ldap login and filesystem rights


rolfijn

Jan 29, 2007, 5:07:27 AM1/29/07
to openldap
Dear list,

I am in the process of replacing my home server with a new one. The
server will be a web, mail and file server. Considering I like a
challenge, I am trying to get as many apps as possible to authenticate
against the installed LDAP server. I've gotten my LDAP server so far
that I can indeed authenticate against it with an account I created
in the LDAP server which was also available in /etc/passwd. Then I
created a new user in the directory and tried to log in with this
account. It failed. After troubleshooting I found out this is because:
a.) there was no home directory available and b.) when I create the
home directory I am not able to set the right permissions on the
directory.

Now my question is this: I've seen a lot of tutorials on the net
concerning logging in on a Linux machine and being authenticated by an
LDAP server. However, once logged in, what is the purpose when you
can't set the correct permissions on a directory? This is because
programs such as chgrp and chown don't seem to be LDAP-aware and can't use
the LDAP data to check whether you are using a correct user or group
name as a parameter.

Thanks in advance,
Rolf Deenen

DT

Jan 29, 2007, 5:17:11 AM1/29/07
to openldap
Hello
If you can log in but cannot operate (after logging in, user
information can't be retrieved), you should probably check your
libnss-ldap configuration (/etc/libnss-ldap.conf).
Remember: if you want your users to be able to "finger" at least
themselves, and/or other users, the user which does the NSS lookup
(finger, chmod, chgrp...) must have rights to read the appropriate
LDAP branch which holds this information.

chown/chgrp and similar commands actually have nothing to do with LDAP;
they simply work via the name service switch (NSS) layer, which uses LDAP
(or files, or other sources) to retrieve the required information.

Regards,
Piotr

rolfijn

Jan 29, 2007, 5:58:18 AM1/29/07
to openldap
Hi Piotr,

Thanks for the quick reply. Does your answer mean that, with the
correct adjustments in /etc/libnss-ldap.conf or /etc/nsswitch.conf, I should be
able to set filesystem rights in such a way that they are "consistent"
with the user accounts and groups in my LDAP directory?

Rolf

DT

Jan 29, 2007, 6:22:22 AM1/29/07
to openldap
On Jan 29, 11:58 am, "rolfijn" <rolf...@gmail.com> wrote:
> Hi Piotr,
>
> Thanks for the quick reply. Does your answer mean that, with the
> correct adjustments in /etc/libnss-ldap or /etc/nsswitch, i should be
> able to set filesystem rights in such a way that they are "consistent"
> with the user accounts and groups in my ldap directory?
>
> Rolf
File /etc/nsswitch.conf holds information about the sources
which are to be used for specific NSS queries.
File /etc/libnss-ldap.conf holds information specific
to the LDAP-based version of the NSS library.

The operating system uses name service switch calls only:
if you do e.g. "chmod pwadas.staff somefile.txt", chmod
does an NSS lookup, retrieves the UID and GID for "pwadas" and "staff",
and then uses these values to set ownership on somefile.txt.

If you do ls -al in the directory with somefile.txt, and instead
of names you see GID/UID numbers, it means that for a
specific number a user name or group name couldn't be retrieved
via the configured NSS sources. Regarding flat files (/etc/passwd),
it usually means that there's no line for e.g. user "101" and group
"105"; regarding ldap-nss it means that there was a problem connecting
to the LDAP source, OR the LDAP source was contacted but the information
was not found (like with no such line in /etc/passwd), OR (the most
common case) you've configured your /etc/libnss-ldap.conf file
with file mode 600, and user "pwadas" of group "staff" cannot
read the information about how to connect to the LDAP source via NSS.

Note that you can always set ownership using numbers, like
"chmod 105.101 somefile.txt". And also, mode 600 for /etc/libnss-ldap.conf
(read/write by owner, usually root, and nothing for group and others)
is usually used because this file contains a bind DN and password
for some system user.
You should define some user in LDAP for such use, and an access list
which allows this user only "read" of LDAP entries (without the
userPassword attribute); this would be equivalent to
(644 mode of /etc/passwd AND 600 of /etc/shadow) in the flat files case.
Regards,
Piotr Wadas <pwa...@jewish.org.pl>
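
The lookup chain Piotr describes, as an added example that is not part of the thread: chown(1) and chgrp(1) never talk to LDAP themselves, they call getpwnam()/getgrnam(), and /etc/nsswitch.conf decides whether those are answered from files, ldap or something else. getent(1) walks exactly that path from the shell, so it is the first thing to run when ls -l shows bare numbers or chown rejects a name. The script assumes a glibc system (getent) with GNU stat; /etc/libnss-ldap.conf is only an assumed default path, and the diagnostic wording in the functions is mine. Note that owner and group are set with chown, which takes user:group; chmod takes a mode.

```sh
#!/bin/sh
# Added example, not code from the thread. Exercises the NSS path that
# chown/chgrp use: getpwnam()/getgrnam() -> /etc/nsswitch.conf -> files,
# ldap, ... . Assumes glibc (getent) and GNU stat; the config path is the
# Debian-era libnss-ldap default and only a default here.

NSS_LDAP_CONF=${NSS_LDAP_CONF:-/etc/libnss-ldap.conf}

# Print the UID for a user name; fail (exit 1, no output) when no
# configured NSS source knows the name. A numeric argument is looked up
# too, which is how the numbers from "ls -l" are turned back into names.
uid_of() {
    ent=$(getent passwd "$1") || return 1
    printf '%s\n' "$ent" | cut -d: -f3
}

# Same for a group name -> GID.
gid_of() {
    ent=$(getent group "$1") || return 1
    printf '%s\n' "$ent" | cut -d: -f3
}

# Explain what "ls -l" is telling you about FILE: for its numeric owner and
# group, say whether NSS can map each number back to a name. "UNRESOLVED"
# is the symptom Piotr lists: no such entry, LDAP unreachable, or the
# calling user cannot read the nss_ldap config.
explain_ownership() {
    ids=$(stat -c '%u %g' "$1") || return 1
    set -- $ids
    owner=$(getent passwd "$1" | cut -d: -f1)
    group=$(getent group "$2" | cut -d: -f1)
    printf 'uid %s -> %s\n' "$1" "${owner:-UNRESOLVED}"
    printf 'gid %s -> %s\n' "$2" "${group:-UNRESOLVED}"
}

# The "most common case": the config holds a bind DN and password, so it
# is mode 600, but nss_ldap reads it in the calling user's context. A
# non-root user then silently gets no LDAP answers at all. Check this
# before reading slapd logs. The ACL advice above (a read-only bind DN
# without userPassword access) is what makes a user-readable file acceptable.
check_nss_ldap_conf() {
    conf=${1:-$NSS_LDAP_CONF}
    if [ ! -e "$conf" ]; then
        echo "$conf: not present; nss_ldap is not configured via this file"
    elif [ -r "$conf" ]; then
        echo "$conf: readable by uid $(id -u); lookups can reach LDAP"
    else
        echo "$conf: NOT readable by uid $(id -u); LDAP lookups fail for this user"
        return 1
    fi
}

# Set FILE's owner and group by name, resolving both through NSS first so
# the failure is explicit instead of chown's terse "invalid user". The
# numeric uid:gid form always works, as Piotr notes, so that is what is
# passed on to chown.
own_file() {
    file=$1 user=$2 group=$3
    uid=$(uid_of "$user") || { echo "user '$user' unknown to NSS" >&2; return 1; }
    gid=$(gid_of "$group") || { echo "group '$group' unknown to NSS" >&2; return 1; }
    chown "$uid:$gid" "$file"
}
```

Run `check_nss_ldap_conf` as the ordinary user who sees the numbers, not as root: root can read a 600 file, so the problem only shows up in the unprivileged context.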


rolfijn

Jan 29, 2007, 7:59:22 AM1/29/07
to openldap
Thanks,

This is all the information i needed (and more!).

Rolf Deenen

On Jan 29, 12:22 pm, "DT" <pwa...@jewish.org.pl> wrote:
> On Jan 29, 11:58 am, "rolfijn" <rolf...@gmail.com> wrote:
> > Hi Piotr,
> >
> > Thanks for the quick reply. Does your answer mean that, with the
> > correct adjustments in /etc/libnss-ldap or /etc/nsswitch, i should be
> > able to set filesystem rights in such a way that they are "consistent"
> > with the user accounts and groups in my ldap directory?
> >
> > Rolf
>
> File /etc/nsswitch.conf holds information about the sources,

Luca Gervasi

Jan 21, 2011, 3:03:45 AM1/21/11
to open...@googlegroups.com
I used pam_mkdir to create (and skel-populate) the missing home directories on first login. It works quite well and is included in many "major" linux distributions at the moment.

See Ya