[nssldap] nss_ldap, tls_key, and nscd

I'm trying to set up RHEL 5 with OpenLDAP, nss_ldap, and nscd.  I
thought I'd try to secure the client<->server communications with TLS,
so I set up a TLS server cert and TLS client cert (both signed by my
CA).

Most things seem to work.  I can "getent passwd foo" to get the passwd
entry for user "foo" from LDAP just fine (as root or as a normal user).
However, "getent passwd" (or "getent group") only works as root.  As a
normal user, they list the local entries and then hang.  Also, bash
~user<TAB> hangs (e.g. at a bash prompt type "cd ~f<TAB>").

I dug into this some, and it appears that nscd (at least on Linux with
glibc) doesn't handle getXXent calls, so they are handled directly in
the calling process (as if nscd was not running).  Since I set up my TLS
key to be only readable by root and the nscd user, normal users can't
connect to the LDAP server.

Is there any way around this?
-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
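The hang described above comes from the enumeration path (getXXent) running inside the unprivileged caller, which then cannot open the TLS client key that only root and the nscd user may read. The following diagnostic is an added example, not code from the poster or from nss_ldap; it reads the `tls_key` keyword from an ldap.conf-style file (the keyword is from the post's subject; the awk/ls parsing and the sample config it builds are my own assumptions) and reports whether the key's mode bits would let a process without root or nscd privileges open it. It only inspects file modes and never contacts an LDAP server.

```shell
#!/bin/sh
# Added diagnostic for the nss_ldap/nscd enumeration hang discussed on the list.
# Not part of nss_ldap; the helper names below are hypothetical.

# Print the value of a keyword (e.g. tls_key) from an ldap.conf-style file.
# Lines are "keyword value"; comment lines start with '#' and never match.
ldapconf_value() {
    # $1 = keyword, $2 = config file
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Return 0 if the "other" read bit is set on the file, 1 if not, 2 if unreadable.
# Parses ls -ld so it works on both GNU and BSD userland without stat -c.
other_readable() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 2
    [ "$(printf '%s' "$perms" | cut -c8)" = r ]
}

# Classify the tls_key referenced by a config file:
#   no-tls_key     - no client key configured, enumeration never needs one
#   missing        - path in the config does not exist
#   restricted     - only owner/group can read it: the setup from the post,
#                    where getent enumeration by a normal user cannot open it
#   world-readable - any local process can open it (enumeration works, but the
#                    private key is readable by every local account)
classify_tls_key() {
    key=$(ldapconf_value tls_key "$1")
    [ -n "$key" ] || { echo "no-tls_key"; return 0; }
    [ -e "$key" ] || { echo "missing"; return 0; }
    if other_readable "$key"; then
        echo "world-readable"
    else
        echo "restricted"
    fi
}

# Demo on a constructed config in a temp dir (not a real /etc/ldap.conf),
# mirroring the post: key mode 0640, readable by root and the nscd group only.
demo() {
    d=$(mktemp -d) || return 1
    printf 'base dc=example,dc=com\ntls_key %s/client.key\n' "$d" > "$d/ldap.conf"
    : > "$d/client.key"
    chmod 640 "$d/client.key"
    echo "tls_key in sample config is: $(classify_tls_key "$d/ldap.conf")"
    rm -rf "$d"
}

demo
```

Run against the real client config with `classify_tls_key /etc/ldap.conf`; a result of `restricted` is exactly the state the post describes, where lookups via nscd succeed but enumeration performed directly in an unprivileged process cannot load the key.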