Re: Strange LDAP problem
debian-isp <debian-isp@lists.debian.org>
If finger is not working, does chfn or the password change stuff work?
I think this is a PAM issue. However, I could be wrong.
My '/etc/pam.d/login' file looks like this and finger works with LDAP.
What does yours look like?
tjk@somemachine:/etc/pam.d$ cat login | grep -v ^#
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth sufficient pam_ldap.so
auth required pam_unix.so nullok
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
password sufficient pam_ldap.so obscure min=4 max=50
password required pam_unix.so nullok obscure min=4 max=50
My LDAP entry looks like:
dn: uid=baka,ou=People,dc=somemachine,dc=org
sn: Bo
uid: baka
shadowMax: 99999
shadowWarning: 7
mail: baka@somemachine.org
mailAlternateAddress: baka@somemachine.org
mailAlternateAddress: nerd@somemachine.org
accountStatus: active
mailQuota: 20480000S
mailMessageStore: /home/1001/Maildir
homeDirectory: /home/1001
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: account
objectClass: qmailuser
objectClass: couriermailaccount
objectClass: Person
objectClass: OrganizationalPerson
objectClass: inetOrgPerson
givenName:: V2lmZSA=
o: Some Linux Users Group
physicalDeliveryOfficeName:: MSBDeWJlciBTcGFjZSA=
employeeNumber: 1
telephoneNumber: 911
ou: admin
title:: U3VwZXIgTmVyZCA=
homePostalAddress: 1 Unix Way or the Hwy.
homePhone: 911-home
loginShell: /bin/sh
uidNumber: 1001
gidNumber: 1001
gecos: Baka,,,
cn: Baka Bo
userPassword:: e2NyeXB0fSQxJMU2aUpWNUxnMJUUcjFFF1FndXZHEHhkOUtqHSDRqay8=
shadowLastChange: 12418
modifiersName: uid=baka,ou=People,dc=somemachine,dc=org
modifyTimestamp: 20040101030654Z
On 23/03/04 23:06 -0500, Stephen Gran wrote:
> Hello all,
>
> I am having the strangest LDAP issue. We recently migrated a network
> from a hodgepodge of system accounts to an all LDAP setup, with the
> exception of a few administrative accounts. All seems to be working
> well, except for one thing - finger. id returns the expected values,
> users can log in, mail gets accepted and delivered, everything I can
> think of to check works fine, except finger.
>
> Even stranger:
> finger -m $user returns expected results, although finger $user returns
> 'no such user'. Aha! I said - an indexing problem, or perhaps nscd.
> Responses coming back too slow for finger. Messed about with different
> indexing schemes (they are currently this:
>
> index gecos,cn,uid pres,eq,sub
> index homeDirectory,objectClass,loginshell,gidnumber,uidnumber pres,eq
>
> for an ldif of:
>
> dn: uid=$user,ou=People,dc=ccil,dc=org
> objectClass: top
> objectClass: ccilAccount
> objectClass: posixAccount
> objectClass: ccilAddress
> objectClass: ccilWorkAddress
> objectClass: ccilPerson
> cn: Some Guy
> uid: $user
> uidNumber: 11709
> gidNumber: 100
> homeDirectory: /home/u/$user
> l: Smalltown
> st: PA
> postalCode: 12345
> userPassword:: <secret>
> loginShell: /bin/bash
> gecos: Some Guy
> pppAccess: TRUE
> emailAccess: TRUE
> registered: Oct 30 22:23:16 2001
> street: 1224 Main St.
> bday: 01-02-03
> telephoneNumber: 215-555-1212
> education: College Graduate
> gender: Blank
>
> (names changed to protect the innocent))
>
> Changing indexing options, running slapindex over and over, no help.
>
> By accident, I reran finger in my root session that was kept open as an
> "I hope I don't hose something" backup plan, and it worked. Now I start
> to think ACL's, nscd permissions, etc, but I see nothing out of the
> ordinary. We're using a pretty close to stock Debian config for all of
> this, with some minor tuning for indexing options and cache size, but
> that's about it. The ACL's are the stock ones, so I really don't know
> what's falling over here. Anybody have any ideas what to debug next?
>
> TIA,
> --
> -----------------------------------------------------------------
> | ,''`. Stephen Gran |
> | : :' : sgran@debian.org |
> | `. `' Debian user, admin, and developer |
> | `- http://www.debian.org |
> -----------------------------------------------------------------
--
------------------------------------------
Ted Knab
Chester, Maryland 21619 USA
------------------------------------------
95f6570216275602f62637f6c6574756e202242796e67602f6e60247
865602478696e6b696e67602d616368696e6560216e6460247865602
56e64602f666028657d616e6964797e2a0
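
A check for the symptom described in the quoted message, added here as an example and not part of either poster's mail: it compares a keyed getpwnam() lookup with a full passwd enumeration, on the assumption that "finger -m" relies on the former while plain finger, which also matches real names, needs the latter. The function names and verdict strings are made up for this example; run it once as the affected user and once as root and compare the output.

```python
#!/usr/bin/env python3
"""Compare a direct NSS lookup with a full passwd enumeration for one user."""
import os
import pwd
import sys


def real_name_words(gecos):
    # The real name is the first comma-separated GECOS field, e.g. "Baka,,,".
    return gecos.split(",")[0].lower().split()


def compare_lookups(name, by_name=pwd.getpwnam, enumerate_all=pwd.getpwall):
    """Return (direct_hit, enumerated_logins) for `name`."""
    try:
        by_name(name)                      # getpwnam(): one keyed NSS query
        direct_hit = True
    except KeyError:
        direct_hit = False
    wanted = name.lower()
    enumerated = [
        e.pw_name for e in enumerate_all()  # getpwent(): walks every entry
        if e.pw_name == name or wanted in real_name_words(e.pw_gecos)
    ]
    return direct_hit, enumerated


def verdict(name, direct_hit, enumerated):
    if direct_hit and name not in enumerated:
        # Same pattern as "finger -m works, finger says no such user":
        # the entry answers a keyed query but is absent from enumeration
        # for the identity this process runs as.
        return "enumeration-missing"
    if not direct_hit and not enumerated:
        return "not-found"
    if not direct_hit:
        return "enumeration-only"          # matched on real name only
    return "ok"


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "root"
    hit, found = compare_lookups(user)
    print(f"euid={os.geteuid()} user={user} getpwnam={hit} enumerated={found}")
    print("verdict:", verdict(user, hit, found))
```

A verdict of "enumeration-missing" for the ordinary user and "ok" for root points at whatever differs between the two identities on the enumeration path (cache, bind identity, server-side limits or ACLs) rather than at the entry itself.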