ldap login and filesystem rights
rolfijn
I am in the process of replacing my home-server with a new one. The
server will be a web-, mail- and fileserver. Considering i like a
challenge i am trying get as many apps as possible to authenticate
against the installed ldap server. I've gotten my ldap-server so far
as that i can indeed authenticate against it with an account i created
in the ldap-server which was also available in /etc/passwd. Then i
created a new user in the Directory and tried to login with this
account. It failed. After troubleshooting i found out this is because:
a.) There was no home-directory available and b.) when i create the
home-directrory i am not able to set the right permissions on the
directory.
Now my question is this: I've seen a lot of tutorials on the net
concerning logging in on a linux machine and being authenticated to an
ldap server. However, once logged in what is the purpose when you
can't set the correct permissions on a directory? This because
programs as chgrp and chown don't seem to be ldap-aware and can't use
the ldap data to check whether you are using a correct user- or
groupname as parameter.
Thanks in advance,
Rolf Deenen
DT
If you can log in, but cannot operate (after logging in user
information can't be retrieved),
you should probably check your libnss-ldap configuration (/etc/libnss-
ldap.conf).
Remember - if you want your users to be able to "finger" at least
hemselves,
and/or other users, the user which does nss lookup (finger, chmod,
chgrp..) must
have rights to read appropriate ldap branch, which holds this
information..
Chown/chgrp and similar command actually have nothing to do with ldap,
it simply works via nameservice switch (nss) layer, which uses ldap
(or files, or other sources)
to retrieve required information.
Regards,
Piotr
rolfijn
Thanks for the quick reply. Does your answer mean that, with the
correct adjustments in /etc/libnss-ldap or /etc/nsswitch, i should be
able to set filesystem rights in such a way that they are "consistent"
with the user accounts and groups in my ldap directory?
Rolf
DT
> Hi Piotr,
>
> Thanks for the quick reply. Does your answer mean that, with the
> correct adjustments in /etc/libnss-ldap or /etc/nsswitch, i should be
> able to set filesystem rights in such a way that they are "consistent"
> with the user accounts and groups in my ldap directory?
>
> Rolf
which are to be used for specific nss queries.
File /etc/libnss-ldap.conf holds information specific
for ldap-based version of nss library.
Operating system uses nameservice switch calls only -
if you do e.g. "chmod pwadas.staff somefile.txt", chmod
does nss lookup, retrieves UID and GID for "pwadas" and "staff",
and then use these values to set ownership on somefile.txt.
If you do ls -al in directory with somefile.txt, and instead
of names you see GID/UID numbers, it means, that for
specific number a user name or group name couldn't be retrieved
via configured nss sources. Regarding flat files /etc/passwd,
it usually means, that there's no line for e.g. user "101" and group
"105",
regarding ldap-nss it means that there was a problem connecting
ldap source, OR ldapsource was contacted, but information
was not found (like with no such line in /etc/passwd), OR - most
common case - you've configured your /etc/libnss-ldap.conf file
with file mode 600, and user "pwadas" of group "staff" cannot
read the information about how to connect to ldap source via nss.
Note, that you can always set ownerships using numbers, like
"chmod 105.101 somefile.txt". And also - "600" mode fo /etc/libnss-
ldap.conf
(read/write by owner - usually root, and nothing for group and others)
is usually used because this file contains some bind DN and password,
for some system user.
You should define some user in ldap for such use, and access list,
which allows these user only "read" of ldap entries (without
userPassword)
attribute - this would be equivalent to
( 644 mode of /etc/passwd AND 600 of /etc/shadow) in flat files case.
Regards,
Piotr Wadas <pwa...@jewish.org.pl>
rolfijn
This is all the information i needed (and more!).
Rolf Deenen
On Jan 29, 12:22 pm, "DT" <pwa...@jewish.org.pl> wrote:
> On Jan 29, 11:58 am, "rolfijn" <rolf...@gmail.com> wrote:> Hi Piotr,
>
> > Thanks for the quick reply. Does your answer mean that, with the
> > correct adjustments in /etc/libnss-ldap or /etc/nsswitch, i should be
> > able to set filesystem rights in such a way that they are "consistent"
> > with the user accounts and groups in my ldap directory?
>
> > RolfFile /etc/nsswitch.conf holds information about the sources,
