Hi all,
I am using OpenLDAP 2.4.23 (on Ubuntu Hardy 8.04) to test nssov. Everything is working perfectly on the primary server, with user, group and host information being pulled from OpenLDAP via nssov. Testing of authorized service / pam integration via slapd acls is also working correctly.
On another Ubuntu Hardy system I set up back-ldap and nssov, and though it works perfectly (including logins/acls, etc), there appears to be some issue when running:
getent group
I simply get one group returned (there are 4 on the primary server), with the following recorded in the (back-ldap server) logs (debug set to -1):
-- back-ldap log on `getent group` --
root@dev01:/opt/zivios/openldap/etc/openldap# getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:zwebuser
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
dhcp:x:102:
syslog:x:103:
klog:x:104:
scanner:x:105:
nvram:x:106:
ssh:x:107:
ntp:x:109:
ssl-cert:x:110:zwebuser,zopenldap
zwebgroup:x:950:
zopenldap:x:945:
mysql:x:108:
daemon: activity on 1 descriptor
daemon: activity on: 10r
daemon: read active on 10
connection_get(10)
connection_get(10): got connid=0
nssov: connection from uid=0 gid=0
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
nssov_group_all()
str2filter "(objectClass=posixGroup)"
put_filter: "(objectClass=posixGroup)"
put_filter: simple
put_simple_filter: "objectClass=posixGroup"
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
ber_dump: buf=0xb6db8010 ptr=0xb6db8010 end=0xb6db802b len=27
  0000: a3 19 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 ....objectClass.
  0010: 0a 70 6f 73 69 78 47 72 6f 75 70 .posixGroup
end get_filter 0
=>ldap_back_getconn: conn 0x8d3b058 fetched refcnt=1.
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_free_request (origid 4, msgid 4)
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=80 matched="" text=""
--
The output is simply:
eclstaff:*:3000:mhashmi,fkhan,jabbasi,zshaikh,akhan
On the primary server however, I see all 4 group entries are sent during the request:
conn=1000 op=5 ENTRY dn="cn=eclstaff,ou=groups,dc=zivios,dc=net"
conn=1000 op=5 ENTRY dn="cn=sysadmin,ou=groups,dc=zivios,dc=net"
conn=1000 op=5 ENTRY dn="cn=mailadmin,ou=groups,dc=zivios,dc=net"
conn=1000 op=5 ENTRY dn="cn=finance,ou=groups,dc=zivios,dc=net"
On the back-ldap server, probing a single group works, albeit with the same err=80 being logged.
getent passwd & hosts works perfectly.
Please find below the relevant configuration sections of my primary slapd.conf, the back-ldap slapd.conf as well as sample user and group entries:
=== primary server slapd.conf ===
database hdb
#overlay smbk5pwd
overlay unique
overlay nssov

suffix "dc=zivios,dc=net"
rootdn "cn=admin,dc=zivios,dc=net"
rootpw foo

# nssov config
nssov-map group uniqueMember member
nssov-ssd passwd ldap:///dc=zivios,dc=net??sub
nssov-ssd group ldap:///dc=zivios,dc=net??sub
nssov-ssd hosts ldap:///dc=zivios,dc=net??sub
nssov-pam hostservice
nssov-pam-session sshd
nssov-pam-session login

=== Back-ldap slapd.conf ===
database ldap
suffix dc=zivios,dc=net
uri "ldap://dev02.zivios.net"

acl-bind bindmethod=simple
  binddn=""
  credentials=""

idassert-bind bindmethod=simple
  binddn="cn=admin,dc=zivios,dc=net" // just for testing...
  credentials="foo"
  mode=none
  flags=non-prescriptive

overlay nssov
nssov-map group uniqueMember member
nssov-ssd passwd ldap:///dc=zivios,dc=net??sub
nssov-ssd group ldap:///dc=zivios,dc=net??sub
nssov-ssd hosts ldap:///dc=zivios,dc=net??sub

nssov-pam hostservice
nssov-pam-session sshd
nssov-pam-session login

lastmod off

=== 2 sample groups ===
dn: cn=eclstaff,ou=groups,dc=zivios,dc=net
objectClass: groupOfNames
objectClass: posixGroup
gidNumber: 3000
description: Emergen Staff
cn: eclstaff
member: uid=mhashmi,ou=users,dc=zivios,dc=net
member: uid=fkhan,ou=users,dc=zivios,dc=net
member: uid=jabbasi,ou=users,dc=zivios,dc=net
member: uid=zshaikh,ou=users,dc=zivios,dc=net
member: uid=akhan,ou=users,dc=zivios,dc=net

dn: cn=sysadmin,ou=groups,dc=zivios,dc=net
objectClass: groupOfNames
objectClass: posixGroup
gidNumber: 3001
description: Administrator
cn: sysadmin
member: uid=mhashmi,ou=users,dc=zivios,dc=net
member: uid=fkhan,ou=users,dc=zivios,dc=net

=== 2 sample users ===
dn: uid=mhashmi,ou=users,dc=zivios,dc=net
cn: Mustafa Hashmi
gidnumber: 3000
givenname: Mustafa
homedirectory: /home/mhashmi
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
ou: Users
sn: Hashmi
uid: mhashmi
uidnumber: 5050
userpassword: foo

dn: uid=fkhan,ou=users,dc=zivios,dc=net
cn: Faraz Khan
gidnumber: 3000
givenname: Faraz
homedirectory: /home/fkhan
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
ou: Users
sn: Khan
uid: fkhan
uidnumber: 5051
userpassword: foo
===
Please note: running an ldapsearch on the back-ldap server for groups works correctly and all entries are returned. I am at a bit of a loss here -- if anyone can tell me how to debug this further, it would be greatly appreciated.
Many thanks, Mustafa.
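
An added example, not part of the original thread: the message above contrasts a direct ldapsearch (all groups returned) with `getent group` (one group returned), and this script makes that comparison repeatable by listing posixGroup entries present in LDIF output but absent from NSS enumeration. The sample inputs are constructed from the entries quoted in the message; the function names and file names are assumptions.

```shell
#!/bin/sh
# Added example: find posixGroup entries that a direct LDAP search returns
# but NSS enumeration (getent group) does not. Live inputs would come from:
#   ldapsearch -x -LLL -b dc=zivios,dc=net '(objectClass=posixGroup)' cn objectClass > ldap.ldif
#   getent group > nss.txt

# Print the cn of every posixGroup entry in the LDIF read from stdin.
ldif_group_names() {
    # Pass 1: unfold LDIF continuation lines (lines starting with one space).
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }' |
    # Pass 2: entries are separated by blank lines; keep the first plain-text
    # cn of each entry that carries objectClass posixGroup.
    awk 'function emit() { if (grp && cn != "") print cn; grp = 0; cn = "" }
         /^$/ { emit(); next }
         tolower($0) ~ /^objectclass:[ ]*posixgroup[ ]*$/ { grp = 1 }
         tolower($0) ~ /^cn:[ ]/ && cn == "" { cn = $0; sub(/^[^:]*:[ ]*/, "", cn) }
         END { emit() }' | LC_ALL=C sort -u
}

# Print, sorted, the LDAP group names missing from `getent group` output.
#   $1 = LDIF file, $2 = file holding `getent group` output
missing_groups() {
    tmp=$(mktemp -d) || return 2
    ldif_group_names < "$1" > "$tmp/ldap"
    cut -d: -f1 "$2" | LC_ALL=C sort -u > "$tmp/nss"
    LC_ALL=C comm -23 "$tmp/ldap" "$tmp/nss"
    rm -rf "$tmp"
}

# Constructed sample: the four group DNs named in the message, one user entry
# that must be ignored, and one folded cn line to exercise the unfolding.
sample_ldif() {
cat <<'EOF'
dn: cn=eclstaff,ou=groups,dc=zivios,dc=net
objectClass: groupOfNames
objectClass: posixGroup
gidNumber: 3000
cn: eclstaff
member: uid=mhashmi,ou=users,dc=zivios,dc=net

dn: cn=sysadmin,ou=groups,dc=zivios,dc=net
objectClass: posixGroup
gidNumber: 3001
cn: sysadmin

dn: cn=mailadmin,ou=groups,dc=zivios,dc=net
objectClass: posixGroup
cn: mail
 admin

dn: cn=finance,ou=groups,dc=zivios,dc=net
objectClass: posixGroup
cn: finance

dn: uid=mhashmi,ou=users,dc=zivios,dc=net
objectClass: posixAccount
cn: Mustafa Hashmi
EOF
}

# Constructed sample: a few local groups plus the single LDAP group that the
# back-ldap host returned in the message.
sample_getent() {
cat <<'EOF'
root:x:0:
ssl-cert:x:110:zwebuser,zopenldap
eclstaff:*:3000:mhashmi,fkhan,jabbasi,zshaikh,akhan
EOF
}

d=$(mktemp -d)
sample_ldif > "$d/ldap.ldif"
sample_getent > "$d/nss.txt"
echo "Groups in LDAP but not enumerated by NSS:"
missing_groups "$d/ldap.ldif" "$d/nss.txt"
rm -rf "$d"
```

An empty result means every posixGroup in the directory is visible through NSS; any name printed is a group that group-based access decisions on that host will not see.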
I just compiled everything on Debian Lenny and back-ldap, nssov, pcache and all else is working perfectly. I'll try to figure out what the issue with Ubuntu Hardy is and post back if I can figure it out. Maybe I mangled something during the various attempts; apologies about the noise.
Mustafa
On Wed, Aug 4, 2010 at 5:36 PM, Mustafa A. Hashmi mahashmi@gmail.com wrote:
Hi all,
I am using OpenLDAP 2.4.23 (on Ubuntu Hardy 8.04) to test nssov. Everything is working perfectly on the primary server, with user, group and host information being pulled from OpenLDAP via nssov. Testing of authorized service / pam integration via slapd acls is also working correctly.
On another Ubuntu Hardy system I set up back-ldap and nssov, and though it works perfectly (including logins/acls, etc), there appears to be some issue when running:
getent group
*** truncated by sender.
It would be nice if it were /easy/ to identify how different distros compiled the various packages they include. I suspect that's likely the issue.
- chris
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Mustafa A. Hashmi
Sent: Thursday, August 05, 2010 4:02 AM
To: openldap-technical@openldap.org
Subject: Re: Back-ldap and Nssov
I just compiled everything on Debian Lenny and back-ldap, nssov, pcache and all else is working perfectly. I'll try to figure out what the issue with Ubuntu Hardy is and post back if I can figure it out. Maybe I mangled something during the various attempts; apologies about the noise.
Mustafa
On Wed, Aug 4, 2010 at 5:36 PM, Mustafa A. Hashmi mahashmi@gmail.com wrote:
Hi all,
I am using OpenLDAP 2.4.23 (on Ubuntu Hardy 8.04) to test nssov. Everything is working perfectly on the primary server, with user, group and host information being pulled from OpenLDAP via nssov. Testing of authorized service / pam integration via slapd acls is also working correctly.
On another Ubuntu Hardy system I set up back-ldap and nssov, and though it works perfectly (including logins/acls, etc), there appears to be some issue when running:
getent group
*** truncated by sender.