Hi everyone,

We are having trouble since we updated from version 1.1.3 to 1.2.2 and 1.2.5. We have integrated CentOS/Redhat clients into LDAP. When we try to run "getent group", we only get one group and its members, but not the rest of the groups (should be more than 1000 groups). In the logs of dirsrv, we get the following error:

[03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection from XXXXX to XXXXX
[03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES
[03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=application manager,cn=config"
[03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH base="ou=Groups,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=2 filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid uniqueMember gidNumber"
[03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH base="uid=XXXXX,ou=XXXXX,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
*[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer reports incorrect Message Authentication Code.*
[03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection from XXXXX to XXXXX
[03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES
[03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=application manager,cn=config"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=2 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=3 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[03/May/2010:12:17:41 +0200] conn=71387 op=4 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=4 RESULT err=0 tag=101 nentries=1 etime=0

The UID searches that follow the group search are for the members of the first group returned by the group search. The command "getent passwd" works fine.

This only happens in servers upgraded to 389-ds-base 1.2.2 or 1.2.5 (tested in 6 different servers). If we configure the LDAP client to use un-upgraded servers using fedora-ds-base 1.1.3 (tested in 4 different servers), the command "getent group" works fine, and no errors are shown in the log. The client configuration is always the same, just changing the LDAP server.

These are the configuration files:

/etc/ldap.conf

uri ldaps://XXXXXX
base dc=XXXXXX,dc=XXXXXX
ldap_version 3
binddn cn=Application Manager,cn=config
bindpw XXXXXX
ssl on
sasl_secprops maxssf=0
tls_cacertdir /etc/openldap/cacerts
tls_cacert /etc/openldap/cacerts/cert-CA-cacert.pem
timelimit 20
bind_timelimit 20
idle_timelimit 3600
nss_base_hosts ou=Computers,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?one
nss_base_group ou=Groups,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?sub
nss_base_passwd dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
nss_base_shadow dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dbus,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,ldap,libuuid,list,lp,mail,mailman,man,messagebus,named,news,nobody,polkituser,proxy,radiusd,radvd,root,sshd,sync,sys,syslog,tomcat,uucp,www-data
pam_password clear

/etc/openldap/ldap.conf

URI ldaps://XXXXXX
BASE dc=XXXXXX,dc=XXXXXX
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/cert-CA-cacert.pem
TLS_REQCERT allow

/etc/nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus

Regards.
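
An added example, not part of the original post and not 389 Directory Server code: a small parser for the access-log format quoted above that reports connections which closed while requests were still waiting for a RESULT line. The names (unanswered_ops, SAMPLE_LOG, REQUESTS) are chosen for this example; on the sample it reports conn=71386 with op=1 and op=2 unanswered, matching the excerpt.

```python
import re
from collections import defaultdict

# Abridged from the post's log; the asterisks are the poster's emphasis.
SAMPLE_LOG = r'''
[03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=application manager,cn=config"
[03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH base="ou=Groups,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=2 filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid uniqueMember gidNumber"
[03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH base="uid=XXXXX,ou=XXXXX,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
*[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer reports incorrect Message Authentication Code.*
[03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 nentries=1 etime=0
'''

LINE = re.compile(r'^\*?\[[^\]]+\] conn=(\d+) op=(-?\d+) (.*?)\*?$')
CLOSED = re.compile(r'\bclosed - (.*)$')
# Access-log keywords for requests that should be followed by a RESULT line.
REQUESTS = {"BIND", "SRCH", "MOD", "ADD", "DEL", "MODRDN", "CMP", "EXT"}


def unanswered_ops(log_text):
    """Map conn -> (close reason, {op: request}) for every connection that
    closed while requests were still waiting for a RESULT line."""
    pending = defaultdict(dict)
    report = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # connection-level lines (no op=) are not needed here
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        verb = rest.split(" ", 1)[0]
        closed = CLOSED.search(rest)
        if verb in REQUESTS:
            pending[conn][op] = rest
        elif verb == "RESULT":
            pending[conn].pop(op, None)
        elif closed:
            left = pending.pop(conn, {})
            if left:
                report[conn] = (closed.group(1), left)
    return report


if __name__ == "__main__":
    for conn, (reason, ops) in unanswered_ops(SAMPLE_LOG).items():
        print(f"conn={conn} closed: {reason}")
        for op, request in sorted(ops.items()):
            print(f"  op={op} never got a RESULT: {request[:60]}")
```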