[CentOS] nss_pam against centos-ds fails for non-root users

Wed Jul 21 06:03:26 UTC 2010
Gordon Messmer <yinyang at eburg.com>

On 07/20/2010 02:11 PM, Nicolai Stange wrote:
> The only entries in my /etc/ldap.conf are those:
> tls_cacertfile /etc/nss/ca.example.org-cert.pem
> tls_cert /etc/nss/nss-cert.pem
> tls_key /etc/nss/nss-key.pem

I don't think that can possibly be true.  If you don't have a uri 
specified, you won't get any results.  I just tested that on a system 
which is running a directory server.

Try this:
$ grep '^[^#]' /etc/ldap.conf

I get:

base dc=private,dc=dragonsdawn,dc=net
timelimit 120
bind_timelimit 120
idle_timelimit 3600
uri ldap://directory.private.dragonsdawn.net/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

> The nss-{key,cert}.pem may be used to bind at the following DN:
> dn: cn=nss,ou=Special Users,dc=example,dc=org

I don't think that makes any difference unless you specify binddn in 

> Setting ownerships to world readable, e.g.
> doesn't change anything.

What about the permission on the directory /etc/nss?

All of those items must be readable by all users.  The only file which 
can be restricted is an optional file referenced by rootbinddn in 
/etc/ldap.conf which is typically used if you require specific 
credentials to change passwords.  If you use this file, non-root users 
still need valid credentials to bind and search the directory read-only.

You might be able to avoid giving users any access if you use sssd and 
nss_sss, but that's an unusual configuration.

The key to solving this problem is that all users of your system must 
have read access to all of the information that they require to bind and 
search in your directory server.