On Wed, 2015-03-11 at 19:27 -0600, Daniel Fussell wrote:
> Running nslcd on sid generally works, but is not able to get group
> names from ldap, reporting the following errors when requesting
> information on a user with the id command:
> 
> nslcd: [9478fe] DEBUG: connection from pid=2735 uid=2345 gid=4274
> nslcd: [9478fe] <group=1217> DEBUG: myldap_search(base="ou=groups,ou=<removed>, dc=<removed>,dc=<removed>,dc=<removed>", filter="(&(objectClass=posixGroup)(gidNumber=1217))")
> nslcd: [9478fe] <group=1217> ldap_result() failed: Protocol error: paged results control could not be decoded
[...]
> Installing nslcd from wheezy and running "nslcd -d" shows all queries working 
> with the same nslcd.conf, and all names resolve properly.

Can you provide some information on the LDAP server used?

The only relevant difference I can think of between 0.8 and 0.9 versions
of nss-pam-ldapd is that 0.9 requests an additional control from the
LDAP server for group queries. This is currently not configurable
because the LDAP server is supposed to ignore controls it doesn't
understand.

If you are not using the member attribute in group searches you could
set
  map group member ""
as a workaround in nslcd.conf to disable member attribute expansion
altogether.

Kind regards,

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
