Hi everyone<br><br>We are having trouble since we have updated from version 1.1.3 to 1.2.2 and 1.2.5. We have integrated CentOS/Redhat clients into LDAP. When we try to make &quot;getent group&quot;, we only get one group and its members, but no the rest of the groups (should be more than 1000 groups). In the logs of dirsrv, we get the following error:<br>

<br>[03/May/2010:12:17:40 +0200] conn=71386 fd=72 slot=72 SSL connection from XXXXX to XXXXX<br>[03/May/2010:12:17:40 +0200] conn=71386 SSL 256-bit AES<br>[03/May/2010:12:17:40 +0200] conn=71386 op=0 BIND dn=&quot;cn=Application Manager,cn=config&quot; method=128 version=3<br>

[03/May/2010:12:17:40 +0200] conn=71386 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=&quot;cn=application manager,cn=config&quot;<br>[03/May/2010:12:17:40 +0200] conn=71386 op=1 SRCH base=&quot;ou=Groups,o=XXXXX,dc=XXXXX,dc=XXXXX&quot; scope=2 filter=&quot;(&amp;(objectClass=posixGroup))&quot; attrs=&quot;cn userPassword memberUid uniqueMember gidNumber&quot;<br>

[03/May/2010:12:17:40 +0200] conn=71386 op=2 SRCH base=&quot;uid=XXXXX,ou=XXXXX,o=XXXXX,dc=XXXXX,dc=XXXXX&quot; scope=0 filter=&quot;(objectClass=*)&quot; attrs=&quot;uid uniqueMember objectClass&quot;<br><b>[03/May/2010:12:17:40 +0200] conn=71386 op=-1 fd=72 closed - SSL peer reports incorrect Message Authentication Code.</b><br>

[03/May/2010:12:17:40 +0200] conn=71387 fd=73 slot=73 SSL connection from XXXXX to XXXXX<br>[03/May/2010:12:17:41 +0200] conn=71387 SSL 256-bit AES<br>[03/May/2010:12:17:41 +0200] conn=71387 op=0 BIND dn=&quot;cn=Application Manager,cn=config&quot; method=128 version=3<br>

[03/May/2010:12:17:41 +0200] conn=71387 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn=&quot;cn=application manager,cn=config&quot;<br>[03/May/2010:12:17:41 +0200] conn=71387 op=1 SRCH base=&quot;uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX&quot; scope=0 filter=&quot;(objectClass=*)&quot; attrs=&quot;uid uniqueMember objectClass&quot;<br>

[03/May/2010:12:17:41 +0200] conn=71387 op=1 RESULT err=0 tag=101 nentries=1 etime=0<br>[03/May/2010:12:17:41 +0200] conn=71387 op=2 SRCH base=&quot;uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX&quot; scope=0 filter=&quot;(objectClass=*)&quot; attrs=&quot;uid uniqueMember objectClass&quot;<br>

[03/May/2010:12:17:41 +0200] conn=71387 op=2 RESULT err=0 tag=101 nentries=1 etime=0<br>[03/May/2010:12:17:41 +0200] conn=71387 op=3 SRCH base=&quot;uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX&quot; scope=0 filter=&quot;(objectClass=*)&quot; attrs=&quot;uid uniqueMember objectClass&quot;<br>

[03/May/2010:12:17:41 +0200] conn=71387 op=3 RESULT err=0 tag=101 nentries=1 etime=0<br>[03/May/2010:12:17:41 +0200] conn=71387 op=4 SRCH base=&quot;uid=XXXXX,ou=People,o=XXXXX,dc=XXXXX,dc=XXXXX&quot; scope=0 filter=&quot;(objectClass=*)&quot; attrs=&quot;uid uniqueMember objectClass&quot;<br>

[03/May/2010:12:17:41 +0200] conn=71387 op=4 RESULT err=0 tag=101 nentries=1 etime=0<br><br>The following UIDs search after the group, are the members of the first group returned by the group search. The command &quot;getent passwd&quot; works fine. This only happens in servers upgraded to 389-ds-base 1.2.2 or 1.2.5 (tested in 6 different servers). If we configure the LDAP client to use un-upgraded servers using fedora-ds-base 1.1.3 (tested in 4 different servers), the command &quot;getent group&quot; works fine, and no errors are shown in the log. The client configuration is always the same, just changing the LDAP server.<br>

<br>These are the configuration files:<br><br>/etc/ldap.conf<br><br>uri ldaps://XXXXXX<br>base dc=XXXXXX,dc=XXXXXX<br>ldap_version 3<br><br>binddn cn=Application Manager,cn=config<br>bindpw XXXXXX<br><br>ssl on<br>sasl_secprops maxssf=0<br>

tls_cacertdir /etc/openldap/cacerts<br>tls_cacert    /etc/openldap/cacerts/cert-CA-cacert.pem<br><br>timelimit 20<br>bind_timelimit 20<br>idle_timelimit 3600<br><br>nss_base_hosts ou=Computers,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?one<br>

nss_base_group ou=Groups,o=XXXXXX,dc=XXXXXX,dc=XXXXXX?sub<br>nss_base_passwd dc=XXXXXX,dc=XXXXXX?sub?&amp;(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))<br>nss_base_shadow dc=XXXXXX,dc=XXXXXX?sub?&amp;(|(objectClass=myPerson)(objectClass=posixAccount))(|(ou:dn:=People)(ou:dn:=Computers))<br>

<br>nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dbus,dhcp,games,gdm,gnats,haldaemon,hplip,irc,klog,ldap,libuuid,list,lp,mail,mailman,man,messagebus,named,news,nobody,polkituser,proxy,radiusd,radvd,root,sshd,sync,sys,syslog,tomcat,uucp,www-data<br>

pam_password clear <br><br><br>/etc/openldap/ldap.conf<br><br>URI   ldaps://XXXXXX<br>BASE  dc=XXXXXX,dc=XXXXXX<br><br>TLS_CACERTDIR /etc/openldap/cacerts<br>TLS_CACERT    /etc/openldap/cacerts/cert-CA-cacert.pem<br>TLS_REQCERT   allow<br>

<br><br>/etc/nsswitch.conf<br><br>passwd:     files ldap<br>shadow:     files ldap<br>group:      files ldap<br><br>hosts:      files dns<br><br>bootparams: nisplus [NOTFOUND=return] files<br><br>ethers:     files<br>netmasks:   files<br>

networks:   files<br>protocols:  files<br>rpc:        files<br>services:   files<br><br>netgroup:   nisplus<br><br>publickey:  nisplus<br><br>automount:  files nisplus<br>aliases:    files nisplus<br><br>Regards.<br>