Linux: /etc/nslcd.conf gets re-written and LDAP stops working

Googlefood. Not interesting to most people.

I’ve had to deal with a problem on RedHat derived Linux distros for a while now, and finally got frustrated enough to fix the problem.

Symptom:

Your /etc/nslcd.conf file gets modified. You are unable to log into your system. Your blood pressure rises.

You see the following comment in your /etc/nslcd.conf file. It suggests that adding the comment yourself would stop the rewriting; it does not.

# This comment prevents repeated auto-migration of settings.

Cause:

The RPM “nss-pam-ldapd” oh-so-helpfully decides “Hey, let me write your /etc/nslcd.conf file for you.” It doesn’t bother to notice that your file was just fine before it goes and messes it up.

What is really happening:

The RPM looks for these files in order, taking the first one it finds as the “source” file for modifying your nslcd.conf file:

  • /etc/nss-ldapd.conf
  • /etc/nss_ldap.conf
  • /etc/pam_ldap.conf
  • /etc/ldap.conf

It then comments out every “url”, “host” or “base” line in your /etc/nslcd.conf file and replaces them with the corresponding lines from whichever of the above files it found. (Technically, it comments out either “url” or “host” lines, depending on which of the two it finds first.)

Workaround:

Pick the first file in that list that you don’t already use, and ensure that it has the same contents as your nslcd.conf file. That way, when the RPM re-writes /etc/nslcd.conf, you end up with the same settings you started with.

Alternatively, pick the earliest one you do use and make sure the contents are the same. This, however, can lead to breakage.

Potential breakage:

Note that this RPM script assumes every file it can use as a “template” has the same syntax as nslcd.conf. This is where it can cause a problem.

In my particular case, /etc/pam_ldap.conf was the first file it latched onto. It then decided to comment out all the “base” lines in my nslcd.conf file and replace them with the base line from pam_ldap.conf. The problem is that these files have different syntax; for example, nslcd.conf allows you to set the base for different searches:

# nslcd.conf
# These lines get commented out
base group ou=groups,dc=example,dc=com
base passwd ou=users,dc=example,dc=com

However, these are invalid lines in the pam_ldap.conf file according to the man page — pam_ldap.conf only allows setting a default base.

# pam_ldap.conf
# Note lack of "base group" and "base passwd"
# because these are invalid in pam_ldap.conf
base dc=example,dc=com

Then, when it re-wrote my nslcd.conf file, I got the following, meaning nslcd didn’t know how to find the user or group maps in LDAP, and thus users were unable to log in:

# This comment prevents repeated auto-migration of settings.
# base group ou=groups,dc=example,dc=com
# base passwd ou=users,dc=example,dc=com
base dc=example,dc=com
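The following pre-flight check is an added example, not part of the original post or of the nss-pam-ldapd package. It walks the legacy-file search order described above, reports which file the migration would read, flags per-map "base" lines that the single-base legacy formats cannot carry (the breakage case), and checks whether the url/host/base lines already match (the workaround). The ETC variable is an assumption so it can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post or the nss-pam-ldapd package:
# before upgrading the RPM, find the legacy file its %post migration would
# read and report nslcd.conf settings that the rewrite would lose.
# ETC is assumed to be /etc; tests point it at a constructed directory.
ETC="${ETC:-/etc}"

# First legacy file that exists, in the search order the post describes.
migration_source() {
    for f in nss-ldapd.conf nss_ldap.conf pam_ldap.conf ldap.conf; do
        if [ -f "$ETC/$f" ]; then
            printf '%s\n' "$ETC/$f"
            return 0
        fi
    done
    return 1
}

# Number of per-map "base <map> <dn>" lines in nslcd.conf. The legacy formats
# only carry one default base, so these are the lines that come back commented out.
map_specific_bases() {
    [ -f "$ETC/nslcd.conf" ] || { echo 0; return 0; }
    grep -Ec '^[[:space:]]*base[[:space:]]+[a-z]+[[:space:]]+' "$ETC/nslcd.conf" || true
}

# Returns 0 when the migration would leave nslcd.conf working, 1 otherwise.
check_migration() {
    src=$(migration_source) || { echo "no legacy file present, migration will not run"; return 0; }
    echo "migration would read: $src"
    lost=$(map_specific_bases)
    if [ "$lost" -gt 0 ]; then
        echo "WARNING: $lost per-map base line(s) in nslcd.conf would be commented out"
        return 1
    fi
    # The url/host/base lines the script carries over must already match.
    want=$(grep -Ei '^[[:space:]]*(uri|url|host|base)[[:space:]]' "$src" | sort)
    have=$(grep -Ei '^[[:space:]]*(uri|url|host|base)[[:space:]]' "$ETC/nslcd.conf" | sort)
    if [ "$want" != "$have" ]; then
        echo "WARNING: url/host/base lines in $src differ from nslcd.conf"
        return 1
    fi
    echo "OK: $src matches nslcd.conf"
    return 0
}

if [ "${1:-}" = "--check" ]; then check_migration; fi
```

Run it with `--check` before `yum update nss-pam-ldapd`; a non-zero exit means the rewrite would change your working configuration.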

Reference: Relevant code from the SPEC file
