Re: --disable-nslcd, nssov, and local user lookups

I was able to at least hide this from the user by setting 'no_warn' for all 
pam_ldap tiers of the PAM stack.  Guess I can just have rsyslog filter out the 
failures or something as a temporary solution, but it still feels like I'm 
sweeping dirt under the rug.

Ryan Steele wrote:
> Arthur,
> 
> I don't think simply preventing nslcd from running is going to work for me.  
> Every time I would open a session with sudo/su, I got these messages to 
> stdout:
> 
> root@myhost:~# su - myuser
> LDAP open session failed
> myser@myhost:~$ logout
> LDAP clode session failed
> myuser@mongo:~$ sudo su -
> LDAP Password: 
> LDAP open session failed
> LDAP clode session failed
> LDAP open session failed
> 
> The sudo/su will work, but obviously that behavior is not desirable and is 
> confusing for users.  When I inspected auth.log, I found messages like this:
> 
> Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:account): ; user=myuser
> Jun 29 15:49:56 myhost su[26551]: Successful su for myuser by root
> Jun 29 15:49:56 myhost su[26551]: + /dev/pts/0 root:myuser
> Jun 29 15:49:56 myhost su[26551]: pam_unix(su:session): session opened for 
> user myuser by root(uid=0)
> Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:session): error reading from 
> nslcd: No such file or directory
> Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:session): Authentication 
> service cannot retrieve authentication info; user=myuser
> Jun 29 15:49:58 myhost su[26551]: pam_unix(su:session): session closed for 
> user myuser
> Jun 29 15:49:58 myhost su[26551]: pam_ldap(su:session): error reading from 
> nslcd: Connection reset by peer
> Jun 29 15:49:58 myhost su[26551]: pam_ldap(su:session): Authentication 
> service cannot retrieve authentication info; user=myuser
> 
> 
> I'm thinking of attempting a build that doesn't include nslcd (perhaps that's 
> why slapo-nssov mentions it?), unless you know of another way to prevent 
> pam_ldap from throwing errors like this (presumably because nslcd isn't 
> running, although the /var/run/nslcd/socket file created by nssov does exist).
> 
> Cheers,
> Ryan
> 
> Arthur de Jong wrote:
>> On Wed, 2012-06-13 at 07:20 -0400, Ryan Steele wrote:
>>>> Btw, out of curiosity, why are you building custom Debian packages?
>>> The nssov docs
>>> (http://www.openldap.org/devel//cvsweb.cgi/~checkout~/contrib/slapd-modules/nssov/README?rev=1.10&hideattic=1&sortbydate=0)
>>> make a reference to building nss-pam-ldapd without nslcd since it's not 
>>> needed.  I didn't want to run the risk of using the packages that leave it 
>>> in and then not use it, potentially introducing some sort of dependency on 
>>> a running nslcd that would never be satisfied.
>> You could just install the libnss-ldapd and libpam-ldapd packages and
>> either not install nslcd (perhaps use equivs to handle the dependencies)
>> or install it but disable it by putting "exit 0" in /etc/default/nslcd.
>> That way you will still get automatic updates of the packages. 
>>
>> The --disable-nslcd option doesn't change anything in the NSS and PAM
>> modules. It only causes the nslcd binary not to be built (you don't need
>> development headers of OpenLDAP, etc. installed to compile it).
>>
>>> I did have one other question: since I won't be using nslcd, are the
>>> libnss-ldapd options that would have been set in /etc/nslcd.conf now
>>> configured via the nssov overlay instead of /etc/nslcd.conf, provided
>>> the options are available (I know that some are not, e.g. the
>>> nss_initgroups_ignoreusers option)?
>> I don't have much first-hand experience with nssov but nslcd.conf only
>> affects how nslcd works so anything you configured there before should
>> be configured in nssov. The NSS modules don't have any configuration
>> and the PAM module is only configured through the command line (see the
>> pam_ldap(8) manual page for details).
>>
>> I think that if you are using caching or replication together with nssov you
>> shouldn't need nss_initgroups_ignoreusers because the slowdown during
>> boot you could have with nss_ldap doesn't happen if nslcd or nssov aren't
>> running. If nslcd is only started after networking or nssov always has
>> cached data available it should also be pretty fast.
>>
>>

-- 
Ryan Steele                                    ryans@aweber.com
Systems Administrator                          +1 215-825-2196 x758
AWeber Communications                          http://www.aweber.com
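Rather than dropping the pam_ldap messages at the rsyslog level, a defender can treat them as a signal: a session that pam_unix opened while pam_ldap could not reach nslcd is exactly the case the thread describes. The following Python script is an added example, not code from the thread, nss-pam-ldapd or nssov. It parses the auth.log lines quoted above (plus one constructed healthy sshd line), groups them by PID and reports which sessions hit an "error reading from nslcd" failure alongside whether pam_unix still opened the session.

```python
import re
from collections import defaultdict

# Constructed sample: the auth.log excerpt quoted in the thread (su PID 26551),
# joined back onto single lines, plus one invented healthy sshd line (PID 26600)
# so the filter has something to leave alone.
SAMPLE_AUTH_LOG = """\
Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:account): ; user=myuser
Jun 29 15:49:56 myhost su[26551]: Successful su for myuser by root
Jun 29 15:49:56 myhost su[26551]: + /dev/pts/0 root:myuser
Jun 29 15:49:56 myhost su[26551]: pam_unix(su:session): session opened for user myuser by root(uid=0)
Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:session): error reading from nslcd: No such file or directory
Jun 29 15:49:56 myhost su[26551]: pam_ldap(su:session): Authentication service cannot retrieve authentication info; user=myuser
Jun 29 15:49:58 myhost su[26551]: pam_unix(su:session): session closed for user myuser
Jun 29 15:49:58 myhost su[26551]: pam_ldap(su:session): error reading from nslcd: Connection reset by peer
Jun 29 15:49:58 myhost su[26551]: pam_ldap(su:session): Authentication service cannot retrieve authentication info; user=myuser
Jun 29 15:50:03 myhost sshd[26600]: pam_unix(sshd:session): session opened for user other by (uid=0)
"""

# Traditional syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# PAM module prefix as written by Linux-PAM modules: pam_<module>(<service>:<type>): <text>
PAM_RE = re.compile(r"^pam_(?P<module>\w+)\((?P<service>[^:]+):(?P<type>\w+)\): (?P<text>.*)$")


def parse_line(line):
    """Return a dict for a syslog line, with a nested 'pam' dict when the
    message came from a PAM module, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    pm = PAM_RE.match(rec["msg"])
    rec["pam"] = pm.groupdict() if pm else None
    return rec


def is_nslcd_error(rec):
    """True for the pam_ldap failure seen when the nslcd socket is not served."""
    pam = rec.get("pam")
    return bool(pam) and pam["module"] == "ldap" and pam["text"].startswith("error reading from nslcd")


def summarize_sessions(lines):
    """Group PAM messages by PID and record, per session, every nslcd error
    and whether pam_unix nevertheless opened the session."""
    sessions = defaultdict(lambda: {"prog": None, "errors": [], "unix_session_opened": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["pam"] is None:
            continue  # non-PAM lines such as "Successful su ..." are ignored
        s = sessions[rec["pid"]]
        s["prog"] = rec["prog"]
        pam = rec["pam"]
        if is_nslcd_error(rec):
            # keep only the errno text after "error reading from nslcd: "
            s["errors"].append(pam["text"].split(": ", 1)[1])
        elif pam["module"] == "unix" and pam["type"] == "session" and pam["text"].startswith("session opened"):
            s["unix_session_opened"] = True
    return dict(sessions)


def nslcd_affected_pids(lines):
    """PIDs whose PAM stack logged at least one nslcd read failure."""
    return sorted(pid for pid, s in summarize_sessions(lines).items() if s["errors"])


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for pid in nslcd_affected_pids(lines):
        s = summarize_sessions(lines)[pid]
        print(f"{s['prog']}[{pid}]: nslcd errors={s['errors']} unix_session_opened={s['unix_session_opened']}")
```

Feeding the script the real auth.log (`python3 script.py < /var/log/auth.log` after replacing the constructed sample with `sys.stdin`) gives a per-session view of how often the pam_ldap session hooks fail against a socket that nothing is answering, which is the number worth watching before deciding that hiding the warnings is acceptable.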