From: Rodney Simioni Sent: Friday, March 08, 2013 4:27 PM To: openldap-technical@openldap.org Subject: RE: getent passwd inconsistent loginShell with ldapsearch
I think this may have fixed it. In my ldap.conf I had:
URI ldap://127.0.0.1/
I changed it to the host name:
URI ldap://narf.com/
I restarted slapd and now they are consistent.
From: Rodney Simioni Sent: Friday, March 08, 2013 4:14 PM To: openldap-technical@openldap.org Subject: getent passwd inconsistent loginShell with ldapsearch
Hi,
When I do a 'getent check72 passwd' I get:
check72:*:6072:6072:Johnny Appleseed:/home/check72:/bin/bash
But when I do a ldapsearch command I get:
# check72, people, wh.local
dn: uid=check72,ou=people,dc=wh,dc=local
uid: check72
cn: Johnny Appleseed
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e1NTSEF9OWVHdTdPVHIwVE15ajNQNEphdG9GR1cwZnQxa2Ftb3k=
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
uidNumber: 6072
gidNumber: 6072
homeDirectory: /home/check72
loginShell: /bin/noshell
# check72, group, wh.local
dn: cn=check72,ou=group,dc=wh,dc=local
objectClass: posixGroup
objectClass: top
cn: check72
gidNumber: 6072
userPassword:: e0NSWVBUfXg=
# search result
search: 2
result: 0 Success
I have restarted slapd and nscd, any clue? Thanks in advance.
This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.
That didn't fix it; getent and ldapsearch are still inconsistent.
From: Liam Gretton Sent: Monday, March 11, 2013 5:42 AM To: openldap-technical@openldap.org Subject: Re: getent passwd inconsistent loginShell with ldapsearch
On 08/03/2013 21:41, Rodney Simioni wrote:
That didn't fix it; getent and ldapsearch are still inconsistent.
Firstly, switch off nscd altogether when tracking down these problems, it will only get in the way and cause confusion.
As there's a mismatch between the user's shell in the two outputs, and assuming that your ldapsearch is definitely querying what ldap.conf is configured to look at, then I'd guess that you have an entry for this user in /etc/passwd.
-- Liam Gretton liam.gretton@le.ac.uk Systems Specialist http://www.le.ac.uk/its IT Services Tel: +44 (0)116 2522254 University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom
I disabled nscd. Here's my ldap.conf
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
#URI ldap://127.0.0.1/
URI ldap://127.0.0.1/
BASE dc=wh,dc=local
port 389
It's still inconsistent.
From: Michael Starling Sent: Monday, March 11, 2013 5:44 PM To: Rodney Simioni Cc: openldap-technical@openldap.org Subject: Re: getent passwd inconsistent loginShell with ldapsearch
Did you check your local passwd file?
Yes, I did.
From: Liam Gretton Sent: Tuesday, March 12, 2013 5:00 AM To: openldap-technical@openldap.org Subject: Re: getent passwd inconsistent loginShell with ldapsearch
On 11/03/2013 21:26, Rodney Simioni wrote:
I disabled nscd. Here's my ldap.conf
Wrong ldap.conf. What's in /etc/ldap.conf and are you absolutely sure that the user doesn't exist in /etc/passwd?
Also what's in /etc/nsswitch.conf for the passwd entry?
I don't have a /etc/ldap.conf. I have a /etc/openldap/ldap.conf.
I'm sure my ldap users do not exist in /etc/passwd.
Nscd is disabled.
/etc/nsswitch.conf has:
passwd: files sss ldap
shadow: files sss ldap
my sssd.conf is:
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=wh,dc=local
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://127.0.0.1/
ldap_tls_cacertdir = /etc/openldap/cacerts
access_provider = ldap
ldap_access_filter = host=localhost
ldap_pwd_policy = shadow
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = default, local
[nss]
[pam]
[ssh]
[sudo]
[autofs]
Thank you.
On 03/12/13 09:55 -0400, Rodney Simioni wrote:
/etc/nsswitch.conf has:
passwd: files sss ldap
shadow: files sss ldap
You have two ldap related nss modules, which might explain your inconsistency. Try removing ldap.
-- Dan White
I removed ldap from nsswitch.conf. I restarted slapd and sssd.
There are still inconsistencies between getent and ldapsearch:
[root@rodster sssd]# getent passwd meathead08
meathead08:*:343108:343108:Johnny Appleseed:/home/meathead08:/bin/noshell
ldapsearch -w xxxx -D "cn=manager,dc=wh,dc=local"
homeDirectory: /home/meathead08
loginShell: /bin/bash
On 03/12/13 10:19 -0400, Rodney Simioni wrote:
/etc/nsswitch.conf has:
passwd: files sss ldap
shadow: files sss ldap
Your problem does not appear to be openldap related.
Try alternatively removing 'files' and 'sss' from your nsswitch.conf file, and then running getent again. If the problem persists in both scenarios, then you've got a caching issue. If the problem exists in only one of the cases, then you know who to blame.