Having an odd problem with a user being pulled twice from our OUD LDAP Server. To start - I think it's some kind of odd client-side issue.
Names have been replaced here with non-identifying 'generics'. But this is happening to two users, and for each user on a different server.
User1 - can't log in using LDAP to server1 because of this (conversely, user2 can log in to this server fine)
User2 - can't log in using LDAP to server2 because of this (conversely, user1 can log in to this server fine)
There are numerous other servers they can log in to just fine. It's just in this case, where getent passwd and ldaplist pull the username twice - running 'id' shows a single user in each case, however.
SolarisServer-[root]/var/ldap> id jdoe
uid=8099(jdoe) gid=1099(usergroup)
SolarisServer-[root]/var/ldap> ldaplist -l passwd | grep jdoe
dn: uid=jdoe,ou=usergroup,ou=people,dc=companyxyz,dc=com
homeDirectory: /home/share/jdoe
uid: jdoe
dn: uid=jdoe,ou=usergroup,ou=people,dc=companyxyz,dc=com
homeDirectory: /home/share/jdoe
uid: jdoe
SolarisServer-[root]/var/ldap> getent passwd | grep jdoe
jdoe:x:8099:1099:John Doe - usergroup:/home/share/jdoe:/bin/ksh
jdoe:x:8099:1099:John Doe - usergroup:/home/share/jdoe:/bin/ksh
I've restarted the service, restarted cache manager, killed the cachemgr processes to 'rebuild' the cache, and ran our LDAP script again (uses ldapclient mod to add groups to passwd/shadow).
Very odd problem and can't find the cause at all.
There are also other users in the same groups these two are in and they do not have this problem. Just these two users on these two servers.
Interestingly enough - in user1's case - we removed him from LDAP totally. Waited overnight and re-created his account (same UID/GID) and the problem came right back. We had to create him a new account to get him logged in, because he needs the impacted server for his job. In user2's case - he has access to a local account that works for him.
I have yet to find anything significant in the logs - and I've searched a bunch looking for a similar issue and could only find one that was some Red Hat bug that was fixed - so totally unrelated.
I've checked the groups defined in /var/ldap/ldap_client_file and they look OK. All other users can log in just fine.
Since other servers pull their account information just fine - I can't think it's an OUD/LDAP server-side issue - but I wanted to post here in case some OUD guru has seen this before - or has an idea of where to look! I'm pretty 'newbie' at LDAP in Solaris.
Thanks for any input!
OUDSM | 12.2.1.3.0 (OUD) |
OUD | Oracle Unified Directory 12.2.1.3.0 |
Java | 1.8.0_111 |