passwd_compat: ldap?
Brian Jones
jonesy at CS.Princeton.EDU
Thu Jan 29 03:32:42 UTC 2004
Hi,
I got it working - thanks. I *was* using getent, and I was still getting
back info about users not listed in /etc/passwd (using +user). I then
noticed (after I had already sent my earlier mail) that all of them were
listed with shell '/bin/false'. I had a line '+::::::/bin/false' as the
last line in /etc/passwd, and wasn't reading the complete output from
getent. Once I noticed that, I was able to troubleshoot things rather
quickly.
Thanks again for your help.
brian.
On Wed, 2004-01-28 at 15:23, Nalin Dahyabhai wrote:
> On Wed, Jan 28, 2004 at 01:47:35PM -0500, Brian K. Jones wrote:
> > I've asked this question before, and on several other mailing lists, but
> > no answer yet.
> >
> > I want to be able to authenticate users using 'compat' against an ldap
> > directory, such that this notation works (in nsswitch.conf)
> >
> > passwd: compat
> > passwd_compat: ldap
> >
> > I've heard rumours that this does work in RHEL 3, so I'm trying to
> > figure out what the magic incantation is to get it working in FC 1.
> > Under FC1, the syntax in nsswitch doesn't cause an error - but it
> > doesn't enforce the '+username' notation in /etc/passwd either -
> > anyone with a valid account on the ldap server gets in. Presumably,
> > this is a glibc-specific, and not a nss_ldap-specific issue, since
> > libnss_compat is bundled with glibc.
>
> First, check that you have glibc 2.3.2-58 or newer -- its changelog
> suggests that this is a minimum. Then, bypass login and check what
> applications get from glibc to make sure you understand what's going on
> (i.e., start with the basics and work your way up).
>
> Do that by running "getent passwd" to get the entire list of users which
> are visible to your system. Or try "getent passwd username" to check if
> applications can look up information about a particular user. Check
> this both as "root" and as an unprivileged user to make sure you don't
> have a permissions problem somewhere on the client system.
>
> If that all works (and it did on my test box), then the problem may be
> something else.
>
> HTH,
>
> Nalin
>
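
Added example, not part of the original thread: a small Python check that classifies compat-mode lines in a passwd file and flags a bare `+` wildcard such as the `+::::::/bin/false` line described above, which makes every directory account visible with the overridden shell. The function names (`classify`, `audit`) and the sample file contents are constructed for illustration.

```python
# Added example: audit compat-mode entries in a passwd file.
# SAMPLE_PASSWD is constructed for illustration, not taken from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
+alice
+bob::::::
-mallory
+@admins
+::::::/bin/false
"""

# Fields that follow the name in a passwd line; a compat entry may override them.
FIELDS = ("passwd", "uid", "gid", "gecos", "home", "shell")

def classify(line):
    """Return (kind, name, overrides) for one passwd line, or None if blank."""
    line = line.strip()
    if not line:
        return None
    parts = line.split(":")
    token = parts[0]
    if token[0] not in "+-":
        return ("local", token, {})
    sign, name = token[0], token[1:]
    # Non-empty fields on a compat line replace the values from the directory.
    overrides = {f: v for f, v in zip(FIELDS, parts[1:]) if v}
    action = "include" if sign == "+" else "exclude"
    if name.startswith("@"):
        return (action + "-netgroup", name[1:], overrides)
    if name:
        return (action + "-user", name, overrides)
    # A bare '+' pulls in every remaining user from the passwd_compat source.
    return ("include-all" if sign == "+" else "other", "", overrides)

def audit(text):
    """Return (line number, effective shell) for each wildcard '+' entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = classify(line)
        if entry and entry[0] == "include-all":
            findings.append((lineno, entry[2].get("shell", "(from directory)")))
    return findings

if __name__ == "__main__":
    for lineno, shell in audit(SAMPLE_PASSWD):
        print(f"line {lineno}: bare '+' exposes all directory users, shell={shell}")
```

To check a real system, pass the contents of `/etc/passwd` to `audit()` and compare the result with the full output of `getent passwd`.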