Re: Problems with finger

[Scott Gifford <sgifford@tir.com>]

Jonathan Keeling <jmjk2-openldap@srcf.ucam.org> writes:

> I'm attempting to replace NIS by a combination of LDAP and Kerberos, but
> have been having some problems with finger.  Although most commands using
> getpwent succeed (i.e. ls reports the correct usernames for uids, and
> whoami is correct), finger fails for some users. 
> 
> This turned out to be because finger appears (from running strace) to
> just be getting the entries for all users, and filtering them itself,
> and so the sizelimit of 500 caused some users not to appear.  Changing
> sizelimit on the server cures these symptoms, but it seems to me
> to be wrong that finger causes such a large number of queries.
> 
> Does anyone have any experience of why this occurs, and/or how to make
> finger behave more sensibly?

Finger searches both the username field and the GECOS field.  For
example, I have:

    sgifford:x:500:500:Scott Gifford:/home/sgifford:/bin/bash

as my passwd entry.  "finger sgifford", "finger gifford", and "finger
scott" all return this entry.  In order to do partial matches on GECOS
using the traditional UNIX interfaces to the passwd file, using
getpwent(3) to look at every single entry is the only option.

To fix this, you'd really need to use your own finger that used an
LDAP backend.  Umich uses something like this for its student/staff
directory, which works quite well, and OpenLDAP comes with
in.xfingerd, which backends to LDAP.

Hope this helps,

-----ScottG.