Date: Mon, 18 May 2015 13:06:45 +0200 (CEST) From: =?ISO-8859-1?Q?Trond_Endrest=F8l?= <Trond.Endrestol@fagskolen.gjovik.no> To: FreeBSD questions <freebsd-questions@freebsd.org> Subject: sysutils/screen and net/nss_ldap on stable/10, and LDAP on Novell NetWare 6.5 SP8 Message-ID: <alpine.BSF.2.20.1505181238110.12303@mail.fig.ol.no>
next in thread | raw e-mail | index | archive | help
Hi, I decided to upgrade one of my production systems from stable/8, to stable/9, and finally to stable/10. All is well, except sysutils/screen. GNU screen is the only software not capable of using LDAP after the upgrade. I didn't recompile the ports while the system ran stable/9, only after upgrading to stable/10. I've traced the problem down to net/nss_ldap and getpwuid(). Luckily, this production system isn't in high demand, and only I use GNU screen on this system. The log facility user is filled with: May 18 10:40:24 <user.info> [HOSTNAME] screen: nss_ldap: failed to bind to LDAP server ldaps://ldap1.fqdn/: Can't contact LDAP server May 18 10:40:24 <user.info> [HOSTNAME] screen: nss_ldap: failed to bind to LDAP server ldaps://ldap2.fqdn/: Can't contact LDAP server To save some effort: /usr/local/etc/ldap.conf is symlinked to openldap/ldap.conf /usr/local/etc/ldap.secret is symlinked to openldap/ldap.secret /usr/local/etc/nss_ldap.conf is symlinked to ldap.conf (see above) /usr/local/etc/openldap/ldap.conf contains roughly: uri ldaps://ldap1.fqdn/ ldaps://ldap2.fqdn/ base O=XXX scope sub tls_cacert /etc/ssl/certs/somecert.cer ssl on ldap_version 3 binddn CN=[someproxyuser],OU=Proxyusers,O=XXX bindpw [WITHHELD] rootbinddn CN=[administrativeAccount],OU=YYY,O=XXX timeout 15 network_timeout 15 pam_login_attribute uid pam_password nds nss_base_passwd OU=ZZZ,O=XXX nss_base_shadow OU=ZZZ,O=XXX nss_base_groups OU=Unixgroups,O=XXX ldap1.fqdn and ldap2.fqdn runs Novell NetWare 6.5 SP8. GNU screen works flawless with locally defined users. Login, both console and SSH, using LDAP defined users and groups works flawlessly, and the same goes for long listing of directories (ls -l). I noticed net/nss-pam-ldapd in the ports collection. Is it worth the effort to switch from net/nss_ldap to net/nss-pam-ldapd? -- +-------------------------------+------------------------------------+ | Vennlig hilsen, | Best regards, | | Trond Endrestøl, | Trond Endrestøl, | | IT-ansvarlig, | System administrator, | | Fagskolen Innlandet, | Gjøvik Technical College, Norway, | | tlf. mob. 952 62 567, | Cellular...: +47 952 62 567, | | sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00. | +-------------------------------+------------------------------------+ From owner-freebsd-questions@FreeBSD.ORG Mon May 18 11:30:53 2015 Return-Path: <owner-freebsd-questions@FreeBSD.ORG> Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A3BEE990 for <freebsd-questions@freebsd.org>; Mon, 18 May 2015 11:30:53 +0000 (UTC) Received: from smtp.infracaninophile.co.uk (smtp6.