[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

Brian LaMere brian at cukerinteractive.com
Wed Jun 30 04:39:39 BST 2010


I was a bit disheartened to see this is an actual bug - be it because of
X package or not, of the two workstations at my desk, the fedora13 box
has no problems (and uses nscd) and the ubuntu one does.

Reading here, I saw the libnss-ldapd suggestion, tried it, worked fine.
Regarding Hark's comment about pam_check_host_attr and
pam_check_service_attr (comment #87), I would bet you could solve that
another way.  The solution I already had in place for another reason
entirely was as follows, and it works just fine for host-based
restrictions:

1) create a group in ldap for the host "hostgrp" - and put the users in that group you want.
2) use pam_succeed_if.so to restrict to the group you want.
In common-auth, before pam_ldap.so, put:
auth        requisite     pam_succeed_if.so user ingroup hostgrp quiet_success

This will cause pam to only allow someone in group hostgrp to log in.
Remove them from hostgrp, they can't log in.  That's what you're wanting
that nslcd/libnss-ldapd isn't allowing, right?  Well, PAM has been
around longer than nscd/nslcd anyway ;)

BTW, in case it isn't obvious, pam_succeed_if statements can be stacked
- the chain goes one to the next, same as when you're using one mod then
another.

-- 
NSS using LDAP+SSL breaks setuid applications like su and sudo
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.
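To make the control-flag behaviour concrete, here is an added example (not part of the original message or of any PAM or libnss-ldap code) that models a PAM auth stack in Python: a `requisite pam_succeed_if user ingroup hostgrp` line ahead of `pam_ldap`, plus a second stacked group check to show the chaining the message mentions. The group table, the password store, the `Rule` class and the `evaluate` walk are constructed for illustration and implement a simplified version of the requisite/required/sufficient/optional semantics; real PAM has more nuance, and a real `pam_ldap` line would bind against the directory instead of consulting a dictionary.

```python
"""Toy PAM auth-stack evaluator (constructed example, not PAM itself).

It shows why placing `pam_succeed_if.so user ingroup hostgrp` before
`pam_ldap.so` with the `requisite` flag denies anyone outside hostgrp
before their LDAP password is ever checked, and how such lines stack.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed group data standing in for the LDAP groups (assumption).
GROUPS: Dict[str, Set[str]] = {
    "hostgrp": {"alice", "bob"},            # users allowed on this host
    "users": {"alice", "bob", "carol"},
}

# Constructed credential store standing in for the pam_ldap bind (assumption).
PASSWORDS: Dict[str, str] = {"alice": "a-pass", "bob": "b-pass", "carol": "c-pass"}

Module = Callable[[str, str], bool]       # (user, password) -> success


def succeed_if_ingroup(group: str) -> Module:
    """Models `pam_succeed_if.so user ingroup <group>` (password is ignored)."""
    return lambda user, _pw: user in GROUPS.get(group, set())


def ldap_auth(user: str, password: str) -> bool:
    """Models `pam_ldap.so`: succeeds only when the bind would succeed."""
    return PASSWORDS.get(user) == password


def always_deny(_user: str, _pw: str) -> bool:
    """Models `pam_deny.so`, the usual last line of common-auth."""
    return False


@dataclass
class Rule:
    control: str   # "required" | "requisite" | "sufficient" | "optional"
    module: Module


def evaluate(stack: List[Rule], user: str, password: str) -> bool:
    """Simplified walk of a PAM auth stack with the four classic control flags."""
    failed = False
    for rule in stack:
        ok = rule.module(user, password)
        if rule.control == "requisite":
            if not ok:
                return False        # deny at once; later modules never run
        elif rule.control == "required":
            if not ok:
                failed = True       # remember the failure but keep walking
        elif rule.control == "sufficient":
            if ok and not failed:
                return True         # grant without consulting later lines
        elif rule.control == "optional":
            pass                    # only matters if it is the sole module
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    return not failed


# The stack the message describes: group gate first, then LDAP, then deny.
COMMON_AUTH: List[Rule] = [
    Rule("requisite", succeed_if_ingroup("hostgrp")),
    Rule("sufficient", ldap_auth),
    Rule("required", always_deny),
]

# Stacked variant: two pam_succeed_if lines chained, one after the other.
COMMON_AUTH_STACKED: List[Rule] = [
    Rule("requisite", succeed_if_ingroup("hostgrp")),
    Rule("requisite", succeed_if_ingroup("users")),
    Rule("sufficient", ldap_auth),
    Rule("required", always_deny),
]


def can_log_in(user: str, password: str, stack: List[Rule] = COMMON_AUTH) -> bool:
    return evaluate(stack, user, password)


def revoke_from_group(user: str, group: str) -> None:
    """Simulates removing a user from the LDAP group."""
    GROUPS.get(group, set()).discard(user)


if __name__ == "__main__":
    print("alice/a-pass:", can_log_in("alice", "a-pass"))      # True
    print("carol/c-pass:", can_log_in("carol", "c-pass"))      # False: not in hostgrp
    revoke_from_group("bob", "hostgrp")
    print("bob after revoke:", can_log_in("bob", "b-pass"))    # False
```

Run it with `python3 pam_stack_demo.py`. The `requisite` flag is what matters here: with `required` instead, the group check would still fail the login, but `pam_ldap` would run first and log a bind attempt for a user who should never have reached it.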