
OT: libnss-ldap && nss_base_passwd option

[I know, I was one of those that talked about moving all nss/pam
 questions off list, but the (nss|pam)-ldap@padl.com lists just don't
 want to subscribe me! I've tried a number of times now!]

I want to restrict access to my server(s) so that I can say 'this
user has access to this machine, but not this one'.

Using PAM, it's "simple" (?), it's just a matter of entering the
----- s n i p -----
pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=SERVER_FQDN)
----- s n i p -----

While trying to add the same stuff to the libnss-ldap.conf file, I
discovered that it's theoretically possible to use:
----- s n i p -----
nss_base_passwd dc=com?sub?objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=SERVER_FQDN)
----- s n i p -----

But it doesn't seem to work! Sudo/SSH won't let me in, 'id' works fine...
----- s n i p -----
[papadoc.pts/2]$ sudo ls
sudo: uid 1000 does not exist in the passwd file!
----- s n i p -----

Compiling libnss-ldap with debugging on, I get this:
----- s n i p -----
[papadoc.pts/2]$ sudo ls 2>&1 | grep do_filter:
nss_ldap: :== do_filter: (&(objectclass=posixAccount)(uidNumber=1000)(objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=SERVER_FQDN)))
----- s n i p -----

Using this search string with 'ldapsearch' (with the base/scope values
from the config file) will return my object...

The reason I must have libnss-ldap do this search, is that I'm
no longer using pam-ldap (my passwords have been moved to a kerberos
KDC) but instead pam-krb5...

 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
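The filter shown in the do_filter debug line above, rebuilt and evaluated against constructed directory entries, as an added example that is not part of the original post. It assumes nss_ldap composes the lookup as (&(objectclass=posixAccount)(uidNumber=N)(<fragment>)), which is what the debug output shows; the entries, host names and uid values are made up, and nss_ldap itself is not involved.

```python
# Added example (not from the original post): rebuild the host-access filter
# the way the do_filter debug line shows nss_ldap composing it, then evaluate
# it against constructed entries.  Attribute names trustmodel and accessto come
# from the post; entries and host names are constructed sample data.

# Fragment exactly as written after the '?' in nss_base_passwd.  Its outer
# parentheses are omitted because nss_ldap adds them when wrapping the fragment.
ACCESS_FRAGMENT = "objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto={host})"

def compose(uid_number, host):
    """Rebuild the search filter nss_ldap issues for getpwuid(uid_number)."""
    fragment = ACCESS_FRAGMENT.format(host=host)
    return f"(&(objectclass=posixAccount)(uidNumber={uid_number})({fragment}))"

def parse(s, i=0):
    """Minimal LDAP filter parser: (&...), (|...), (!...) and (attr=value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value.lower()), j + 1

def evaluate(node, entry):
    """Match a parsed filter against {attr: [values]} (case-insensitive)."""
    op = node[0]
    if op == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    return not evaluate(node[1][0], entry)          # "!"

def allowed(entry, host):
    """True if getpwuid() on `host` would return this entry under the filter."""
    f = compose(entry["uidnumber"][0], host)
    tree, end = parse(f)
    if end != len(f):                               # trailing text = unbalanced
        raise ValueError(f"malformed filter: {f}")
    return evaluate(tree, entry)
```

A fragment with an unmatched parenthesis fails in parse() or the length check, so the same function doubles as a sanity check for a candidate nss_base_passwd filter before it goes into the config.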