On Wed, 15.04.2009 at 12:14:48 -0700, Benjamin Lee wrote:
On 04/15/2009 01:33 AM, Konrad Heuer wrote:
I see a problem on two systems running FreeBSD 7.0 or 7.1 which are
configured as OpenLDAP clients using the nss_ldap module.
When someone logs on using ssh protocol version 2 the session will not
be initialized correctly. The user will only get his primary group
affiliation but no affiliation to other groups (memberUid attribute in
LDAP group entries).
On 7.1 the ssh login process hangs forever with open ldap queries, on
7.0 the group list is incomplete. On several 6.x systems, all works
correctly.
I have used the configuration for years now.
There are some workarounds I found:
a) use ssh protocol version 1
b) set UseLogin to yes in sshd_config
c) avoid ssl encryption in communication to ldap server
(ldap://... uri instead of ldaps://... in ldap.conf)
Does anybody see similar problems? Does anybody have an idea what may
couse the problem?
I recently submitted ports/133501 regarding this issue, but I have not
yet received a response.
My workaround was to disable pthread_atfork support, so the problem
might be related to the change from libkse to libthr in RELENG_7.
I tried your patch to see if it made any change for the nss_ldap UNIX
socket leak, but sadly no change. I never observed the SSH2 problems you
guys mention, but then again I'm usually using key authentication.
I'll run with the patch anyway and see if it makes any change to the
problem where login(1) is only able to authenticate me after 30s of
idling.
Cheers,
Ulrich Spörlein
--
None are more hopelessly enslaved than those who falsely believe they are free
-- Johann Wolfgang von Goethe
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
