[ale] LDAP Authentication Issue

Jim Kinney jim.kinney at gmail.com
Wed May 14 14:30:27 EDT 2014


Look to see if the nscd (NOT nslcd) is the issue. The nscd can cache
password, group, and host data. If it is in use AND has an issue with
corruption or lost connection, the cache will time out and user connection
will fail.

But as it's only a single user, I would change their UID (and on all their
stuff - so this is non-trivial) and have them retry.


On Wed, May 14, 2014 at 2:02 PM, Sam Davis <aracthabar at gmail.com> wrote:

> In this situation, I am just talking about ssh access to the machine.  The
> account works for a while then stops working, but not on every machine at
> the same time.  It may work on machine X for a few days before it stops,
> while machine Y works continuously.  Sometimes the account is not there at
> all (i.e. an 'id username' returns 'Unknown id: username') and sometimes
> the account is there, but the group membership isn't. In all cases,
> shutting down nslcd, waiting a sec, and restarting it has fixed the problem.
>
> Sam
>
>
>
> On 05/14/2014 01:51 PM, JD wrote:
>
>> On 05/14/2014 01:34 PM, JD wrote:
>>
>>> On 05/14/2014 11:59 AM, Sam Davis wrote:
>>>
>>>> Hello All,
>>>>
>>>>      I have to admit, I really don't know where to begin on this. LDAP
>>>> has never been my strong suit.  We use LDAP authentication for most of
>>>> our servers.  We have one user whom the client machines seem to forget
>>>> about.  In order to restore his account's functionality, I have to stop
>>>> and then start nslcd. Sometimes the client machines do not even realize
>>>> his account exists, sometimes it knows the account exists, but doesn't
>>>> assign the correct group memberships. Other accounts are not impacted by
>>>> this.  Does anyone have any idea where to even begin looking into an
>>>> issue like this?
>>>>
>>> I would look for conflicts between local accounts and the LDAP settings.
>>>
>>> And differences in allowed userid/passwords between the different
>>> systems.
>>
>> We've used LDAP here for years, but I got burned when 1 webapp had a 32
>> character limit on password entries, but my normal passwords were 60+
>> characters (yes, I use a password manager).  I used the same password
>> across 7 different systems just fine, but 1 never worked. It was too
>> long.  This was strictly a password entry issue since LDAP was performing
>> the authentication.
>>
>> Could also be that certain characters are allowed on the password change
>> screen, but not by specific login pages. In theory, this should be less
>> and less a problem. I haven't seen it in years.
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>



-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain


http://heretothereideas.blogspot.com/
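The two symptoms Sam describes (an account NSS cannot resolve at all, or one that resolves but with group memberships missing) can be tracked across nslcd/nscd restarts by snapshotting what the client's NSS stack returns and diffing it against a known-good view. This is an added example, not code from anyone in the thread; the user name and the GOOD_VIEW baseline are constructed, and pwd/grp are used because they go through the same libc NSS path (nslcd, and nscd if enabled) that `id` and `getent` use.

```python
import grp
import pwd

# Constructed baseline: what a healthy client resolved for the user earlier.
GOOD_VIEW = {"uid": 5001, "gid": 5001, "groups": {"sam", "developers", "wheel"}}


def snapshot(username):
    """Return the current NSS view of `username`, or None when NSS cannot
    resolve the account at all (the state in which 'id username' prints
    'Unknown id: username')."""
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        return None
    # Supplementary groups: every group whose member list names the user.
    groups = {g.gr_name for g in grp.getgrall() if username in g.gr_mem}
    try:
        groups.add(grp.getgrgid(pw.pw_gid).gr_name)
    except KeyError:
        groups.add("gid:%d" % pw.pw_gid)  # primary GID with no group entry
    return {"uid": pw.pw_uid, "gid": pw.pw_gid, "groups": groups}


def diff_views(baseline, current):
    """Compare a known-good snapshot with a later one and name the symptom."""
    if baseline is None:
        raise ValueError("baseline must come from a resolvable account")
    if current is None:
        return ["account not resolvable via NSS (would show 'Unknown id')"]
    findings = []
    if current["uid"] != baseline["uid"]:
        findings.append("uid changed %d -> %d" % (baseline["uid"], current["uid"]))
    if current["gid"] != baseline["gid"]:
        findings.append("primary gid changed %d -> %d" % (baseline["gid"], current["gid"]))
    missing = baseline["groups"] - current["groups"]
    if missing:
        findings.append("missing groups: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "sam"  # constructed default
    view = snapshot(user)
    print("NSS view of %s: %s" % (user, view))
    for line in diff_views(GOOD_VIEW, view) or ["no change from baseline"]:
        print(line)
```

Run it from cron on each affected client and log the output; a line that flips to "not resolvable" or "missing groups" gives a timestamp to line up against nslcd and nscd log entries.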