On Thu, 2004-01-08 at 15:30, Bevan C. Bennett wrote: > 4) /etc/ldap.conf has something like > host ldap.domain.com > base dc=domain,dc=com > pam_filter objectclass=posixAccount I'll be d****d. That last line there was commented out and read #pam_filter objectclass=account which I gather is the default. Changing it to agree with your /etc/ldap.conf fixed the problem! This didn't come up in the last version because, following the aforementioned OpenLDAP Everywhere article, my old LDIF's had both "objectclass=account" and "objectclass=posixAccount" for users. The former apparently vanished from the inetorgperson.schema file somewhere between RH8 and FC1, and I removed it from my LDIF files in the transition. > nss_base_passwd ou=People,dc=domain,dc=com?one > nss_base_shadow ou=People,dc=domain,dc=com?one > nss_base_group ou=Groups,dc=domain,dc=com?one How necessary is this? I've got my ou's set to "people" and "group" instead of "People" and "Groups" respectively. Right now everything seems to work but who knows...I suppose I'd better change them too. > Does 'finger ldap_user' list the correct information? Yes, that always worked. > If not it's definately nss_ldap related... possibly due to an incorrect > ssl setting (I think the default may have changed at some point) or an > unhappy nscd. We can exonerate nscd since I don't normally run it. Thanks again, Bevan! Now I can go find my hair and try to glue it back in :-) . -- Stephen Walton <stephen.walton@xxxxxxxx> Dept. of Physics & Astronomy, Cal State Northridge
