Re: [nssldap] nss_ldap, tls_key, and nscd

Chris Adams wrote:
> I'm trying to set up RHEL 5 with OpenLDAP, nss_ldap, and nscd.  I
> thought I'd try to secure the client<->server communications with TLS,
> so I set up a TLS server cert and TLS client cert (both signed by my
> CA).
>
> Most things seem to work.  I can "getent passwd foo" to get the passwd
> entry for user "foo" from LDAP just fine (as root or as a normal user).
> However, "getent passwd" (or "getent group") only works as root.  As a
> normal user, they list the local entries and then hang.  Also, bash
> ~user<TAB> hangs (e.g. at a bash prompt type "cd ~f<TAB>").
>
> I dug into this some, and it appears that nscd (at least on Linux with
> glibc) doesn't handle getXXent calls, so they are handled directly in
> the calling process (as if nscd was not running).  Since I set up my TLS
> key to be only readable by root and the nscd user, normal users can't
> connect to the LDAP server.
>
> Is there any way around this?

Not using nss_ldap. Use nss-ldapd or OpenLDAP's nssov instead.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
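An added example, not part of the thread and not code from nss_ldap or nss-pam-ldapd: a POSIX shell audit of the situation the report describes. Because nscd does not proxy the getpwent()/getgrent() enumeration calls, every process that runs "getent passwd" under nss_ldap must open its own LDAP connection and therefore read the tls_key file itself; the only way to make that work for unprivileged users is to expose the client private key to them. The script classifies the key named by an nss_ldap-style config as "restricted" (the report's setup, enumeration fails for normal users), "exposed" (enumeration works, every local user can copy the key) or "missing", and offers a timed reproduction of the hang. The config syntax assumed is the nss_ldap /etc/ldap.conf "tls_key <path>" directive; the sample config, key file and account name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, nss_ldap or nss-pam-ldapd).
# Audits whether the TLS client key an nss_ldap config points at is
# readable by unprivileged processes, which in-process enumeration needs.

# Value of the tls_key directive in an nss_ldap /etc/ldap.conf-style file
# (directive, whitespace, value; lines starting with '#' are comments).
ldap_conf_tls_key() {
    awk '$1 !~ /^#/ && tolower($1) == "tls_key" { print $2; exit }' "$1"
}

# 0 if the "other" class has the read bit (column 8 of ls -l is 'r').
# POSIX ACLs are not inspected; an ACL only shows as '+' after the mode.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Classify the key a config names:
#   missing    - no tls_key directive, or the file is absent
#   restricted - not world-readable: only root and the file's group (e.g.
#                nscd) can open it, so an unprivileged "getent passwd"
#                doing in-process enumeration cannot connect (the report)
#   exposed    - world-readable: enumeration works for everyone, but any
#                local user can now copy the client private key
nss_ldap_key_verdict() {
    key=$(ldap_conf_tls_key "$1")
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo missing
    elif world_readable "$key"; then
        echo exposed
    else
        echo restricted
    fi
}

# Timed reproduction of the symptom as an unprivileged account named in $1
# (assumes coreutils timeout). Prints "hang" when enumeration does not
# finish within 15 seconds, "ok" when it does, "error" otherwise.
# Meant to be run by hand as root; nothing below calls it.
check_enumeration() {
    rc=0
    timeout 15 su -s /bin/sh "$1" -c 'getent passwd >/dev/null' || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 124 ]; then
        echo hang
    else
        echo error
    fi
}

# Constructed demonstration on throwaway files: the same config with the
# key at 0640 (as in the report) and then at 0644, as two verdicts.
demo_verdicts() {
    dir=$(mktemp -d)
    printf 'uri ldaps://ldap.example.com/\ntls_key %s/client.key\n' \
        "$dir" > "$dir/ldap.conf"
    : > "$dir/client.key"              # stand-in for the client private key
    chmod 0640 "$dir/client.key"
    a=$(nss_ldap_key_verdict "$dir/ldap.conf")
    chmod 0644 "$dir/client.key"
    b=$(nss_ldap_key_verdict "$dir/ldap.conf")
    rm -rf "$dir"
    echo "$a $b"                       # "restricted exposed"
}
```

The verdict to aim for is "restricted", which is exactly why the reply points at nss-ldapd (nss-pam-ldapd) or nssov: there a single daemon owns the key and the LDAP connection, and unprivileged processes reach it over a local socket instead of reading the key themselves, so enumeration works without loosening the key's permissions.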