Re: Strabge LDAP problemdebian-isp <debian-isp@lists.debian.org>

To: Stephen Gran via debian-isp <debian-isp@lists.debian.org>
Subject: Re: Strabge LDAP problemdebian-isp <debian-isp@lists.debian.org>
From: Theodore Knab <tjk@somemachine.org>
Date: Wed, 24 Mar 2004 09:47:12 -0500
Message-id: <[🔎] 20040324144712.GB15410@annapolislinux.org>
In-reply-to: <[🔎] 20040324040614.GB30100@hadrian>
References: <[🔎] 20040324040614.GB30100@hadrian>

If finger is not working, does chfn or the password change stuff work ?

I think this is a PAM issue. However, I could be wrong.

My '/etc/pam.d/login' file looks like this and fingers work with LDAP.

What does your look like ?

tjk@somemachine:/etc/pam.d$ cat login | grep -v ^#

auth       requisite  pam_securetty.so
auth       requisite  pam_nologin.so
auth       required   pam_env.so
auth       sufficient pam_ldap.so
auth       required   pam_unix.so nullok
account    sufficient pam_ldap.so
account    required   pam_unix.so
session    sufficient pam_ldap.so
session    required   pam_unix.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
password   sufficient pam_ldap.so obscure min=4 max=50
password   required   pam_unix.so nullok obscure min=4 max=50

My LDAP entry looks like:

dn: uid=baka,ou=People,dc=somemachine,dc=org
sn: Bo
uid: baka
shadowMax: 99999
shadowWarning: 7
mail: baka@somemachine.org
mailAlternateAddress: baka@somemachine.org
mailAlternateAddress: nerd@somemachine.org
accountStatus: active
mailQuota: 20480000S
mailMessageStore: /home/1001/Maildir
homeDirectory: /home/1001
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: account
objectClass: qmailuser
objectClass: couriermailaccount
objectClass: Person
objectClass: OrganizationalPerson
objectClass: inetOrgPerson
givenName:: V2lmZSA=
o: Some Linux Users Group
physicalDeliveryOfficeName:: MSBDeWJlciBTcGFjZSA=
employeeNumber: 1
telephoneNumber: 911
ou: admin
title:: U3VwZXIgTmVyZCA=
homePostalAddress: 1 Unix Way or the Hwy.
homePhone: 911-home
loginShell: /bin/sh
uidNumber: 1001
gidNumber: 1001
gecos: Baka,,,
cn: Baka Bo
userPassword:: e2NyeXB0fSQxJMU2aUpWNUxnMJUUcjFFF1FndXZHEHhkOUtqHSDRqay8=
shadowLastChange: 12418
modifiersName: uid=baka,ou=People,dc=somemachine,dc=org
modifyTimestamp: 20040101030654Z






On 23/03/04 23:06 -0500, Stephen Gran wrote:
> Hello all,
> 
> I am having the strangest LDAP issue.  We recently migrated a network
> from a hodgepdge of system accounts to an all LDAP setup, with the
> exception of a few administrative accounts.  All seems to be working
> well, except for one thing - finger.  id returns the expected values,
> users can log in, mail gets accepted and delivered, everything I can
> think of to check works fine, except finger.
> 
> Even stranger:
> finger -m $user returns expected results, although finger $user returns
> 'no such user'.  Aha! I said - an indexing problem , or perhaps nscd.
> Responses coming back too slow for finger.  Messed about with different
> indexing schemes (they are currently this:
> 
> index gecos,cn,uid pres,eq,sub
> index homeDirectory,objectClass,loginshell,gidnumber,uidnumber pres,eq
> 
> for an ldif of:
> 
> dn: uid=$user,ou=People,dc=ccil,dc=org
> objectClass: top
> objectClass: ccilAccount
> objectClass: posixAccount
> objectClass: ccilAddress
> objectClass: ccilWorkAddress
> objectClass: ccilPerson
> cn: Some Guy
> uid: $user
> uidNumber: 11709
> gidNumber: 100
> homeDirectory: /home/u/$user
> l: Smalltown
> st: PA
> postalCode: 12345
> userPassword:: <secret>
> loginShell: /bin/bash
> gecos: Some Guy
> pppAccess: TRUE
> emailAccess: TRUE
> registered: Oct 30 22:23:16 2001
> street: 1224 Main St.
> bday: 01-02-03
> telephoneNumber: 215-555-1212
> education: College Graduate
> gender: Blank
> 
> (names changed to protect the innocent))
> 
> Changing indexing options, running slapindex over and over, no help.
> 
> By accident, I reran finger in my root session that was kept open as an
> "I hope I don't hose something" backup plan, and it worked.  Now I start
> to think ACL's, nscd permissions, etc, but I see nothing out of the
> ordinary.  We're using a pretty close to stock Debian config for all of
> this, with some minor tuning for indexing options and cache size, but
> that's about it.  The ACL's are the stock ones, so I really don't know
> what's falling over here.  Anybody have any ideas what to debug next?
> 
> TIA,
> -- 
>  -----------------------------------------------------------------
> |   ,''`.					     Stephen Gran |
> |  : :' :					 sgran@debian.org |
> |  `. `'			Debian user, admin, and developer |
> |    `-					    http://www.debian.org |
>  -----------------------------------------------------------------



-- 
------------------------------------------
Ted Knab
Chester, Maryland  21619 USA
------------------------------------------
95f6570216275602f62637f6c6574756e202242796e67602f6e60247
865602478696e6b696e67602d616368696e6560216e6460247865602
56e64602f666028657d616e6964797e2a0

Reply to:

Follow-Ups:
- Re: Strange LDAP problem
  - From: Stephen Gran <sgran@debian.org>

References:
- Strabge LDAP problem
  - From: Stephen Gran <sgran@debian.org>

Prev by Date: Re : - - -- -- -- --
Next by Date: Re: Jesus Help Me !
Previous by thread: Strabge LDAP problem
Next by thread: Re: Strange LDAP problem
Index(es):
- Date
- Thread