Hi,
Please, bear with me! I know that this is not an openldap question per se, but I've been banging my head on the wall for a long time on this issue and maybe someone knows the quick answer: with user authentication coming from LDAP, what is the magic that has to inserted with the PAM stuff on a client to allow users to change their login shells using 'chsh'? I've been googling this for hours to no avail. I nice hint would just suffice.
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I managed to make the 'passwd' command to work using the libnss-ldap configuration 'pam_password exop' directive but I'm clueless with chsh...
Right now I'm getting messages
chsh: user 'luser' does not exist in /etc/passwd
and the system auth logs tells me:
chsh[4638]: pam_unix(chsh:auth): authentication failure; logname=luser uid=1137 euid=0 tty= ruser= rhost= user=luser
/etc/pam.d/chsh originally contained, once the @include included:
auth required pam_shells.so auth sufficient pam_rootok.so auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_ldap.so use_first_pass auth requisite pam_deny.so auth required pam_permit.so auth optional pam_cap.so account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 default=ignore] pam_ldap.so account requisite pam_deny.so account required pam_permit.so session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_umask.so session required pam_unix.so session optional pam_ldap.so session optional pam_systemd.so
I tried to trim it down -- removing the account and session entries but to no avail so far...
thanks, jf
Jean-Francois Malouin wrote:
Hi,
Please, bear with me! I know that this is not an openldap question per se, but I've been banging my head on the wall for a long time on this issue and maybe someone knows the quick answer: with user authentication coming from LDAP, what is the magic that has to inserted with the PAM stuff on a client to allow users to change their login shells using 'chsh'? I've been googling this for hours to no avail. I nice hint would just suffice.
The PAM API has no support for changing anything besides the password. The NSS API has no support for changing anything at all, it is purely read-only. Any solution for what you want to do is going to be non-standard, site- and implementation-specific.
* Howard Chu hyc@symas.com [20181215 13:16]:
Jean-Francois Malouin wrote:
Hi,
Please, bear with me! I know that this is not an openldap question per se, but I've been banging my head on the wall for a long time on this issue and maybe someone knows the quick answer: with user authentication coming from LDAP, what is the magic that has to inserted with the PAM stuff on a client to allow users to change their login shells using 'chsh'? I've been googling this for hours to no avail. I nice hint would just suffice.
The PAM API has no support for changing anything besides the password. The NSS API has no support for changing anything at all, it is purely read-only. Any solution for what you want to do is going to be non-standard, site- and implementation-specific.
Thank you for the pointers. Well then, I'll stop banging my head on the wall!
Regards, jf
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd appear to include a 'chsh.ldap' command in the nslcd-utils package. However it looks like that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather than the old libnss-ldap and libpam-ldap.
Ryan Tandy wrote:
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd appear to include a 'chsh.ldap' command in the nslcd-utils package. However it looks like that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather than the old libnss-ldap and libpam-ldap.
Would be best to be running those anyway, since the old stuff was deprecated long ago.
On 12/16/18 3:18 AM, Ryan Tandy wrote:
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd appear to include a 'chsh.ldap' command in the nslcd-utils package. However it looks like that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather than the old libnss-ldap and libpam-ldap.
Looking at its man page [1] it requires that nslcd has *write* access to the user's entry, at least attribute 'loginShell'. IMO this is a security-fail-by-design because any system rooted can change every user entry. I would fire an admin who sets up an infrastructure like this.
Instead one should provide a decent self-service web interface and use the correct OpenLDAP "by self write" ACLs instead.
Ciao, Michael.
* Howard Chu hyc@symas.com [20181216 08:57]:
Ryan Tandy wrote:
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd appear to include a 'chsh.ldap' command in the nslcd-utils package. However it looks like that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather than the old libnss-ldap and libpam-ldap.
Would be best to be running those anyway, since the old stuff was deprecated long ago.
Well, I hard-locked all the systems I tried to install libnss-ldapd along with nslcd: no ssh sessions, no console logins, nada. Once more, a PAM-related issue I guess. Also, it seems that all the info I find out there about how to configure those are either obsolete, very old and in some cases, 'not even wrong' :)
As for being 'deprecated', https://wiki.debian.org/LDAP/NSS claims that:
"In general libnss-ldapd is simpler but newer and libnss-ldap is more mature but more complex...".
Regards, jf
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Jean-Francois Malouin wrote:
- Howard Chu hyc@symas.com [20181216 08:57]:
Ryan Tandy wrote:
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd appear to include a 'chsh.ldap' command in the nslcd-utils package. However it looks like that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather than the old libnss-ldap and libpam-ldap.
Would be best to be running those anyway, since the old stuff was deprecated long ago.
