Here's the latest as to why I cannot ID my ldap user. I set up the hostObject attribute in my ldap server to enable host based authentication. I then added the following in /etc/ldap.conf:

On the client side, simply modify /etc/pam_ldap.conf to include these lines:

pam_check_host_attr yes
pam_filter |(host=client_hostname)(host=*)

I've added the host attribute to all my ldap users to login to certain hosts. That's when I cannot id my ldap users. Somehow pam is not allowing caching when this host based authentication is turned on.

On Thu, Dec 2, 2010 at 2:26 PM, Anton Chu <[email protected]> wrote:
> NSCD daemon is the culprit. Here's the error when I do id tony:
>
> nscd -d
> Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
> Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETFDPW
> Thu 02 Dec 2010 02:18:18 PM PST - 14248: provide access to FD 5, for passwd
> Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
> Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETPWBYNAME (tony)
> Thu 02 Dec 2010 02:18:18 PM PST - 14248: Haven't found "tony" in password cache!
> Thu 02 Dec 2010 02:18:24 PM PST - 14248: Reloading "nslcd" in password cache!
> Thu 02 Dec 2010 02:18:39 PM PST - 14248: remove GETPWBYNAME entry "tony"
> Thu 02 Dec 2010 02:18:50 PM PST - 14248: handle_request: request received (Version = 2) from PID 14258
>
> Here's my nscd.conf file:
>
> cat /etc/nscd.conf | grep -v ^# | grep -v ^$
> debug-level 0
> paranoia no
> enable-cache passwd yes
> positive-time-to-live passwd 600
> negative-time-to-live passwd 20
> suggested-size passwd 211
> check-files passwd yes
> persistent passwd yes
> shared passwd yes
> max-db-size passwd 33554432
> auto-propagate passwd yes
> enable-cache group yes
> positive-time-to-live group 3600
> negative-time-to-live group 60
> suggested-size group 211
> check-files group yes
> persistent group yes
> shared group yes
> max-db-size group 33554432
> auto-propagate group yes
> enable-cache hosts no
> positive-time-to-live hosts 3600
> negative-time-to-live hosts 20
> suggested-size hosts 211
> check-files hosts yes
> persistent hosts yes
> shared hosts yes
> max-db-size hosts 33554432
> enable-cache services yes
> positive-time-to-live services 28800
> negative-time-to-live services 20
> suggested-size services 211
> check-files services yes
> persistent services yes
> shared services yes
> max-db-size services 33554432
>
> On Thu, Dec 2, 2010 at 1:15 PM, Anton Chu <[email protected]> wrote:
>
>> On another machine, tried this howto after purging the above packages.
>>
>> http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2
>>
>> sudo apt-get install libnss-ldapd libpam-ldapd
>>
>> Still the same outcome. I can ldapsearch, getent, etc. but id cannot show the ldap users.
>>
>> here's my /etc/ldap.conf
>>
>> cat /etc/ldap.conf | grep -v ^# | grep -v ^$
>> base dc=example,dc=com
>> uri ldap://10.112.18.2
>> ldap_version 3
>> bindpw secret
>> rootbinddn cn=admin,dc=example,dc=com
>>
>> bind_policy soft
>>
>> pam_check_host_attr yes
>> pam_password md5
>> nss_base_passwd ou=People,dc=example,dc=com
>> nss_base_shadow ou=People,dc=example,dc=com?one
>> nss_base_group ou=Groups,dc=example,dc=com?one
>>
>> On Thu, Dec 2, 2010 at 9:00 AM, Anton Chu <[email protected]> wrote:
>>
>>> Ok here's what you suggested:
>>>
>>> r...@webtest111:/etc/pam.d# id tony
>>> id: tony: No such user
>>> r...@webtest111:/etc/pam.d# getent passwd tony
>>> r...@webtest111:/etc/pam.d# getent passwd | grep tony
>>> tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
>>> r...@webtest111:/etc/pam.d# /etc/init.d/nscd stop
>>>  * Stopping Name Service Cache Daemon nscd      [ OK ]
>>> r...@webtest111:/etc/pam.d# getent passwd | grep tony
>>> tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
>>> r...@webtest111:/etc/pam.d# getent passwd tony
>>> r...@webtest111:/etc/pam.d#
>>>
>>> I'll start a reinstall of the other packages instead of libnss-ldap and libpam-ldap.
>>>
>>> Thanks for the tips.
>>>
>>> Regards
>>>
>>> On Wed, Dec 1, 2010 at 11:48 PM, Buchan Milne <[email protected]> wrote:
>>>
>>>> On Wednesday, 1 December 2010 22:37:56 Anton Chu wrote:
>>>> > I've setup an Ubuntu 10.10 LDAP Client to authenticate off my LDAP server.
>>>> > I've installed the following:
>>>> >
>>>> > sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nscd ldap-utils pam_ccreds
>>>> >
>>>> > Here's my /etc/nsswitch.conf:
>>>> >
>>>> > passwd: files ldap [NOTFOUND=return] db
>>>> > group: files ldap [NOTFOUND=return] db
>>>> > shadow: files ldap
>>>> >
>>>> > hosts: files dns
>>>> > networks: files
>>>> >
>>>> > protocols: db files
>>>> > services: db files
>>>> > ethers: db files
>>>> > rpc: db files
>>>> >
>>>> > I can nss_updatedb ldap successfully:
>>>> > # nss_updatedb ldap
>>>> > passwd... done.
>>>> > group... done.
>>>> >
>>>> > I can getent passwd, getent passwd shadow, getent group just fine and they all show all my ldap users.
>>>>
>>>> Please compare these two:
>>>>
>>>> $ getent passwd |grep tony
>>>> $ getent passwd tony
>>>>
>>>> If the first succeeds (returns a line looking like /etc/passwd), and the second fails (returns nothing), then you probably have a negative cache from nscd. Stop nscd, and test again.
>>>>
>>>> > However, I cannot do an id ldapuser
>>>> >
>>>> > ex:
>>>> > $ id tony
>>>> > id: tony: No such user
>>>>
>>>> [...]
>>>>
>>>> > ID works just fine with my local users on my local machine so somehow it's not able to read the ldap users.
>>>> >
>>>> > Any insights appreciated.
>>>>
>>>> In some environments, I do use nss_ldap+nss_db/nss_updatedb+nscd, but one of the newer options (e.g. sssd) may be a better option.
>>>>
>>>> Regards,
>>>> Buchan
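As an added example (not part of the thread, and not pam_ldap's own code), the following evaluates the pam_filter quoted at the top of the thread against a few constructed user entries, to show what `(host=*)` actually selects. In LDAP filter syntax (RFC 4515) `(host=*)` is a presence test: it matches every entry that carries any host value, not only entries whose host value is the literal string `*`. A literal asterisk has to be escaped as `\2a`. The user entries, the client name `webtest111` (taken from the prompt in the thread) and the way pam_filter is wrapped into the lookup, modelled here as `(&(uid=<user>)(<pam_filter>))`, are all assumptions made for this illustration.

```python
"""Added example: evaluate an LDAP search filter locally to see which users a
pam_filter admits. Entries, host name and the (&(uid=...)(pam_filter)) wrapping
are constructed assumptions for illustration only."""
import re

HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape(value: str) -> str:
    """Decode RFC 4515 \\XX escapes, e.g. \\2a -> '*'."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse(filt: str):
    """Parse a filter string into a tuple tree.

    Supported: (&...), (|...), (!...), equality (attr=value) and the presence
    form (attr=*). Substring filters such as (attr=ab*) are out of scope here.
    """
    pos = 0

    def expr():
        nonlocal pos
        if filt[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = filt[pos]
        if op in "&|!":
            pos += 1
            children = []
            while filt[pos] == "(":
                children.append(expr())
            if filt[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = filt.index(")", pos)
        attr, _, value = filt[pos:end].partition("=")
        pos = end + 1
        if value == "*":                      # presence filter, not a literal '*'
            return ("present", attr.lower())
        return ("eq", attr.lower(), unescape(value))

    tree = expr()
    if pos != len(filt):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry of the form {attr: [values]}."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    if kind == "present":
        return bool(entry.get(tree[1]))
    _, attr, value = tree
    # Directory string attributes usually compare case-insensitively.
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


# Constructed sample entries (assumption): four users with different host values.
USERS = [
    {"uid": ["tony"],  "host": ["webtest111"]},   # explicitly allowed on this client
    {"uid": ["alice"], "host": ["*"]},            # literal '*' meaning "every host"
    {"uid": ["bob"],   "host": ["otherhost"]},    # allowed somewhere else only
    {"uid": ["carol"]},                           # no host attribute at all
]


def allowed_users(pam_filter: str, client_host: str, entries: list) -> list:
    """Return the uids the modelled pam_ldap lookup would accept on client_host.

    The wrapping (&(uid=<user>)(<pam_filter>)) is an assumption of this example.
    """
    f = pam_filter.replace("client_hostname", client_host)
    allowed = []
    for e in entries:
        uid = e["uid"][0]
        if matches(parse(f"(&(uid={uid})({f}))"), e):
            allowed.append(uid)
    return allowed


if __name__ == "__main__":
    presence = "|(host=client_hostname)(host=*)"       # filter as quoted in the thread
    literal = r"|(host=client_hostname)(host=\2a)"     # literal '*' value, escaped
    print("presence form admits:", allowed_users(presence, "webtest111", USERS))
    print("escaped form admits: ", allowed_users(literal, "webtest111", USERS))
```

With the filter as quoted, `bob` is admitted on `webtest111` even though his only host value is `otherhost`, because the presence test is satisfied by any host value; with `\2a` only `tony` and `alice` pass. When reviewing a host-based filter, the check to make is exactly this one: enumerate who the filter admits on a given client rather than reading the filter as if `*` were a wildcard value.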
