Date: Thu, 25 May 2006 20:40:31 -0500
From: Vulpes Velox <v.velox@vvelox.net>
To: freebsd-questions@freebsd.org
Subject: Re: Trouble with nss|pam|openldap
Message-ID: <20060525204031.05600c94@vixen42.vulpes>
In-Reply-To: <df9ac37c0605240740o67ef8622s8c58c659ce264520@mail.gmail.com>
References: <7DAD87F3-C2BD-4776-A98A-6EFDAD335594@lixfeld.ca>
 <df9ac37c0605231748n4e3abbb4he8829f2edfe264dc@mail.gmail.com>
 <71C11F58-32D9-4EBF-B35E-F1730184B706@lixfeld.ca>
 <df9ac37c0605240740o67ef8622s8c58c659ce264520@mail.gmail.com>
On Wed, 24 May 2006 07:40:37 -0700
"Atom Powers" <atom.powers@gmail.com> wrote:

> On 5/24/06, Jason Lixfeld <jason+lists.freebsd-questions@lixfeld.ca> wrote:
> > On 23-May-06, at 8:48 PM, Atom Powers wrote:
> >
> > I have no all.log currently.  The only thing showing up in
> > messages though is:
> >
>
> You have to enable all.log in syslog.conf, and then "touch
> /var/log/all.log". I always turn this on because it can catch
> messages that are not configured to go to another log file, and
> sometimes it's nice to have all your logs in one place. But if you
> have a noisy service it can fill your file system.
>
> > May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP
> > server - Server is unavailable
> >
> > That error seems to creep up only when I restart slapd though.
> >
> > >> I searched through the bugs and it seems there is a bug in
> > >> nss_ldap with regards to getpwuid, but that seems to be more
> > >> of an indicator about why finger doesn't work, not why ssh
> > >> doesn't work
> > >>
> > >> # id testuser seems to work, finger doesn't.  Curious.
> > >> Anyway, it still appears as though at least some portions of
> > >> the system are using LDAP, which is good.
> > >> $ id testuser
> > >> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> > >> $ finger testuser
> > >> finger: testuser: no such user
> > >> $
> > >
> > > id works because it's using the name service to look up the
> > > user (you added ldap to your nsswitch.conf, right?)
> > >
> > > finger doesn't work because you don't have a /etc/pam.d/finger
> > > file. Either create one or add pam_ldap to
> > > your /etc/pam.d/system file. (I always create a new conf file
> > > for my ldap enabled apps)
>
> On reflection I may be way off base with this. finger doesn't run
> *as* another user, and you don't log into finger. So it shouldn't
> need a pam.d file.
>
> Finger doesn't work for ldap accounts on my systems.
>
> > Interesting.  Finger *did* work during some of my first attempts
> > at getting this working.  I changed something (I don't recall
> > what) and then finger stopped working.
> >
> > This seems to all work now with built-in ssh.  How strange.
> >
> > Now, I seem to have hit another snag and a bug (Both of which I
> > remember reading about this in my travels:)
> >
> > $id testuser
> > id: testuser: no such user
> > # sudo su
> > Password:
> > # id testuser
> > uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> > # cd ~testuser
> > # pwd
> > /usr/home/testuser
> > #ssh testuser@localhost
> > %id testuser
> > id: testuser: no such user
> > %pwd
> > /usr/home/testuser
> > %ls -al
> > Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] !=
> > NULL), function do_init, file ldap-nss.c, line 1193.
> > Abort (core dumped)
> > %
> >
>
> I don't seem to have this problem:
>
> apowers@DIT793:~$finger apowers
> finger: apowers: no such user
> apowers@DIT793:~$id apowers
> uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
> apowers@DIT793:~$ssh localhost
> Password:
>
> FreeBSD 6.1-RELEASE (SMP) #0: Sun May  7 04:42:56 UTC 2006
> apowers@DIT793:~$id apowers
> uid=1133(apowers) gid=1133(apowers) groups=1133(apowers), 0(wheel)
> apowers@DIT793:~$pwd
> /home/apowers
> apowers@DIT793:~$ls -al
> total 53216
> <snip>
>
> What does your nsswitch.conf look like?
> I have:
> #nsswitch.conf
> group: files ldap
> hosts: files dns
> networks: files
> passwd: files ldap
> shells: files

On this note you may want to do something like this. I found this
helps things along nicer at startup.

group: files [success=return notfound=continue unavail=continue tryagain=continue] ldap
passwd: files [success=return notfound=continue unavail=continue tryagain=continue] ldap

I thought that was the default, but startup goes a bit quicker with it
like that.
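Added example, not from this thread or from anyone in it: a small Python simulator of the nsswitch.conf source/action semantics discussed above, so you can check what a given passwd: or group: line resolves to when slapd is unreachable (the situation behind the "Server is unavailable" error). The default action table follows nsswitch.conf(5); the per-source outcomes passed to resolve() are constructed scenarios, and the negated "!status" form is not handled.

```python
import re

# Actions applied when a source carries no [...] specifier (nsswitch.conf(5)).
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_line(line):
    """Parse one nsswitch.conf database line into (db, [(source, actions), ...])."""
    line = line.split("#", 1)[0]                      # drop a trailing comment
    db, _, rest = line.partition(":")
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):   # keep '[...]' as one token
        if tok.startswith("["):
            if not sources:
                raise ValueError("action specifier before any source: " + line)
            actions = sources[-1][1]
            for spec in tok[1:-1].split():
                status, _, action = spec.lower().partition("=")
                if status not in DEFAULT_ACTIONS or action not in ("return", "continue"):
                    raise ValueError("bad specifier %r in %r" % (spec, line))
                actions[status] = action              # override only this status
        else:
            sources.append((tok.lower(), dict(DEFAULT_ACTIONS)))
    return db.strip(), sources


def resolve(line, outcomes):
    """Simulate a lookup. `outcomes` maps source -> status that source would
    report for the query. Returns (answering source or None, final status);
    a source missing from `outcomes` is treated as unavailable."""
    _, sources = parse_line(line)
    status = "notfound"
    for src, actions in sources:
        status = outcomes.get(src, "unavail")
        if actions[status] == "return":
            return (src if status == "success" else None), status
    return None, status                               # every source consulted


if __name__ == "__main__":
    explicit = ("passwd: files [success=return notfound=continue "
                "unavail=continue tryagain=continue] ldap")
    # Constructed scenario: the account is in /etc/master.passwd, slapd is down.
    print(resolve(explicit, {"files": "success", "ldap": "unavail"}))
    print(resolve("passwd: files ldap", {"files": "notfound", "ldap": "unavail"}))
    # Listing ldap first with unavail=return hides local accounts while the
    # directory is down: the misconfiguration worth checking for.
    print(resolve("passwd: ldap [unavail=return] files", {"files": "success"}))
```

Comparing parse_line() output for the explicit line and the bare "files ldap" line shows they are the same action table, which is what the remark about the default above refers to.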