LDAP problem (caused by permissions?)

Yang Xiao yxiao2004 at gmail.com
Wed Sep 29 00:00:32 UTC 2004


On Mon, 27 Sep 2004 14:58:23 -0700, Mark <msalists at gmx.net> wrote:
> Hi,
> 
> I have LDAP setup to do userid, groupid and password handling for me.
> I added "ldap" to 3 categories in nsswitch: passwd, shadow and group
> Do I need to add LDAP to any others?
> 
> The problem I have is the following:
> I can logon with a user (for example bob) that is setup in the LDAP
> directory and does not exist locally.
> When bob logs in, there are error messages saying:
> id: cannot find name for user ID 20002
> id: cannot find name for group ID 20001
> id: cannot find name for group ID 20003
> id: cannot find name for group ID 20002
> id: cannot find name for group ID 20000
> 
> If bob does "finger bob" or "groups bob", it says no such user.
> 
> If root does "finger bob" or "groups bob", everything comes up fine.
> 
> Is this a permission problem that prevents users other than root from
> using LDAP?
> 
> I have the same setup on a different machine using the same LDAP server
> where I do not have this problem.
> When I logon as bob and do an ldapsearch on "uid=bob" or "cn=bobsgroup" I
> get the same result as root gets for these queries, so the problem must be
> the part that receives the LDAP result and does the user/group handling
> accordingly.
> 
> The 3 files I modified for this setup are ldap.conf, nsswitch.conf and
> pam.d/system-auth . Is there any other file involved in this process?
> 
> Thanks,
> 
> MARK
> 
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> 

I'm assuming you are using openldap as the ldap server?
What does your ldap.conf file look like? (It would be helpful to post it,
don't you think?)
Check /etc/pam.d/system-auth and make sure it looks something like this.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# auth: try the local shadow file first, then LDAP with the same password
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

# account: local system accounts (uid < 100) skip the LDAP check entirely;
# a user unknown to LDAP is ignored rather than rejected
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so

# password: strength check first, then update the local or the LDAP entry
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so


This can be done by using the system-configure-authentication tool.

Yang
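
The symptom Mark describes (lookups work for root, fail for unprivileged users, while ldapsearch works for both) points at the NSS side rather than the LDAP server: ldapsearch uses the OpenLDAP client library and never touches the nss_ldap module that id(1), finger(1) and groups(1) go through. The following is an added diagnostic script, not code from either poster. It assumes the Fedora Core-era nss_ldap layout in which the module reads its client configuration from /etc/ldap.conf as the calling user (so a root-only 0600 copy makes lookups succeed only for root), and that getent(1) is available; the nsswitch.conf contents used in the functions' tests are constructed. Run it as bob and then as root and compare the output.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread (LDAP users resolve for root,
# but id/finger/groups fail for unprivileged users). Not code from either poster.
# Assumption: nss_ldap reads its client config, /etc/ldap.conf, as the calling
# user, so a 0600 root-owned copy makes lookups work only for root. The paths
# below are Fedora Core-era defaults and may differ on other systems.

# Print the nsswitch databases whose lookup chain includes "ldap", one per line.
# Usage: ldap_databases /etc/nsswitch.conf
ldap_databases() {
    sed -e 's/#.*//' "$1" | awk -F: '
        NF >= 2 && $2 ~ /(^|[[:space:]])ldap([[:space:]]|$)/ {
            gsub(/[[:space:]]/, "", $1); print $1
        }'
}

# Print which of the databases a login needs (passwd, shadow, group) do not
# consult ldap in the given nsswitch.conf; prints nothing when all three do.
missing_login_databases() {
    found=$(ldap_databases "$1")
    for db in passwd shadow group; do
        echo "$found" | grep -qx "$db" || echo "$db"
    done
}

# Return 0 if the file is readable by "other" (what an unprivileged nss_ldap
# caller gets), 1 otherwise. Parses the ls -l mode string for portability.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Live check on this host. Run as the affected user, then as root, and compare.
live_check() {
    user=$1
    nss=/etc/nsswitch.conf   # assumed path
    conf=/etc/ldap.conf      # assumed nss_ldap/pam_ldap config path
    echo "databases using ldap: $(ldap_databases "$nss" | tr '\n' ' ')"
    for db in $(missing_login_databases "$nss"); do
        echo "warning: $db does not consult ldap"
    done
    if world_readable "$conf"; then
        echo "$conf is world-readable"
    else
        echo "$conf is not world-readable: uid $(id -u) cannot use nss_ldap"
    fi
    # getent goes through NSS exactly like id(1) does; this is the real test,
    # unlike ldapsearch, which bypasses the NSS module entirely.
    getent passwd "$user" || echo "getent passwd $user failed as uid $(id -u)"
}

# Invoke with a user name, e.g. ./nss_ldap_check.sh bob
if [ $# -gt 0 ]; then
    live_check "$1"
fi
```

If the script reports that /etc/ldap.conf is not world-readable, that alone explains root-only resolution. If the file is readable and getent still fails only as the user, the next things to compare between the working and broken machines are the remaining nss_ldap settings in that file and whether nscd is running on one host but not the other.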



