Re: ldap problem
Hello. I just yesterday finished setting up a lab with ldap and nfs for a group
of amd64 machines. It seems to be working smoothly at the moment.
On Thu, Jun 23, 2005 at 05:04:48PM -0700, Matt Dunford wrote:
> On Thu, Jun 23, 2005 at 02:06:17PM -0400, Patrick Flaherty wrote:
> > I'm a bit stumped on this, but a few things you could do to humor
> > me/double check.
> >
> > check for duplicate username/group names. both in the system files and
> > in ldap.
>
> There's definitely some duplicates (tty, nobody, etc). But I'm not
> sure what will happen if I take those out, the ldap server being in
> production and all..
Is this wise? I ask, because I honestly don't know. I would assume that this
is a bad idea. I would think there should be no possible duplicate user
mappings. Something is bound to get confused. In general I also think that
there is probably no reason whatsoever to share system user account information
anyway. Each machine should handle system accounts locally. System group
information seems a bit trickier, though, since system group membership
information would not be shared.

I have been using getent to see what name service is reporting as all available
users and groups.
> > also make sure that nscd doesn't start before your ldap daemon
> >
> > my pam ssh file looks more like
> > auth required pam_nologin.so
> > auth sufficient pam_ldap.so
> > auth sufficient pam_unix.so shadow use_first_pass
> > auth required pam_deny.so
I use the configuration recommended in the libpam-ldap README.Debian that looks
like this:

    auth [success=1 default=ignore] pam_unix.so
    auth required pam_ldap.so use_first_pass
    auth required pam_permit.so

for essentially all of my common-* pam config files (the above is my
common-auth). This configuration seems to work for me.
I wish I could be of more help. How do you know where it is that sshd hangs
during the connection attempt?
jamie.
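
The duplicate check discussed in this thread (names present in both the system files and LDAP, inspected with getent), as an added example that is not part of the original message. The function names are hypothetical, the sample entries are constructed, and the live check assumes the nsswitch services are called "files" and "ldap" and that the LDAP source allows enumeration.

```shell
#!/bin/sh
# Added example: list account names defined in BOTH the local files and LDAP,
# and flag the ones whose numeric IDs disagree between the two sources.

# find_dupes LOCAL_FILE LDAP_FILE  (passwd(5)/group(5) format: name:x:id:...)
# Output, one line per name found in both sources:
#   SAME name id               numeric id matches
#   CONFLICT name local ldap   numeric ids differ
find_dupes() {
    awk -F: '
        /^#/ || NF < 3 { next }                        # comments, malformed lines
        FILENAME == ARGV[1] { local_id[$1] = $3; next } # remember local entries
        ($1 in local_id) {
            if (local_id[$1] == $3) print "SAME", $1, $3
            else print "CONFLICT", $1, local_id[$1], $3
        }
    ' "$1" "$2" | sort
}

# check_db passwd|group: run the comparison against the live name services.
# Assumption: nsswitch service names "files" and "ldap".
check_db() {
    tmp=$(mktemp -d) || return 1
    getent -s files "$1" > "$tmp/local"
    getent -s ldap "$1" > "$tmp/ldap"
    find_dupes "$tmp/local" "$tmp/ldap"
    rm -rf "$tmp"
}

# demo: the same comparison on constructed sample entries (runs offline).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1::/usr/sbin:/bin/sh' \
        'nobody:x:65534:65534::/nonexistent:/bin/sh' > "$d/local"
    printf '%s\n' 'daemon:x:1:1::/usr/sbin:/bin/sh' \
        'nobody:x:99:99::/:/bin/false' \
        'alice:x:2001:2001::/home/alice:/bin/bash' > "$d/ldap"
    find_dupes "$d/local" "$d/ldap"
    rm -rf "$d"
}

if [ "${1:-}" = "--live" ]; then
    check_db passwd
    check_db group
else
    demo
fi
```

A CONFLICT line is the case to resolve first: with "files" listed before "ldap" in nsswitch.conf, lookups by name return the local ID, so files owned by the LDAP ID (for example on an NFS export) map to a different or unknown account.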