Re: Issue with resolving groups with nss_ldap: msg#00004

ldap.padl.nss

Subject: Re: Issue with resolving groups with nss_ldap

On Friday 01.09.2006 at 11:33 (+0200), Erik Logtenberg wrote:

> I don't understand your reply exactly. The problem doesn't seem to be
> with pam_ldap, since the issue isn't related to 'authentication' but to
> 'resolving'.
> In other words, simply asking nss_ldap "id <user>" will not even cause
> pam_ldap to do anything, right? So I don't see how my
> /etc/pam.d/system-auth file can have anything to do with it, or for that
> matter any pam-related configuration file.
>
> For the record, my /etc/pam.d/system-auth is in fact configured in the
> way that you suggest:
>
> auth required pam_env.so
> auth sufficient pam_unix.so likeauth nullok
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account required pam_ldap.so
>
> password required pam_cracklib.so difok=2 minlen=8
> dcredit=2 ocredit=2 retry=3
> password sufficient pam_unix.so nullok md5 shadow use_authtok
> password sufficient pam_ldap.so use_authtok use_first_pass
> password required pam_deny.so
>
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_ldap.so
>
> However, as said: I don't think this is related.

Ok, sorry, wrong line.

Add (all one line):

account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

to system-auth.

> The problem is that nss_ldap tries to contact ldap for group
> information, even though the correct group information is in fact
> available in /etc/group. This is no real problem as long as the OpenLDAP
> server is running, but I have /etc/passwd, /etc/group and /etc/shadow
> set up as fallback for when OpenLDAP is not running.
> So a special case of a user and group that are in /etc/passwd|group is
> of course the user that OpenLDAP should run as, because it's obvious that
> you can't ask a daemon for information that is needed to start that
> daemon in the first place, right? :)

Try it.

> Now I thought that configuring nss_ldap using a setting like this in
> /etc/nsswitch.conf would cause nss to first read the local files and
> only try to contact ldap when the local files don't contain the required
> information:
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> For passwd and shadow this seems to work, but somehow for group it
> always contacts ldap, even if the asked group is available in /etc/group.
>
> By the way, the OS is Gentoo Linux (Base System version: 1.12.4, Linux:
> 2.6.16.18). I use nss_ldap 249 and pam_ldap 180. My LDAP server is
> OpenLDAP 2.3.24.

Ok, we run RHAS4 with OpenLDAP 2.3.27 (Buchan Milne's basic rpm) and it
works.

Da groet,

--Tonni

--
Tony Earnshaw
reservebergenser
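As an added example, not part of the thread, a small POSIX shell check for the fallback Erik describes: `files` must be consulted before `ldap` for passwd, shadow and group, and the group the OpenLDAP daemon runs as must exist in the local group file so slapd can start while LDAP itself is down. The group name `ldap` and the nsswitch.conf and /etc/group contents below are constructed samples.

```shell
#!/bin/sh
# Constructed sample nsswitch.conf content (not taken from any real host).
SAMPLE_NSSWITCH='passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns'

# Constructed /etc/group sample; "ldap" is the assumed daemon group.
SAMPLE_GROUP='root:x:0:
ldap:x:439:
users:x:100:erik'

# Print the lookup sources configured for one database.
# $1 = database name, stdin = nsswitch.conf text.
nss_sources() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Return 0 only if "files" is listed and comes before "ldap".
# $1 = database name, $2 = nsswitch.conf text.
files_before_ldap() {
    srcs=$(printf '%s\n' "$2" | nss_sources "$1")
    case "$srcs" in
        files*ldap*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the group is defined in the local group file.
# $1 = group name, $2 = /etc/group text.
local_group_exists() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }'
}

# Combined check: local files first for all three databases, and the
# daemon's group present locally. $1 = daemon group, $2 = nsswitch text,
# $3 = group file text. Reports the first failing condition on stderr.
fallback_ready() {
    for db in passwd shadow group; do
        files_before_ldap "$db" "$2" || { echo "$db: files must precede ldap" >&2; return 1; }
    done
    local_group_exists "$1" "$3" || { echo "group $1 missing from local group file" >&2; return 1; }
    return 0
}
```

On a live host, `getent -s files group <name>` asks glibc for the files source only, which is the quickest way to confirm the local entry resolves without LDAP.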
