
Re: Strange LDAP problem
debian-isp <debian-isp@lists.debian.org>

If finger is not working, does chfn or the password change stuff work?

I think this is a PAM issue. However, I could be wrong.

My '/etc/pam.d/login' file looks like this and finger works with LDAP.

What does yours look like?

tjk@somemachine:/etc/pam.d$ cat login | grep -v ^#

auth       requisite  pam_securetty.so
auth       requisite  pam_nologin.so
auth       required   pam_env.so
auth       sufficient pam_ldap.so
auth       required   pam_unix.so nullok
account    sufficient pam_ldap.so
account    required   pam_unix.so
session    sufficient pam_ldap.so
session    required   pam_unix.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
password   sufficient pam_ldap.so obscure min=4 max=50
password   required   pam_unix.so nullok obscure min=4 max=50

My LDAP entry looks like:

dn: uid=baka,ou=People,dc=somemachine,dc=org
sn: Bo
uid: baka
shadowMax: 99999
shadowWarning: 7
mail: baka@somemachine.org
mailAlternateAddress: baka@somemachine.org
mailAlternateAddress: nerd@somemachine.org
accountStatus: active
mailQuota: 20480000S
mailMessageStore: /home/1001/Maildir
homeDirectory: /home/1001
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: account
objectClass: qmailuser
objectClass: couriermailaccount
objectClass: Person
objectClass: OrganizationalPerson
objectClass: inetOrgPerson
givenName:: V2lmZSA=
o: Some Linux Users Group
physicalDeliveryOfficeName:: MSBDeWJlciBTcGFjZSA=
employeeNumber: 1
telephoneNumber: 911
ou: admin
title:: U3VwZXIgTmVyZCA=
homePostalAddress: 1 Unix Way or the Hwy.
homePhone: 911-home
loginShell: /bin/sh
uidNumber: 1001
gidNumber: 1001
gecos: Baka,,,
cn: Baka Bo
userPassword:: e2NyeXB0fSQxJMU2aUpWNUxnMJUUcjFFF1FndXZHEHhkOUtqHSDRqay8=
shadowLastChange: 12418
modifiersName: uid=baka,ou=People,dc=somemachine,dc=org
modifyTimestamp: 20040101030654Z

On 23/03/04 23:06 -0500, Stephen Gran wrote:
> Hello all,
> I am having the strangest LDAP issue.  We recently migrated a network
> from a hodgepodge of system accounts to an all LDAP setup, with the
> exception of a few administrative accounts.  All seems to be working
> well, except for one thing - finger.  id returns the expected values,
> users can log in, mail gets accepted and delivered, everything I can
> think of to check works fine, except finger.
> Even stranger:
> finger -m $user returns expected results, although finger $user returns
> 'no such user'.  Aha! I said - an indexing problem, or perhaps nscd.
> Responses coming back too slow for finger.  Messed about with different
> indexing schemes (they are currently this:
> index gecos,cn,uid pres,eq,sub
> index homeDirectory,objectClass,loginshell,gidnumber,uidnumber pres,eq
> for an ldif of:
> dn: uid=$user,ou=People,dc=ccil,dc=org
> objectClass: top
> objectClass: ccilAccount
> objectClass: posixAccount
> objectClass: ccilAddress
> objectClass: ccilWorkAddress
> objectClass: ccilPerson
> cn: Some Guy
> uid: $user
> uidNumber: 11709
> gidNumber: 100
> homeDirectory: /home/u/$user
> l: Smalltown
> st: PA
> postalCode: 12345
> userPassword:: <secret>
> loginShell: /bin/bash
> gecos: Some Guy
> pppAccess: TRUE
> emailAccess: TRUE
> registered: Oct 30 22:23:16 2001
> street: 1224 Main St.
> bday: 01-02-03
> telephoneNumber: 215-555-1212
> education: College Graduate
> gender: Blank
> (names changed to protect the innocent))
> Changing indexing options, running slapindex over and over, no help.
> By accident, I reran finger in my root session that was kept open as an
> "I hope I don't hose something" backup plan, and it worked.  Now I start
> to think ACL's, nscd permissions, etc, but I see nothing out of the
> ordinary.  We're using a pretty close to stock Debian config for all of
> this, with some minor tuning for indexing options and cache size, but
> that's about it.  The ACL's are the stock ones, so I really don't know
> what's falling over here.  Anybody have any ideas what to debug next?
> TIA,
> -- 
>  -----------------------------------------------------------------
> |   ,''`.					     Stephen Gran |
> |  : :' :					 sgran@debian.org |
> |  `. `'			Debian user, admin, and developer |
> |    `-					    http://www.debian.org |
>  -----------------------------------------------------------------

Ted Knab
Chester, Maryland  21619 USA
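
Added example, not part of either message: a small diagnostic for the symptom described in the thread, assuming the BSD finger that Debian ships, where 'finger -m' does one direct lookup by login name while plain 'finger' walks the whole passwd database to match login and real names. It compares those two NSS paths for each user, so running it once as root and once as an ordinary user shows whether enumeration is what differs between the sessions. The function names and status labels are made up for this example.

```python
import os
import pwd
import sys


def classify(user, by_name=pwd.getpwnam, walk=pwd.getpwall):
    """Compare the two NSS lookup paths for one login name.

    by_name: direct lookup by login (the path 'finger -m' depends on).
    walk:    full enumeration of passwd entries (the path plain 'finger'
             depends on when it matches login names and GECOS names).
    Both are injectable so the logic can be tested without LDAP.
    """
    try:
        direct = by_name(user)
    except KeyError:
        direct = None
    listed = any(entry.pw_name == user for entry in walk())
    if direct and listed:
        return "ok"                # visible on both paths
    if direct:
        return "enumeration-gap"   # resolves by name, absent from the walk
    if listed:
        return "lookup-gap"        # enumerated, but direct lookup fails
    return "unknown-user"


def report(users, **paths):
    """Map each login name to its status for the current effective uid."""
    return {user: classify(user, **paths) for user in users}


if __name__ == "__main__":
    # Usage: python3 nsscheck.py user1 user2 ...   (script name is arbitrary)
    print(f"euid={os.geteuid()}")
    for name, status in report(sys.argv[1:]).items():
        print(f"{name}: {status}")
```

An "enumeration-gap" result as an ordinary user together with "ok" as root points at whatever limits enumeration for unprivileged processes (directory ACLs, client configuration file permissions, nscd) rather than at the PAM stack.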