Well, I hard-locked all the systems I tried to install libnss-ldapd along with nslcd: no ssh sessions, no console logins, nada. Once more, a PAM-related issue I guess. Also, it seems that all the info I find out there about how to configure those are either obsolete, very old and in some cases, 'not even wrong' :)
As for being 'deprecated', https://wiki.debian.org/LDAP/NSS claims that:
"In general libnss-ldapd is simpler but newer and libnss-ldap is more mature but more complex...".
The author of nss_ldap and pam_ldap officially abandoned those packages ~9 years ago. Support for those packages was redirected from the authors at PADL.com to Symas.com back in 2007 or so, and we (Symas) have promoted nss-pam-ldapd and OpenLDAP nssov since 2010.
nss-ldap is not mature, it is dead.
Howard Chu wrote:
Jean-Francois Malouin wrote:
- Howard Chu hyc@symas.com [20181216 08:57]:
Ryan Tandy wrote:
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd appear to include a 'chsh.ldap' command in the nslcd-utils package. However it looks like that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather than the old libnss-ldap and libpam-ldap.
Would be best to be running those anyway, since the old stuff was deprecated long ago.
Well, I hard-locked all the systems I tried to install libnss-ldapd along with nslcd: no ssh sessions, no console logins, nada. Once more, a PAM-related issue I guess. Also, it seems that all the info I find out there about how to configure those are either obsolete, very old and in some cases, 'not even wrong' :)
As for being 'deprecated', https://wiki.debian.org/LDAP/NSS claims that:
"In general libnss-ldapd is simpler but newer and libnss-ldap is more mature but more complex...".
The author of nss_ldap and pam_ldap officially abandoned those packages ~9 years ago. Support for those packages was redirected from the authors at PADL.com to Symas.com back in 2007 or so,
At least by April 2007 http://scratchpad.wikia.com/wiki/Ldap?diff=2174401&oldid=129692
and we (Symas) have promoted nss-pam-ldapd and OpenLDAP nssov since 2010.
nss-ldap is not mature, it is dead.
On 12/16/18 7:14 PM, Jean-Francois Malouin wrote:
As for being 'deprecated', https://wiki.debian.org/LDAP/NSS claims that:
"In general libnss-ldapd is simpler but newer and libnss-ldap is more mature but more complex...".
You should not believe everything written on the Internet.
Ciao, Michael.
On Saturday, December 15, 2018 06:18:49 PM Ryan Tandy wrote:
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd appear to include a 'chsh.ldap' command in the nslcd-utils package. However it looks like that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather than the old libnss-ldap and libpam-ldap.
It is probably not a good idea to do chsh in a LDAP controlled site in the first place. What if the user chsh into something not installed on every host, then realize she cannot login anymore?
local chsh at least is protected by the local /etc/shells. It is probably simpler and safer to have a line of "exec zsh --login" in their .profile file
* Howard Chu hyc@symas.com [20181216 14:18]:
Howard Chu wrote:
Jean-Francois Malouin wrote:
- Howard Chu hyc@symas.com [20181216 08:57]:
Ryan Tandy wrote:
On Fri, Dec 14, 2018 at 03:24:17PM -0500, Jean-Francois Malouin wrote:
I'm using libnss-ldap along with pam-ldap on Ubuntu and Debian clients.
I have not tried this myself, but recent versions of nss-pam-ldapd appear to include a 'chsh.ldap' command in the nslcd-utils package. However it looks like that would require you to be using libnss-ldapd and libpam-ldapd with nslcd, rather than the old libnss-ldap and libpam-ldap.
Would be best to be running those anyway, since the old stuff was deprecated long ago.
Well, I hard-locked all the systems I tried to install libnss-ldapd along with nslcd: no ssh sessions, no console logins, nada. Once more, a PAM-related issue I guess. Also, it seems that all the info I find out there about how to configure those are either obsolete, very old and in some cases, 'not even wrong' :)
As for being 'deprecated', https://wiki.debian.org/LDAP/NSS claims that:
"In general libnss-ldapd is simpler but newer and libnss-ldap is more mature but more complex...".
The author of nss_ldap and pam_ldap officially abandoned those packages ~9 years ago. Support for those packages was redirected from the authors at PADL.com to Symas.com back in 2007 or so,
At least by April 2007 http://scratchpad.wikia.com/wiki/Ldap?diff=2174401&oldid=129692
and we (Symas) have promoted nss-pam-ldapd and OpenLDAP nssov since 2010.
nss-ldap is not mature, it is dead.
:)
Thanks all for the very interesting remarks and feedback.
jf
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
openldap-technical@openldap.org