If you get the following error:

/etc/ldap/slapd.conf: line 127: substr index of attribute "sambaSID" disallowed

when you run slapindex, then you haven’t updated your
samba.schema to the version from Samba 3.0.23. Dapper and Edgy
had 3.0.22, so if you’ve recently upgraded to Hardy, you will see this
problem. The file should have an MD5 of
0e23b3ad05cd2b38a302fe61c921f300. I’m hoping this resolves
problems I have with samba not picking up group membership changes. I’ll
update if it does.

Update: Having installed the new schema and run slapindex, net rpc info shows I have twelve groups when previously it showed zero. This may not solve my group membership problems, but it can’t be a step backwards.

Apache 2.2 changed the way you configure LDAP authentication.
mod_auth_ldap was replaced with mod_authnz_ldap, so don’t forget to
enable the new module and disable the old one. Because I’ll always
forget, here’s the new style config.

AuthType basic
AuthName "admin"
AuthBasicProvider ldap
AuthLDAPUrl ldap://ldap.example.com:389/ou=people,dc=example,dc=com?uid?sub
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=systems,ou=groups,dc=example,dc=com
AuthLDAPGroupAttribute memberUid

The sections in bold are the sections I had to change from the 2.0
config.

Been stuck at home ill all day, so I took the opportunity to type up an
article on LDAP
basics
, which is hopefully an easy to understand introduction to
LDAP. Given the complicated subject matter, I probably failed in a
couple of places. If you find something you don’t understand, I’d love
to know so I can rewrite that section to make it clearer.

I also updated my robust
shell scripting
article to include a small section on (almost)
race-free locking in bash, using IO redirection and bash’s noclobber
option. Thanks to Ralf Wildenhues for the suggestion.

About a year ago I had a problem with udev crashing during startup on
my powerpc box. Somehow I managed to muddle on with this problem,
probably by not rebooting the box. 🙂 Last summer I had to reoot it
again so I did a bit more research and discovered that udev was trying
to looking up the nvram group, not finding it in /etc/group and then
trying ldap, which, of course, failed because we have no networking yet.

Adding the group fixed the bug and filed a bug
against udev saying that udev should add any groups it used. Carrying
out further debugging revealed that the crash was during nss_wins. The
general order of events were:

  1. udev looks up a user or group.
  2. Group doesn’t exist in compat.
  3. Lookup in ldap.
  4. Ldap attempts to resolve the name of the ldap server or client.
    (server is 127.0.0.1 so confused about this point.)
  5. Network and/or dns server isn’t up so dns fails fails.
  6. Attempts to look up host in wins.
  7. udevstart crashes.

I didn’t have time to debug this any further and proceeded to forget
the problem, but last night my fileserver started having the same
problem. Removing ldap from passwd, group and shadow resolved the udev
problem, but then I didn’t have any users. Late last night I booted
without ldap and then changed nsswitch.conf to add ldap, and went to
bed.

This morning I had an epiphany in the shower. Not only did I remember
what the bug was, but also a sensible workaround. The problem wasn’t
with the passwd et al lines, but the hosts line. I did have

hosts: files dns mdns wins

The solution is to return if dns isn’t available and changed the line
to:

hosts: files dns [UNAVAIL=return] mdns wins

Now all I need to do is to debug nss_wins and get to the bottom of
the crash. It might be worth filing a bug against nss_ldap for trying to
do a lookup against an ip address.