Re: --disable-nslcd, nssov, and local user lookups
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: --disable-nslcd, nssov, and local user lookups
- From: Ryan Steele <ryans [at] aweber.com>
- To: Arthur de Jong <arthur [at] arthurdejong.org>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: --disable-nslcd, nssov, and local user lookups
- Date: Fri, 29 Jun 2012 13:31:35 -0400
I was able to at least hide this from the user by setting 'no_warn' for all
pam_ldap tiers of the PAM stack. Guess I can just have rsyslog filter out the
failures or something as a temporary solution, but it still feels like I'm
sweeping dirt under the rug.
Ryan Steele wrote:
> Arthur,
>
> I don't think simply preventing nslcd from running is going to work for me.
> Every time I would open a session with sudo/su, I got these messages to
> stdout:
>
> root@myhost:~# su - myuser
> LDAP open session failed
> myser@myhost:~$ logout
> LDAP clode session failed
> myuser@mongo:~$ sudo su -
> LDAP Password:
> LDAP open session failed
> LDAP clode session failed
> LDAP open session failed
>
> The sudo/su will work, but obviously that behavior is not desirable and is
> confusing for users. When I inspected auth.log, I found messages like this:
>
> Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:account): ; user=myuser
> Jun 29 15:49:56 myhost su[26551]: Successful su for myuser by root
> Jun 29 15:49:56 myhost su[26551]: + /dev/pts/0 root:myuser
> Jun 29 15:49:56 myhost su[26551]: pam_unix(su:session): session opened for
> user myuser by root(uid=0)
> Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:session): error reading from
> nslcd: No such file or directory
> Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:session): Authentication
> service cannot retrieve authentication info; user=myuser
> Jun 29 15:49:58 myhost su[26551]: pam_unix(su:session): session closed for
> user myuser
> Jun 29 15:49:58 myhost su[26551]: pam_ldap(su:session): error reading from
> nslcd: Connection reset by peer
> Jun 29 15:49:58 myhost su[26551]: pam_ldap(su:session): Authentication
> service cannot retrieve authentication info; user=myuser
>
>
> I'm thinking of attempting a build that doesn't include nslcd (perhaps that's
> why slapo-nssov mentions it?), unless you know of another way to prevent
> pam_ldap from throwing errors like this (presumably because nslcd isn't
> running, although the /var/run/nslcd/socket file created by nssov does exist).
>
> Cheers,
> Ryan
>
> Arthur de Jong wrote:
>> On Wed, 2012-06-13 at 07:20 -0400, Ryan Steele wrote:
>>>> Btw, out of curiosity, why are you building custom Debian packages?
>>> The nssov docs
>>> (http://www.openldap.org/devel//cvsweb.cgi/~checkout~/contrib/slapd-modules/nssov/README?rev=1.10&hideattic=1&sortbydate=0)
>>> make a reference to building nss-pam-ldapd without nslcd since it's not
>>> needed. I didn't want to run the risk of using the packages that leave it
>>> in and then not use it, potentially introducing some sort of dependency on
>>> a running nslcd that would never be satisfied.
>> You could just install the libnss-ldapd and libpam-ldapd packages and
>> either not install nslcd (perhaps use equivs to handle the dependencies)
>> or install it but disable it by putting "exit 0" in /etc/default/nslcd.
>> That way you will still get automatic updates of the packages.
>>
>> The --disable-nslcd option doesn't change anything in the NSS and PAM
>> modules. It only causes the nslcd binary not to be built (you don't need
>> development headers of OpenLDAP, etc. installed to compile it).
>>
>>> I did have one other question: since I won't be using nslcd, are the
>>> libnss-ldapd options that would have been set in /etc/nslcd.conf now
>>> configured via the nssov overlay instead of /etc/nslcd.conf, provided
>>> the options are available (I know that some are not, e.g. the
>>> nss_initgroups_ignoreusers option)?
>> I don't have much first-hand experience with nssov but nslcd.conf only
>> affects how nslcd works so anything you configured there before should
>> be configured in nssov. The NSS modules doesn't have any configuration
>> and the PAM module is only configured through the command line (see the
>> pam_ldap(8) manual page for details).
>>
>> I think that if you using caching or replication together with nssov you
>> shouldn't need nss_initgroups_ignoreusers because the slowdown during
>> boot you could have with nss_ldap don't happen if nslcd or nssov aren't
>> running. If nslcd is only started after networking or nssov always has
>> cached data available it should also be pretty fast.
>>
>>
--
Ryan Steele ryans@aweber.com
Systems Administrator +1 215-825-2196 x758
AWeber Communications http://www.aweber.com
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
- Re: --disable-nslcd, nssov, and local user lookups, (continued)
- Re: --disable-nslcd, nssov, and local user lookups,
Ryan Steele
- Re: --disable-nslcd, nssov, and local user lookups,
Arthur de Jong
- Re: --disable-nslcd, nssov, and local user lookups,
Ryan Steele
- Re: --disable-nslcd, nssov, and local user lookups,
Ryan Steele
- Re: --disable-nslcd, nssov, and local user lookups,
Ryan Steele
- Re: --disable-nslcd, nssov, and local user lookups,
Arthur de Jong
