[Date Prev][Date Next]
Re: LDAP and PAM: account is expired, but pam_ldap allows authentification
-----BEGIN PGP SIGNED MESSAGE-----
> It was obvious that he was not asking "why doesn't my pam_ldap talk to my OpenLDAP server."
> Missing elements from the user objects is a *data* problem, it is not an interoperability problem. He would have the same issue whether the server was OpenLDAP, Oracle, or M$AD. It has nothing to do with OpenLDAP, and a careful reader would have known all of this. If you're not reading carefully, you should not be responding to the posts.
Infact, it wouldn't matter if the backend was M$AD or not. You can still use the OpenLDAP client libraries to talk to AD. It is still thusly, an OpenLDAP related question, where the user does not know where to look from here, and they personally did not know, it was NOT the fault of OpenLDAP or pam_ldap but rather of nsswitch.
The fact of the matter, is that not everyone knows everything, or they may have missed something in research etc. It is hard to find a man page, if you don't know what you are looking for. Google also is not perfect. This person did not know about nsswitch and its requirement, merely believing that the key parts of this issue were either OpenLDAP or pam_ldap. We have more experience to know this is not the case. He did not. He asked where he though the most experience would be - here and rightly so as well, since we were able to tell him "look at nsswitch, rather than OpenLDAP or pam_ldap".
This comes down far more to what he was asking about (and his limited experience), and your perception of it, rather than "what is allowed and what is not".
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
-----END PGP SIGNATURE-----