Re: LDAP, part 2
On Mon, May 29, 2000 at 11:39:19PM -0500, John Corey wrote:
> 
> Jeff Licquia wrote:
> > 
> > First off, remember that you have to configure glibc's nsswitch
> > stuff.  Install the libnss-ldap module, and configure
> > /etc/nsswitch.conf to use it.  (On Debian: "apt-get install
> > libnss-ldap", then edit /etc/nsswitch.conf and /etc/libnss-ldap.conf
> > to taste.)
> 
> Yup, I've got that.  It was the last piece I needed to get the password
> authentication working.

In that case, the last thing you may need to do is delete your account
from /etc/passwd and /etc/shadow.

It depends on how nsswitch is set up.  If the order goes like this:

passwd:   files ldap

then /etc/passwd is considered authoritative.  Reverse "files" and
"ldap" and the LDAP database becomes authoritative.

Passwords work because PAM is set up exactly opposite nsswitch.  Most
of the time, you put pam_ldap before pam_unix.  But when session info
is set up, part of the session info is pulled from PAM and part of the
session info is pulled from nsswitch.  This isn't a problem unless you
have accounts defined in both places with the same username but
different info.

The thing you want to avoid is setting up a "root" account in LDAP.
That could have security implications, as the root password could get
pulled from the wrong place.  If this concerns you, make sure you set
both nsswitch and PAM so the local files ("files" and pam_unix,
respectively) are authoritative.

> With this the passwords are working A-OK.  They're using the md5 style
> crypt, and I can log on fine with the password on my ldap server.  The
> trouble I've run into is the peripheral settings, home dir, shell, etc.
> seem to be ignored from the ldap server and pulled from the
> old-fashioned /etc/passwd.  You'd think if it got the password from
> there, it'd come up with the other things. :)

It sounds like I need to try this. :-)

--
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
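
The reply above describes two orderings that decide which source wins: the order of "files" and "ldap" in nsswitch.conf, and the order of pam_unix versus pam_ldap in the PAM auth stack, plus the advice not to define root in LDAP. The script below is an added example, not code from this message or from either author: it parses constructed nsswitch.conf, PAM auth-stack and LDIF text and reports every place where local files are not authoritative or where a root entry exists in the directory. The sample contents, the function names and the idea of reading the PAM auth stack from a single file are all assumptions made for the example.

```python
# Added example: audit whether local files stay authoritative over LDAP
# for account lookups (nsswitch), authentication (PAM), and whether the
# directory defines a "root" entry.  All sample input below is constructed.

NSSWITCH_LDAP_FIRST = """\
# constructed: LDAP consulted before the local files
passwd:   ldap files
group:    ldap files
shadow:   ldap files
hosts:    files dns
"""

NSSWITCH_FILES_FIRST = """\
# constructed: local files are authoritative
passwd:   files ldap
group:    files ldap
shadow:   files ldap
"""

PAM_AUTH_LDAP_FIRST = """\
# constructed PAM auth stack: pam_ldap tried before pam_unix
auth    sufficient   pam_ldap.so
auth    required     pam_unix.so nullok_secure use_first_pass
"""

PAM_AUTH_UNIX_FIRST = """\
# constructed PAM auth stack: pam_unix tried before pam_ldap
auth    sufficient   pam_unix.so nullok_secure
auth    sufficient   pam_ldap.so use_first_pass
auth    required     pam_deny.so
"""

LDIF_WITH_ROOT = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
uidNumber: 1001

dn: uid=root,ou=People,dc=example,dc=org
uid: root
uidNumber: 0
"""

LDIF_WITHOUT_ROOT = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
uidNumber: 1001
"""


def nsswitch_order(text):
    """Map each nsswitch database to its list of sources, in lookup order.
    Action brackets such as [NOTFOUND=return] are skipped."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        order[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return order


def pam_auth_order(text):
    """Return module names from the 'auth' lines of a PAM stack, in order."""
    modules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            modules.append(parts[2])
    return modules


def ldif_uids(text):
    """Collect every 'uid:' attribute value from LDIF text."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("uid:")]


def files_before_ldap(sources):
    """True when 'files' is consulted before 'ldap' (or ldap is absent)."""
    if "ldap" not in sources:
        return True
    if "files" not in sources:
        return False
    return sources.index("files") < sources.index("ldap")


def audit(nsswitch_text, pam_auth_text, ldif_text):
    """Return a list of findings; an empty list means local files win
    everywhere and no root entry lives in the directory."""
    findings = []
    for db, srcs in nsswitch_order(nsswitch_text).items():
        if db in ("passwd", "shadow", "group") and not files_before_ldap(srcs):
            findings.append(f"nsswitch: {db} consults ldap before files ({' '.join(srcs)})")
    mods = pam_auth_order(pam_auth_text)
    if "pam_ldap.so" in mods and "pam_unix.so" in mods \
            and mods.index("pam_ldap.so") < mods.index("pam_unix.so"):
        findings.append("pam: pam_ldap.so runs before pam_unix.so in the auth stack")
    if "root" in ldif_uids(ldif_text):
        findings.append("ldap: the directory defines a 'root' entry")
    return findings


if __name__ == "__main__":
    for label, args in (("ldap-first setup", (NSSWITCH_LDAP_FIRST, PAM_AUTH_LDAP_FIRST, LDIF_WITH_ROOT)),
                        ("files-first setup", (NSSWITCH_FILES_FIRST, PAM_AUTH_UNIX_FIRST, LDIF_WITHOUT_ROOT))):
        print(f"== {label} ==")
        for f in audit(*args) or ["no findings"]:
            print("  " + f)
```

On a real host the three inputs would be read from /etc/nsswitch.conf, the PAM service file for the login path, and an ldapsearch dump of the People subtree; the script only reports, it changes nothing.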