On Mon, 27 Sep 2004 14:58:23 -0700, Mark <msalists@xxxxxxx> wrote:
> Hi,
>
> I have LDAP setup to do userid, groupid and password handling for me.
> I added "ldap" to 3 categories in nsswitch: passwd, shadow and group
> Do I need to add LDAP to any others?
>
> The problem I have is the following:
> I can logon with a user (for example bob) that is setup in the LDAP
> directory and does not exist locally.
> When bob logs in, there are error messages saying:
> id: cannot find name for user ID 20002
> id: cannot find name for group ID 20001
> id: cannot find name for group ID 20003
> id: cannot find name for group ID 20002
> id: cannot find name for group ID 20000
>
> If bob does "finger bob" or "groups bob", it says no such user.
>
> If root does "finger bob" or "groups bob", everything comes up fine.
>
> Is this a permission problem that prevents users other than root to use
> LDAP?
>
> I have the same setup on a different machine using the same LDAP server
> where I do not have this problem.
> When I logon as bob and do an ldapsearch on "uid=bob" or "cn=bobsgroup" I
> get the same result as root gets for these queries, so the problem must be
> the part that receives the LDAP result and does the user/group handling
> accordingly.
>
> The 3 files I modified for this setup are ldap.conf nsswitch.conf and
> pam.d/system-auth . Is there any other file involved in this process?
>
> Thanks,
>
> MARK
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>

I'm assuming you are using OpenLDAP as the LDAP server?

What does your ldap.conf file look like? (Would be helpful to post it,
don't you think?)

Check /etc/pam.d/system-auth and make sure it looks something like this.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

This can be done by using the system-configure-authentication tool.

Yang
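
An added example, not part of the original thread or of any Fedora tool: a small Python check that nsswitch.conf lists ldap for the three databases named in the question, and that a system-auth stack carries pam_ldap.so in each section as in the listing in the reply. The sample file contents and all function names are constructed for illustration.

```python
import os
import re

# Constructed sample inputs modelled on the files named in the thread.
SAMPLE_NSSWITCH = """\
passwd: files ldap
shadow: files ldap
group:  files
"""
SAMPLE_PAM = """\
#%PAM-1.0
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient /lib/security/$ISA/pam_ldap.so
auth     required   /lib/security/$ISA/pam_deny.so
account  [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
"""

# type, control (plain word or [bracketed list]), module path, optional arguments
PAM_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) tuples; control may be bracketed."""
    rules = []
    for line in text.splitlines():
        m = PAM_LINE.match(line.strip())  # comment and blank lines never match \w+
        if m:
            rules.append((m.group(1), m.group(2), os.path.basename(m.group(3)), m.group(4).split()))
    return rules

def nss_missing_ldap(text, databases=("passwd", "shadow", "group")):
    """Databases from the thread whose nsswitch.conf line lacks the ldap source."""
    sources = {}
    for line in text.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep:
            sources[db.strip()] = rest.split()
    return [db for db in databases if "ldap" not in sources.get(db, [])]

def pam_findings(text):
    """Compare a system-auth stack with the layout shown in the reply."""
    rules, findings = parse_pam(text), []
    for kind in ("auth", "account", "password", "session"):
        ldap = [r for r in rules if r[0] == kind and r[2] == "pam_ldap.so"]
        if not ldap:
            findings.append(f"{kind}: no pam_ldap.so line")
        elif kind == "auth" and "use_first_pass" not in ldap[0][3]:
            findings.append("auth: pam_ldap.so lacks use_first_pass")
    return findings
```

To check a real machine, pass the contents of /etc/nsswitch.conf and /etc/pam.d/system-auth to the two functions instead of the constructed samples.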