Trouble with nss|pam|openldap

Vulpes Velox v.velox at vvelox.net
Thu May 25 18:40:33 PDT 2006


On Wed, 24 May 2006 07:40:37 -0700
"Atom Powers" <atom.powers at gmail.com> wrote:

> On 5/24/06, Jason Lixfeld
> <jason+lists.freebsd-questions at lixfeld.ca> wrote:
> > On 23-May-06, at 8:48 PM, Atom Powers wrote:
> >
> > I have no all.log currently.  The only thing showing up in
> > messages though is:
> >
> 
> You have to enable all.log in syslog.conf, and then "touch
> /var/log/all.log". I always turn this on because it can catch
> messages that are not configured to go to another log file, and
> sometimes it's nice to have all your logs in one place. But if you
> have a noisy service it can fill your file system.
> 
> > May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP
> > server - Server is unavailable
> >
> > That error seems to creep up only when I restart slapd though.
> >
> > >>
> > >> I searched through the bugs and it seems there is a bug in
> > >> nss_ldap with regards to getpwuid, but that seems to be more
> > >> if an indicator about why finger doesn't work, not why ssh
> > >> doesn't work
> > >>
> > >> # id testuser seems to work, finger doesn't.  Curious.
> > >> Anyway, it still appears as though at least some portions of
> > >> the system are using LDAP, which is good.
> > >> $ id testuser
> > >> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> > >> $ finger testuser
> > >> finger: testuser: no such user
> > >> $
> > >
> > > id works because it's using the name service to look up the
> > > user (you added ldap to your nsswitch.conf, right?)
> > >
> > > finger doesn't work because you don't have a /etc/pam.d/finger
> > > file. Either create one or add pam_ldap to
> > > your /etc/pam.d/system file. (I always create a new conf file
> > > for my ldap enabled apps)
> 
> On reflection I may be way off base with this. finger doesn't run
> *as* another user, and you don't log into finger. So it shouldn't
> need a pam.d file.
> 
> Finger doesn't work for ldap accounts on my systems.
> 
> > Interesting.  Finger *did* work during some of my first attempts
> > at getting this working.  I changed something (I don't recall
> > what) and then finger stopped working.
> >
> > This seems to all work now with built-in ssh.  How strange.
> >
> > Now, I seem to have hit another snag and a bug (Both of which I
> > remember reading about this in my travels:)
> >
> > $id testuser
> > id: testuser: no such user
> > # sudo su
> > Password:
> > # id testuser
> > uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> > # cd ~testuser
> > # pwd
> > /usr/home/testuser
> > #ssh testuser at localhost
> > %id testuser
> > id: testuser: no such user
> > %pwd
> > /usr/home/testuser
> > %ls -al
> > Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] !=
> > NULL), function do_init, file ldap-nss.c, line 1193.
> > Abort (core dumped)
> > %
> >
> 
> I don't seem to have this problem:
> 
> apowers at DIT793:~$finger apowers
> finger: apowers: no such user
> apowers at DIT793:~$id apowers
> uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
> apowers at DIT793:~$ssh localhost
> Password:
> 
> FreeBSD 6.1-RELEASE (SMP) #0: Sun May  7 04:42:56 UTC 2006
> apowers at DIT793:~$id apowers
> uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
> apowers at DIT793:~$pwd
> /home/apowers
> apowers at DIT793:~$ls -al
> total 53216
> <snip>
> 
> What does your nsswitch.conf look like?
> I have:
> #nsswitch.conf
> group: files ldap
> hosts: files dns
> networks: files
> passwd: files ldap
> shells: files

On this note you may want to do something like this. I found this
helps things along more nicely at startup.

group: files [success=return notfound=continue unavail=continue tryagain=continue] ldap
passwd: files [success=return notfound=continue unavail=continue tryagain=continue] ldap

I thought that was the default, but startup goes a bit quicker with it like that.
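To make the `[status=action]` syntax above concrete, here is an added simulation of how nsswitch walks its sources (example code written for this page, not from the thread or from FreeBSD's libc). It assumes each source answers with one of the four NSS status codes, that an explicit action list replaces the defaults for that source only, and it uses constructed backends in place of files and nss_ldap.

```python
"""Simulate nsswitch.conf source/action resolution (added example)."""
import re

# Default actions for every status (the same values the message spells out).
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_line(line):
    """Parse 'passwd: files [notfound=continue] ldap' into
    [(source, {status: action}), ...]; an action block binds to the
    source that precedes it. Negated forms like !success are not handled."""
    _, _, rest = line.partition(":")
    tokens = re.findall(r"\[[^\]]*\]|\S+", rest)
    sources = []
    for tok in tokens:
        if tok.startswith("["):
            if not sources:
                raise ValueError("action block before any source")
            for status, action in re.findall(r"(\w+)=(\w+)", tok):
                sources[-1][1][status.lower()] = action.lower()
        else:
            sources.append((tok, dict(DEFAULT_ACTIONS)))
    return sources


def lookup(sources, backends, key):
    """backends maps a source name to callable(key) -> (status, value).
    Returns the status/value of the source that triggered 'return',
    or the last status seen when every source fell through."""
    last = ("notfound", None)
    for name, actions in sources:
        status, value = backends[name](key)
        if actions.get(status, "continue") == "return":
            return status, value
        last = (status, None)  # 'continue': try the next source
    return last


# Constructed sample backends standing in for files and nss_ldap.
LOCAL = {"root": 0, "apowers": 1133}
LDAP_CALLS = []  # records whether the LDAP source was consulted at all

def files(key):
    return ("success", LOCAL[key]) if key in LOCAL else ("notfound", None)

def ldap_down(key):  # slapd not up yet, as during early boot
    LDAP_CALLS.append(key)
    return ("unavail", None)

def ldap_up(key):
    LDAP_CALLS.append(key)
    return ("success", 2000) if key == "testuser" else ("notfound", None)
```

Running `lookup` for a local account returns before the LDAP source is touched, so an unreachable slapd only affects lookups for accounts that are not in the files source.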

