[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Strabge LDAP problem

indexes only affect how fast a lookup happens, not if it happens.

really it sounds like you forgot to, or didn't complete setting up your nss-ldap (/etc/nsswitch, libnss-ldap, nscd, and friends). pam is only for authentication/authorization NOT accounts information.

home directories, user id nums, etc, are looked up via name service switch mechanism (libnss, and the ns cache demon, nscd)

--On Tuesday, March 23, 2004 23:06 -0500 Stephen Gran <sgran@debian.org> wrote:

Hello all,

I am having the strangest LDAP issue.  We recently migrated a network
from a hodgepdge of system accounts to an all LDAP setup, with the
exception of a few administrative accounts.  All seems to be working
well, except for one thing - finger.  id returns the expected values,
users can log in, mail gets accepted and delivered, everything I can
think of to check works fine, except finger.

Even stranger:
finger -m $user returns expected results, although finger $user returns
'no such user'.  Aha! I said - an indexing problem , or perhaps nscd.
Responses coming back too slow for finger.  Messed about with different
indexing schemes (they are currently this:

index gecos,cn,uid pres,eq,sub
index homeDirectory,objectClass,loginshell,gidnumber,uidnumber pres,eq

for an ldif of:

dn: uid=$user,ou=People,dc=ccil,dc=org
objectClass: top
objectClass: ccilAccount
objectClass: posixAccount
objectClass: ccilAddress
objectClass: ccilWorkAddress
objectClass: ccilPerson
cn: Some Guy
uid: $user
uidNumber: 11709
gidNumber: 100
homeDirectory: /home/u/$user
l: Smalltown
st: PA
postalCode: 12345
userPassword:: <secret>
loginShell: /bin/bash
gecos: Some Guy
pppAccess: TRUE
emailAccess: TRUE
registered: Oct 30 22:23:16 2001
street: 1224 Main St.
bday: 01-02-03
telephoneNumber: 215-555-1212
education: College Graduate
gender: Blank

(names changed to protect the innocent))

Changing indexing options, running slapindex over and over, no help.

By accident, I reran finger in my root session that was kept open as an
"I hope I don't hose something" backup plan, and it worked.  Now I start
to think ACL's, nscd permissions, etc, but I see nothing out of the
ordinary.  We're using a pretty close to stock Debian config for all of
this, with some minor tuning for indexing options and cache size, but
that's about it.  The ACL's are the stock ones, so I really don't know
what's falling over here.  Anybody have any ideas what to debug next?

|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |

Michael Loftis
Modwest Sr. Systems Administrator
Powerful, Affordable Web Hosting
GPG/PGP --> 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E

Reply to: