I have a working nslcd setup running on many servers. I distributed this config to many servers almost all of which are working without problems.
However I forgot to install libnss-ldapd and libpam-ldapd on like five of them.
This resulted in the following nslcd debug log:
nslcd: DEBUG: add_uri(ldaps://dc.example.com/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/ssl/certs")
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/ssl/certs/example.com.pem")
nslcd: version 0.8.10 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(108) done
nslcd: DEBUG: setuid(107) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=6939 uid=0 gid=0
nslcd: [8b4567] <authc="user"> DEBUG: nslcd_pam_authc("user","sshd","***")
nslcd: [8b4567] <authc="user"> DEBUG: myldap_search(base="********", filter="(&(memberOf=********)(sAMAccountName=user))")
nslcd: [8b4567] <authc="user"> DEBUG: ldap_initialize(ldaps://dc.example.com/,)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_simple_bind_s("cn=********,dc=example,dc=com","***") (uri="ldaps://dc.example.com/,")
nslcd: [8b4567] <authc="user"> DEBUG: ldap_result(): CN=user,OU=********,DC=example,DC=com
nslcd: [8b4567] <authc="user"> DEBUG: myldap_search(base="CN=user,OU=********,DC=example,DC=com", filter="(objectClass=*)")
nslcd: [8b4567] <authc="user"> DEBUG: ldap_initialize(ldaps://dc.example.com/,)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <authc="user"> DEBUG: ldap_simple_bind_s("CN=user,OU=********,DC=example,DC=com","***") (uri="ldaps://dc.example.com/,")
nslcd: [8b4567] <authc="user"> DEBUG: failed to bind to LDAP server ldaps://dc.example.com/,: Invalid credentials: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
nslcd: [8b4567] <authc="user"> DEBUG: ldap_unbind()
I know that the config is working, as I haven't changed anything and it's running on other servers.
I managed to get ldap working by restarting the server, so it seems that by installing libnss-ldapd and libpam-ldapd after the rollout, some module got hung up.
Question
I would like to know which module this was and if I could have reloaded it without restarting the server.
FYI: A simple "service nslcd restart" didn't do the trick. After the reboot however, everything was working as expected.
Best Answer
This was a while ago, but I think the solution was to restart nscd as well, or in our case remove it, as we don't need it.
nslcd is responsible for the ldap connection, but nscd simply does caching.
So by removing or restarting nscd, the cache was emptied and the settings worked :)
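As an added example (not part of the question or answer above), the shell functions below do the two things this thread ends up needing: decode the AD sub-code from an nslcd "failed to bind" line, so a "52e" is not mistaken for a disabled or locked account, and flush nscd's name-service caches with its documented `-i`/`--invalidate` option instead of rebooting. The sample log line is constructed to match the shape nslcd logs; the flush function assumes nscd is installed and is run as root.

```shell
#!/bin/sh
# Constructed sample in the shape of an nslcd bind failure (not taken from a live host).
SAMPLE_LOG='nslcd: [8b4567] <authc="user"> DEBUG: failed to bind to LDAP server ldaps://dc.example.com/,: Invalid credentials: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'

# Map the AD "data NNN" sub-code of an AcceptSecurityContext error to its meaning.
# AD returns "Invalid credentials" (49) for all of these; only the sub-code tells them apart.
ad_bind_reason() {
  case "$1" in
    525) echo "user not found" ;;
    52e) echo "invalid credentials (wrong password or bind DN)" ;;
    530) echo "logon not permitted at this time" ;;
    531) echo "logon not permitted at this workstation" ;;
    532) echo "password expired" ;;
    533) echo "account disabled" ;;
    701) echo "account expired" ;;
    773) echo "user must reset password" ;;
    775) echo "account locked out" ;;
    *)   echo "unknown sub-code '$1'" ;;
  esac
}

# Extract the "data XXX" sub-code from one nslcd log line; prints nothing if the line
# is not an AD bind failure, so callers can test for an empty result.
nslcd_bind_code() {
  printf '%s\n' "$1" | sed -n 's/.*AcceptSecurityContext error, data \([0-9a-f]*\),.*/\1/p'
}

# Drop nscd's cached passwd/group/netgroup tables so freshly installed NSS/PAM
# modules are consulted on the next lookup (assumes nscd is installed; needs root).
flush_nscd_caches() {
  for table in passwd group netgroup; do
    nscd -i "$table" || return 1
  done
}

# Stand-alone usage: triage the sample line, then (if nscd is present) flush its caches.
code=$(nslcd_bind_code "$SAMPLE_LOG")
[ -n "$code" ] && echo "bind failed: $(ad_bind_reason "$code")"
command -v nscd >/dev/null 2>&1 && flush_nscd_caches
```

Feed real lines with something like `grep 'failed to bind' /var/log/syslog | while read -r l; do nslcd_bind_code "$l"; done` to see which sub-codes your hosts are actually getting.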