12:24 p.m.
Hi,
Please, bear with me! I know that this is not an openldap question per se, but
I've been banging my head on the wall for a long time on this issue and maybe
someone knows the quick answer: with user authentication coming from LDAP, what
is the magic that has to inserted with the PAM stuff on a client to allow users
to change their login shells using 'chsh'? I've been googling this for hours
to
no avail. I nice hint would just suffice.
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I managed to make the 'passwd' command to work using the libnss-ldap
configuration 'pam_password exop' directive but I'm clueless with chsh...
Right now I'm getting messages
chsh: user 'luser' does not exist in /etc/passwd
and the system auth logs tells me:
chsh[4638]: pam_unix(chsh:auth): authentication failure; logname=luser uid=1137 euid=0
tty= ruser= rhost= user=luser
/etc/pam.d/chsh originally contained, once the @include included:
auth required pam_shells.so
auth sufficient pam_rootok.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
I tried to trim it down -- removing the account and session entries but to no
avail so far...
thanks,
jf
10:15 a.m.
Jean-Francois Malouin wrote:
Hi,
Please, bear with me! I know that this is not an openldap question per se, but
I've been banging my head on the wall for a long time on this issue and maybe
someone knows the quick answer: with user authentication coming from LDAP, what
is the magic that has to inserted with the PAM stuff on a client to allow users
to change their login shells using 'chsh'? I've been googling this for hours
to
no avail. I nice hint would just suffice.
The PAM API has no support for changing anything besides the password. The NSS API
has no support for changing anything at all, it is purely read-only. Any solution
for what you want to do is going to be non-standard, site- and implementation-specific.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
10:23 a.m.
* Howard Chu <hyc(a)symas.com> [20181215 13:16]:
Jean-Francois Malouin wrote:
> Hi,
>
> Please, bear with me! I know that this is not an openldap question per se, but
> I've been banging my head on the wall for a long time on this issue and maybe
> someone knows the quick answer: with user authentication coming from LDAP, what
> is the magic that has to inserted with the PAM stuff on a client to allow users
> to change their login shells using 'chsh'? I've been googling this for
hours to
> no avail. I nice hint would just suffice.
The PAM API has no support for changing anything besides the password. The NSS API
has no support for changing anything at all, it is purely read-only. Any solution
for what you want to do is going to be non-standard, site- and implementation-specific.
Thank you for the pointers.
Well then, I'll stop banging my head on the wall!
Regards,
jf
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6:18 p.m.
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian
clients.
I have not tried this myself, but recent versions of nss-pam-ldapd
appear to include a 'chsh.ldap' command in the nslcd-utils package.
However it looks like that would require you to be using libnss-ldapd
and libpam-ldapd with nslcd, rather than the old libnss-ldap and
libpam-ldap.
5:56 a.m.
Ryan Tandy wrote:
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin
wrote:
> I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd appear to include a
'chsh.ldap' command in the nslcd-utils package. However it looks like
that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather than
the old libnss-ldap and libpam-ldap.
Would be best to be running those anyway, since the old stuff was deprecated long ago.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6:40 a.m.
On 12/16/18 3:18 AM, Ryan Tandy wrote:
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin
wrote:
> I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd
appear to include a 'chsh.ldap' command in the nslcd-utils package.
However it looks like that would require you to be using libnss-ldapd
and libpam-ldapd with nslcd, rather than the old libnss-ldap and
libpam-ldap.
Looking at its man page [1] it requires that nslcd has *write* access to
the user's entry, at least attribute 'loginShell'. IMO this is a
security-fail-by-design because any system rooted can change every user
entry. I would fire an admin who sets up an infrastructure like this.
Instead one should provide a decent self-service web interface and use
the correct OpenLDAP "by self write" ACLs instead.
Ciao, Michael.
[1] https://arthurdejong.org/nss-pam-ldapd/chsh.ldap.1
10:14 a.m.
* Howard Chu <hyc(a)symas.com> [20181216 08:57]:
Ryan Tandy wrote:
> On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
>> I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
>
> I have not tried this myself, but recent versions of nss-pam-ldapd appear to include
a 'chsh.ldap' command in the nslcd-utils package. However it looks like
> that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather
than the old libnss-ldap and libpam-ldap.
Would be best to be running those anyway, since the old stuff was deprecated long ago.
Well, I hard-locked all the systems I tried to install libnss-ldapd along with
nslcd: no ssh sessions, no console logins, nada. Once more, a PAM-related
issue I guess.
Also, it seems that all the info I find out there about how to configure those
are either obsolete, very old and in some cases, 'not even wrong' :)
As for being 'deprecated', https://wiki.debian.org/LDAP/NSS claims that:
"In general libnss-ldapd is simpler but newer and libnss-ldap is more mature
but more complex...".
Regards,
jf
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:04 a.m.
Jean-Francois Malouin wrote:
* Howard Chu <hyc(a)symas.com> [20181216 08:57]:
> Ryan Tandy wrote:
>> On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
>>> I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
>>
>> I have not tried this myself, but recent versions of nss-pam-ldapd appear to
include a 'chsh.ldap' command in the nslcd-utils package. However it looks like
>> that would require you to be using libnss-ldapd and libpam-ldapd with nslcd,
rather than the old libnss-ldap and libpam-ldap.
>
> Would be best to be running those anyway, since the old stuff was deprecated long
ago.
