Re: [nssldap] nss_ldap, tls_key, and nscd
- From: Chris Adams <cmadams [at] hiwaay.net>
- To: Howard Chu <hyc [at] highlandsun.com>
- Cc: nssldap [at] padl.com
- Subject: Re: [nssldap] nss_ldap, tls_key, and nscd
- Date: Wed, 19 Aug 2009 15:46:18 -0500
Once upon a time, Howard Chu <hyc@highlandsun.com> said:
> Chris Adams wrote:
> >I'm trying to set up RHEL 5 with OpenLDAP, nss_ldap, and nscd. I
> >thought I'd try to secure the client<->server communications with TLS,
> >so I set up a TLS server cert and TLS client cert (both signed by my
> >CA).
> >
> >Most things seem to work. I can "getent passwd foo" to get the passwd
> >entry for user "foo" from LDAP just fine (as root or as a normal user).
> >However, "getent passwd" (or "getent group") only work as root. As a
> >normal user, they list the local entries and then hang. Also, bash
> >~user<TAB> hangs (e.g. at a bash prompt type "cd ~f<TAB>").
> >
> >I dug into this some, and it appears that nscd (at least on Linux with
> >glibc) doesn't handle getXXent calls, so they are handled directly in
> >the calling process (as if nscd was not running). Since I set up my TLS
> >key to be only readable by root and the nscd user, normal users can't
> >connect to the LDAP server.
> >
> >Is there any way around this?
>
> Not using nss_ldap. Use nss-ldapd or OpenLDAP's nssov instead.
Hmm. Well, my servers are RHEL 5 (and some still RHEL 4), so I need to
try to use nss_ldap if at all possible.
I guess lots of other people are using nss_ldap; how do you control
access to the LDAP server(s)? Just using IP-based filters (host
firewalls, router ACLs, etc.)?
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
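The situation Chris describes comes down to the permissions on the file named by nss_ldap's `tls_key` directive: single lookups go through nscd (which can read the key), but getXXent enumeration runs inside the calling process, which cannot. The following POSIX shell snippet is an added example, not code from the thread or from nss_ldap; it assumes an ldap.conf-style file using the `tls_key <path>` syntax and reports which of the three states the key is in. The sample configuration and key file in the usage section are constructed.

```shell
#!/bin/sh
# Added example: audit the client key referenced by nss_ldap's tls_key.
# Assumes the "tls_key <path>" directive syntax of /etc/ldap.conf.

# Print the path of the last tls_key directive in the file, ignoring
# comment lines; the directive name is matched case-insensitively.
tls_key_path() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "tls_key" { p = $2 }
         END { if (p != "") print p }' "$1"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify who can read the key:
#   owner-only      only the file owner (typically root) can read it
#   group-readable  owner plus one group (e.g. nscd), as in the thread:
#                   nscd-backed lookups work, in-process getXXent fails
#   world-readable  every local user can read it, so enumeration works
#                   but the client key is no longer a secret
key_exposure() {
    conf="$1"
    key=$(tls_key_path "$conf")
    [ -n "$key" ] || { echo "no-tls_key"; return 1; }
    [ -f "$key" ] || { echo "missing"; return 1; }
    mode=$(file_mode "$key")
    # Last digit = "other" bits, second-to-last = "group" bits.
    other=${mode#"${mode%?}"}
    rest=${mode%?}
    group=${rest#"${rest%?}"}
    case $other in
        4|5|6|7) echo "world-readable" ;;
        *) case $group in
               4|5|6|7) echo "group-readable" ;;
               *) echo "owner-only" ;;
           esac ;;
    esac
}

# Usage: sh audit_tls_key.sh /etc/ldap.conf
if [ -n "${1:-}" ]; then
    key_exposure "$1"
fi
```

A "group-readable" result with the key owned by root and the nscd group is exactly the configuration in the question: it protects the key but breaks unprivileged enumeration. Making the key world-readable restores enumeration, at the cost of the client certificate no longer proving anything about who is connecting, which is why the follow-up question about server-side controls such as IP-based filtering is the relevant one.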