Re: [nssldap] nss_ldap on SLES 10
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: [nssldap] nss_ldap on SLES 10
- From: Ralf Haferkamp <rhafer [at] suse.de>
- To: nssldap [at] padl.com
- Subject: Re: [nssldap] nss_ldap on SLES 10
- Date: Tue, 30 Jan 2007 09:45:39 +0100
On Monday 29 January 2007 20:43, Iain Morgan wrote:
> Hello,
>
> On SLES 9 (nscd 2.3.5, nss_ldap 215) it seems that it is sufficient to
> set rootbinddn in /etc/ldap.conf to get reasonable behaviour. However,
> on SLES 10 (nscd 2.4, nss_ldap 246) it appears to be necessary to set
> binddn/bindpw instead.
What do you mean by "reasonable behaviour". Please describe.
> With only rootbinddn set on SLES 10, commands such as 'getent shadow'
> work when run as root, but 'getent passwd' does not - regardless of
> whether it is run as root or not.
Does "id <username>" work?
You also might wanna check the LDAP Server logs. Probably you can see as what
user (rootbinddn/binddn/anonymous) nss_ldap is trying to authenticate against
the LDAP server.
> Whereas the same configuration under
> SLES 9 works as you would expect for both 'getent shadow' and 'getent
> passwd'.
>
> I'm assuming the issue is that nscd 2.4 drops privileges for all queries
> except getsp*().
Did you configure to run as a separate user?q If not, I think it does not drop
privileges anywhere. But I must admit that my nscd-knowledge is pretty
limited.
Additionally note that neither "getent passwd" (without any user name
supplied) nor "getent shadow" and the getsp*() calls make use of nscd.
> Has anyone else observed this and is there an
> (secure) alternative to having to set both rootbinddn and binddn?
--
Ralf Haferkamp
SUSE LINUX Products GmbH, Maxfeldstrasse 5, D-90409 Nuernberg
T: +49-911-74053-0
F: +49-911-74053575 - Ralf.Haferkamp@suse.com