Well, I hard-locked all the systems I tried to install libnss-ldapd along with
nslcd: no ssh sessions, no console logins, nada. Once more, a PAM-related
issue I guess.
Also, it seems that all the info I find out there about how to configure those
are either obsolete, very old and in some cases, 'not even wrong' :)
As for being 'deprecated', https://wiki.debian.org/LDAP/NSS claims that:
"In general libnss-ldapd is simpler but newer and libnss-ldap is more mature
but more complex...".
The author of nss_ldap and pam_ldap officially abandoned those packages ~9 years ago.
Support
for those packages was redirected from the authors at PADL.com to Symas.com back in 2007
or so,
and we (Symas) have promoted nss-pam-ldapd and OpenLDAP nssov since 2010.
nss-ldap is not mature, it is dead.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:16 a.m.
Howard Chu wrote:
Jean-Francois Malouin wrote:
> * Howard Chu <hyc(a)symas.com> [20181216 08:57]:
>> Ryan Tandy wrote:
>>> On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
>>>> I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian
clients.
>>>
>>> I have not tried this myself, but recent versions of nss-pam-ldapd appear to
include a 'chsh.ldap' command in the nslcd-utils package. However it looks like
>>> that would require you to be using libnss-ldapd and libpam-ldapd with nslcd,
rather than the old libnss-ldap and libpam-ldap.
>>
>> Would be best to be running those anyway, since the old stuff was deprecated long
ago.
>
> Well, I hard-locked all the systems I tried to install libnss-ldapd along with
> nslcd: no ssh sessions, no console logins, nada. Once more, a PAM-related
> issue I guess.
> Also, it seems that all the info I find out there about how to configure those
> are either obsolete, very old and in some cases, 'not even wrong' :)
>
> As for being 'deprecated', https://wiki.debian.org/LDAP/NSS claims that:
>
> "In general libnss-ldapd is simpler but newer and libnss-ldap is more mature
> but more complex...".
The author of nss_ldap and pam_ldap officially abandoned those packages ~9 years ago.
Support
for those packages was redirected from the authors at PADL.com to Symas.com back in 2007
or so,
At least by April 2007
http://scratchpad.wikia.com/wiki/Ldap?diff=2174401&oldid=129692
and we (Symas) have promoted nss-pam-ldapd and OpenLDAP nssov since
2010.
nss-ldap is not mature, it is dead.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3:17 p.m.
On 12/16/18 7:14 PM, Jean-Francois Malouin wrote:
As for being 'deprecated', https://wiki.debian.org/LDAP/NSS
claims that:
"In general libnss-ldapd is simpler but newer and libnss-ldap is more mature
but more complex...".
You should not believe everything written on the Internet.
Ciao, Michael.
7:40 p.m.
On Saturday, December 15, 2018 06:18:49 PM Ryan Tandy wrote:
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin
wrote:
>I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd
appear to include a 'chsh.ldap' command in the nslcd-utils package.
However it looks like that would require you to be using libnss-ldapd
and libpam-ldapd with nslcd, rather than the old libnss-ldap and
libpam-ldap.
It is probably not a good idea to do chsh in a LDAP controlled site in the first
place. What if the user chsh into
something not installed on every host, then realize she cannot login anymore?
local chsh at least is protected by the local /etc/shells. It is probably simpler and
safer
to have a line of "exec zsh --login" in their .profile file
--
Derek Zhou
7:37 a.m.
* Howard Chu <hyc(a)symas.com> [20181216 14:18]:
Howard Chu wrote:
> Jean-Francois Malouin wrote:
>> * Howard Chu <hyc(a)symas.com> [20181216 08:57]:
>>> Ryan Tandy wrote:
>>>> On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
>>>>> I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian
clients.
>>>>
>>>> I have not tried this myself, but recent versions of nss-pam-ldapd
appear to include a 'chsh.ldap' command in the nslcd-utils package. However it
looks like
>>>> that would require you to be using libnss-ldapd and libpam-ldapd with
nslcd, rather than the old libnss-ldap and libpam-ldap.
>>>
>>> Would be best to be running those anyway, since the old stuff was deprecated
long ago.
>>
>> Well, I hard-locked all the systems I tried to install libnss-ldapd along with
>> nslcd: no ssh sessions, no console logins, nada. Once more, a PAM-related
>> issue I guess.
>> Also, it seems that all the info I find out there about how to configure those
>> are either obsolete, very old and in some cases, 'not even wrong' :)
>>
>> As for being 'deprecated', https://wiki.debian.org/LDAP/NSS claims
that:
>>
>> "In general libnss-ldapd is simpler but newer and libnss-ldap is more
mature
>> but more complex...".
>
> The author of nss_ldap and pam_ldap officially abandoned those packages ~9 years
ago. Support
> for those packages was redirected from the authors at PADL.com to Symas.com back in
2007 or so,
At least by April 2007
http://scratchpad.wikia.com/wiki/Ldap?diff=2174401&oldid=129692
> and we (Symas) have promoted nss-pam-ldapd and OpenLDAP nssov since 2010.
>
> nss-ldap is not mature, it is dead.
:)
Thanks all for the very interesting remarks and feedback.
jf
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
1625
days inactive
1628
days old
openldap-technical@openldap.org
11 comments
5 participants
participants (5)
-
Derek Zhou -
Howard Chu -
Jean-Francois Malouin -
Michael Ströder -
Ryan Tandy