On Mon, 2011-03-07 at 18:43 -0800, Chris Hiestand wrote:
> The passwd command is failing when consumer (slave) ldap servers are
> specified before provider (master) ldap servers in nslcd.conf.
Thanks for the bug report and sorry for not following up sooner. Do you
know if this works with the traditional pam_ldap? It would seem that the
OpenLDAP library is not chasing referrals correctly for some reason.

> Syslog:
> 2011-03-07T16:28:12-08:00 host authpriv debug passwd passwd[23236]:
> pam_ldap(passwd:chauthtok): nslcd authentication; user=username
> 2011-03-07T16:28:12-08:00 host authpriv debug passwd passwd[23236]:
> pam_ldap(passwd:chauthtok): authentication succeeded
> 2011-03-07T16:28:17-08:00 host authpriv debug passwd passwd[23236]:
> pam_ldap(passwd:chauthtok): nslcd password modify; user=username
> 2011-03-07T16:28:17-08:00 host authpriv notice passwd passwd[23236]:
> pam_ldap(passwd:chauthtok): password change failed: Referral; user=username
> 2011-03-07T16:28:17-08:00 host authpriv debug passwd passwd[23236]:
> pam_unix(passwd:chauthtok): user "username" does not exist in /etc/passwd
> 2011-03-07T16:28:17-08:00 host daemon warning nslcd nslcd[22889]: [5558ec]
> ldap_start_tls_s() failed: Local error (uri="ldaps://ldapmaster.my.tld:636")
> 2011-03-07T16:28:17-08:00 host daemon err nslcd nslcd[22889]: [5558ec]
> ldap_passwd_s() without old password failed: Referral
> 2011-03-07T16:28:17-08:00 host daemon warning nslcd nslcd[22889]: [5558ec]
> ldap_start_tls_s() failed: Local error (uri="ldaps://ldapmaster.my.tld:636")
> 2011-03-07T16:28:17-08:00 host daemon err nslcd nslcd[22889]: [5558ec]
> ldap_passwd_s() with old password failed: Referral

Can you run nslcd in debugging mode to get a little more detail on what is
going on? It seems that it does attempt to connect to the master but
initialising TLS fails.

Could you include some more details on your config? From the logs above it
seems that you are mixing ldaps:// with StartTLS. I think nslcd may be
trying to use StartTLS on an ldaps:// connection. Perhaps the slave should
provide a referral with ldap:// instead?

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
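An added illustration of the two points raised in the reply above (the uri order in nslcd.conf, and a referral scheme that matches the client's TLS mode). This is example configuration written for this page, not the reporter's actual files or anything from the nss-pam-ldapd project. The hostname ldapmaster.my.tld is taken from the log; the slave hostname, base DN, certificate paths and the consumer's updateref value are assumptions.

```ini
# --- nslcd.conf on the client (hypothetical, based on the report) ---
#
# The reporter lists the consumer (slave) before the provider (master).
# A password change is a write; the read-only consumer answers it with a
# referral, and nslcd then has to open a second connection to the master
# to chase that referral.
uri ldaps://ldapslave.my.tld:636
uri ldaps://ldapmaster.my.tld:636
base dc=my,dc=tld

# With ldaps:// URIs the TLS mode is "on" (TLS from the first byte).
# "ssl start_tls" means a StartTLS extended operation on a plain ldap://
# session; the hypothesis in the reply is that nslcd ends up sending
# StartTLS on the already encrypted ldaps:// connection to the master,
# which would match the "ldap_start_tls_s() failed: Local error" lines.
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# Alternative layout: plain ldap:// URIs with StartTLS. If the client is
# set up this way, the referral the consumer hands out should also use
# the ldap:// scheme so the chased connection gets the same treatment.
#uri ldap://ldapslave.my.tld
#uri ldap://ldapmaster.my.tld
#ssl start_tls

# --- slapd.conf on the consumer (hypothetical) ---
#
# The referral returned for write attempts is whatever updateref names
# (olcUpdateRef under cn=config). Keep its scheme consistent with the
# client's ssl setting: ldap:// for "ssl start_tls", ldaps:// for "ssl on".
# The value below is an assumed example, not the reporter's setting.
#updateref ldap://ldapmaster.my.tld
```

To see which referral the consumer actually returns, attempt a write against it directly with ldapmodify and read the referral URI in the error result; the scheme there is what nslcd will try to connect with. Running nslcd in the foreground with -d, as asked for in the reply, shows each connection attempt and which URI it used.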