I am running OpenLDAP 2.3.39 on a RedHat server. I am encountering a user ssh login failure on an LDAP client if I use the URI-based way to specify the LDAP servers in the client's /etc/ldap.conf and /etc/openldap/ldap.conf files. I don't have such a problem if I use the host-based way. A snippet of the configurations and of the ldap.log on ldapm is the following:
 
/etc/ldap.conf:
 
uri ldap://ldapm.mydomain.com ldap://ldapsl.mydomain.com
 
/etc/openldap/ldap.conf:
 
URI ldap://ldapm.mydomain.com ldap://ldapsl.mydomain.com
 
ldap.log on ldapm:

May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: cn=admin,dc=mydomain,dc=com
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "uid" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr uid
May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state (uid)
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "uid" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: cn=admin,dc=mydomain,dc=com
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "userPassword" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [1] attr userPassword
May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state (userPassword)
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "userPassword" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: anonymous
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] applying auth(=xd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] mask: auth(=xd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access denied by auth(=xd)
May 16 14:16:33 ldapm slapd[27604]: send_search_entry: conn 35 access to attribute userPassword, value #0 not allowed
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "shadowLastChange" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr shadowLastChange
May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state (shadowLastChange)
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "shadowLastChange" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: cn=admin,dc=mydomain,dc=com
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)

Can anyone please help resolve the above problem? Thanks a lot!

Luke
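The slapd ACL trace quoted above is verbose, and when comparing a failing (uri) run against a working (host) run it helps to reduce it to one record per attribute: which identity the request was evaluated for (the `to value by "..."` line, where an empty DN means anonymous), which access directive stopped the evaluation (`[N] applying ...`), what level that directive grants, and whether the requested access was granted or denied. The following parser is an added example written for this page, not code from Luke's post or from the OpenLDAP project; it assumes the trace line formats exactly as they appear in the post, and the sample log embedded in it is constructed from a subset of those lines. On the quoted trace it shows that all three reads were evaluated for the anonymous identity and that only userPassword was denied, under an `auth`-level directive, which is the expected outcome for an anonymous search against a password attribute and a useful baseline to diff against the host-based run.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the slapd 2.3 ACL trace quoted in the post.
SAMPLE_LOG = """\
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "uid" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr uid
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "userPassword" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [1] attr userPassword
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] applying auth(=xd) (stop)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access denied by auth(=xd)
May 16 14:16:33 ldapm slapd[27604]: send_search_entry: conn 35 access to attribute userPassword, value #0 not allowed
"""


@dataclass
class AclDecision:
    dn: str                            # entry the access check was made against
    attr: str                          # attribute being checked
    access: str                        # access type requested, e.g. "read"
    requester: Optional[str] = None    # bind DN the check was evaluated for; "" means anonymous
    clause: Optional[int] = None       # index of the access directive that stopped evaluation
    level: Optional[str] = None        # level that directive grants (none/auth/compare/search/read/write)
    decision: Optional[str] = None     # "granted" or "denied"


# Line shapes taken from the quoted trace (assumed stable for this slapd version).
REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
BY = re.compile(r'=> acl_mask: to value by "([^"]*)"')
APPLY = re.compile(r'<= acl_mask: \[(\d+)\] applying (\w+)\(=\w*\) \(stop\)')
RESULT = re.compile(r'=> access_allowed: \w+ access (granted|denied) by (\w+)\(=\w*\)')


def parse_acl_trace(text: str) -> List[AclDecision]:
    """Fold the per-line ACL trace into one AclDecision per attribute check."""
    decisions: List[AclDecision] = []
    current: Optional[AclDecision] = None
    for line in text.splitlines():
        m = REQ.search(line)
        if m:
            # A new "access to ... requested" line opens a fresh record.
            current = AclDecision(access=m.group(1), dn=m.group(2), attr=m.group(3))
            continue
        if current is None:
            continue  # lines before the first request (e.g. leftover from a previous check)
        m = BY.search(line)
        if m:
            current.requester = m.group(1)
            continue
        m = APPLY.search(line)
        if m:
            current.clause = int(m.group(1))
            current.level = m.group(2)
            continue
        m = RESULT.search(line)
        if m:
            # The granted/denied line closes the record.
            current.decision = m.group(1)
            decisions.append(current)
            current = None
    return decisions


def is_anonymous(d: AclDecision) -> bool:
    """slapd prints an empty DN in 'to value by ""' when no bind identity applies."""
    return d.requester == ""


def denied_attributes(decisions: List[AclDecision]) -> List[Tuple[str, str, Optional[int]]]:
    """(attribute, requester DN, directive index) for every check that was denied."""
    return [(d.attr, d.requester or "", d.clause) for d in decisions if d.decision == "denied"]


def summarize(decisions: List[AclDecision]) -> List[str]:
    """One human-readable line per check, handy for diffing two traces."""
    out = []
    for d in decisions:
        who = "anonymous" if is_anonymous(d) else d.requester
        out.append(f"{d.attr}: {d.access} {d.decision} for {who} by directive [{d.clause}] level {d.level}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_acl_trace(SAMPLE_LOG)):
        print(line)
```

To use it on a real ldap.log, read the file into `parse_acl_trace` instead of `SAMPLE_LOG` and run `summarize` on the result from both the uri and host configurations; a difference in the requester column between the two runs is the first thing to look at, since it tells you whether the client bound the same way in both cases.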