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "ca.infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 3112B18CE for <freebsd-questions@freebsd.org>; Mon, 18 May 2015 11:30:53 +0000 (UTC) Received: from zero-gravitas.local (no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged)) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.15.1/8.15.1) with ESMTPSA id t4IBUiKC021068 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <freebsd-questions@freebsd.org>; Mon, 18 May 2015 12:30:46 +0100 (BST) (envelope-from matthew@FreeBSD.org) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=FreeBSD.org DKIM-Filter: OpenDKIM Filter v2.9.2 smtp.infracaninophile.co.uk t4IBUiKC021068 Authentication-Results: smtp.infracaninophile.co.uk/t4IBUiKC021068; dkim=none reason="no signature"; dkim-adsp=none; dkim-atps=neutral X-Authentication-Warning: lucid-nonsense.infracaninophile.co.uk: Host no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged) claimed to be zero-gravitas.local Message-ID: <5559CD42.1070708@FreeBSD.org> Date: Mon, 18 May 2015 12:30:10 +0100 From: Matthew Seaman <matthew@FreeBSD.org> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: freebsd-questions@freebsd.org Subject: Re: sysutils/screen and net/nss_ldap on stable/10, and LDAP on Novell NetWare 6.5 SP8 References: <alpine.BSF.2.20.1505181238110.12303@mail.fig.ol.no> In-Reply-To: <alpine.BSF.2.20.1505181238110.12303@mail.fig.ol.no> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="rE0EIXGX2FiCPDm9bdvHBubsVlj3sies0" X-Virus-Scanned: clamav-milter 0.98.7 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.8 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on lucid-nonsense.infracaninophile.co.uk X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: User questions <freebsd-questions.freebsd.org> List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>; List-Post: <mailto:freebsd-questions@freebsd.org> List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help> List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, <mailto:freebsd-questions-request@freebsd.org?subject=subscribe> X-List-Received-Date: Mon, 18 May 2015 11:30:53 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --rE0EIXGX2FiCPDm9bdvHBubsVlj3sies0 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 2015/05/18 12:06, Trond Endrest=F8l wrote: > I noticed net/nss-pam-ldapd in the ports collection. Is it worth the=20 > effort to switch from net/nss_ldap to net/nss-pam-ldapd? I've tried both nss_ldap and nss-pam-ldapd and I prefer the latter -- it is build around a pretty nice 'nslcd' caching daemon and seems to run more smoothly in general than nss_ldap. Plus only one config file to hookup both pam and nsswitch to LDAP, and it understands LDAP service autodiscovery via SRV records. Cheers, Matthew --rE0EIXGX2FiCPDm9bdvHBubsVlj3sies0 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org iQJ8BAEBCgBmBQJVWc1CXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxOUYxNTRFQ0JGMTEyRTUwNTQ0RTNGMzAw MDUxM0YxMEUwQTlFNEU3AAoJEABRPxDgqeTntAAP/jslPR60bCWHaAkMpsvrU1rZ vgrSOTe8AavwSnrkuxbEC0rYeowS2rb9xViXAWBqu4wFbfkHhj2dEFodWt41ujTX JpAFOAgIgOrL3ILn36iE/lW7ioS8+G9Z6EbhsQRygMOs/ijTGtePmCOhLMNpRiTY h5Jvq8NQFu8nHlAKEoZuNoWW9PnHsplwE6gbCaSvZlit3X1fuAhHbk3EujhB/467 xqFHY3/M5UP28c5ckZoV/YRN4jdYOk7BqU1E2W9THo2iem0dXpeMvbVp6CMjKu8V u0oEjiHQtzRAtZma3OHNoRfThOywq7dYuH/4O00hcpMFYyC4mU5TR3HZvDmJF9w+ qZlH4jCwPC1aBL7XgSlrb3+rKxvhIiDDg471atPGMVKb/q3udPIJZ8sQz6iLu24Z h1YDCo3QZIJJBuefPsJfrzIO2rK/FWZwO3iO18R9AAiWb/rrN336RAzy5fkCAymr N6dCGqhHQvAgsUqTwUMY7Fi4cubmDo4f+ucDD+RCsqHbXaGZDzQxggQzDMEYDs8u IGui4xKVZPg6pBIZcOnJtEFjBFPrswF6B43LCosWVEvhDYesVzXcGBfu4WdSWorv kjFBHBXSUGS0E9wlESldHANk6e9v1G8VoY0bpjo1qWALD/T02ET2hyj7UgFK/BCT KDImplbE5lqU/UN5qIZ/ =CZp8 -----END PGP SIGNATURE----- --rE0EIXGX2FiCPDm9bdvHBubsVlj3sies0--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.20.1505181238110.12303>