Re: [Auth] 'ident' method and LDAP user accounts

From: "Florian Pflug" <fgp(at)phlo(dot)org>
To: "Marco Colombo" <pgsql(at)esiway(dot)net>
Cc: "Stephane Bortzmeyer" <bortzmeyer(at)nic(dot)fr>, "Florian G(dot) Pflug" <fgp(at)phlo(dot)org>, pgsql-general(at)postgresql(dot)org
Subject: Re: [Auth] 'ident' method and LDAP user accounts
Date: 2005-03-03 12:20:35
Message-ID: 32823.193.170.75.110.1109852435.squirrel@mail.office.solution-x.com
Lists: pgsql-general

On Thu, March 3, 2005 12:00, Marco Colombo said:
> On Thu, 3 Mar 2005, Stephane Bortzmeyer wrote:
>> On Thu, Mar 03, 2005 at 10:04:32AM +0100,
>> Florian G. Pflug <fgp(at)phlo(dot)org> wrote
>> a message of 114 lines which said:
>>
>>> Might it be that the postgres user is not allowed to read
>>> /etc/ldap.conf - or however your nss_ldap config file is called?
>>
>> myriam:~ % ls -ld /etc/*ldap*
>> drwxr-xr-x 2 root root 4096 Oct 18 17:17 /etc/ldap
>> -rw------- 1 root root 13 Oct 18 17:19 /etc/ldap.secret
>> -rw-r--r-- 1 root root 8442 Oct 18 17:27 /etc/libnss-ldap.conf
>> -rw-r--r-- 1 root root 7070 Oct 18 17:19 /etc/pam_ldap.conf
>>
>>> I'd try su-ing to the postgres user, and check if everything (ls -l
>>> /home, ... - you get the idea) works as expected.
>>
>> It does:
>> myriam:~ % id
>> uid=104(postgres) gid=108(postgres) groups=108(postgres)
>>
>> myriam:~ % ls -l /home/bortzmeyer
>> total 68
>> drwxr-sr-x 3 bortzmeyer staff 4096 Nov 19 11:47 AFGNIC
>>
>> While "bortzmeyer" is not on /etc/passwd, only in LDAP.
>>
>> So, we still have a mystery :-(
Seems so... you could try to start the postmaster via strace -f, and
capture the log
("strace -f <postmaster> -- <postmaster-opts> > /tmp/postmaster.strace 2>&1")

Then try to connect, and see what happens - you should see the postmaster
open your pam_ldap.conf, and then try to connect to your ldap server.
Maybe you find some hint in the strace log on what's going on...

Maybe it's also worth trying to start the postmaster by hand - the
init-script might set some different env-variables or paths than what you
have set in an interactive shell...

> Does Debian include and activate SELinux?
There are selinux-versions of debian, but in vanilla debian/sarge (and
debian/woody, and debian/sid), there is no selinux support - at least, I
never stumbled upon this, and I use quite a few debian machines.

greetings, Florian Pflug
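
Added example (not part of the message above, and not PostgreSQL or strace project code): one way to pull the LDAP-related file opens and connection attempts out of a captured `strace -f` log, so a permission or connectivity failure in the postmaster stands out. The sample log lines, the function names and the port set 389/636 are assumptions made for the illustration.

```python
import re

# Constructed sample of `strace -f` output (illustrative, not from the thread).
SAMPLE = """\
[pid  2101] open("/etc/libnss-ldap.conf", O_RDONLY) = 7
[pid  2101] open("/etc/ldap.secret", O_RDONLY) = -1 EACCES (Permission denied)
[pid  2101] connect(8, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused)
[pid  2102] open("/etc/passwd", O_RDONLY) = 5
[pid  2102] open("/etc/pam_ldap.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# Optional pid prefix ("[pid N]" on a terminal, bare "N" with -o), then call(args) = ret [ERRNO]
LINE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)(?:\s+(E\w+))?')
PATH = re.compile(r'"([^"]*)"')
PORT = re.compile(r'sin6?_port=htons\((\d+)\)')
LDAP_PORTS = {389, 636}  # assumed standard LDAP / LDAPS ports
FILE_CALLS = ("open", "openat", "stat", "access")

def ldap_events(text):
    """Return (pid, syscall, target, 'ok' or errno name) for LDAP-related calls."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # unfinished/resumed calls, signals and exit lines are skipped
        pid = m.group(1) or m.group(2) or "-"
        call, args, ret, err = m.group(3), m.group(4), int(m.group(5)), m.group(6)
        status = "ok" if ret >= 0 else (err or "error")
        if call in FILE_CALLS:
            p = PATH.search(args)
            if p and "ldap" in p.group(1):
                events.append((pid, call, p.group(1), status))
        elif call == "connect":
            port = PORT.search(args)
            if port and int(port.group(1)) in LDAP_PORTS:
                events.append((pid, call, "tcp/" + port.group(1), status))
    return events

def failures(events):
    """Keep only the calls that returned an error."""
    return [e for e in events if e[3] != "ok"]

if __name__ == "__main__":
    for event in ldap_events(SAMPLE):
        print(*event)
```

A non-blocking `connect()` normally returns `EINPROGRESS`, which this sketch lists as a failure; treat that errno as expected when reading the output.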
