
Re: nss_ldap questions



Thanks for your quick reply... I have answered your questions in line.

Peter Bowen wrote:
> On Thu, 2003-02-06 at 17:33, Tommy McNeely wrote:
>
>> I have a standing open bug against nss_ldap.. I just "re-assigned" it today because I noticed the QA contact needed to be changed to "jturner" instead of "abrown" ... but I have a question regarding the problems below... this question should really apply to ANY naming service, but LDAP probably just gives me the ability to SEE the problem??
>>
>> -
>> Problem 1: $ id mailman
>> ** searches in ldap for the user.. even though they are in /etc/passwd and /etc/group ... I have filed bug # 633717 against that (yes it starts with a 6, that's how old it is) ... as far as I can tell no one at redhat seems to care .. it's still in "new" state.


> This is correct.  It is valid to get a mix of groups from files and
> ldap.


<the way I understand it>


[root invaderzim root]# grep -A 3 ^passwd /etc/nsswitch.conf
passwd:     files nisplus ldap
shadow:     files nisplus ldap
group:      files nisplus ldap


look in files first.. if a match is found ... STOP, otherwise keep going?? not sure why nisplus is there.. this is the default file except for the services line below.
</the way I understand it>


If I take "nisplus ldap" off the line.. it works as expected: only local users can be found via finger/id (nss) but pam still tries to authenticate via ldap (although it apparently fails)

I currently am watching it do queries for "nscd" with "passwd: files ldap"

maybe I need something like [FOUND=return]




*** hehehe .. where did problem2 run off to? :)

>> Problem 3: (I don't know how to create this problem.. but I see it in ethereal) .. assume some traffic hits tcp port xxxx .. the port is arbitrary in the example below.
>> ** searches in ldap for (&(objectclass=ipService)(ipServicePort=47205)(ipServiceProtocol=tcp))
>> now... that is a decent search.. but this goes back to number one above.. WHY is it looking in LDAP when /etc/nsswitch.conf says to look in files ONLY??


> Which items in nsswitch.conf have ldap as an option?

ooo I thought you had caught me there.. I missed protocols originally.. but even with that one "fixed" it still seems to get about one entry like this PER ldap search... I really can't generate them any other way.. it's like when the information comes back from the ldap server it has to try to figure out what it is :-/


[root invaderzim etc]# grep ldap /etc/nsswitch.conf | grep -v ^\#
passwd: files ldap
shadow: files ldap
group: files ldap
netgroup:   files nisplus ldap
automount:  files nisplus ldap
[root invaderzim etc]#

(hmm there's that nisplus again) .. nothing there really points out to search in ldap for services/protocols to me :-/

any suggestions?



>> Is there some other config file other than /etc/nsswitch.conf that I am just not aware of??

> Authentication is done through pam, but that doesn't sound like where
> you are having problems.

Yea.. that is a different bug entirely... if the ldap server is unreachable, not even root can log in... this poses a problem if you are a laptop user, or in the off chance the ldap server is unavailable. On a side note, does Linux support having more than one ldap auth server yet?


>> Tommy



> Thanks. Peter




-- Tommy McNeely -- Tommy McNeely Sun COM Sun Microsystems - IT Ops - Broomfield Campus Support Phone: x50888 / 303-464-4888 -- Fax: 720-566-3168
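An added illustration of the lookup order argued about in this thread; it is not part of the original mail and not code from nss_ldap or glibc. It is a small Python model of how glibc walks the sources named on a nsswitch.conf line, using constructed in-memory tables in place of /etc/passwd, /etc/group and the directory behind nss_ldap (the user "tommy", the "ldapadmins" group and the example.com DN are made up). Two points from the exchange show up in its results. A single-key lookup such as getpwnam() stops at the first source that answers, because the default action for a SUCCESS status is return, so "passwd: files ldap" does not go to LDAP for a user that exists in /etc/passwd. But "id" also enumerates supplementary groups, and that path (initgroups/getgrouplist) asks every source on the "group:" line and merges what comes back, which is why the LDAP server is still contacted for a local user and why a mix of groups from files and ldap is the intended behaviour. The action grammar glibc accepts is "[STATUS=action]" with STATUS one of SUCCESS, NOTFOUND, UNAVAIL or TRYAGAIN (a leading "!" negates it) and action "return" or "continue"; the example also parses a "files [NOTFOUND=return] ldap" line to show that making misses stop after files leaves LDAP-only users invisible.

```python
"""Model of how glibc walks the sources named on a nsswitch.conf line.

Added example, not code from nss_ldap or glibc.  The backends are constructed
in-memory tables standing in for /etc/passwd, /etc/group and the directory
behind nss_ldap; what is modelled is the action grammar
    database: source [STATUS=ACTION] source ...
with STATUS in SUCCESS/NOTFOUND/UNAVAIL/TRYAGAIN ('!' negates) and ACTION
return or continue.  Defaults: SUCCESS=return, everything else continue.
"""
import re

DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}
ACTION_RE = re.compile(r"\[(!?)([A-Za-z]+)=([A-Za-z]+)\]")


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]} in file order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments, blanks
        if not line:
            continue
        database, _, rest = line.partition(":")
        entries = []
        for token in rest.split():
            match = ACTION_RE.fullmatch(token)
            if match is None:                          # a plain source name
                entries.append((token, dict(DEFAULT_ACTIONS)))
                continue
            if not entries:
                raise ValueError(f"{database}: action before any source")
            negate, status, action = match.groups()
            status, action = status.upper(), action.lower()
            if status not in DEFAULT_ACTIONS or action not in ("return", "continue"):
                raise ValueError(f"{database}: unknown action {token}")
            # An action binds to the source immediately before it.
            targets = [s for s in DEFAULT_ACTIONS if s != status] if negate else [status]
            for s in targets:
                entries[-1][1][s] = action
        conf[database.strip()] = entries
    return conf


def databases_using(conf, source):
    """Databases naming a source (what 'grep ldap /etc/nsswitch.conf' shows)."""
    return sorted(db for db, entries in conf.items()
                  if any(src == source for src, _ in entries))


def lookup(conf, database, key, backends):
    """Single-key lookup such as getpwnam(): walk the sources in order, stop at
    the first status whose action is 'return'.  Returns (result, consulted)."""
    consulted = []
    for source, actions in conf.get(database, []):
        consulted.append(source)
        table = backends.get(source, {}).get(database)
        if table is None:                              # source lacks this database
            status, result = "UNAVAIL", None
        else:
            result = table.get(key)
            status = "SUCCESS" if result is not None else "NOTFOUND"
        if actions[status] == "return":
            return result, consulted
    return None, consulted


def initgroups(conf, user, backends):
    """Supplementary-group enumeration (the path behind 'id'): every source on
    the group line is asked and the answers merged; only a non-SUCCESS status
    with action 'return' stops the walk early.  Returns (groups, consulted)."""
    groups, consulted = set(), []
    for source, actions in conf.get("group", []):
        consulted.append(source)
        table = backends.get(source, {}).get("group")
        if table is None:
            status = "UNAVAIL"
        else:
            found = {name for name, members in table.items() if user in members}
            groups |= found
            status = "SUCCESS" if found else "NOTFOUND"
        if status != "SUCCESS" and actions[status] == "return":
            break
    return groups, consulted


# Constructed sample data: a passwd/group layout like the one in the thread.
SAMPLE_CONF = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nservices: files\n"
SAMPLE_BACKENDS = {
    "files": {"passwd": {"root": "root:x:0:0", "mailman": "mailman:x:41:41"},
              "group": {"root": {"root"}, "mailman": {"mailman"}}},
    "ldap": {"passwd": {"tommy": "uid=tommy,ou=People,dc=example,dc=com"},
             "group": {"ldapadmins": {"tommy", "mailman"}}},
}

if __name__ == "__main__":
    conf = parse_nsswitch(SAMPLE_CONF)
    print("getpwnam(mailman):", lookup(conf, "passwd", "mailman", SAMPLE_BACKENDS))
    print("groups for mailman:", initgroups(conf, "mailman", SAMPLE_BACKENDS))
```

Running it shows getpwnam("mailman") consulting only files, while the group enumeration for the same user consults files and then ldap and returns groups from both. The "services" line lists only files, so in this model a services lookup never reaches ldap; the model cannot reproduce the ipService searches seen in ethereal, which is consistent with the thread's conclusion that nsswitch.conf alone does not explain them.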




