Hi all,
We have an OpenLDAP server (RHEL6) running version 2.4.23-15, and we have clients on RHEL5 and RHEL6. With the RHEL5 clients it works properly, but I found some problems with RHEL6 clients on versions newer than 2.4.19-15.
On the clients, if I try to upgrade to a version newer than 2.4.19-15, the client stops working:
[root@XX ~]# rpm -qa | grep openldap
openldap-2.4.19-15.el6.x86_64
openldap-clients-2.4.19-15.el6.x86_64
[root@XX ~]# ldapsearch -x -D 'cn=authenticate, ou=System,dc=test, dc=es' '(objectclass=*)' -W -ZZ
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
......
[root@XX ~]# id esther
uid=63004(esther) gid=50041(test) groups=50041(test)
[root@XX ~]# yum upgrade openldap*
.....
  Updating   : openldap-2.4.23-20.el6.x86_64                1/4
warning: /etc/openldap/ldap.conf created as /etc/openldap/ldap.conf.rpmnew
  Updating   : openldap-clients-2.4.23-20.el6.x86_64        2/4
  Cleanup    : openldap-clients-2.4.19-15.el6.x86_64        3/4
  Cleanup    : openldap-2.4.19-15.el6.x86_64                4/4

Updated:
  openldap.x86_64 0:2.4.23-20.el6   openldap-clients.x86_64 0:2.4.23-20.el6

Complete!

[root@XX ~]# service nslcd restart
Stopping nslcd:                                            [  OK  ]
Starting nslcd:                                            [  OK  ]
[root@XX ~]# id esther
id: esther: No such user
[root@XX ~]# ldapsearch -x -D 'cn=authenticate, ou=System,dc=test, dc=es' '(objectclass=*)' -W -ZZ
ldap_start_tls: Connect error (-11)
I have the same configuration files that I used with the older version. These are the configuration files I use:
*/etc/pam_ldap.conf:*
base dc=test,dc=es
binddn cn=authenticate,ou=System,dc=test,dc=es
bindpw XXXX
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_lookup_policy yes
pam_password exop
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl start_tls
uri ldap://ldap1-test ldap://ldap2-test
tls_cacertdir /etc/openldap/cacerts
pam_password md5

*/etc/nslcd.conf:*
uid nslcd
gid ldap
uri ldap://ldap1-test ldap://ldap2-test
base dc=test,dc=es
binddn cn=authenticate,ou=System,dc=test,dc=es
bindpw XXXX
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
timelimit 120
bind_timelimit 120
idle_timelimit 3600

*/etc/openldap/ldap.conf:*
URI ldap://ldap1-test/ ldap://ldap2-test/
BASE dc=test,dc=es
TLS_CACERT /etc/openldap/cacerts/catest.crt

*CAcert file:*
[root@XX ~]# ls -l /etc/openldap/cacerts/catest.crt
-rw-r--r--. 1 root root 1655 May 23 15:23 /etc/openldap/cacerts/catest.crt
Any idea on what the issue is? Am I missing anything?
Thanks in advance, Esther
On 05/23/2012 10:37 AM, Esther Garcia wrote:
try adding -d 1 - ldapsearch -d 1 -x ....
Hi Rich,
Sorry, I made a mistake in my ldapsearch. ldapsearch is working, but users are still not found with the "id" command:
[root@XX ~]# service nslcd restart
Stopping nslcd:                                            [  OK  ]
Starting nslcd:                                            [  OK  ]
[root@dc103 ~]# ldapsearch -x -D 'cn=authenticate, ou=System,dc=test, dc=es' '(objectclass=*)' -W -ZZ
Enter LDAP Password:
# extended LDIF
#
[root@dc103 ~]# id esther
id: esther: No such user
And I have these entries in nsswitch:
[root@XX ~]# grep ldap /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
Errors in the messages log when I try this "id" lookup:
May 24 10:50:09 XX nslcd[4612]: [8e1f29] no available LDAP server found
May 24 10:50:09 XX nslcd[4612]: [8e1f29] no available LDAP server found
May 24 10:50:09 XX nslcd[4612]: [e87ccd] no available LDAP server found
May 24 10:50:09 XX nslcd[4612]: [e87ccd] no available LDAP server found
May 24 10:50:11 XX nslcd[4612]: [1b58ba] ldap_start_tls_s() failed: Connect error (uri="ldap://ldap1-test")
May 24 10:50:11 XX nslcd[4612]: [1b58ba] failed to bind to LDAP server ldap://ldap1-test: Connect error
May 24 10:50:11 XX nslcd[4612]: [1b58ba] ldap_start_tls_s() failed: Connect error (uri="ldap://ldap2-test")
May 24 10:50:11 XX nslcd[4612]: [1b58ba] failed to bind to LDAP server ldap://ldap2-test: Connect error
May 24 10:50:11 XX nslcd[4612]: [1b58ba] no available LDAP server found
In version 2.4.19-15 I don't see this issue.
TIA, Esther
2012/5/23 Rich Megginson rich.megginson@gmail.com
The problem is solved. From version 2.4.23-15 on, it is mandatory to use the tls_cacertfile option in the nslcd.conf file; in older versions it worked using only tls_cacertdir.
Regards, Esther
2012/5/24 Esther Garcia fulletverde@gmail.com
openldap-technical@openldap.org
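Added example, not from the thread or from the nslcd project: a small shell check for the nslcd.conf trust-anchor problem resolved above. It flags a config that enables start_tls without a tls_cacertfile, and also one that silences the connect error by weakening verification with tls_reqcert never/allow; the sample configs and the placeholder CA file it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the thread's or nslcd's own code): lint an nslcd.conf
# for the StartTLS trust-anchor mistake discussed above.
# Returns 0 when TLS is on and a readable CA file is named, 1 otherwise.
check_nslcd_tls() {
    conf="$1"
    # nslcd takes the last occurrence of a directive; mirror that here.
    get() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }
    ssl=$(get "$conf" ssl)
    cafile=$(get "$conf" tls_cacertfile)
    cadir=$(get "$conf" tls_cacertdir)
    reqcert=$(get "$conf" tls_reqcert)

    case "$ssl" in
        start_tls|on) ;;
        *) echo "$conf: ssl=${ssl:-off}; binddn/bindpw and lookups go over the wire in the clear"; return 1 ;;
    esac
    case "$reqcert" in
        never|allow) echo "$conf: tls_reqcert $reqcert disables server certificate checking"; return 1 ;;
    esac
    if [ -n "$cafile" ]; then
        [ -r "$cafile" ] || { echo "$conf: tls_cacertfile $cafile is not readable"; return 1; }
        echo "$conf: OK, trust anchor is $cafile"
        return 0
    fi
    if [ -n "$cadir" ]; then
        echo "$conf: only tls_cacertdir ($cadir) is set; add tls_cacertfile naming the CA PEM"
        return 1
    fi
    echo "$conf: start_tls with no CA configured; ldap_start_tls_s() will fail"
    return 1
}

# Constructed sample configs standing in for the thread's nslcd.conf (bindpw omitted).
demo() {
    d=$(mktemp -d)
    : > "$d/catest.crt"   # placeholder for the CA PEM; any readable file works for the lint
    printf 'uri ldap://ldap1-test ldap://ldap2-test\nssl start_tls\ntls_cacertdir /etc/openldap/cacerts\n' > "$d/before.conf"
    { cat "$d/before.conf"; echo "tls_cacertfile $d/catest.crt"; } > "$d/after.conf"
    { cat "$d/before.conf"; echo "tls_reqcert never"; } > "$d/workaround.conf"
    for f in before after workaround; do
        check_nslcd_tls "$d/$f.conf" || :   # keep going so every verdict is printed
    done
    rm -rf "$d"
}
demo
```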