[ale] LDAP Authentication Issue

Sam Davis aracthabar at gmail.com
Wed May 14 14:02:26 EDT 2014


In this situation, I am just talking about ssh access to the machine.  
The account works for a while then stops working, but not on every 
machine at the same time.  It may work on machine X for a few days 
before it stops, while machine Y works continuously.  Sometimes the 
account is not there at all (i.e. an 'id username' returns 'Unknown id: 
username') and sometimes the account is there, but the group membership 
isn't. In all cases, shutting down nslcd, waiting a sec, and restarting 
it has fixed the problem.

Sam


On 05/14/2014 01:51 PM, JD wrote:
> On 05/14/2014 01:34 PM, JD wrote:
>> On 05/14/2014 11:59 AM, Sam Davis wrote:
>>> Hello All,
>>>
>>>      I have to admit, I really don't know where to begin on this. LDAP has never
>>> been my strong suit.  We use LDAP authentication for most of our servers.  We
>>> have one user whom the client machines seem to forget about.  In order to
>>> restore his account's functionality, I have to stop and then start nslcd.
>>> Sometimes the client machines do not even realize his account exists, sometimes
>>> it knows the account exists, but doesn't assign the correct group memberships.
>>> Other accounts are not impacted by this.  Does anyone have any idea where to
>>> even begin looking into an issue like this?
>> I would look for conflicts between local accounts and the LDAP settings.
>>
> And differences in allowed userid/passwords between the different systems.
> We've used LDAP here for years, but I got burned when 1 webapp had a 32
> character limit on password entries, but my normal passwords were 60+ characters
> (yes, I use a password manager).  I used the same password across 7 different
> systems just fine, but 1 never worked. It was too long.  This was strictly a
> password entry issue since LDAP was performing the authentication.
>
> Could also be that certain characters are allowed on the password change screen,
> but not by specific login pages. In theory, this should be less and less a
> problem. I haven't seen it in years.


