
Re: Strange LDAP problem



This one time, at band camp, Theodore Knab said:
> If finger is not working, does chfn or the password change stuff work?
> 
> I think this is a PAM issue. However, I could be wrong.
> 
> My '/etc/pam.d/login' file looks like this and fingers work with LDAP.
> 
> What does yours look like?
> 
> tjk@somemachine:/etc/pam.d$ cat login | grep -v ^#
> 
> auth       requisite  pam_securetty.so
> auth       requisite  pam_nologin.so
> auth       required   pam_env.so
> auth       sufficient pam_ldap.so
> auth       required   pam_unix.so nullok
> account    sufficient pam_ldap.so
> account    required   pam_unix.so
> session    sufficient pam_ldap.so
> session    required   pam_unix.so
> session    optional   pam_lastlog.so
> session    optional   pam_motd.so
> session    optional   pam_mail.so standard noenv
> password   sufficient pam_ldap.so obscure min=4 max=50
> password   required   pam_unix.so nullok obscure min=4 max=50

auth       required     pam_securetty.so
auth       required     pam_nologin.so
auth       sufficient   pam_ldap.so
auth       required     pam_unix_auth.so try_first_pass
account    sufficient   pam_ldap.so
account    required     pam_unix_acct.so
password   sufficient   pam_ldap.so
password   required     pam_unix.so use_first_pass
session   sufficient    pam_ldap.so
session    required     pam_unix_session.so
#session    optional     pam_console.so

Not so strikingly different that I see the problem.  Remember too, that
users can log in and that `id` works as expected.

> My LDAP entry looks like:
[...]
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: account
> objectClass: qmailuser
> objectClass: couriermailaccount
> objectClass: Person
> objectClass: OrganizationalPerson
> objectClass: inetOrgPerson

This is where I see some differences.  We don't use inetOrgPerson, but
we use a locally extended one in our schema.  I don't see how this could
make a difference, though.

Thanks for the help,
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------
