I setup several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:
Dec 21 08:44:17 sparky nscd: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search descriptor for service ‘passwd’ contains filter, which can not be used for service ‘user_attr’.
We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot login to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make libsldap.so happy:
NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes) NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)
Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 ( An approach to using LDAP as a network information service), or the documentation on docs.sun.com.