser
objectClass: ntuser
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

nslcd.conf:

uid nslcd
gid nslcd
uri ldap://10.0.0.111/
base dc=company,dc=local

I attach the nslcd debug output for 'id build'
On the console:

$ id build
uid=10104(build) gid=10000(company) groups=10000(company)

Arthur de Jong (adejong) wrote :

You mean that the group members are missing?

You probably need
  map group member uniqueMember
since in the 0.8 series the default has been changed to use the member attribute instead of the uniqueMember attribute.

Note that nss-pam-ldapd doesn't currently support the memberOf attribute (which seems to be introduced by an overlay sometimes).
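
The effect of the mapping described in the comment above, as an added example that is not part of the original thread and is not nss-pam-ldapd code: a simplified Python model that reads group entries from a constructed LDIF sample and lists the groups that hold members in LDAP but would resolve empty under a given "map group member" attribute. The function names, the "legacy" group and the step that takes the uid from the first RDN of the member DN are assumptions of this sketch.

```python
# Constructed LDIF: the first group is modelled on the entry quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=service_hg,ou=InternalGroups,dc=company,dc=local
uniqueMember: uid=build,ou=Technical,dc=company,dc=local
cn: service_hg
gidNumber: 10057
objectClass: groupofuniquenames
objectClass: posixgroup

dn: cn=legacy,ou=InternalGroups,dc=company,dc=local
memberUid: build
cn: legacy
gidNumber: 10058
objectClass: posixgroup
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records (no base64, no continuation lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def dn_to_uid(dn):
    """Assumption: take the uid from the first RDN; nslcd may search LDAP instead."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if attr.strip().lower() == "uid" else None

def group_line(entry, member_attr="member"):
    """Build a getent-style line from memberUid plus the mapped DN attribute."""
    members = list(entry.get("memberuid", []))
    for dn in entry.get(member_attr.lower(), []):
        uid = dn_to_uid(dn)
        if uid and uid not in members:
            members.append(uid)
    return "%s:*:%s:%s" % (entry["cn"][0], entry["gidnumber"][0], ",".join(members))

def silently_empty(entries, member_attr="member"):
    """Groups that hold members in LDAP but resolve empty under this mapping."""
    held = ("member", "uniquemember", "memberuid")
    return [e["cn"][0] for e in entries
            if any(e.get(a) for a in held)
            and group_line(e, member_attr).endswith(":")]

print(silently_empty(parse_ldif(SAMPLE_LDIF)))
```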

Tamas Papp (tompos) wrote :

Any hope about this?

I think this is a bug issue..

Arthur de Jong (adejong) wrote :

If you mean whether the memberOf attribute will be supported in nss-pam-ldapd the answer is when someone provides a patch ;) Adding support is a bit tricky, especially for reverse lookups and doesn't add much if you're already using the uniqueMember attribute (which you appear to do).

Tamas Papp (tompos) wrote :

There is no problem on Precise with nscd+libpam-ldap or on Lucid with nslcd+libpam-ldapd.

Gab (contini-mailing) wrote :

On Precise Pangolin with libpam-ldapd I get the warning

nslcd: Warning: /lib/x86_64-linux-gnu/libnss_ldap.so.2: undefined symbol: _nss_ldap_enablelookups (probably older NSS module loaded)

but still I CAN use LDAP authentication. Though it is misleading. Really!

Arthur de Jong (adejong) wrote :

You mean you are using libnss-ldap and libpam-ldapd together? It should work fine I guess but isn't a very common configuration (at least to my knowledge).

The warning is just that: a warning. It warns for something that usually doesn't happen. It can be safely ignored if you are knowingly not using nslcd with libnss-ldapd.
