Mandriva Directory Server On Debian Etch - Page 2

5 SAMBA

5.1 Basic Configuration

First stop SAMBA.

/etc/init.d/samba stop

Copy the example SAMBA configuration file into the SAMBA directory ...

cp /usr/share/doc/python-mmc-base/contrib/samba/smb.conf /etc/samba/

... and adjust it to your needs.

vi /etc/samba/smb.conf

Set the following values in the section [global]:

workgroup = EXAMPLE
netbiosname = PDC-SRV-EXAMPLE
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
logon path = \\%N\profiles\%U

Add the following lines to the section [global]:

preferred master = yes
os level = 65
wins support = yes
timeserver = yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
logon drive = H:
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
obey pam restrictions = no
ldap idmap suffix = ou=Users
ldap delete dn = yes
security = user

Add the following line to the section [homes]:

hide files = /Maildir/

Remove the following line from the sections [printers] and [print$]:

printer admin = root,@lpadmin

Set the following values in the section [print$]:

write list = Administrator,root,@lpadmin

Add the following line to the section [profiles]:

hide files = /desktop.ini/ntuser.ini/NTUSER.*/

Set the following values in the section [archives]:

path = /home/samba/archives

At this point the SAMBA configuration file should look like this:

     [global]
        workgroup = EXAMPLE
        netbiosname = PDC-SRV-EXAMPLE
        preferred master = yes
        os level = 65
        wins support = yes
        enable privileges = yes
        timeserver = yes
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        log level = 3
        null passwords = yes
        security = user
        # unix charset = ISO8859-1
        name resolve order = bcast host
        domain logons = yes
        domain master = yes
        printing = cups
        printcap name = cups
        logon path = \\%N\profiles\%U
        logon script = logon.bat
        logon drive = H:
        map acl inherit = yes
        nt acl support = yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        obey pam restrictions = no
        ldap admin dn = cn=admin,dc=example,dc=com
        ldap suffix = dc=example,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        ldap passwd sync = yes
        ldap delete dn = yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add machine script = /usr/lib/mmc/add_machine_script '%u'
        delete user script = /usr/sbin/smbldap-userdel "%u"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"

     [homes]
        comment = Home directories
        browseable = no
        writeable = yes
        create mask = 0700
        directory mask = 0700
        hide files = /Maildir/

     [public]
        comment = Public share
        path = /home/samba/shares/public
        browseable = yes
        public = yes
        writeable = yes

     [archives]
        comment = Backup share
        path = /home/samba/archives
        browseable = yes
        public = no
        writeable = no

     [printers]
        comment = Printers
        path = /tmp
        browseable = no
        public = yes
        guest ok = yes
        writeable = no
        printable = yes

     [print$]
        comment = Drivers
        path = /var/lib/samba/printers
        browseable = yes
        guest ok = yes
        read only = yes
        write list = Administrator,root,@lpadmin

     [netlogon]
        path = /home/samba/netlogon
        public = no
        writeable = no
        browseable = no

     [profiles]
        path = /home/samba/profiles
        writeable = yes
        create mask = 0700
        directory mask = 0700
        browseable = no
        hide files = /desktop.ini/ntuser.ini/NTUSER.*/

     [partage]
        comment = aucun
        path = /home/samba/partage
        browseable = yes
        public = no
        writeable = yes

If all went ok, the command ...

testparm

... should give no errors.

Now give SAMBA the credentials it needs to write to the LDAP directory.

smbpasswd -w %ldap_admin_password%

E.g.:

smbpasswd -w howtoforge

The output should look like this:

Setting stored password for "cn=admin,dc=example,dc=com" in secrets.tdb

Next you need to create a SID for your workgroup.

net getlocalsid %your_workgroup%

E.g.:

net getlocalsid EXAMPLE

The output should look like this; note it down, you'll need it in a few moments:

SID for domain EXAMPLE is: S-1-5-21-3159899821-123882392-54881133

Check if the SID has really been recorded into LDAP.

slapcat | grep sambaDomainName

The output should look like this:

dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaDomainName: EXAMPLE

Now start SAMBA.

/etc/init.d/samba start

5.2 LDAP Directory

First you need to create the smbldap-tools configuration file - it defines how to communicate with the LDAP server.

vi /etc/smbldap-tools/smbldap_bind.conf

The content should look like this:

slaveDN="cn=admin,dc=example,dc=com"
slavePw="howtoforge"
masterDN="cn=admin,dc=example,dc=com"
masterPw="howtoforge"

Now create the main configuration file.

vi /etc/smbldap-tools/smbldap.conf

The content should look like this (Replace the SID with your own!):

SID="S-1-5-21-3159899821-123882392-54881133"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\PDC-SRV-EXAMPLE\%U"
userProfile="\\PDC-SRV-EXAMPLE\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="example.com"
smbpasswd="/usr/bin/smbpasswd"

Time to populate the LDAP directory. This will also create the domain administrator account (Administrator).

smbldap-populate -m 512 -a Administrator

Note: You'll be asked to enter a password for the domain administrator account.

Afterwards you have to modify the UID number for this account, otherwise you won't be able to use the mail server with this account. Additionally we add this account to the group "Domain Users":

smbldap-usermod -u 3000 -G "Domain Users" Administrator
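As an added example that is not part of the howto, the following POSIX shell script cross-checks the values that smb.conf, smbldap.conf and smbldap_bind.conf have to agree on (LDAP suffix, workgroup, the OU suffixes, the profile path with %N expanded to the NetBIOS name, the admin bind DN, and the SID that net getlocalsid printed) and confirms that the bind file, which stores the admin password in clear text, is mode 0600. The function names smb_get, kv_get, check_consistency and write_sample_configs are chosen here, and the sample files are constructed from the values used in this howto.

```shell
#!/bin/sh
# Added example, not part of the howto: cross-check the values that must agree
# between smb.conf, smbldap.conf and smbldap_bind.conf, and confirm that the
# bind file (it stores the LDAP admin password in clear text) is mode 0600.
# On the server: check_consistency /etc/samba/smb.conf \
#   /etc/smbldap-tools/smbldap.conf /etc/smbldap-tools/smbldap_bind.conf SID

# smb_get FILE KEY: value of "key = value" in smb.conf; first match wins.
smb_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*$//'
}
# kv_get FILE KEY: value of KEY="value" in an smbldap-tools file, quotes stripped.
kv_get() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2- | sed 's/^"//; s/"$//'
}
problem() { printf 'PROBLEM: %s\n' "$1"; errors=$((errors + 1)); }

# check_consistency SMB_CONF SMBLDAP_CONF BIND_CONF [SID from "net getlocalsid"]
# Prints one line per problem; the return value is the number of problems.
check_consistency() {
    smb=$1; tools=$2; bind=$3; want_sid=$4; errors=0
    suffix=$(smb_get "$smb" 'ldap suffix'); wg=$(smb_get "$smb" workgroup)
    nb=$(smb_get "$smb" netbiosname)   # spelling the howto's smb.conf uses
    [ "$suffix" = "$(kv_get "$tools" suffix)" ] || problem 'ldap suffix vs suffix'
    [ "$wg" = "$(kv_get "$tools" sambaDomain)" ] || problem 'workgroup vs sambaDomain'
    [ "$(kv_get "$tools" sambaUnixIdPooldn)" = "sambaDomainName=$wg,\${suffix}" ] ||
        problem 'sambaUnixIdPooldn must be sambaDomainName=<workgroup>,${suffix}'
    # OU entries: smb.conf gives the RDN, smbldap.conf appends ${suffix} literally
    for pair in 'ldap user suffix:usersdn' 'ldap group suffix:groupsdn' \
                'ldap machine suffix:computersdn'; do
        k=${pair%%:*}; v=${pair#*:}
        [ "$(kv_get "$tools" "$v")" = "$(smb_get "$smb" "$k"),\${suffix}" ] || problem "$k vs $v"
    done
    # profile path: smb.conf writes %N for the NetBIOS name, smbldap.conf spells it out
    want=$(printf '%s\n' "$(smb_get "$smb" 'logon path')" | sed "s/%N/$nb/")
    [ "$want" = "$(kv_get "$tools" userProfile)" ] || problem 'logon path vs userProfile'
    # the DN Samba binds with must be the DN the smbldap-tools bind with
    [ "$(smb_get "$smb" 'ldap admin dn')" = "$(kv_get "$bind" masterDN)" ] ||
        problem 'ldap admin dn vs masterDN'
    [ -z "$want_sid" ] || [ "$want_sid" = "$(kv_get "$tools" SID)" ] ||
        problem 'SID in smbldap.conf differs from the one net getlocalsid reported'
    mode=$(ls -ld "$bind" | cut -c1-10)
    [ "$mode" = '-rw-------' ] || problem "$bind is $mode, must be -rw------- (0600)"
    return "$errors"
}

# write_sample_configs DIR: constructed sample files using the howto's values.
write_sample_configs() {
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   netbiosname = PDC-SRV-EXAMPLE
   logon path = \\%N\profiles\%U
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
EOF
    cat > "$1/smbldap.conf" <<'EOF'
SID="S-1-5-21-3159899821-123882392-54881133"
sambaDomain="EXAMPLE"
suffix="dc=example,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
userProfile="\\PDC-SRV-EXAMPLE\profiles\%U"
EOF
    printf 'masterDN="cn=admin,dc=example,dc=com"\nmasterPw="howtoforge"\n' > "$1/smbldap_bind.conf"
    chmod 600 "$1/smbldap_bind.conf"
}
```

On a real server, call check_consistency with the three paths from this section and the SID that net getlocalsid printed; a non-zero exit status is the number of mismatches found.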


5.3 NSS LDAP Configuration

In this step we configure the system to use the LDAP directory to get user and group lists.

Edit the nsswitch configuration.

vi /etc/nsswitch.conf

The content should look like this:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

5.4 SAMBA Directories

Create the needed directories for the SAMBA server, ...

mkdir -p /home/samba/shares/public/
mkdir /home/samba/netlogon/
mkdir /home/samba/profiles/
mkdir /home/samba/partage/
mkdir /home/samba/archives/

... change the ownership and adjust the rights.

chown -R :"Domain Users" /home/samba/
chmod 777 /var/spool/samba/ /home/samba/shares/public/
chmod 755 /home/samba/netlogon/
chmod 770 /home/samba/profiles/ /home/samba/partage/
chmod 700 /home/samba/archives/

6 PAM LDAP Configuration

In this step you'll add LDAP-support to PAM.

vi /etc/pam.d/common-account

The content should look like this:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required        pam_unix.so
account sufficient      pam_ldap.so

vi /etc/pam.d/common-auth

The content should look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so

vi /etc/pam.d/common-password

The content should look like this:

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define  the services to be
#used to change user passwords.  The default is pam_unix
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password        sufficient      pam_unix.so nullok obscure min=4 max=8 md5
password        sufficient      pam_ldap.so use_first_pass use_authtok
password        required        pam_deny.so
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5

vi /etc/pam.d/common-session

The content should look like this:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required        pam_unix.so
session optional        pam_ldap.so

Afterwards reboot the system.

reboot

When the system is up again, give the group "Domain Admins" the right to add machines to the domain.

net -U Administrator rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege

7 SSL For Mail

First prepare a configuration file with the needed information.

vi /etc/ssl/mail.cnf

Add the following content:

[ req ] 
default_bits            = 2048 
default_keyfile         = privkey.pem 
distinguished_name      = req_distinguished_name 
prompt                  = no 
string_mask             = nombstr 
x509_extensions         = server_cert
[ req_distinguished_name ] 
countryName             = DE 
stateOrProvinceName     = Niedersachsen
localityName            = Lueneburg
organizationName        = Projektfarm GmbH
organizationalUnitName  = IT
commonName              = server1.example.com
emailAddress            = postmaster@example.com
[ server_cert ] 
basicConstraints        = critical, CA:FALSE 
subjectKeyIdentifier    = hash 
keyUsage                = digitalSignature, keyEncipherment 
extendedKeyUsage        = serverAuth, clientAuth 
nsCertType              = server 
nsComment               = "mailserver"

Now create the SSL certificate ...

openssl req -x509 -new -config /etc/ssl/mail.cnf -out /etc/ssl/certs/mail.pem -keyout /etc/ssl/private/mail.key -days 365 -nodes -batch

... and restrict the permissions on the key so that only root can read it.

chmod 600 /etc/ssl/private/mail.key
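Added example, not part of the howto: a shell wrapper around the openssl command above that creates the key under umask 077, so there is no moment between openssl req and the chmod in which the key is readable by other users, and then checks that the key is 0600, that it belongs to the certificate, and that the certificate carries the serverAuth usage and the expected commonName. The names make_mail_cert, verify_mail_cert and write_sample_cnf are chosen here, the output directory is a parameter instead of /etc/ssl, and the sample mail.cnf is a constructed copy of the one above.

```shell
#!/bin/sh
# Added example, not from the howto: issue the mail certificate from mail.cnf
# with the private key created under umask 077, so it is never readable by
# other users, not even between "openssl req" and a later chmod; then verify
# that key and certificate belong together, that the key is mode 0600, and
# that the certificate carries the serverAuth usage mail clients check for.
# Paths are parameters here; the howto writes to /etc/ssl/certs and /etc/ssl/private.

# make_mail_cert CONF OUTDIR: writes OUTDIR/mail.pem and OUTDIR/mail.key
make_mail_cert() {
    # the subshell keeps the restrictive umask from leaking into the caller
    (umask 077 && openssl req -x509 -new -config "$1" -out "$2/mail.pem" \
        -keyout "$2/mail.key" -days 365 -nodes -batch 2>/dev/null)
}

# verify_mail_cert CERT KEY: returns 0 only if every check passes, else 1..4
verify_mail_cert() {
    cert=$1; key=$2
    [ "$(ls -ld "$key" | cut -c1-10)" = '-rw-------' ] ||
        { echo "$key is not mode 0600"; return 1; }
    # an identical RSA modulus means this key is the one the certificate was issued for
    [ "$(openssl x509 -in "$cert" -noout -modulus)" = \
      "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] ||
        { echo 'key does not belong to the certificate'; return 2; }
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' ||
        { echo 'certificate lacks extendedKeyUsage serverAuth'; return 3; }
    openssl x509 -in "$cert" -noout -subject | grep -q 'server1.example.com' ||
        { echo 'commonName is not the mail server name'; return 4; }
}

# write_sample_cnf FILE: constructed copy of the howto's mail.cnf
write_sample_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
prompt                  = no
string_mask             = nombstr
x509_extensions         = server_cert
[ req_distinguished_name ]
countryName             = DE
stateOrProvinceName     = Niedersachsen
localityName            = Lueneburg
organizationName        = Projektfarm GmbH
organizationalUnitName  = IT
commonName              = server1.example.com
emailAddress            = postmaster@example.com
[ server_cert ]
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth
nsCertType              = server
nsComment               = "mailserver"
EOF
}
```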


Comments

From: at: 2009-05-07 23:34:28

I followed literally the first page of the howto and I got this error:

May  8 03:21:20 pdc slapd[2396]: /etc/ldap/slapd.conf: line 24: unknown directive <schemacheck> outside backend info and database definitions.

I fixed it by commenting out this line.

After the fix, I restarted slapd and got:

/etc/ldap/slapd.conf: line 47: unknown directive <checkpoint> outside backend info and database definitions.

Fixed this too, by commenting it out.

Debian Lenny with all packages updated

From: Alder at: 2009-05-29 09:19:14

Simply delete schemacheck on. 

My system: Debian Lenny with all packages updated.

From: at: 2009-04-12 19:21:35

Hi NOKSY, sorry for being late with your answer. I've been doing this server for about 2 years and it's just not a normal issue setting up this server. About this error I could say that you're missing some part of the tutorial, as I've done this server again perfectly 2 days ago. Try to read all of the tutorial first, then proceed to install it. It's very confusing, but at the end you will discover it's a very functional tool that saves a lot of time.

From: at: 2008-02-26 20:31:41

Hi Álvaro,

for security reasons I configured the system so that it is only accessible from the local network.

If you want to access the MMC from outside, you have to modify the settings for the https vhost (step 16.3.2). Change "Allow from 192.168.0.0/24" to "Allow from all". Afterwards restart the webserver (/etc/init.d/apache2 restart). Additionally you have to adjust the firewall settings so that port 443 is forwarded to the MDS.

Best regards,

Olli 

From: at: 2008-03-07 03:14:02

Just passing by to say that this tool is fantastic!!!! I've got good things coming up here; think of the possibility to come to Brazil and make something like a partnership program with us..... We'll work with a lot of big companies and I'm thinking to implement this tool..... Actually I've been asked about this tool, and it's great the fact that we could make a very powerful server with a lot of resources, using low hardware and high space....... Well, anyway I would like to say that you're invited to come to Brazil anytime.......

My best regards,

From: at: 2008-03-02 01:02:20

Thanks for this solution Oliver,

This helped me a lot.......... Feel free, if you need anything (like testing some solution, whatever), to contact me anytime.

My best regards, 

From: Peter at: 2009-08-16 01:31:30

I got stuck on this and need some help:

/etc/ldap/slapd.conf is missing on my system. I have slapd.d in /etc/ldap/ but nothing like slapd.conf. Can anyone help?

From: at: 2008-02-22 19:57:46

Hi o.meyer,

 I've got some questions about your installation, but I know it that is me the wrong part, but let me understand something: When I just finish to update the system, and step over to install LDAP, after the install I've got some error messages at the boot time. Is it normal? It says ldap://127.0.0.1 - could not connect - Invalid Credentials .

Which file do I have to deal with to stop this problem? Can I set my IP address to 192.168.1.0 instead of 127.0.0.1?

Another question is: where do I find "server1.example.com"? I've tried to change the names using my account on dyndns.org. Are there any problems?

And the file that controls SAMBA and LDAP servers (smb.conf) says at the first line: workgroup = DYNDNS. Can I use that way??

Regards,

Alvaro Gomes

(Ps.: Your article is a great and fantastic tool that helps a lot o people over the world, when the subject is Technology of servers. Thanks again for the article, it was great)

From: at: 2008-02-24 12:59:21

Hi Alvaro Gomes,

1.) Yes, the error messages are normal - it's an old udev-bug known since 2006 or earlier. Simply ignore it.

2.) You can change your hostname to whatever you want (in a LAN) :) Have a look at step 1.2 .

3.) Edit the workgroup as you like - but keep in mind that you have to replace some commands in this howto so that they fit your workgroup.

Best regards,

Olli 

From: at: 2008-02-25 15:11:54

Thanks for your answer, and again I raise another question about this system; please don't take me the wrong way, what I'm just trying to do is get this solution (for me especially) on the framework, so this way we could install this solution on a big scale (production).

Well, about the management of the LDAP server based on Mandriva Directory Server, I wish I could have the management outside of the site, so this way we can control everything (remote management). I did open the port on the firewall side (smoothwall, port 443) but I'm still stuck 'cause when I try to access it I get the message: Forbidden. I tried to review the configuration, but nothing yet... Could you help me on this issue? Thanks again

Best regards,

Álvaro Gomes

From: at: 2008-04-06 05:06:13

Hi Oliver, how's everything?

I've taken a look at my memory status and it seems that processing jobs are a little bit up, is that normal? I've got 3.0 GB of virtualized memory and it seems to be abnormal, and please, if you have a suggestion, show me A.S.A.P. Thanks...

From: at: 2008-05-30 18:48:25

It seems there is some kind of error at the end of this installation. Before, I finished everything just fine, but about 2 days ago, I didn't get my server done in any way I tried. It seems to be an error in the Samba schema or something. I wish I had that log to show you..... If you notice something, please let me know, ok?

Thanks a lot 

From: at: 2008-06-01 19:53:17

Could you take a look at this output from my server and tell me what could be wrong?? This output came from the last step of the MDS server setup, and it's killing me!! Thanks man, I'll really appreciate your help on this....

PS: I've tried to send you a PM, but it says that I don't have 3 counts on my posts, I really didn't get that, but, whatever, you should ignore this comment and just send me an answer by mail, thanks!


No option 'bindgroup' in section: 'dns'
Traceback (most recent call last):
  File "/var/lib/python-support/python2.4/mmc/agent.py", line 339, in agentService
    if (func()):
  File "/var/lib/python-support/python2.4/mmc/plugins/network/__init__.py", line 50, in activate
    config = NetworkConfig("network")
  File "/var/lib/python-support/python2.4/mmc/support/config.py", line 81, in __init__
    self.readConf()
  File "/var/lib/python-support/python2.4/mmc/plugins/network/__init__.py", line 340, in readConf
    self.bindGroup = self.get("dns", "bindgroup")
  File "ConfigParser.py", line 520, in get
    raise NoOptionError(option, section)
NoOptionError: No option 'bindgroup' in section: 'dns'
Error while trying to load plugin samba
{'info': 'no global superior knowledge', 'desc': 'Server is unwilling to perform'}
Traceback (most recent call last):
  File "/var/lib/python-support/python2.4/mmc/agent.py", line 339, in agentService
    if (func()):
  File "/var/lib/python-support/python2.4/mmc/plugins/samba/__init__.py", line 129, in activate
    samba.addOu(ouName, path)
  File "/var/lib/python-support/python2.4/mmc/plugins/base/__init__.py", line 1718, in addOu
    self.l.add_s(addrdn,attributes)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 163, in add_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 405, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 409, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 415, in result3
    rtype, rdata, rmsgid, serverctrls = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.4/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
    result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': 'no global superior knowledge', 'desc': 'Server is unwilling to perform'}

From: at: 2009-02-05 09:52:28

Hi all,

I'm following this "Howto" step by step, but when I enter this command:

chown -R :"Domain Users" /home/samba/

I have this error message: chown: ':Domain Users': Invalid group

Do you have an idea please?

Thanks

From: Alder at: 2009-05-29 09:20:41

Try this 

chown -R "Domain Users" /home/samba/

debian lenny

From: Anonymous at: 2009-10-23 06:35:17

I can't authenticate any mail user 

telnet x.x.x.x 110

USER user

PASS pass

-ERR Authentication Failed

My dovecot-ldap.conf:

hosts = x.x.x.x
auth_bind = yes
#auth_bind = no
ldap_version = 3
base = dc=test,dc=local
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,mailbox=mail,mailuserquota=quota=maildir:storage
user_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
default_pass_scheme = CRYPT
user_global_gid = mail

Any ideas? :)

Thx

From: at: 2010-02-08 00:02:11

Hi Oliver,

Sorry to bother you by putting this comment asking for help, but since Dovecot had an upgraded version, the last line in /etc/dovecot/dovecot-ldap.conf that says "user_global_gid=mail" is no longer useful, as I've been trying to get dovecot to run and I receive this message (in the log file): Error: Error in configuration file /etc/dovecot/dovecot-ldap.conf line 11: Unknown setting: user_global_gid.

Do you have any ideas about this problem? If there is any help you could give me on this problem, I'd appreciate it...

Also, when I try to connect using the Microsoft Outlook mail client, it's just not working either... I know it's because dovecot isn't running, but since I commented out the line "user_global_gid=mail" and got dovecot running again, the service is still not working......

From: carlitus at: 2011-10-25 16:41:19

Hi folks! I know, this howto is pretty old but still applicable. Let me give my 2 cents...

I installed it on Debian Lenny, and it works great. But you should edit /etc/apt/preferences and add this, before installing the required packages:

Package: *
Pin: origin mds.mandriva.org
Pin-Priority: 1001

This should give priority to MDS packages, and force it to install bind9 from the MDS repository instead of Lenny's package. If the bind9 .deb from Lenny sources is installed, you'll get DNS failures: bind9 will not load internal DNS zones because it doesn't have ldap support.

Sorry if I made some grammar mistakes, this is not my native language and I need more English lessons. :)

From: jmark at: 2009-01-15 10:28:55

Hi there,

I've tried this tutorial and everything goes right until I reboot my system. After the reboot I was no longer able to log on to the system. I use the latest release of Debian. Can someone point me to how to fix this, or a resolution?

P.S: other thing, the package dcc-client is not available on debian 4.01r6? is this important? how to get in?

Thanks in advance..... 

From: at: 2009-06-15 05:02:16

Well, it's an old comment but still relevant:

Do not add password required pam_deny.so to your auth-* file. You'll lock yourself out from SSH and some other services.

Also, you need to do step 5.4 after step 6 or you will end up with an unknown group "Domain Users" (as noted on the first page comments).

From: at: 2009-08-16 15:34:26

I'd like to point out a typo:

 add group script = /usr/sbin/ambldap-groupadd -p "%g"

should be

 add group script = /usr/sbin/smbldap-groupadd -p "%g"

From: Anonymous at: 2009-11-24 08:07:52

Hi, I have the same error message "chown: invalid group: `:Domain Users".

could you post the right typo please?

From: Mike at: 2009-10-14 09:22:44

I get 2 errors:

1) #net -U Administrator rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege

Enter Administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

2) # chown -R :"Domain Users" /home/samba/

chown: invalid group: `:Domain Users

I have also done first the 6 and then the 5.4 step, but I still get the same error.

Thx!

From: Anonymous at: 2009-10-15 12:55:33

OK, I found the solution. It had to do with the localhost configuration and some syntax errors.

From: Anonymous at: 2010-03-25 12:17:04

about : chown: invalid group: `:Domain Users

Try this:

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.

1. delete /etc/libnss-ldap.secret

2. echo -n "mypassword" > /etc/libnss-ldap.secret

From: yosemity at: 2010-06-16 17:04:34

in /etc/libnss-ldap.conf

change ldapi:// to ldap://