Migrating from NIS to LDAP, some questions..

J

jyavenard

I have migrated from NIS to LDAP a short while ago, and there's one thing I'm not too happy with.

With NIS and compat is /etc/nsswitch.conf ; you could override stuff like shells by having an entry in /etc/master.passwd starting with a +

like:
Code: 
+jya:*:::::::/bin/sh

+ indicated to check in NIS , and replace the shell for that particular user.
I could put an entry like:
Code: 
+:::::::::/usr/sbin/nologin

And no-one would have access to that machine, but users declared above that entry.

I have tried changins nsswitch.conf to reproduce such behaviour, and to some extent it does work.
Code: 
server4# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1 2009/08/03 08:13:06 kensmith Exp $
#
group: compat
group_compat: ldap
hosts: files dns
networks: files
passwd: compat
passwd_compat: ldap
shells: files
services: files
protocols: files
rpc: files

However, with this configuration, there are plenty of downside. For a start, user aliases do not work. I can't do su - another user (password is always refused)

What would be the best approach to have a straight replacement of nis with ldap for such matter ?

So I can override some login properties easily ?

Thank you
JY
 
Read the nsswitch.conf(5) man page. Under compat mode: +/- syntax, you can do:

Code: 
passwd: compat
passwd_compat: ldap

And that *should* work the way you want it to. You can use the exact same syntax you would with the NIS domain, but using LDAP as the source.
 
Hi there.

Unfortunately, it doesn't :(

I read the nsswitch.conf man page many many time :P ; it's a bit confusing, it only mentions compat in reference to NIS

If passwd in nsswitch.conf is configured with files ldap as a source

It's all dandy.

I can log in with any user names as stored in the LDAP server, including username aliases.

If I set passwd to use compat, and passwd_compat is set for ldap

Then I can only login using the primary username, not using any aliases.
This leads to samba failing with windows client, as the username they use to login on the domain is an alias (e.g. primary username is in the shape u0000xxxx , while they login with first.last)

For example, my primary username in ldap is jeanyves_avenard, avenardj is an alias
Code: 
$cat /etc/nsswitch.conf
group: files ldap
#group_compat: ldap
hosts: files dns
networks: files
passwd: compat
passwd_compat: ldap
shells: files
services: files
protocols: files
rpc: files

$cd ~avenardj
Unknown user: avenardj.
$smbclient -U avenardj //server4/homes
Enter avenardj's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

$smbclient -U jeanyves_avenard //server4/homes
Enter jeanyves_avenard's password: 
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.4.8]
smb: \>

However, if I change /etc/nsswitch.conf to not use compat:
Code: 
> cat /etc/nsswitch.conf
group: files ldap
#group_compat: ldap
hosts: files dns
networks: files
passwd: files ldap
#passwd_compat: ldap
shells: files
services: files
protocols: files
rpc: files

$cd ~avenardj
$smbclient -U avenardj //server4/homes
Enter avenardj's password: 
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.4.8]
smb: \>

using compat unfortunately, breaks stuff. It's unfortunate as the convenience of being able to override some users properties using /etc/master.passwd is invaluable.

Jean-Yves
 
You must log in or register to reply here.
Back
Top