fantasygoat
11-03-2009 04:49 PM
LDAP login weirdness
I've got LDAP authentication working fine under CentOS 5.4 - users can log in, a home directory is created. But when they log in, they get this:
Quote:
> ssh user.name@testserver
user.name's password:
Creating directory '/home/user.name'.
id: cannot find name for user ID 1009
id: cannot find name for user ID 1009
[I have no name!@testserver ~]$
|
Running "getent passwd" as the user turns up nothing. Also, the user's home directory has the wrong group ID:
Quote:
drwxr-xr-x 2 user.name splunk 4096 Nov 3 13:34 user.name/
|
The LDAP server is configured to allow anonymous reads. Here's my slapd.conf:
Quote:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/ca-cert.pem
TLSCertificateFile /etc/openldap/cacerts/server-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server-key.pem
TLSVerifyClient never
access to *
by dn="cn=Manager,dc=domain,dc=com" write
by self write
by * read
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
rootpw {SSHA}xxxx
directory /var/lib/openldap-data
index objectClass eq
|
Users are restricted from logging in based on /etc/security/access.conf entries by group. The user is a member of the right group:
Quote:
# getent group | grep user
dev-web:*:1506:user.name
|
and the "splunk" group is 506 in the /etc/group file.
All I can find on the error implies it's either a permissions problem on the passwd or group files, which doesn't apply, or that anonymous reads must be enabled, which they are.
The strange thing is that my own user account can log in fine; it is a member of wheel and also has an SSH key. Not sure if that's relevant.
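The symptoms in the post (PAM accepts the password, but `getent passwd` and `id` cannot resolve the uid, and the home directory lands in a local group) are what you see when NSS, as opposed to PAM, is not getting a usable posixAccount/posixGroup view of the directory. The script below is an added diagnostic written for this thread, not something from the original post or from OpenLDAP; it checks an LDIF dump (what `ldapsearch -x -b <suffix>` would print) for the attributes nss_ldap needs, flags uidNumber/gidNumber values that collide with local files, and checks that nsswitch.conf actually lists `ldap` for the passwd and group databases. The LDIF, passwd, group and nsswitch samples are constructed (the numbers 1009, 506, 1506 and the group name splunk are borrowed from the thread to mirror its situation); the function names are my own.

```python
"""Diagnose why LDAP users authenticate but NSS cannot resolve them.

Hypothetical helper written for this thread. All sample data below is
constructed; it is not taken from the poster's server.
"""
from collections import defaultdict

# Attributes nss_ldap needs to build a passwd entry (RFC 2307 posixAccount).
REQUIRED_USER_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory")
# NSS databases that getent passwd / id consult.
CHECKED_DBS = ("passwd", "group")


def parse_ldif(text):
    """Parse a simple LDIF dump into a list of {attr: [values]} dicts.

    Multi-valued attributes are collected; blank lines separate records.
    Base64 (::) values and folded lines are not handled; not needed here.
    """
    entries, cur = [], defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()].append(value.strip())
    if cur:
        entries.append(dict(cur))
    return entries


def parse_colon_file(text):
    """Parse /etc/passwd- or /etc/group-style text into {name: numeric id}."""
    ids = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            ids[fields[0]] = int(fields[2])
    return ids


def check_nsswitch(text):
    """Return the checked NSS databases whose source list lacks 'ldap'."""
    missing = []
    for line in text.splitlines():
        db, _, sources = line.partition(":")
        if db.strip() in CHECKED_DBS and "ldap" not in sources.split():
            missing.append(db.strip())
    return missing


def check_entries(ldif_text, passwd_text, group_text):
    """Return human-readable findings about entries NSS cannot map cleanly."""
    findings = []
    local_uids = parse_colon_file(passwd_text)
    local_gids = parse_colon_file(group_text)
    entries = parse_ldif(ldif_text)
    # Primary groups must resolve somewhere; collect the LDAP posixGroups first.
    ldap_gids = {int(e["gidNumber"][0]): e["cn"][0]
                 for e in entries if "posixGroup" in e.get("objectClass", [])}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = e.get("objectClass", [])
        if "posixAccount" not in classes:
            if "inetOrgPerson" in classes:  # a person, but invisible to NSS
                findings.append(f"{dn}: no posixAccount objectClass; nss_ldap will not map it to a uid")
            continue
        missing = [a for a in REQUIRED_USER_ATTRS if a not in e]
        if missing:
            findings.append(f"{dn}: missing {', '.join(missing)}")
            continue
        uid, uidn, gidn = e["uid"][0], int(e["uidNumber"][0]), int(e["gidNumber"][0])
        for name, n in local_uids.items():
            if n == uidn and name != uid:
                findings.append(f"{dn}: uidNumber {uidn} collides with local user {name}")
        if gidn not in ldap_gids:
            local = [n for n, g in local_gids.items() if g == gidn]
            if local:
                findings.append(f"{dn}: primary gidNumber {gidn} is not an LDAP posixGroup; "
                                f"it resolves to local group {local[0]}")
            else:
                findings.append(f"{dn}: primary gidNumber {gidn} resolves to no group")
    return findings


# Constructed sample data modelled on the thread (not real directory content).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
uidNumber: 1009
gidNumber: 506
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob

dn: cn=dev-web,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: dev-web
gidNumber: 1506
memberUid: alice
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsplunk:x:506:506::/opt/splunk:/bin/bash\n"
SAMPLE_GROUP = "root:x:0:\nsplunk:x:506:\n"
SAMPLE_NSSWITCH = "passwd: files\ngroup: files ldap\nshadow: files\n"

if __name__ == "__main__":
    for db in check_nsswitch(SAMPLE_NSSWITCH):
        print(f"nsswitch.conf: '{db}' does not list ldap")
    for finding in check_entries(SAMPLE_LDIF, SAMPLE_PASSWD, SAMPLE_GROUP):
        print(finding)
```

Run against a real host by feeding it the output of `ldapsearch -x -b "dc=domain,dc=com"` together with the local /etc/passwd, /etc/group and /etc/nsswitch.conf. In the constructed sample it reports that alice's primary gid 506 is a local group rather than an LDAP posixGroup (the home-directory ownership symptom from the post) and that bob has no posixAccount objectClass, and that `passwd` in nsswitch.conf does not consult ldap at all, which on its own produces "I have no name!" even when PAM authentication succeeds.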