Hi,

On Mon, Jan 16, 2017 at 12:31:24PM +0100, Arthur de Jong wrote:
> Hi,
>
> On Mon, 2017-01-16 at 11:52 +0100, Thomas Wallrafen wrote:
> > The aforementioned setting is probably added to the file via the
> > postinstall script of the nslcd package. If one removes the line
> > tls_cacertfile dir /etc/ssl/certs from the file /etc/nslcd.conf and
> > runs
> > # dpkg --configure -a
> > the line reappears and nslcd is still unable to start.
>
> Can you post your whole nslcd.conf file?

See the attached nslcd.conf file (the version before the upgrade). After
the upgrade there is another line added at the end which reads

tls_cacertfile dir /etc/ssl/certs/

> Previously there was a
> tls_cacert option that got renamed to tls_cacertfile. There is also a
> tls_cacertdir option but that should not be used on Debian.
>
> Also can you provide your debconf settings from
>
> # debconf-get-selections | grep ^nslcd | grep -v password

output as follows:

nslcd nslcd/ldap-binddn string cn="Ldap Bind",cn=Users,dc=auth,redacted
nslcd nslcd/ldap-starttls boolean false
nslcd nslcd/disable-screensaver error
nslcd nslcd/ldap-sasl-krb5-ccname string /var/run/nslcd/nslcd.tkt
nslcd nslcd/xdm-needs-restart error
nslcd nslcd/ldap-base string dc=auth,redacted
nslcd nslcd/ldap-reqcert select never
nslcd nslcd/ldap-sasl-authzid string
nslcd nslcd/restart-services string
nslcd nslcd/ldap-uris string ldaps://host1.redacted ldaps://host2.redacted
nslcd nslcd/ldap-auth-type select simple
nslcd nslcd/ldap-sasl-authcid string
nslcd nslcd/ldap-sasl-realm string
nslcd nslcd/ldap-sasl-mech select
nslcd libraries/restart-without-asking boolean false
nslcd nslcd/restart-failed error
nslcd nslcd/ldap-sasl-secprops string
nslcd nslcd/ldap-cacertfile string dir /etc/ssl/certs/

Regards
Thomas

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://host1.redacted
uri ldaps://host2.redacted

# The search base that will be used for all queries.
base dc=auth,dc=redacted

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn="Ldap Bind",cn=Users,dc=redacted
bindpw redacted

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl on
tls_cacertdir /etc/ssl/certs/
tls_reqcert never

# The search scope.
scope sub

# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(gidNumber=*))
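
A lint check for the condition reported in this thread, as an added example that is not part of the original message or of the nslcd package: it parses nslcd.conf text and flags a tls_cacertfile value that is not a single regular file (such as "dir /etc/ssl/certs/"), along with the other TLS settings visible in the attached file. The function names, the constructed sample and the assumption that paths contain no whitespace belong to this example only.

```python
import os

# Constructed sample: the SSL lines from the attached file plus the line
# reported as appended by the upgrade.
SAMPLE = """\
# SSL options
ssl on
tls_cacertdir /etc/ssl/certs/
tls_reqcert never
tls_cacertfile dir /etc/ssl/certs/
"""

def parse(text):
    """Yield (line number, keyword, argument string) for each option line."""
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        yield n, parts[0], parts[1].strip() if len(parts) > 1 else ""

def lint(text, is_file=os.path.isfile):
    """Return (line number, keyword, message) findings for TLS options.

    is_file is injectable so the check can run without touching the disk.
    Assumption: certificate paths contain no whitespace.
    """
    findings = []
    for n, key, arg in parse(text):
        if key == "tls_cacertfile":
            if len(arg.split()) != 1:
                findings.append((n, key, "value is not a single path: %r" % arg))
            elif not is_file(arg):
                findings.append((n, key, "not a regular file: %r" % arg))
        elif key == "tls_cacertdir":
            findings.append((n, key, "set; the maintainer's reply says "
                                     "not to use this option on Debian"))
        elif key == "tls_reqcert" and arg in ("never", "allow"):
            findings.append((n, key, "server certificate validation is "
                                     "not enforced (%s)" % arg))
    return findings

if __name__ == "__main__":
    for n, key, msg in lint(SAMPLE):
        print("line %d: %s: %s" % (n, key, msg))
```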