lists.arthurdejong.org

Re: Re: problems with nslcd



On Tue, 2011-01-25 at 16:44 -0800, Patrick Hornecker wrote:
> To expire accounts we're using the ldap "shadowExpire" value.

This information should be exposed through the shadow facility (getent
shadow as root should show LDAP users) and should be enforced by
pam_unix.

I don't know how the PAM stack on Ubuntu works but on Debian you need to
configure the NSS part differently when you are using pam_ldap (no
shadow: ldap) or pam-ldapd (need shadow: ldap).

> We're using one central OpenLDAP server, to which the clients are
> connecting on login. The clients are running either Ubuntu 8.04 or
> 10.04. Installed packages on the clients are autofs-ldap, ldap-utils,
> libnss-ldap, nfs-common, nss-updatedb and nscd. All packages have been
> installed from the Ubuntu package repositories.

If you are using libnss-ldap and are using libpam-ldapd I recommend
switching to libnss-ldapd.

> Due to some problems with switching to the superuser (simply using the
> 'su'-command, typing the password and then becoming root wasn't
> working on some computers anymore) I found a fix which said I should
> also install the nslcd package from the Ubuntu repository, which fixed
> the su issue.

You should be using libnss-ldapd and libpam-ldapd if you are running
into problems with su.

> Since then the problem with the expired accounts occurred.

Can you include the relevant information on your PAM stack
(probably /etc/pam.d/common-account)?


-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
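
An added example, not part of the original message or of nss-pam-ldapd: a shell check for the two things the reply above turns on, whether nsswitch.conf lists ldap for shadow, and which entries in getent shadow output are past the expiry day in field 8 (where shadowExpire ends up). The sample data, the function names and the day number 15000 are constructed, and the "today >= expiry day" rule is an assumption about how the account check compares dates.

```shell
#!/bin/sh
# Constructed sample of `getent shadow` output (not from a real system).
# Field 8 is the account expiry day, counted in days since 1970-01-01;
# for LDAP users it carries shadowExpire. Empty or -1 means no expiry.
SAMPLE_SHADOW='alice:*:14900:0:99999:7:::
bob:*:14900:0:99999:7::14975:
carol:*:14900:0:99999:7::-1:
dave:*:14900:0:99999:7::15100:'

# Constructed nsswitch.conf fragment.
SAMPLE_NSSWITCH='passwd: files ldap
group:  files ldap
# shadow: ldap is needed with pam-ldapd
shadow: files ldap'

# Succeeds if the "shadow:" line of the nsswitch.conf text on stdin
# lists the ldap source. Comments are stripped before matching.
shadow_uses_ldap() {
    awk '{ sub(/#.*/, "") }
         /^[ \t]*shadow[ \t]*:/ {
             sub(/^[^:]*:/, "")
             n = split($0, src, /[ \t]+/)
             for (i = 1; i <= n; i++) if (src[i] == "ldap") found = 1
         }
         END { exit !found }'
}

# Prints the login names from shadow-format lines on stdin whose expiry
# day has been reached. $1 is today's date in days since the epoch.
# Assumption: an account counts as expired when today >= expiry day.
expired_accounts() {
    awk -F: -v today="$1" \
        '$8 ~ /^[0-9]+$/ && today + 0 >= $8 + 0 { print $1 }'
}

# Today's date in days since 1970-01-01 (UTC).
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Demo on the constructed data; day 15000 is 2011-01-26.
if printf '%s\n' "$SAMPLE_NSSWITCH" | shadow_uses_ldap; then
    echo "shadow: ldap is configured"
fi
printf '%s\n' "$SAMPLE_SHADOW" | expired_accounts 15000

# On a real client, as root:
#   shadow_uses_ldap < /etc/nsswitch.conf
#   getent shadow | expired_accounts "$(today_days)"
```

If getent shadow as root shows no LDAP users at all, the expiry field never reaches the account check, whatever shadowExpire says in the directory.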