Hi Guys,

I'm having a pretty weird problem, and really have no idea where to begin in tracing and fixing it. But here goes.

I'm running Ubuntu 10.10 on 2 machines, and have installed OpenLDAP as per the guide https://help.ubuntu.com/10.10/server...ap-server.html it all seemed to be going well having it installed and running on Server A, including authentication. So a few days later I decided to setup server B to be a slave replica. Which after a little bit of fiddling seems to working and keeping the records in sync.

Then I did an apt-get upgrade on server A. then my problem started.

Basically getent passwd, only returns one entry from the LDAP and so does getent group.
But a search of LDAP returns everything that's there.

I've been comparing the config files between Server A and Server A for PAM etc, and everything is the same.

but if I change ldap.conf on server A to point the uri ldap://server B/ and rerun getent passwd it returns all the users and getent group returns all the groups.

I've compared the LDAP entries between Server A and Server B and they're staying in sync.

It looks like it's more to do with ldap than the auth config if just changing the server fixes it, but as server A is the master LDAP server I'm really at a loss.

Server A - Ubuntu 10.10 (Upgraded from originally 8.04 I believe)

# dpkg -l | grep -i openldap
ii ldap-utils 2.4.21-0ubuntu5.3 OpenLDAP utilities
ii libldap-2.4-2 2.4.21-0ubuntu5.3 OpenLDAP libraries
ii slapd 2.4.21-0ubuntu5.3 OpenLDAP server (slapd)

Server B - Ubuntu 10.10 (Fresh install)

c# dpkg -l | grep -i openldap
ii ldap-utils 2.4.23-0ubuntu3.4 OpenLDAP utilities
ii libldap-2.4-2 2.4.23-0ubuntu3.4 OpenLDAP libraries
ii slapd 2.4.23-0ubuntu3.4 OpenLDAP server (slapd)


If getent was only returning local users it'd be something, but it's returning local + 1 LDAP user or 1 group. Which just seems weird.

Any help would be greatly appreciated. I'm sure posting some logs would be helpful, but I have no idea which so if someone can let me know what extra info would be more helpful I'll post it back asap.

Thanks in advance.

In general i'd say you could do with manually recreating what it's being asked for and inspecting the raw data. You can see the queries in the server side log file assuming it it's configured accordingly, our if you're not using ssl / tls you can use a tool like wireshark to see the while conversation as it happened across the network. By doing that you'll probably see a missing attribute that stops it being able to be used as a valid posix account. Often you can see the account being returned but not coming out of the end of a getent passwd which would suggest something about the data is incomplete or invalid.