lists.arthurdejong.org

Re: --disable-nslcd, nssov, and local user lookups

Arthur,

I don't think simply preventing nslcd from running is going to work for me.  
Every time I would open a session with sudo/su, I got these messages to stdout:

root@myhost:~# su - myuser
LDAP open session failed
myser@myhost:~$ logout
LDAP clode session failed
myuser@mongo:~$ sudo su -
LDAP Password: 
LDAP open session failed
LDAP clode session failed
LDAP open session failed

The sudo/su will work, but obviously that behavior is not desirable and is 
confusing for users.  When I inspected auth.log, I found messages like this:

Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:account): ; user=myuser
Jun 29 15:49:56 myhost su[26551]: Successful su for myuser by root
Jun 29 15:49:56 myhost su[26551]: + /dev/pts/0 root:myuser
Jun 29 15:49:56 myhost su[26551]: pam_unix(su:session): session opened for user myuser by root(uid=0)
Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:session): error reading from nslcd: No such file or directory
Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:session): Authentication service cannot retrieve authentication info; user=myuser
Jun 29 15:49:58 myhost su[26551]: pam_unix(su:session): session closed for user myuser
Jun 29 15:49:58 myhost su[26551]: pam_ldap(su:session): error reading from nslcd: Connection reset by peer
Jun 29 15:49:58 myhost su[26551]: pam_ldap(su:session): Authentication service cannot retrieve authentication info; user=myuser


I'm thinking of attempting a build that doesn't include nslcd (perhaps that's 
why slapo-nssov mentions it?), unless you know of another way to prevent 
pam_ldap from throwing errors like this (presumably because nslcd isn't 
running, although the /var/run/nslcd/socket file created by nssov does exist).

Cheers,
Ryan

Arthur de Jong wrote:
> On Wed, 2012-06-13 at 07:20 -0400, Ryan Steele wrote:
>>> Btw, out of curiosity, why are you building custom Debian packages?
>> The nssov docs
>> (http://www.openldap.org/devel//cvsweb.cgi/~checkout~/contrib/slapd-modules/nssov/README?rev=1.10&hideattic=1&sortbydate=0)
>>  make a reference to building nss-pam-ldapd without nslcd since it's not 
>> needed.  I didn't want to run the risk of using the packages that leave it 
>> in and then not use it, potentially introducing some sort of dependency on a 
>> running nslcd that would never be satisfied.
> 
> You could just install the libnss-ldapd and libpam-ldapd packages and
> either not install nslcd (perhaps use equivs to handle the dependencies)
> or install it but disable it by putting "exit 0" in /etc/default/nslcd.
> That way you will still get automatic updates of the packages. 
> 
> The --disable-nslcd option doesn't change anything in the NSS and PAM
> modules. It only causes the nslcd binary not to be built (you don't need
> development headers of OpenLDAP, etc. installed to compile it).
> 
>> I did have one other question: since I won't be using nslcd, are the
>> libnss-ldapd options that would have been set in /etc/nslcd.conf now
>> configured via the nssov overlay instead of /etc/nslcd.conf, provided
>> the options are available (I know that some are not, e.g. the
>> nss_initgroups_ignoreusers option)?
> 
> I don't have much first-hand experience with nssov but nslcd.conf only
> affects how nslcd works so anything you configured there before should
> be configured in nssov. The NSS modules don't have any configuration
> and the PAM module is only configured through the command line (see the
> pam_ldap(8) manual page for details).
> 
> I think that if you are using caching or replication together with nssov you
> shouldn't need nss_initgroups_ignoreusers because the slowdown during
> boot you could have with nss_ldap doesn't happen if nslcd or nssov aren't
> running. If nslcd is only started after networking or nssov always has
> cached data available it should also be pretty fast.
> 
> 
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
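A way to spot the pattern Ryan describes in auth.log (pam_unix opens the session while pam_ldap cannot read from the nslcd socket), added here as an example that is not part of this thread or of nss-pam-ldapd itself. The sample lines are constructed after the ones quoted above, and the parser assumes the Debian syslog line shape `<timestamp> <host> <prog>[<pid>]: <module>(<service>:<type>): <message>`.

```python
import re
from collections import Counter

# Assumed auth.log line shape (Debian syslog + PAM module prefix):
#   <timestamp> <host> <prog>[<pid>]: <module>(<service>:<type>): <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?:(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<type>\w+)\): )?(?P<msg>.*)$"
)
NSLCD_ERR = "error reading from nslcd: "

# Constructed sample, modelled on the lines quoted in the message above.
SAMPLE = """\
Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:account): ; user=myuser
Jun 29 15:49:56 myhost su[26551]: Successful su for myuser by root
Jun 29 15:49:56 myhost su[26551]: pam_unix(su:session): session opened for user myuser by root(uid=0)
Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:session): error reading from nslcd: No such file or directory
Jun 29 15:49:58 myhost su[26551]: pam_unix(su:session): session closed for user myuser
Jun 29 15:49:58 myhost su[26551]: pam_ldap(su:session): error reading from nslcd: Connection reset by peer
""".splitlines()

def parse_line(line):
    """Split one auth.log line into its fields; None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def nslcd_failures(lines):
    """Count pam_ldap 'error reading from nslcd' messages by (service, type, errno text)."""
    out = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["module"] == "pam_ldap" and rec["msg"].startswith(NSLCD_ERR):
            out[(rec["service"], rec["type"], rec["msg"][len(NSLCD_ERR):])] += 1
    return out

def sessions_with_nslcd_errors(lines):
    """Per (prog, pid): sessions pam_unix opened while pam_ldap could not reach
    nslcd, i.e. the 'su works but prints LDAP session errors' pattern."""
    opened, errors = set(), {}
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["module"]:
            continue
        key = (rec["prog"], rec["pid"])
        if rec["module"] == "pam_unix" and rec["msg"].startswith("session opened"):
            opened.add(key)
        elif rec["module"] == "pam_ldap" and rec["msg"].startswith(NSLCD_ERR):
            errors.setdefault(key, []).append(rec["msg"][len(NSLCD_ERR):])
    return {k: v for k, v in errors.items() if k in opened}
```

Feed it the real file with `sessions_with_nslcd_errors(open("/var/log/auth.log"))`; a non-empty result means pam_ldap is in the session stack but nothing is answering on the nslcd socket.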