Trouble with nss|pam|openldap

Atom Powers atom.powers at gmail.com
Wed May 24 07:40:41 PDT 2006


On 5/24/06, Jason Lixfeld <jason+lists.freebsd-questions at lixfeld.ca> wrote:
> On 23-May-06, at 8:48 PM, Atom Powers wrote:
>
> I have no all.log currently.  The only thing showing up in messages
> though is:
>

You have to enable all.log in syslog.conf, and then "touch
/var/log/all.log". I always turn this on because it can catch messages
that are not configured to go to another log file, and sometimes it's
nice to have all your logs in one place. But if you have a noisy
service it can fill your file system.

> May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP
> server - Server is unavailable
>
> That error seems to creep up only when I restart slapd though.
>
> >>
> >> I searched through the bugs and it seems there is a bug in nss_ldap
> >> with regards to getpwuid, but that seems to be more of an indicator
> >> about why finger doesn't work, not why ssh doesn't work
> >>
> >> # id testuser seems to work, finger doesn't.  Curious.  Anyway, it
> >> still appears as though at least some portions of the system are
> >> using LDAP, which is good.
> >> $ id testuser
> >> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> >> $ finger testuser
> >> finger: testuser: no such user
> >> $
> >
> > id works because it's using the name service to look up the user (you
> > added ldap to your nsswitch.conf, right?)
> >
> > finger doesn't work because you don't have a /etc/pam.d/finger file.
> > Either create one or add pam_ldap to your /etc/pam.d/system file. (I
> > always create a new conf file for my ldap enabled apps)

On reflection I may be way off base with this. finger doesn't run *as*
another user, and you don't log into finger. So it shouldn't need a
pam.d file.

Finger doesn't work for ldap accounts on my systems.

> Interesting.  Finger *did* work during some of my first attempts at
> getting this working.  I changed something (I don't recall what) and
> then finger stopped working.
>
> This seems to all work now with built-in ssh.  How strange.
>
> Now, I seem to have hit another snag and a bug (both of which I
> remember reading about in my travels):
>
> $id testuser
> id: testuser: no such user
> # sudo su
> Password:
> # id testuser
> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> # cd ~testuser
> # pwd
> /usr/home/testuser
> #ssh testuser at localhost
> %id testuser
> id: testuser: no such user
> %pwd
> /usr/home/testuser
> %ls -al
> Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] != NULL),
> function do_init, file ldap-nss.c, line 1193.
> Abort (core dumped)
> %
>

I don't seem to have this problem:

apowers at DIT793:~$finger apowers
finger: apowers: no such user
apowers at DIT793:~$id apowers
uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
apowers at DIT793:~$ssh localhost
Password:

FreeBSD 6.1-RELEASE (SMP) #0: Sun May  7 04:42:56 UTC 2006
apowers at DIT793:~$id apowers
uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
apowers at DIT793:~$pwd
/home/apowers
apowers at DIT793:~$ls -al
total 53216
<snip>

What does your nsswitch.conf look like?
I have:
#nsswitch.conf
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files


-- 
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
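An added example (not from the thread or from either poster) for the two checks Atom is working through above: does nsswitch.conf actually route passwd and group through ldap, and does "id user" give the same answer as root and as the unprivileged user? The nsswitch.conf sample is constructed to mirror the one posted; the root-vs-user comparison assumes it is run as root on a host that has su.

```sh
#!/bin/sh
# Added example, not part of the original thread. Parses nsswitch.conf
# for ldap-backed databases and compares a user lookup as root with the
# same lookup as that user (the thread's symptom: "id testuser" works as
# root but fails as the user itself).

# 0 if DATABASE (e.g. passwd) in FILE lists ldap among its sources, else 1.
# Comments are stripped first, so "#passwd: files ldap" does not count.
nsswitch_has_ldap() {
    sed 's/#.*//' "$1" | awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the sources configured for DATABASE in FILE (empty if absent).
nsswitch_sources() {
    sed 's/#.*//' "$1" | awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print }'
}

# 0 if "id USER" prints the same line when run as root and as USER.
# Assumes it is run as root. A mismatch means nss_ldap is usable by root
# but not by unprivileged processes, which is where to look next.
lookup_matches_for_user() {
    root_view=$(id "$1" 2>&1)
    user_view=$(su -m "$1" -c "id $1" 2>&1)
    [ "$root_view" = "$user_view" ]
}

# Constructed sample mirroring the nsswitch.conf posted in the thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#nsswitch.conf
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
EOF

for db in passwd group shells; do
    if nsswitch_has_ldap "$SAMPLE" "$db"; then
        echo "$db: ldap enabled ($(nsswitch_sources "$SAMPLE" "$db"))"
    else
        echo "$db: ldap NOT enabled ($(nsswitch_sources "$SAMPLE" "$db"))"
    fi
done
```

Point the functions at /etc/nsswitch.conf instead of the sample to check a live host, and run lookup_matches_for_user testuser as root to reproduce the comparison Jason did by hand.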

