Re: Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04)
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04)
- Date: Tue, 19 Apr 2011 21:44:07 +0200
On Tue, 2011-04-19 at 13:38 +0200, Martin Wegner wrote:
> We are using the libnss-ldap and libpam-ldap packages.
This is the mailing list for nss-pam-ldapd, a derivative of nss_ldap
(and probably small bits of pam_ldap). For more information on this
issue you can probably be better served at one of the PADL mailing
lists:
http://www.padl.com/Contents/OpenSourceSoftware.html
> As far as I understand it, pam first queries the LDAP server as root and
> after that queries are done with the uid of the user. The problem is
> that the user has no permission to read the tls_key.
PAM applications normally run as root so should be able to read the
private key. That being said, open is not suid root so all files are
read as a normal user. I don't think openvt uses PAM and your problems
are likely more in the NSS part. You should be able to do getent passwd
as any user.
Since you've reached a nss-pam-ldapd mailing list, you might as well
have a look at it. ;) Its security model is simpler and should fit
quite nicely for your kind of environment because all LDAP queries are
performed by a single process as a dedicated user. The packages in
Ubuntu lucid (libnss-ldapd, libpam-ldapd and nslcd) are quite outdated
(0.7.2) and contain some known issues that are fixed in later releases.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
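The reply above boils down to two checks: with nslcd the TLS client key only has to be readable by the daemon's own user, and an NSS lookup must still work for any unprivileged caller. The script below is an added illustration of those checks, not code from the thread or from nss-pam-ldapd; the key path /etc/ldap/tls_key and the daemon user name nslcd are assumptions to adjust to the local tls_key setting.

```shell
#!/bin/sh
# Added example (not from the list thread): sanity checks for the nslcd model,
# where a single daemon process performs all LDAP queries as a dedicated user.

# key_mode_ok FILE: returns 0 when only the owner can read or write FILE
# (mode 0600 or 0400), i.e. group and others have no read/write bits.
key_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 1
    groupother=$(printf '%s' "$perms" | cut -c5-10)
    case "$groupother" in
        *r*|*w*) return 1 ;;    # someone besides the owner can read or write it
    esac
    return 0
}

# key_owner_is FILE USER: returns 0 when FILE is owned by USER, the account
# that actually opens the TLS connection ("nslcd" is an assumed default).
key_owner_is() {
    owner=$(ls -ld "$1" 2>/dev/null | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# nss_lookup_ok NAME: returns 0 when a passwd lookup for NAME succeeds from the
# calling user; with nslcd this works unprivileged because the daemon, not the
# caller, needs the key.
nss_lookup_ok() {
    getent passwd "$1" >/dev/null 2>&1
}

# check_tls_key [KEY] [USER]: runs all three checks and reports the first failure.
check_tls_key() {
    key=${1:-/etc/ldap/tls_key}      # assumed path; use your tls_key value
    user=${2:-nslcd}                 # assumed daemon user
    key_mode_ok "$key" || { echo "$key: group/other can read the key"; return 1; }
    key_owner_is "$key" "$user" || { echo "$key: not owned by $user"; return 1; }
    nss_lookup_ok root || { echo "getent passwd root failed as $(id -un)"; return 1; }
    echo "ok: $key is private to $user and NSS lookups work unprivileged"
}
```

Run `check_tls_key /path/to/tls_key nslcd` as an ordinary user; a failure on the last check means lookups still depend on the caller's own permissions.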