
RE: [nssldap] LDAP Auth



Hi,

Thanks for the reply, but in the meantime I got a response from the OpenLDAP 
mailing list that nailed the problem for me. For future googlers facing the 
same problem: the problem was that LDAP was able to answer queries based 
on the cn attribute but not based on the uid attribute, due to an indexing 
problem. Stopping OpenLDAP, running slapindex and then starting OpenLDAP again 
made authentication work again.

For some strange reason "getent passwd" still gets the data, so it must 
retrieve that information in some other way. I confess I have no intention to 
look up code to find out :)

A simple way to know if this problem is affecting you is doing a manual search 
on ldap. In my case searching for "uid=myuser" returned no information while 
searching for "uid=myuser*" returned the correct information which was what 
made the problem clear for the OpenLDAP guys.

Regards,
Nuno

-----Original Message-----
From: Andrew Morgan [morgan [at] orst.edu]
Sent: Wednesday, 16 April 2008 17:07
To: Nuno Manuel Martins
Cc: nssldap@padl.com
Subject: Re: [nssldap] LDAP Auth

On Wed, 16 Apr 2008, Nuno Manuel Martins wrote:

> Hello list,
>
> I am having a very strange behaviour from my test with OpenLDAP 
> authentication. I tried to follow the HOWTOs online but I encountered an 
> undocumented problem :)
>
> After configuring nsswitch.conf I tried what they asked and did a getent 
> command which returns successfully:
> getent passwd | grep myuser
> myuser:x:10002:10001:myUser (LDAP):/home/ldap/john:/bin/bash
>
> This means that the system can get the proper data from the LDAP directory. 
> However, even before I try authentication I have this problem:
> su - myuser
> su: user myuser does not exist
>
> So does anyone know where su is getting its information from and why it is 
> different from the information on getent?

It looks like you are starting out as root.  Perhaps your ldap.conf file
is only readable by root?

        Andy
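
The manual check described in the message (an exact `uid=` search compared with a `uid=...*` substring search), written as a script. This is an added example, not part of the original thread; it assumes anonymous simple bind is allowed, and `LDAP_URI`, `LDAP_BASE` and the function names are placeholders chosen here. It goes slightly beyond the message by rejecting user names that would alter the search filter.

```shell
#!/bin/sh
# Added example (not from the original thread): compare an equality search
# with a substring search on uid to spot the symptom described above.
# Assumptions: anonymous simple bind works; URI and base DN are placeholders.
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}
LDAP_URI=${LDAP_URI:-ldap://localhost}
LDAP_BASE=${LDAP_BASE:-dc=example,dc=com}

# Run one search and print the LDIF result; fails if ldapsearch fails.
ldap_query() {  # $1 = filter, $2 = attribute to return
    $LDAPSEARCH -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" "$1" "$2"
}

# Prints one of: ok, index-suspect, not-found, error
check_uid_index() {
    user=$1
    # Reject anything that could change the filter (*, parentheses, backslash).
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo error; return 0 ;;
    esac
    exact=$(ldap_query "(uid=$user)" uid) || { echo error; return 0; }
    substr=$(ldap_query "(uid=$user*)" uid) || { echo error; return 0; }

    if printf '%s\n' "$exact" | grep -qixF "uid: $user"; then
        echo ok
    elif printf '%s\n' "$substr" | grep -qixF "uid: $user"; then
        # The entry exists, but the equality filter does not return it.
        echo index-suspect
    else
        echo not-found
    fi
}

# Stand-alone use: ./check_uid.sh myuser
if [ "$#" -gt 0 ]; then
    check_uid_index "$1"
fi
```

A result of `index-suspect` corresponds to the situation in the message, where stopping OpenLDAP, running slapindex and starting it again was the fix.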