[CentOS] nss_pam against centos-ds fails for non-root users
Gordon Messmer
yinyang at eburg.com
Wed Jul 21 06:03:26 UTC 2010
On 07/20/2010 02:11 PM, Nicolai Stange wrote:
>
> The only entries in my /etc/ldap.conf are those:
> tls_cacertfile /etc/nss/ca.example.org-cert.pem
> tls_cert /etc/nss/nss-cert.pem
> tls_key /etc/nss/nss-key.pem
I don't think that can possibly be true. If you don't have a uri
specified, you won't get any results. I just tested that on a system
which is running a directory server.
Try this:
$ grep '^[^#]' /etc/ldap.conf
I get:
base dc=private,dc=dragonsdawn,dc=net
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse
uri ldap://directory.private.dragonsdawn.net/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
> The nss-{key,cert}.pem may be used to bind at the following DN:
> dn: cn=nss,ou=Special Users,dc=example,dc=org
I don't think that makes any difference unless you specify binddn in
/etc/ldap.conf
> Setting ownerships to world readable, e.g.
...
> doesn't change anything.
What about the permission on the directory /etc/nss?
All of those items must be readable by all users. The only file which
can be restricted is an optional file referenced by rootbinddn in
/etc/ldap.conf which is typically used if you require specific
credentials to change passwords. If you use this file, non-root users
still need valid credentials to bind and search the directory read-only.
You might be able to avoid giving users any access if you use sssd and
nss_sss, but that's an unusual configuration.
The key to solving this problem is that all users of your system must
have read access to all of the information that they require to bind and
search in your directory server.
More information about the CentOS
mailing list