[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-06-29 Thread Brian LaMere
I was a bit disheartened to see this is an actual bug - be it because of
X package or not, of the two workstations at my desk, the fedora13 box
has no problems (and uses nscd) and the ubuntu one does.

Reading here, I saw the libnss-ldapd suggestion, tried it, worked fine.
Regarding Hark's comment about pam_check_host_attr and
pam_check_service_attr (comment #87), I would bet you could solve that
another way.  The solution I already had in place for another reason
entirely was as follows, and works just fine for host-based
restrictions:

1) create a group in ldap for the host "hostgrp" - and put the users in that group you want.
2) use pam_succeed_if.so to restrict to the group you want.

In common-auth, before pam_ldap.so, put:

auth requisite pam_succeed_if.so user ingroup hostgrp quiet_success

This will cause pam to only allow someone in group hostgrp to log in.
Remove them from hostgrp, they can't log in.  That's what you're wanting
that nslcd/libnss-ldapd isn't allowing, right?  Well, PAM has been
around longer than nscd/nslcd anyway ;)

BTW, in case it isn't obvious, pam_succeed_if statements can be stacked
- the chain goes one to the next, same as when you're using one mod then
another.

-- 
NSS using LDAP+SSL breaks setuid applications like su and sudo
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
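
An added example, not part of the original message or the bug report: a small Python check that a PAM auth stack contains the requisite pam_succeed_if.so group gate described above and that it sits before pam_ldap.so. The sample stacks are constructed for illustration, and parse_pam_line and check_group_gate are hypothetical helper names.

```python
def parse_pam_line(line):
    """Return (type, control, module, args) for one PAM stack line, else None."""
    line = line.split("#", 1)[0].strip()
    fields = line.split(None, 1)
    if len(fields) < 2 or line.startswith("@"):    # blank, comment or @include
        return None
    mtype, rest = fields[0].lstrip("-"), fields[1]
    if rest.startswith("["):                       # e.g. [success=1 default=ignore]
        control, _, rest = rest.partition("]")
        control += "]"
    else:
        parts = rest.split(None, 1)
        control, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    words = rest.split()
    return (mtype, control, words[0], words[1:]) if words else None


def check_group_gate(pam_text, group, backend="pam_ldap.so"):
    """Report whether a requisite 'user ingroup <group>' gate precedes the backend."""
    auth = [e for e in map(parse_pam_line, pam_text.splitlines())
            if e and e[0] == "auth"]
    gate = backend_pos = None
    wants = ["user", "ingroup", group]
    for i, (_, control, module, args) in enumerate(auth):
        if (gate is None and module.endswith("pam_succeed_if.so")
                and control == "requisite"         # the control the message uses
                and any(args[j:j + 3] == wants for j in range(len(args)))):
            gate = i
        if backend_pos is None and module.endswith(backend):
            backend_pos = i
    if gate is None:
        return "no-gate"
    if backend_pos is None:
        return "no-backend"
    return "ok" if gate < backend_pos else "gate-after-backend"


# Constructed sample stacks (not taken from any real host).
GOOD = """# constructed common-auth
auth requisite pam_succeed_if.so user ingroup hostgrp quiet_success
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
"""
LATE = ("auth sufficient pam_ldap.so\n"
        "auth requisite pam_succeed_if.so user ingroup hostgrp quiet_success\n")
# Type and control run together: the line no longer parses as an auth entry.
MERGED = ("authrequisite pam_succeed_if.so user ingroup hostgrp quiet_success\n"
          "auth sufficient pam_ldap.so\n")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("LATE", LATE), ("MERGED", MERGED)):
        print(name, check_group_gate(text, "hostgrp"))
```

The gate applies to every account that authenticates through the stack, local ones included, so accounts that must always be able to log in on that host need to be members of the group.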


[Bug 592493] [NEW] runlevel arguments (2 3 4 5) do not match LSB Default-Start values (none)

2010-06-10 Thread Brian LaMere
Public bug reported:

Binary package hint: libnss-ldap

When installing libnss-ldap on a Lucid x86_64 machine, I got this:

Setting up libnss-ldap (264-2ubuntu2) ...
update-rc.d: warning: libnss-ldap start runlevel arguments (2 3 4 5) do not match LSB Default-Start values (none)

The start/stop scripts are in /etc/rc?.d anyway, so...?

** Affects: libnss-ldap (Ubuntu)
 Importance: Undecided
 Status: New

-- 
runlevel arguments (2 3 4 5) do not match LSB Default-Start values (none)
https://bugs.launchpad.net/bugs/592493