I was able to replicate the issue on a test environment by installing 4.8.4 and
then upgrading it to 4.8.7.
Observations:
My base dn in nslcd.conf is set to dc=my,dc=org. It just worked and I never bothered to find out how.
Turns out nslcd ends up working with the cn=compat tree. During login, it first
attempts to bind using myuser, and it worked in 4.8.4. nslcd debug logs:
nslcd: [8b4567] <authc="myuser"> DEBUG: ldap_simple_bind_s("uid=myuser,cn=users,cn=compat,dc=my,dc=org","***") (uri="ldap://ipa2.my.org")
nslcd: [8b4567] <authc="myuser"> DEBUG: ldap_result(): uid=myuser,cn=users,cn=compat,dc=my,dc=org
nslcd: [8b4567] <authc="myuser"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="myuser"> DEBUG: bind successful
It no longer works on FreeIPA 4.8.7:
nslcd: [b0dc51] <authc="myuser"> DEBUG: ldap_start_tls_s()
nslcd: [b0dc51] <authc="myuser"> DEBUG: ldap_simple_bind_s("uid=myuser,cn=users,cn=compat,dc=my,dc=org","***") (uri="ldap://ipa3.my.org")
nslcd: [b0dc51] <authc="myuser"> ldap_result() failed: No such object
nslcd: [b0dc51] <authc="myuser"> uid=myuser,cn=users,cn=compat,dc=my,dc=org: lookup failed: No such object
nslcd: [b0dc51] <authc="myuser"> DEBUG: ldap_unbind()
On my test instance, the output is slightly different for some reason, but to
the same effect:
nslcd: [495cff] <authc="myuser"> DEBUG: ldap_simple_bind_s("uid=myuser,cn=users,cn=compat,dc=ipa,dc=local","***") (uri="ldap://ipa1.ipa.local")
nslcd: [495cff] <authc="myuser"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [495cff] <authc="myuser"> uid=myuser,cn=users,cn=compat,dc=ipa,dc=local: lookup failed: No results returned
Why use the compat tree at all? What if I set the base dn to
cn=accounts,dc=my,dc=org? This works and the user is able to log in, but then nslcd
fails to obtain group membership. nslcd binds anonymously (by default) to
query LDAP to obtain group membership. This anonymous query works for the
cn=compat tree, but does not work for the cn=accounts tree.
Workarounds:
Workaround 1 is to set up a dedicated user for LDAP queries and configure it in
nslcd.conf (binddn/bindpw), and set base to cn=accounts,dc=my,dc=org.
I did not want to do this, and set up a different base for group in nslcd.conf:
base cn=accounts,dc=my,dc=org
base group cn=compat,dc=my,dc=org
I'm still using the cn=compat tree for group searches, but it allows nslcd to bind
anonymously to find group membership.
I'm leaving this information here in case anyone faces the same issue.
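An added example (not part of the original post) for triaging nslcd debug output of the kind quoted above: it groups lines by session id, pulls out the bind DN, the server URI and which FreeIPA subtree (cn=compat or cn=accounts) the DN lives in, and records whether the bind succeeded or failed and why. The sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample in the nslcd debug-log format quoted in the post:
# one session that binds successfully (4.8.4) and one that fails (4.8.7).
SAMPLE_LOG = """\
nslcd: [8b4567] <authc="myuser"> DEBUG: ldap_simple_bind_s("uid=myuser,cn=users,cn=compat,dc=my,dc=org","***") (uri="ldap://ipa2.my.org")
nslcd: [8b4567] <authc="myuser"> DEBUG: ldap_result(): uid=myuser,cn=users,cn=compat,dc=my,dc=org
nslcd: [8b4567] <authc="myuser"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="myuser"> DEBUG: bind successful
nslcd: [b0dc51] <authc="myuser"> DEBUG: ldap_start_tls_s()
nslcd: [b0dc51] <authc="myuser"> DEBUG: ldap_simple_bind_s("uid=myuser,cn=users,cn=compat,dc=my,dc=org","***") (uri="ldap://ipa3.my.org")
nslcd: [b0dc51] <authc="myuser"> ldap_result() failed: No such object
nslcd: [b0dc51] <authc="myuser"> uid=myuser,cn=users,cn=compat,dc=my,dc=org: lookup failed: No such object
nslcd: [b0dc51] <authc="myuser"> DEBUG: ldap_unbind()
"""

# An nslcd authc line: prefix, session id, authenticating user, message.
LINE_RE = re.compile(r'^nslcd: \[(?P<sid>[0-9a-f]+)\] <authc="(?P<user>[^"]*)"> (?P<msg>.*)$')
BIND_RE = re.compile(r'ldap_simple_bind_s\("(?P<dn>[^"]*)","\*\*\*"\) \(uri="(?P<uri>[^"]*)"\)')
FAIL_RE = re.compile(r'^(?P<dn>[^:]+): lookup failed: (?P<reason>.*)$')


def tree_of(dn):
    """Name the FreeIPA subtree a bind DN lives in: compat, accounts or other."""
    parts = [p.strip().lower() for p in dn.split(",")]
    if "cn=compat" in parts:
        return "compat"
    if "cn=accounts" in parts:
        return "accounts"
    return "other"


def summarize_binds(log_text):
    """Group nslcd authc lines by session id and record each bind's outcome."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an nslcd authc line, skip it
        s = sessions.setdefault(m["sid"], {"user": m["user"], "dn": None, "uri": None,
                                            "tree": None, "outcome": "unknown", "reason": None})
        msg = m["msg"]
        bind, fail = BIND_RE.search(msg), FAIL_RE.match(msg)
        if bind:
            s["dn"], s["uri"], s["tree"] = bind["dn"], bind["uri"], tree_of(bind["dn"])
        elif msg == "DEBUG: bind successful":
            s["outcome"] = "success"
        elif fail:
            s["outcome"], s["reason"] = "failed", fail["reason"]
    return sessions


if __name__ == "__main__":
    for sid, s in summarize_binds(SAMPLE_LOG).items():
        extra = f" ({s['reason']})" if s["reason"] else ""
        print(f"{sid} {s['user']}: {s['outcome']} via {s['tree']} tree at {s['uri']}{extra}")
```

Feed it `nslcd -d` output to see at a glance which sessions fail, against which subtree and server, before changing the base dn.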