Juan Asensio Sánchez wrote:
> Hi everyone
>
> We are having trouble since we have updated from version 1.1.3 to
> 1.2.2 and 1.2.5. We have integrated CentOS/Redhat clients into LDAP.
> When we try to make "getent group", we only get one group and its
> members, but not the rest of the groups (should be more than 1000 groups).

What platform? 32-bit or 64-bit? How many groups? Do you only get this
error when you attempt a search to return this many groups?

> In the logs of dirsrv, we get the following error:
>
> [03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection from XXXXX to XXXXX
> [03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES
> [03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
> [03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=application manager,cn=config"
> [03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH base="ou=Groups,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=2 filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid uniqueMember gidNumber"
> [03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH base="uid=XXXXX,ou=XXXXX,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> *[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer reports incorrect Message Authentication Code.*
> [03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection from XXXXX to XXXXX
> [03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES
> [03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
> [03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=application manager,cn=config"
> [03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [03/May/2010:12:17:41 +0200] conn=71387 op=2 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [03/May/2010:12:17:41 +0200] conn=71387 op=3 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [03/May/2010:12:17:41 +0200] conn=71387 op=4 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> [03/May/2010:12:17:41 +0200] conn=71387 op=4 RESULT err=0 tag=101 nentries=1 etime=0
>
> The UID searches that follow the group search are for the members of the
> first group returned by the group search. The command "getent passwd"
> works fine. This only happens on servers upgraded to 389-ds-base 1.2.2
> or 1.2.5 (tested on 6 different servers). If we configure the LDAP
> client to use un-upgraded servers running fedora-ds-base 1.1.3 (tested
> on 4 different servers), the command "getent group" works fine, and no
> errors are shown in the log. The client configuration is always the
> same, just changing the LDAP server.
>
> These are the configuration files:
>
> /etc/ldap.conf
>
> uri ldaps://XXXXXX
> base dc=XXXXXX,dc=XXXXXX
> ldap_version 3
>
> binddn cn=Application Manager,cn=config
> bindpw XXXXXX
>
> ssl on
> sasl_secprops maxssf=0
> tls_cacertdir /etc/openldap/cacerts
> tls_cacert /etc/openldap/cacerts/cert-CA-cacert.pem
>
> timelimit 20
> bind_timelimit 20
> idle_timelimit 3600
>
> nss_base_hosts ou=Computers,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?one
> nss_base_group ou=Groups,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?sub
> nss_base_passwd dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
> nss_base_shadow dc=XXXXXX,dc=XXXXXX?sub?&(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))
>
> nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dbus,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,ldap,libuuid,list,lp,mail,mailman,man,messagebus,named,news,nobody,polkituser,proxy,radiusd,radvd,root,sshd,sync,sys,syslog,tomcat,uucp,www-data
> pam_password clear
>
>
> /etc/openldap/ldap.conf
>
> URI ldaps://XXXXXX
> BASE dc=XXXXXX,dc=XXXXXX
>
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_CACERT /etc/openldap/cacerts/cert-CA-cacert.pem
> TLS_REQCERT allow
>
>
> /etc/nsswitch.conf
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> hosts: files dns
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: nisplus
>
> publickey: nisplus
>
> automount: files nisplus
> aliases: files nisplus
>
> Regards.
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
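The access-log excerpt quoted in the thread shows what to look for when "getent group" comes back short: the group search (conn=71386 op=1) is never followed by a RESULT line, because the connection is closed first with "SSL peer reports incorrect Message Authentication Code", and the client then opens a fresh connection for the per-member lookups. The following script is an added example, not code from this thread or from the 389-ds project. It parses 389-ds access-log lines in the layout shown above, reports every SRCH that was still outstanding when its connection closed together with the close reason, and counts close reasons so a recurring MAC failure stands out. The sample log embedded in it is constructed from the quoted excerpt (with the thread's own XXXXX placeholders), and the field regexes assume the line layout seen there.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, modelled on the access-log excerpt quoted in the thread.
SAMPLE_LOG = """\
[03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection from XXXXX to XXXXX
[03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES
[03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=application manager,cn=config"
[03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH base="ou=Groups,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=2 filter="(&(objectClass=posixGroup))" attrs="cn userPassword memberUid uniqueMember gidNumber"
[03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH base="uid=XXXXX,ou=XXXXX,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer reports incorrect Message Authentication Code.
[03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection from XXXXX to XXXXX
[03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES
[03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn="cn=Application Manager,cn=config" method=128 version=3
[03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=application manager,cn=config"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH base="uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
[03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# Line layout as seen in the quoted log: "[timestamp] conn=N <rest>"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>-?\d+) (?P<rest>.*)$')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+)')
# op=-1 lines carry the close reason after "closed - "; some closes carry none.
CLOSE_RE = re.compile(r'^fd=\d+ closed(?: - (?P<reason>.*))?$')


def find_aborted_searches(log_text):
    """Return the searches that had no RESULT when their connection closed.

    Each item is a dict with conn, op, ts, base, scope, filter and reason
    (the text after "closed - ", or "" when the log gives none).
    """
    pending = defaultdict(dict)  # conn -> {op number: search info}
    aborted = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-connection line
        conn, rest = m.group('conn'), m.group('rest')
        om = OP_RE.match(rest)
        if not om:
            continue  # e.g. "SSL 256-bit AES" or the "SSL connection from" line
        op, body = int(om.group('op')), om.group('rest')
        if op == -1:
            cm = CLOSE_RE.match(body)
            if cm:
                reason = cm.group('reason') or ''
                # Every SRCH on this connection without a RESULT was cut off.
                for opnum, info in sorted(pending.pop(conn, {}).items()):
                    aborted.append(dict(info, op=opnum, reason=reason))
            continue
        sm = SRCH_RE.match(body)
        if sm:
            pending[conn][op] = dict(conn=conn, ts=m.group('ts'), base=sm.group('base'),
                                     scope=int(sm.group('scope')), filter=sm.group('filter'))
        elif RESULT_RE.match(body):
            pending[conn].pop(op, None)  # search completed normally
    return aborted


def close_reason_counts(log_text):
    """Count how often each close reason occurs, so a recurring TLS failure stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        om = OP_RE.match(m.group('rest'))
        if om and om.group('op') == '-1':
            cm = CLOSE_RE.match(om.group('rest'))
            if cm:
                counts[cm.group('reason') or '(no reason logged)'] += 1
    return counts


if __name__ == '__main__':
    for item in find_aborted_searches(SAMPLE_LOG):
        print(f"conn={item['conn']} op={item['op']} base={item['base']} "
              f"filter={item['filter']} closed: {item['reason']}")
    for reason, n in close_reason_counts(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {reason}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the subtree search over ou=Groups is the one reported as cut off, which is exactly the result that "getent group" never receives. Because the per-member UID lookups run on a new connection, their clean RESULT lines are not a sign that the group enumeration succeeded.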