I was a bit disheartened to see this is an actual bug - be it because of X package or not, of the two workstations at my desk, the Fedora 13 box has no problems (and uses nscd) and the Ubuntu one does.

Reading here, I saw the libnss-ldapd suggestion, tried it, worked fine.

Regarding Hark's comment about pam_check_host_attr and pam_check_service_attr (comment #87), I would bet you could solve that another way. The solution I already had in place for another reason entirely was as follows, and works just fine for host-based restrictions:

1) Create a group in LDAP for the host, "hostgrp", and put the users you want in that group.
2) Use pam_succeed_if.so to restrict to the group you want. In common-auth, before pam_ldap.so, put:

    auth requisite pam_succeed_if.so user ingroup hostgrp quiet_success

This will cause PAM to only allow someone in group hostgrp to log in. Remove them from hostgrp, they can't log in. That's what you're wanting that nslcd/libnss-ldapd isn't allowing, right? Well, PAM has been around longer than nscd/nslcd anyway ;)

BTW, in case it isn't obvious, pam_succeed_if statements can be stacked - the chain goes one to the next, same as when you're using one mod then another.

--
NSS using LDAP+SSL breaks setuid applications like su and sudo
https://bugs.launchpad.net/bugs/423252
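
An added example (not part of the message above and not code from any Ubuntu package): a shell function that audits a PAM file for the arrangement the message describes, a requisite pam_succeed_if.so "user ingroup" line placed before pam_ldap.so in the auth stack. The function name, its return codes and the two sample stacks are constructed for illustration.

```shell
#!/bin/sh
# check_group_gate FILE GROUP  (hypothetical helper, added example)
#   0 = requisite pam_succeed_if "user ingroup GROUP" precedes pam_ldap.so
#   1 = no such pam_succeed_if line in the auth stack
#   2 = the line exists but comes after pam_ldap.so
#   3 = the line exists but its control flag is not "requisite"
check_group_gate() {
    awk -v grp="$2" '
        { sub(/#.*/, "") }                  # drop comments
        { gsub(/\[[^]]*\]/, "[ctl]") }      # collapse [success=1 ...] into one field
        $1 != "auth" { next }               # only the auth stack is checked
        $3 ~ /pam_ldap\.so$/ && !ldap { ldap = NR }
        $3 ~ /pam_succeed_if\.so$/ && !gate {
            for (i = 4; i < NF - 1; i++)
                if ($i == "user" && $(i+1) == "ingroup" && $(i+2) == grp) {
                    gate = NR; ctl = $2
                }
        }
        END {
            if (!gate)               exit 1
            if (ldap && ldap < gate) exit 2
            if (ctl != "requisite")  exit 3
            exit 0
        }
    ' "$1"
}

# Constructed sample stacks (not taken from any real host).
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
# group gate first, then LDAP
auth requisite pam_succeed_if.so user ingroup hostgrp quiet_success
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
EOF
cat > "$tmp/late" <<'EOF'
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so user ingroup hostgrp quiet_success
EOF

for f in good late; do
    check_group_gate "$tmp/$f" hostgrp && echo "$f: ok" || echo "$f: rc=$?"
done
```

On a real system the file to pass would be the one the message names, common-auth, with the group you created for the host.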