# [solved] nsswitch.conf ldap nss_ldap-249

## loux.thefuture

Hello,

Everything was good,

but today I have a problem with nss_ldap (I emerged nss_ldap-249).

When I shut down slapd,

I'm not able to do "su ldap" anymore.

My nsswitch.conf is: xxx compact ldap

and ldap is in my /etc/passwd file,

but nss_ldap tries to bind 4 seconds, 8 seconds, ...

I found that nss_ldap-249 has trouble with it,

so I emerged nss_ldap-239-r1 and everything goes right.

So be careful with nss_ldap-249.

loux

----------

## c0vert

Hmm, I had the same problem. Thanks

----------

## jayjay

Damn,

took me a lot of time this afternoon to find out!

I did an "emerge -e world" last night and after that ldap was broken.

sys-auth/nss_ldap-249 is broken.

Cheers JJ

----------

## robbat2

Would each of you please file separate bugs, assigned straight to ldap-bugs@gentoo.org?

Also, consider bug #134473.

249 works for me, and at least one other user (once he changed his configuration).

Include:

1. The uncommented lines from /etc/ldap.conf

2. emerge --info

3. Uncommented lines from: /etc/ssh/sshd_config

4. Uncommented lines from: /etc/pam.d/system-auth

5. Uncommented lines from: /etc/nsswitch.conf

Using the data from ldap.conf, construct your version of this, and show me the command and the output

```
ldapsearch -v -x -b ${nss_base_passwd} -s one -h ${host} uid=${username}
```

OR

```
ldapsearch -v -x -b ${nss_base_passwd} -s one -H ${uri} uid=${username}
```

Use the first variant if you use a 'host' line in ldap.conf, and the second one if you use 'uri'.

----------

## Hagar

I've experienced the same behaviour back when 249 was introduced to ~amd64.

At the time I didn't feel like diving into it so I masked it and kept using 239.

But now the 250 release bit me again and I started to look around for some information.

I'll post some details to the bugreport that brought me here tomorrow ( https://bugs.gentoo.org/show_bug.cgi?id=134966 )

But I do want to share one thing:

```
# genlop -t nss_ldap
 * sys-auth/nss_ldap

     Mon Jul 25 17:11:10 2005 >>> sys-auth/nss_ldap-239-r1
       merge time: 1 minute and 49 seconds.

     Mon Jul 25 21:11:57 2005 >>> sys-auth/nss_ldap-239-r1
       merge time: 1 minute and 34 seconds.

     Sat Feb 25 15:39:09 2006 >>> sys-auth/nss_ldap-249
       merge time: 39 minutes and 31 seconds.

     Sun Feb 26 12:23:19 2006 >>> sys-auth/nss_ldap-239-r1
       merge time: 1 minute and 44 seconds.

     Tue May 30 18:33:27 2006 >>> sys-auth/nss_ldap-250
       merge time: 40 minutes and 58 seconds.
```

How come the releases after 239 have such ridiculously high merge times?

Edit: Ok that last question answered itself after merging nss_ldap with the debug flag.

It seems it tries to bind to the ldap server before merging.

----------

## robbat2

Everybody here with a problem, if you have a line that starts with 'ssl' in your /etc/ldap.conf, please remove it for using nss_ldap-250!

This was confirmed in bug 134473: https://bugs.gentoo.org/show_bug.cgi?id=134473

If you have long boot times, see: https://bugs.gentoo.org/show_bug.cgi?id=99564

----------

## loux.thefuture

Hello,

The lines in /etc/ldap.conf for ssl are:

ssl start_tls

ssl on

Is it good?

loux

PS: why does disabling it resolve the trouble?

----------

## robbat2

remove 'ssl on'

and leave only 'ssl start_tls'

----------
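An added example, not part of any post in this thread and not from the nss_ldap project: a shell script that pulls the uncommented lines out of ldap.conf, builds the `ldapsearch` command robbat2 asks for (choosing `-H` or `-h` from the `uri`/`host` line), and notes when more than one `ssl` line is set. The function names, the sample config and its `example.org` values are constructed for illustration; preferring `uri` when both keywords are present is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the thread): gather the ldap.conf details requested above.

# Uncommented, non-blank lines of a config file.
active_lines() {
    grep -v -E '^[[:space:]]*(#|$)' "$1"
}

# Value of the first active line whose keyword is $2.
conf_value() {
    active_lines "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Number of active lines starting with "ssl".
ssl_line_count() {
    active_lines "$1" | awk '$1 == "ssl"' | wc -l | tr -d ' '
}

# Print the ldapsearch command for user $2 using the values in config file $1.
build_ldapsearch() {
    conf=$1; user=$2
    base=$(conf_value "$conf" nss_base_passwd)
    base=${base%%\?*}   # nss_base_passwd may carry a "?scope?filter" suffix
    uri=$(conf_value "$conf" uri);   uri=${uri%% *}    # first entry only
    host=$(conf_value "$conf" host); host=${host%% *}
    [ -n "$base" ] || { echo "no nss_base_passwd in $conf" >&2; return 1; }
    if [ -n "$uri" ]; then       # assumption of this example: prefer uri over host
        printf "ldapsearch -v -x -b '%s' -s one -H '%s' 'uid=%s'\n" "$base" "$uri" "$user"
    elif [ -n "$host" ]; then
        printf "ldapsearch -v -x -b '%s' -s one -h '%s' 'uid=%s'\n" "$base" "$host" "$user"
    else
        echo "no uri or host in $conf" >&2; return 1
    fi
}

# Constructed sample config; point $sample at /etc/ldap.conf on a real system.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, not a real server
uri ldap://ldap.example.org/
nss_base_passwd ou=People,dc=example,dc=org?one
ssl start_tls
ssl on
EOF

echo "== uncommented lines =="; active_lines "$sample"
echo "== command to run ==";    build_ldapsearch "$sample" loux
[ "$(ssl_line_count "$sample")" -le 1 ] || echo "note: more than one 'ssl' line is set"
```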

