Re: Strabge LDAP problem

[Jose Alberto Guzman <jguzman@iteso.mx>]

 There's an explanation of this issue and some suggested workarounds on 
the (upstream) ldap-pam list, basically as finger knows nothing about 
ldap, it's better to substitute the 'finger' command with some 
perl/python/shell script that does the same but queries the ldap server 
directly.

http://www.netsys.com/pamldap/2001/09/msg00003.html


 I remember reading about a 'proper' solution to this issue, but can't 
find the thread on the list, anyway we've been using our own finger 
substitute for quite a long time with no problems.


PS.
 Please reply to the list

Michael Loftis wrote:
> augh disregard my last...sound slike you got that done.  long day over 
> here already.
>
> can you turn up debugging on your slapd?  loglevel 256 or loglevel 512 
> are VERY helpful, they log what searches are run--one or both does i 
> can't remember...this way you can find out whats up.
>
> --On Tuesday, March 23, 2004 23:06 -0500 Stephen Gran <sgran@debian.org> 
> wrote:
>
> > Hello all,
> >
> > I am having the strangest LDAP issue.  We recently migrated a network
> > from a hodgepdge of system accounts to an all LDAP setup, with the
> > exception of a few administrative accounts.  All seems to be working
> > well, except for one thing - finger.  id returns the expected values,
> > users can log in, mail gets accepted and delivered, everything I can
> > think of to check works fine, except finger.
> >
> > Even stranger:
> > finger -m $user returns expected results, although finger $user returns
> > 'no such user'.  Aha! I said - an indexing problem , or perhaps nscd.
> > Responses coming back too slow for finger.  Messed about with different
> > indexing schemes (they are currently this:
> >
> > index gecos,cn,uid pres,eq,sub
> > index homeDirectory,objectClass,loginshell,gidnumber,uidnumber pres,eq
> >
> > for an ldif of:
> >
> > dn: uid=$user,ou=People,dc=ccil,dc=org
> > objectClass: top
> > objectClass: ccilAccount
> > objectClass: posixAccount
> > objectClass: ccilAddress
> > objectClass: ccilWorkAddress
> > objectClass: ccilPerson
> > cn: Some Guy
> > uid: $user
> > uidNumber: 11709
> > gidNumber: 100
> > homeDirectory: /home/u/$user
> > l: Smalltown
> > st: PA
> > postalCode: 12345
> > userPassword:: <secret>
> > loginShell: /bin/bash
> > gecos: Some Guy
> > pppAccess: TRUE
> > emailAccess: TRUE
> > registered: Oct 30 22:23:16 2001
> > street: 1224 Main St.
> > bday: 01-02-03
> > telephoneNumber: 215-555-1212
> > education: College Graduate
> > gender: Blank
> >
> > (names changed to protect the innocent))
> >
> > Changing indexing options, running slapindex over and over, no help.
> >
> > By accident, I reran finger in my root session that was kept open as an
> > "I hope I don't hose something" backup plan, and it worked.  Now I start
> > to think ACL's, nscd permissions, etc, but I see nothing out of the
> > ordinary.  We're using a pretty close to stock Debian config for all of
> > this, with some minor tuning for indexing options and cache size, but
> > that's about it.  The ACL's are the stock ones, so I really don't know
> > what's falling over here.  Anybody have any ideas what to debug next?
> >
> > TIA,
> > --
> >  -----------------------------------------------------------------
> > |   ,''`.                         Stephen Gran |
> > |  : :' :                     sgran@debian.org |
> > |  `. `'            Debian user, admin, and developer |
> > |    `-                        http://www.debian.org |
> >  -----------------------------------------------------------------
>
>
>
>
> --
> Michael Loftis
> Modwest Sr. Systems Administrator
> Powerful, Affordable Web Hosting
> GPG/PGP --> 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E