LinuxQuestions.org - Fedora forum
ldap as auth server, users sometimes unknown ?? (https://www.linuxquestions.org/questions/fedora-35/ldap-as-auth-server-users-sometimes-unknown-359593/)

rhoekstra 09-02-2005 03:10 PM

ldap as auth server, users sometimes unknown ??
 
Since upgrading my FC3 to FC4, this problem is occurring even more than it already did... I am curious if there is something I am doing wrong...

The case is this.

I have LDAP as my authentication server. Currently, as for testing purposes, my own user account is the ONLY one that doesn't exist in the local passwd / shadow files, so my own account fully relies on the LDAP authentication server to function right. The other users DO have passwd/shadow accounts, so luckily I am the only one having this issue.

As I log on to my machine (which works fine) I often do some sudo actions or even a 'su -'. But sometimes it says that user account 500 doesn't exist in the passwd file (true, 500 is located in LDAP instead).

When doing a directory listing, I see files are owned by 500 instead of my user name.

This, until I do a 'w', or 'who' which resolves my name correctly, after which I CAN do the sudo / su - / directory listing with the desired results.

I do have nscd running and the LDAP authentication IS working correctly. I have my LDAP server secured with TLS / SSL, so perhaps there is some certification problem ??

What to do to debug this problem? Does anybody have (had) this same issue? Does it sound ANY familiar??

Thanks in advance for any pointers you could provide.

PenguinPwrdBox 09-04-2005 01:16 AM

If I had to guess, I would vote nscd.
One thing I would try:
Code:
watch --interval=.1 "getent passwd | grep username"

This will allow you to see, in tenth-of-a-second intervals, what PAM sees via NIS.

If you are having some sort of a caching issue, this may point it out to you. If it goes blank - you've lost the entry in the cache. See how long it remains missing.
If it is indefinite, I would bounce nscd, and see if it comes back.
It could be the lag for your LDAP query. What is your pam_login_attribute set to?
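
The polling idea above, carried a step further as an added example (not code from either poster): instead of watching the screen for the entry to vanish, log every transition between "resolved" and "missing" with a timestamp, so an intermittent cache gap is recorded together with how long it lasted. It assumes glibc's getent(1) and an nsswitch.conf that routes passwd lookups through files and ldap, as in the original post; the file name in the usage comment and the functions resolve_uid and poll_uid are my own names.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes getent(1) from glibc and an
# nsswitch.conf that sends "passwd" lookups through files and ldap (via nscd).

# Resolve a numeric UID (or a login name) to its login name through NSS.
# Prints the name and returns 0; prints nothing and returns 1 when NSS has no
# entry, which is the state the thread describes ("500" shown instead of a name).
resolve_uid() {
    name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Poll resolution of a UID every INTERVAL seconds for DURATION seconds and
# print a timestamped line each time the state flips between resolved and
# missing. Returns the number of gaps observed (0 means the entry was stable).
poll_uid() {
    uid=$1; interval=${2:-0.1}; duration=${3:-30}
    end=$(( $(date +%s) + duration ))
    state=unknown; gaps=0
    while [ "$(date +%s)" -lt "$end" ]; do
        if name=$(resolve_uid "$uid"); then now=resolved; else now=missing; fi
        if [ "$now" != "$state" ]; then
            printf '%s uid %s: %s %s\n' "$(date '+%H:%M:%S')" "$uid" "$now" "${name:-}"
            [ "$now" = missing ] && gaps=$((gaps + 1))
            state=$now
        fi
        sleep "$interval"
    done
    return "$gaps"
}

# Usage (file name is an assumption): sh nss_poll.sh <uid> [interval] [duration]
if [ -n "${1:-}" ]; then
    poll_uid "$@"
fi
```

If a "missing" line ever appears for a UID that lives only in LDAP, the lookup path (nscd or the LDAP query itself) dropped the entry; `nscd -g` prints cache hit and miss statistics and `nscd -i passwd` invalidates the passwd cache, which makes it easy to tell a stale cache apart from a slow or failing directory query.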

rhoekstra 09-05-2005 01:39 AM

I tried the watch, and it showed the username nicely... wasn't able to catch a fault.

I didn't have any pam_login_attribute set in my /etc/ldap.conf or /etc/openldap/ldap.conf (don't know the exact difference in use between these two?).

I have set them to 'uid' though, as in my LDAP server the users are in uid=<name>,ou=People,dc=<domain>,dc=<tld>