Re: [nssldap] id: cannot find name for user ID XXXX

On Wednesday 31 January 2007 05:13, ccyen wrote:
> Dear All
>
>      I have searched all the archived mailing lists; although I found some
> similar cases and solutions, none of them worked.
>
> I have added rootbinddn in /etc/ldap.conf and put the manager's password in
> /etc/ldap.secret.

So, binddn and bindpw are not set in /etc/ldap.conf, so nss queries as 
non-root will use anonymous binds.

>
> I add these setting in nsswitch.conf
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
>
> So I could log in to the ldap client as root (local authentication) and get
> no error.
> And I (root) could get the correct information when I use the command
> "finger alex".
>
>
> Here is the problem....
> When I use the userid "alex" to log in to the server with ldap
> authentication, the login succeeds but I get the error message "id: cannot find
> name for user ID XXXX"
>
>
> It looks like the ldap client queries the ldap server with insufficient
> permission.
>
> But I (alex) could use the command
> ==============================
> ldapsearch -x -D "uid=alex,ou=people,dc=sinica,dc=edu,dc=tw" -W -b
> "uid=alex,ou=People,dc=sinica,dc=edu,dc=tw"
> ==============================

So, you are binding as a user.

> to  get the complete information
> (uid,userPassword,shadowLastChange,shadowExpire,loginShell,uidNumber,
> gidNumber,homeDirectory,....) in the ldap client.
>
>
> I think that it's a permission problem when the ldap client queries the user
> information from the ldap server, but I don't know how to solve this problem.
>
> I have tested chmodding the files "ldap.conf" and "ldap.secret" to 644,
> but it didn't work.

The whole point of ldap.secret is that it can have more restrictive 
permissions than /etc/ldap.conf.

>
> This is the output of the command "strace -s 128 -e open getent passwd alex"
>
> ==================================================================
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/tls/libc.so.6", O_RDONLY)    = 3
> open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
> open("/etc/nsswitch.conf", O_RDONLY)    = 3
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/libnss_files.so.2", O_RDONLY) = 3
> open("/etc/passwd", O_RDONLY)           = 3
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/libnss_ldap.so.2", O_RDONLY) = 3
> open("/lib/libcom_err.so.2", O_RDONLY)  = 3
> open("/lib/libdl.so.2", O_RDONLY)       = 3
> open("/lib/libresolv.so.2", O_RDONLY)   = 3
> open("/etc/ldap.conf", O_RDONLY)        = 3
> open("/etc/ldap.secret", O_RDONLY)      = -1 EACCES (Permission denied)
> open("/etc/resolv.conf", O_RDONLY)      = 3
> open("/etc/host.conf", O_RDONLY)        = 3
> open("/etc/hosts", O_RDONLY)            = 3
> open("/etc/openldap/ldap.conf", O_RDONLY) = 3
> open("/user4/center/ccyen/ldaprc", O_RDONLY) = -1 ENOENT (No such file or
> directory)
> open("/user4/center/ccyen/.ldaprc", O_RDONLY) = -1 ENOENT (No such file or
> directory)
> open("/etc/hosts", O_RDONLY)            = 3
> open("/etc/hosts", O_RDONLY)            = 3
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/libnss_dns.so.2", O_RDONLY)  = 3
> Process 24158 detached
> =====================================================================
>
> I have checked the ldap.log,
> I think there are two sections in that log.
>
> In the first section, the ldap client queries the ldap server to check the user's
> password and to get some user information with the rootbinddn.
>
> In the second section, the ldap client queries the ldap server with bind dn=""!!!
>
> I don't know why it is empty, and I think it's the main reason.

Because the purpose of the rootbinddn is for operation as root.

> The ldap client uses the empty (anonymous?) bind dn to query the ldap server!!!
> Of course the ldap client found nothing.
>
> Could you give me any suggestions?


Either use nscd (which runs as root) to "proxy" queries from non-root users, 
or allow anonymous searches, or use a "proxy" server (binddn, bindpw, or via 
gssapi) in /etc/ldap.conf.

Regards,
Buchan

-- 
Buchan Milne
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
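A small check for the situation diagnosed in this thread, added here as an example and not part of the original mail: it reads an nss_ldap style /etc/ldap.conf, reports whether non-root NSS lookups will bind anonymously or as the proxy user (rootbinddn only applies to root, since its password comes from ldap.secret), and verifies that ldap.secret is root-only. It assumes only the keys mentioned above (rootbinddn, binddn, bindpw) and that the config uses one "key value" pair per line.

```shell
#!/bin/sh
# Added example (not from the thread). Inspect an nss_ldap /etc/ldap.conf and
# /etc/ldap.secret the way nss_ldap itself will treat them.

# Print the value of the last uncommented occurrence of KEY in FILE
# (empty if the key is not set). Comment lines start with '#' in field 1,
# so they never match a key name.
ldapconf_get() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Classify how lookups from a non-root process will bind:
#   proxy      - binddn and bindpw set: the proxy user's credentials are used
#   proxy-nopw - binddn set without bindpw: bind will fail or be treated as anonymous
#   anonymous  - neither set: anonymous bind, the case in the thread
# rootbinddn is deliberately ignored here: it is only used when running as root.
nss_bind_mode() {
    conf="$1"
    binddn=$(ldapconf_get "$conf" binddn)
    bindpw=$(ldapconf_get "$conf" bindpw)
    if [ -n "$binddn" ] && [ -n "$bindpw" ]; then
        echo proxy
    elif [ -n "$binddn" ]; then
        echo proxy-nopw
    else
        echo anonymous
    fi
}

# Return 0 if the secret file exists and is mode 0600. The EACCES seen in the
# strace above when a non-root user opens ldap.secret is the expected result of
# these permissions; loosening them to 644 exposes the manager password.
ldap_secret_ok() {
    secret="$1"
    [ -f "$secret" ] || return 1
    [ "$(ls -ld "$secret" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh nss_ldap_check.sh [ldap.conf] [ldap.secret]
if [ $# -gt 0 ]; then
    echo "non-root NSS lookups bind as: $(nss_bind_mode "$1")"
    if ldap_secret_ok "${2:-/etc/ldap.secret}"; then
        echo "ldap.secret permissions ok (0600)"
    else
        echo "ldap.secret missing or not mode 0600"
    fi
fi
```

With the poster's configuration (rootbinddn only) the script reports "anonymous", which is exactly why "id" fails for alex while root's lookups succeed.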