
Re: Re: problems with nslcd


Hi Arthur,

thanks for your reply.

2011/1/29 Arthur de Jong <arthur [at] arthurdejong.org>
On Tue, 2011-01-25 at 16:44 -0800, Patrick Hornecker wrote:
> To expire accounts we're using the ldap "shadowExpire" value.

This information should be exposed through the shadow facility (getent
shadow as root should show LDAP users) and should be enforced by
pam_unix.

I don't know how the PAM stack on Ubuntu works but on Debian you need to
configure the NSS part differently when you are using pam_ldap (no
shadow: ldap) or pam-ldapd (need shadow: ldap).

If you mean the configuration of /etc/nsswitch.conf: we have the value for shadow included.

/etc/nsswitch.conf:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

> We're using one central OpenLDAP server, to which the clients are
> connecting on login. The clients are running either Ubuntu 8.04 or
> 10.04. Installed packages on the clients are autofs-ldap, ldap-utils,
> libnss-ldap, nfs-common, nss-updatedb and nscd. All packages have been
> installed from the ubuntu package repositories.

If you are using libnss-ldap and are using libpam-ldapd I recommend
switching to libnss-ldapd.

> Due to some problems with switching to the superuser (simply using the
> 'su'-command, typing the password and then becoming root wasn't
> working on some computers anymore) I found a fix which said I should
> also install the nslcd package from the ubuntu repository, which fixed
> the su issue.

You should be using libnss-ldapd and libpam-ldapd if you are running
into problems with su.

Due to the su issue I installed the nslcd package, which includes libnss-ldapd and libpam-ldapd. That fixed the problems with su, but not the problems with the expired accounts.

> Since then the problem with the expired accounts occurred.

Can you include the relevant information on your PAM stack
(probably /etc/pam.d/common-account)?

I'll post you all pam config files which we have altered.

common-account:
account sufficient      pam_ldap.so
account required        pam_unix.so

common-auth:
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass

common-password:
password   sufficient pam_ldap.so
password   required   pam_unix.so nullok obscure min=4 max=8 md5

common-session:
session required        pam_unix.so
session optional        pam_ldap.so

Thanks for the reply in advance.

Regards
Patrick
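As an added example (not code from this thread or from nss-pam-ldapd), the following Python script checks the two things Arthur's reply points at: that the shadow database in nsswitch.conf includes ldap, and what the shadow facility actually exposes for an LDAP user once `getent shadow` is run as root. It parses constructed `getent shadow` lines (user names and values are made up) and applies the expiry rule pam_unix uses, so a suspect account can be classified without going through the PAM stack.

```python
import datetime

EPOCH = datetime.date(1970, 1, 1)

# Constructed sample of `getent shadow` output for two LDAP users
# (names and values are made up for this example; bob has shadowExpire set).
SAMPLE_SHADOW = """\
alice:!:15000:0:99999:7:::
bob:!:15000:0:99999:7::15020:
"""
# Constructed /etc/nsswitch.conf fragment, matching the one in the thread.
SAMPLE_NSSWITCH = """\
passwd:         files ldap
group:          files ldap
shadow:         files ldap
"""

def shadow_sources(nsswitch_text):
    """Return the NSS sources configured for the shadow database."""
    for line in nsswitch_text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line.startswith('shadow:'):
            return line.split(':', 1)[1].split()
    return []

def parse_shadow(shadow_text):
    """Map user name -> shadowExpire (days since 1970-01-01), or None if unset."""
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(':')
        if len(fields) != 9:  # name:pw:lastchg:min:max:warn:inact:expire:flag
            raise ValueError('malformed shadow entry: %r' % line)
        expire = fields[7]
        result[fields[0]] = int(expire) if expire not in ('', '-1') else None
    return result

def expire_date(days):
    """Convert a shadowExpire day count to an ISO date for readability."""
    return (EPOCH + datetime.timedelta(days=days)).isoformat()

def account_status(shadow_text, user, today):
    """Classify user on `today` (YYYY-MM-DD) as pam_unix does: expired once today >= shadowExpire."""
    expire = parse_shadow(shadow_text).get(user)
    if expire is None:
        return 'no expiry'
    today_days = (datetime.date.fromisoformat(today) - EPOCH).days
    return 'expired' if today_days >= expire else 'active'
```

If `getent shadow` as root does not list the LDAP users at all, the expiry field never reaches pam_unix, which is the NSS side of the problem Arthur describes.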