2 Replies. Latest reply: Jan 7, 2010 2:44 PM by 807567

    LDAP passwd search paths

    807567
      Using Solaris 10 client to SunOne Directory Server.

      I have two posixAccounts in LDAP with the same uid in two different trees. I would like the search path to succeed and return after finding the first match, but instead it finds them both and complains.

      ldap_client_file
      ---------------------------
      NS_LDAP_FILE_VERSION= 2.0
      NS_LDAP_SERVERS= xxx.xxx.xxx.xx
      NS_LDAP_SEARCH_BASEDN= dc=mathcs,dc=emory,dc=edu
      NS_LDAP_AUTH= tls:simple
      NS_LDAP_SEARCH_REF= FALSE
      NS_LDAP_SEARCH_SCOPE= sub
      NS_LDAP_SEARCH_TIME= 30
      NS_LDAP_CACHETTL= 43200
      NS_LDAP_PROFILE= tls-default
      NS_LDAP_CREDENTIAL_LEVEL= proxy
      NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=mathcs,dc=emory,dc=edu;ou=people,dc=students,dc=mathcs,dc=emory,dc=edu
      NS_LDAP_BIND_TIME= 10


      Error in /var/adm/messages
      --------------------------------------------------
      Nov 15 16:39:19 xxxxx sshd[1527]: [ID 293258 auth.warning] libsldap: Status: 7 Mesg: Too many entries are returned for xxxxx

      Does anyone know a solution?
        • 1. Re: LDAP passwd search paths
          807567
          I know this is an old post, but we have the same problem, and I can't find any solution or workaround. Some of our users have entries with the same user id in both ou=ansatt and ou=student, but most users have only one entry.
          On some servers we want to permit users in both ou=ansatt and ou=student to log in. If we use this client configuration:

          NS_LDAP_FILE_VERSION= 2.0
          NS_LDAP_SERVERS= xxx yyy zzz
          NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
          NS_LDAP_AUTH= none;tls:simple;sasl/DIGEST-MD5
          NS_LDAP_SEARCH_REF= TRUE
          NS_LDAP_SEARCH_SCOPE= sub
          NS_LDAP_SEARCH_TIME= 30
          NS_LDAP_CACHETTL= 43200
          NS_LDAP_PROFILE= felles
          NS_LDAP_CREDENTIAL_LEVEL= anonymous
          NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=ansatt,ou=people,dc=example,dc=com;ou=student,ou=people,dc=example,dc=com?sub
          NS_LDAP_BIND_TIME= 10
          NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
          NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simple
          NS_LDAP_SERVICE_AUTH_METHOD= keyserv:tls:simple

          the users with entries in both ou=ansatt and ou=student are refused login via ssh, and the log shows:

          libsldap: Status: 7 Mesg: Too many entries are returned for <user>

          Is there a way to solve this? The way we want it to work is: Log in using the entry in ou=ansatt if it exists, else use the entry in ou=student.
          • 2. Re: LDAP passwd search paths
            807567
            This is why unique uids are preferred. Any particular reason the uid exists in both
            paths? If the user is a student in the CS department, I would just leave them in
            the ou=People,dc=students OU. Or, dispense with the student OU and make it
            a Group or Netgroup. If, however, the users are actually two distinct people, then
            you should either rename one uid, or change how you filter out things.

            Ian
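An added audit script, not from this thread, that applies the same per-base lookup libsldap performs to saved ldapsearch LDIF output, using the original poster's passwd search descriptor, so uids present under more than one base can be found before they trigger the "Too many entries" (Status 7) error. The LDIF below is constructed for the example, and the reader is assumed to be plain one-line LDIF without continuation lines.

```python
from collections import defaultdict

# passwd search descriptor from the original post; bases are tried in this order
PASSWD_SSD = ("passwd:ou=people,dc=mathcs,dc=emory,dc=edu;"
              "ou=people,dc=students,dc=mathcs,dc=emory,dc=edu")

# Constructed sample of ldapsearch LDIF output: "alice" exists in both trees.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=mathcs,dc=emory,dc=edu
objectClass: posixAccount
uid: alice

dn: uid=alice,ou=people,dc=students,dc=mathcs,dc=emory,dc=edu
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=people,dc=students,dc=mathcs,dc=emory,dc=edu
objectClass: posixAccount
uid: bob
"""

def ssd_bases(ssd):
    # "service:base[?scope[?filter]];base..." -> ordered list of base DNs
    return [p.split("?")[0].strip().lower()
            for p in ssd.partition(":")[2].split(";") if p.strip()]

def parse_ldif(text):
    # minimal LDIF reader: blank-line separated entries of "attr: value" lines
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            k, _, v = line.partition(":")
            attrs[k.strip().lower()].append(v.strip())
        entries.append(attrs)
    return entries

def audit(ldif_text, ssd):
    # uid -> bases (in SSD order) holding a posixAccount for it; more than one is Status 7
    bases = ssd_bases(ssd)
    hits = defaultdict(list)
    for e in parse_ldif(ldif_text):
        if "posixaccount" not in [oc.lower() for oc in e.get("objectclass", [])]:
            continue
        dn = e["dn"][0].lower()
        base = next((b for b in bases if dn.endswith("," + b)), None)
        if base is None:
            continue
        for uid in e.get("uid", []):
            hits[uid].append(base)
    return {uid: sorted(bs, key=bases.index) for uid, bs in hits.items() if len(bs) > 1}
```

The first base listed for each flagged uid is the entry the posters want to win; until the client supports that, the collision has to be resolved in the directory, as Ian suggests.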