Re: [nssldap] nss_ldap on SLES 10

[Ralf Haferkamp <rhafer [at] suse.de>]

On Monday 29 January 2007 20:43, Iain Morgan wrote:
> Hello,
>
> On SLES 9 (nscd 2.3.5, nss_ldap 215) it seems that it is sufficient to
> set rootbinddn in /etc/ldap.conf to get reasonable behaviour. However,
> on SLES 10 (nscd 2.4, nss_ldap 246) it appears to be necessary to set
> binddn/bindpw instead.
What do you mean by "reasonable behaviour". Please describe.

> With only rootbinddn set on SLES 10, commands such as 'getent shadow'
> work when run as root, but 'getent passwd' does not - regardless of
> whether it is run as root or not.
Does "id <username>" work?
You also might wanna check the LDAP Server logs. Probably you can see as what 
user (rootbinddn/binddn/anonymous) nss_ldap is trying to authenticate against 
the LDAP server.

> Whereas the same configuration under 
> SLES 9 works as you would expect for both 'getent shadow' and 'getent
> passwd'.
>
> I'm assuming the issue is that nscd 2.4 drops privileges for all queries
> except getsp*().
Did you configure to run as a separate user?q If not, I think it does not drop 
privileges anywhere. But I must admit that my nscd-knowledge is pretty 
limited.

Additionally note that neither "getent passwd" (without any user name 
supplied) nor "getent shadow" and the getsp*() calls make use of nscd.

> Has anyone else observed this and is there an 
> (secure) alternative to having to set both rootbinddn and binddn?

-- 
Ralf Haferkamp
SUSE LINUX Products GmbH, Maxfeldstrasse 5, D-90409 Nuernberg
T: +49-911-74053-0
F: +49-911-74053575 - Ralf.Haferkamp@suse.com