Re: Configuration Confusion

On Tue, 2010-04-27 at 09:26 -0400, David Tomaschik wrote:
> I'm trying to replace libnss-ldap with libnss-ldapd, but I'm running 
> into a bit of a configuration confusion.  My understanding is that 
> /etc/ldap.conf provides configuration for libpam-ldap, 
> /etc/nss-ldapd.conf for libnss-ldapd, and /etc/ldap/ldap.conf is a set
> of global defaults for the ldap* utilities.  If this is correct, it 
> seems that switching from libnss-ldap to libnss-ldapd shouldn't affect
> options in /etc/ldap.conf, however it seems that my pam_groupdn option
> is now being ignored in /etc/ldap.conf.  Because our LDAP server
> stores entries for users who should not have shell access to our
> servers, we had been using that to limit shell logins.  Is there
> something I'm missing?

Unfortunately the location of config files is very distribution-specific.
In Debian it is the following:
  /etc/ldap/ldap.conf - OpenLDAP client library configuration file
  /etc/libnss-ldap.conf - libnss-ldap configuration file
  /etc/pam_ldap.conf - libpam-ldap configuration file
  /etc/nss-ldapd.conf - nss-ldapd configuration file before 0.7.0
  /etc/nslcd.conf - nss-pam-ldapd configuration file since 0.7.0

The default (upstream) OpenLDAP client library configuration file and
the ones that libnss-ldap and libpam-ldap use is /etc/ldap.conf (if I
recall correctly). The OpenLDAP tools (the ones in ldap-utils) use the
client library configuration file.

Note that both libnss-ldap and libpam-ldap also parse the OpenLDAP
client library configuration file but nss-pam-ldapd does not (since
version 0.6.8) to avoid confusion. Also, nss-pam-ldapd errors out in
case of configuration errors and libnss-ldap, libpam-ldap and the
OpenLDAP client libraries silently ignore errors.

This means that any configuration for libnss-ldapd and libpam-ldapd
should go in /etc/nslcd.conf (or /etc/nss-ldapd.conf if you're running
nss-ldapd before 0.7.0). The Debian packages of nss-pam-ldapd
automatically import some of the settings from /etc/libnss-ldap.conf, 
/etc/pam_ldap.conf and /etc/ldap/ldap.conf if they are present.

If you're not using libpam-ldapd but libpam-ldap you should also
configure /etc/ldap.conf (I think that's what Ubuntu uses).

Also note that libpam-ldapd does not support the pam_groupdn option.
Work is under way to implement a more general authorisation check

-- arthur - - --
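The reply above makes two points a migrating admin wants to check mechanically: nss-pam-ldapd reads only its own file and refuses to start on options it does not understand, and libpam-ldapd does not honour pam_groupdn, so a login restriction carried over from /etc/ldap.conf would be lost. The script below is an added example (not code from the thread or from the nss-pam-ldapd project) that parses a libnss-ldap/libpam-ldap style file and sorts each option into "accepted by nslcd", "unsupported PAM authorisation option", or "unknown to nslcd". The set of accepted option names and the treatment of pam_member_attribute are assumptions made for the example; the sample file is constructed.

```python
"""Audit an old /etc/ldap.conf (libnss-ldap / libpam-ldap format) before
copying its contents into /etc/nslcd.conf.

Added example; not part of the original mailing-list thread.
"""
from typing import Dict, List, Tuple

# Option names nslcd accepts in /etc/nslcd.conf. ASSUMPTION: illustrative
# subset for this example; consult nslcd.conf(5) for your installed version.
NSLCD_OPTIONS = {
    "uri", "base", "binddn", "bindpw", "scope", "deref", "referrals",
    "filter", "map", "ldap_version", "ssl", "tls_reqcert", "tls_cacertfile",
    "timelimit", "bind_timelimit", "idle_timelimit", "reconnect_sleeptime",
    "uid", "gid", "threads", "pagesize",
}

# PAM authorisation options from libpam-ldap that libpam-ldapd does not
# implement. pam_groupdn is the one named in the thread; treating its
# companion pam_member_attribute the same way is an ASSUMPTION.
UNSUPPORTED_PAM_OPTIONS = {
    "pam_groupdn": "group-based login restriction is not applied by libpam-ldapd",
    "pam_member_attribute": "only meaningful together with pam_groupdn",
}

Entry = Tuple[int, str, str]  # (line number, option name, value)


def parse_config(text: str) -> List[Entry]:
    """Parse 'option value' lines; '#' comments and blank lines are skipped.
    Option names are compared case-insensitively."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((lineno, key, value))
    return entries


def audit(text: str) -> Dict[str, list]:
    """Classify every option. 'unknown' entries would make nslcd refuse to
    start (it errors out instead of ignoring them); 'unsupported' entries
    would be accepted nowhere and silently drop an access restriction."""
    report: Dict[str, list] = {"accepted": [], "unsupported": [], "unknown": []}
    for lineno, key, _value in parse_config(text):
        if key in UNSUPPORTED_PAM_OPTIONS:
            report["unsupported"].append((lineno, key))
        elif key in NSLCD_OPTIONS:
            report["accepted"].append((lineno, key))
        else:
            report["unknown"].append((lineno, key))
    return report


# Constructed sample of a libpam-ldap style /etc/ldap.conf.
SAMPLE_LDAP_CONF = """\
# constructed sample, not a real deployment
uri ldap://ldap.example.org/
base dc=example,dc=org
ldap_version 3
binddn cn=proxy,dc=example,dc=org
bindpw secret
pam_groupdn cn=shell-users,ou=groups,dc=example,dc=org
pam_member_attribute memberUid
nss_base_passwd ou=people,dc=example,dc=org?one
"""

if __name__ == "__main__":
    result = audit(SAMPLE_LDAP_CONF)
    for lineno, key in result["unsupported"]:
        print(f"line {lineno}: {key}: {UNSUPPORTED_PAM_OPTIONS[key]}")
    for lineno, key in result["unknown"]:
        print(f"line {lineno}: {key}: not an nslcd option, nslcd would fail to start")
    print(f"{len(result['accepted'])} option(s) can be carried over as-is")
```

Run it against a copy of the old file (or pipe the file into `audit`) before restarting nslcd: anything reported as unknown has to be removed or rewritten in nslcd's own syntax, and anything reported as unsupported needs a replacement access control, since the thread confirms pam_groupdn will simply not apply.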