arthurdejong / nss-pam-ldapd

NSS and PAM modules for lookups using LDAP
https://arthurdejong.org/nss-pam-ldapd/
GNU Lesser General Public License v2.1

nss_uid_offset has no effect #35

Open radu-marinescu opened 5 years ago

radu-marinescu commented 5 years ago

I am on a Linux Mint system, nss-pam-ldap 0.9.9. I have added 'nss_uid_offset 2000' and 'nss_gid_offset 2000' to /etc/nslcd.conf. However, when I run 'id someLdapUser' from the shell, I get back its uid:gid 1:2, as it is sent from the ldap server. From my understanding, they are supposed to be offset to 2001:2002.

Let me know what extra info would be necessary to debug this.

arthurdejong commented 5 years ago

That should indeed be the case. It could be that you have nscd running and it has cached previous entries. Can you provide the output of nslcd -d when performing this lookup?

radu-marinescu commented 5 years ago

Here it is. I did a lookup, but nothing shows up in the output.

nslcd: Warning: NSS_LDAP version missing: /lib/x86_64-linux-gnu/libnss_ldap.so.2: undefined symbol: _nss_ldap_version
nslcd: Warning: /lib/x86_64-linux-gnu/libnss_ldap.so.2: undefined symbol: _nss_ldap_enablelookups (probably older NSS module loaded)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,demand)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/ssl/certs/ca-certificates.crt")
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 133
nslcd: DEBUG: CFG: uri ldaps://accounts.ideologic/
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: base dc=accounts,dc=ideologic
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=posixAccount)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword ""
nslcd: DEBUG: CFG: map passwd userPassword ""
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword ""
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl start_tls
nslcd: DEBUG: CFG: tls_reqcert demand
nslcd: DEBUG: CFG: tls_cacertfile /etc/ssl/certs/ca-certificates.crt
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 2000
nslcd: DEBUG: CFG: nss_uid_offset 2000
nslcd: DEBUG: CFG: nss_gid_offset 2000
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disableenumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9.@$()]([a-z0-9._@$() \~-][a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.9 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",133) done
nslcd: DEBUG: setgid(133) done
nslcd: DEBUG: setuid(124) done
nslcd: accepting connections

arthurdejong commented 4 years ago

Sorry to not reply sooner but the debug log does not include information from a lookup, only start-up. Can you run nslcd in debug mode and then run id someLdapUser?
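As an added example (not part of this issue or of nss-pam-ldapd), a small POSIX sh diagnostic for the situation above: it computes the uid:gid nslcd should hand back once the nss_uid_offset, nss_gid_offset and nss_min_uid settings from nslcd.conf are applied, compares that with what `id` reports, and runs the two checks raised in the thread (is nscd running, and does the libnss_ldap.so.2 named in the start-up warning export the _nss_ldap_version symbol nslcd looked for). It assumes the offset is added before the nss_min_uid comparison, that `nm` and `pgrep` are installed, and the module path taken from the log above.

```shell
#!/bin/sh
# Work out what 'id' should print once nslcd has applied nss_uid_offset /
# nss_gid_offset (and the nss_min_uid cut-off) from nslcd.conf, then compare
# with the live answer.  A mismatch while 'nslcd -d' shows no request for the
# user means the answer is not coming from nslcd at all (nscd cache, or an
# older NSS module that bypasses nslcd, as the start-up warning suggests).
CONF=${NSLCD_CONF:-/etc/nslcd.conf}

# Read one numeric option from an nslcd.conf-style file; 0 when it is absent.
cfg_value() {  # $1=config file, $2=option name
    awk -v key="$2" '$1 == key { v = $2 } END { print (v == "" ? 0 : v) }' "$1"
}

# "uid:gid" as nslcd is expected to return it for the raw LDAP uidNumber /
# gidNumber, or "filtered" when the offset uid falls below nss_min_uid.
# Assumption: the offset is added before the nss_min_uid comparison.
expected_id() {  # $1=config file, $2=uidNumber from LDAP, $3=gidNumber from LDAP
    uid_off=$(cfg_value "$1" nss_uid_offset)
    gid_off=$(cfg_value "$1" nss_gid_offset)
    uid=$(( $2 + uid_off ))
    gid=$(( $3 + gid_off ))
    if [ "$uid" -lt "$(cfg_value "$1" nss_min_uid)" ]; then
        echo filtered
    else
        echo "$uid:$gid"
    fi
}

# Live check; run as: sh nslcd-offset-check.sh USER LDAP_UID LDAP_GID
check_user() {  # $1=username, $2=uidNumber in LDAP, $3=gidNumber in LDAP
    want=$(expected_id "$CONF" "$2" "$3")
    have="$(id -u "$1" 2>/dev/null):$(id -g "$1" 2>/dev/null)"
    echo "expected from nslcd: $want   observed via id: $have"
    if pgrep -x nscd >/dev/null 2>&1; then
        echo "nscd is running: a stale cached entry is possible (nscd -i passwd)"
    fi
    # nslcd dlopen()s the NSS module at start-up and looks for this symbol;
    # its absence is the "probably older NSS module loaded" warning.
    lib=/lib/x86_64-linux-gnu/libnss_ldap.so.2
    if [ -e "$lib" ] && ! nm -D "$lib" 2>/dev/null | grep -q _nss_ldap_version; then
        echo "$lib does not export _nss_ldap_version: not nss-pam-ldapd's module"
    fi
    [ "$want" = "$have" ]
}

if [ "$#" -eq 3 ]; then check_user "$@"; fi
```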