On Tue, 2011-01-25 at 16:44 -0800, Patrick Hornecker wrote:
> To expire accounts we're using the ldap "shadowExpire" value.

This information should be exposed through the shadow facility (getent
shadow as root should show LDAP users) and should be enforced by

I don't know how the PAM stack on Ubuntu works but on Debian you need to
configure the NSS part differently when you are using pam_ldap (no
shadow: ldap) or pam-ldapd (need shadow: ldap).

> We're using one central OpenLDAP server, to which the clients are
> connecting on login. The clients are running either Ubuntu 8.04 or
> 10.04. Installed packages on the clients are autofs-ldap, ldap-utils,
> libnss-ldap, nfs-common, nss-updatedb and nscd. All packages have been
> installed from the ubuntu package repositories.

If you are using libnss-ldap and are using libpam-ldapd I recommend
switching to libnss-ldapd.

> Due to some problems with switching to the superuser (simply using the
> 'su'-command, typing the password and then becoming root wasn't
> working on some computers anymore) I found a fix which said I should
> also install the nslcd package from the ubuntu repository, which fixed
> the su issue.

You should be using libnss-ldapd and libpam-ldapd if you are running
into problems with su.

> Since then the problem with the expired accounts occurred.

Can you include the relevant information on your PAM stack
(probably /etc/pam.d/common-account)?
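
An added example, not part of the original message: a shell check for the two things discussed above, namely whether `shadow:` in nsswitch.conf lists ldap, and which accounts in `getent shadow` output are past their expiry date (field 8 of a shadow(5) entry, which is where shadowExpire ends up). The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample data are constructed.

# shadow_uses_ldap FILE: succeed if the "shadow:" line of an
# nsswitch.conf-style FILE lists ldap as a source.
shadow_uses_ldap() {
    sed 's/#.*//' "$1" | awk '
        /^[ \t]*shadow[ \t]*:/ {
            sub(/^[^:]*:/, "")
            n = split($0, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "ldap") found = 1
        }
        END { exit !found }'
}

# expired_accounts TODAY: read shadow(5)-format lines on stdin and print
# the names whose expiry field (field 8, days since 1970-01-01, filled
# from shadowExpire for LDAP users) is on or before day TODAY.
# An empty field or -1 means the account never expires.
expired_accounts() {
    awk -F: -v today="$1" '
        $8 ~ /^[0-9]+$/ && ($8 + 0) <= (today + 0) { print $1 }'
}

# Constructed sample in "getent shadow" format (day 15000 = 2011-01-26).
SAMPLE_SHADOW='alice:*:14900:0:99999:7::14990:
bob:*:14900:0:99999:7::15100:
carol:*:14900:0:99999:7:::
dave:*:14900:0:99999:7::-1:
erin:*:14900:0:99999:7::15000:'

# Typical use on a client, as root:
#   shadow_uses_ldap /etc/nsswitch.conf && echo "shadow: ldap is set"
#   getent shadow | expired_accounts "$(( $(date +%s) / 86400 ))"
```

If an account listed by `expired_accounts` can still log in, the expiry data is reaching NSS and the place to look is the account section of the PAM stack.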

