passwd_compat: ldap?

Brian Jones jonesy at CS.Princeton.EDU
Thu Jan 29 03:32:42 UTC 2004


Hi, 

I got it working - thanks. I *was* using getent, and I was still getting
back info about users not listed in /etc/passwd (using +user). I then
noticed (after I had already sent my earlier mail) that all of them were
listed with shell '/bin/false'. I had a line '+::::::/bin/false' as the
last line in /etc/passwd, and wasn't reading the complete output from
getent. Once I noticed that I was able to troubleshoot things rather
quickly. 

Thanks again for your help. 
brian.

On Wed, 2004-01-28 at 15:23, Nalin Dahyabhai wrote:
> On Wed, Jan 28, 2004 at 01:47:35PM -0500, Brian K. Jones wrote:
> > I've asked this question before, and on several other mailing lists, but 
> > no answer yet.
> > 
> > I want to be able to authenticate users using 'compat' against an ldap 
> > directory, such that this notation works (in nsswitch.conf)
> > 
> > passwd: compat
> > passwd_compat: ldap
> > 
> > I've heard rumours that this does work in RHEL 3, so I'm trying to
> > figure out what the magic incantation is to get it working in FC 1.
> > Under FC1, the syntax in nsswitch doesn't cause an error - but it
> > doesn't enforce the '+username' notation in /etc/passwd either -
> > anyone with a valid account on the ldap server gets in. Presumably,
> > this is a glibc-specific, and not a nss_ldap-specific issue, since
> > libnss_compat is bundled with glibc.
> 
> First, check that you have glibc 2.3.2-58 or newer -- its changelog
> suggests that this is a minimum.  Then, bypass login and check what
> applications get from glibc to make sure you understand what's going on
> (i.e., start with the basics and work your way up).
> 
> Do that by running "getent passwd" to get the entire list of users which
> are visible to your system.  Or try "getent passwd username" to check if
> applications can look up information about a particular user.  Check
> this both as "root" and as an unprivileged user to make sure you don't
> have a permissions problem somewhere on the client system.
> 
> If that all works (and it did on my test box), then the problem may be
> something else.
> 
> HTH,
> 
> Nalin
> 
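
A small check for the situation described in this thread, added here as an example (not code from either poster): it lists the `+`/`-` compat entries in a passwd-format file and flags a bare `+` line such as the `+::::::/bin/false` one mentioned above. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit nss_compat entries in a passwd-format file.

# Print one tab-separated line per compat entry: line number, kind, name, shell.
classify_compat() {
    awk -F: '
        /^[+-]/ {
            name = $1
            # An empty 7th field means the shell comes from the passwd_compat source.
            shell = ($7 != "") ? $7 : "(from directory)"
            if (name == "+")                     kind = "include-all"
            else if (substr(name, 1, 2) == "+@") kind = "include-netgroup"
            else if (substr(name, 1, 2) == "-@") kind = "exclude-netgroup"
            else if (substr(name, 1, 1) == "+")  kind = "include-user"
            else                                 kind = "exclude-user"
            printf "%d\t%s\t%s\t%s\n", NR, kind, name, shell
        }' "$1"
}

# Exit status 0 if the file has a bare "+" entry (all directory users included).
has_wildcard() {
    classify_compat "$1" |
        awk -F'\t' '$2 == "include-all" { found = 1 } END { exit !found }'
}

# Constructed sample (not a real /etc/passwd); prints the temp file path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
+alice::::::
+@admins::::::
-guest::::::
+::::::/bin/false
EOF
    echo "$f"
}

sample=$(make_sample)
classify_compat "$sample"
# As reported in the message above, a trailing "+" line makes every directory
# user visible to getent, here with the shell overridden to /bin/false.
if has_wildcard "$sample"; then
    echo "bare '+' entry present: users not listed by name still resolve"
fi
rm -f "$sample"
```

To audit a live system, call `classify_compat /etc/passwd` and compare the result with the full output of `getent passwd`.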




