3

I have a test that creates a user in LDAP with /bin/bash and I then modify the ldap attributes to /bin/noshell but the results from getent and ldapsearch are inconsistent for the shell. This user does not exists in /etc/passwd.

When I do a ‘getent check72 passwd’ I get:

check72:*:6072:6072:Johnny Appleseed:/home/check72:/bin/bash

But when I do a ldapsearch command I get:

# check72, people, wh.local
dn: uid=check72,ou=people,dc=wh,dc=local
uid: check72
cn: Johnny Appleseed
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e1NTSEF9OWVHdTdPVHIwVE15ajNQNEphdG9GR1cwZnQxa2Ftb3k=
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
uidNumber: 6072
gidNumber: 6072
homeDirectory: /home/check72
loginShell: /bin/noshell

# check72, group, wh.local
dn: cn=check72,ou=group,dc=wh,dc=local
objectClass: posixGroup
objectClass: top
cn: check72
gidNumber: 6072
userPassword:: e0NSWVBUfXg=

I have restarted slapd and nscd, any clue? Thanks in advance.

My nsswitch.conf looks like this:

passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss

Here are my packages installed related to nss

nss.x86_64              3.13.6-2.el6_3  @updates                                
nss-pam-ldapd.x86_64    0.7.5-15.el6_3.2
nss-softokn.x86_64      3.12.9-11.el6   @anaconda-CentOS-201207061011.x86_64/6.3
nss-softokn-freebl.x86_64
nss-sysinit.x86_64      3.13.6-2.el6_3  @updates                                
nss-tools.x86_64        3.13.6-2.el6_3  @updates                                
nss-util.x86_64         3.13.6-1.el6_3  @updates

Any help will be greatly appreciated.

Stefan Lasiewski
  • 22,949
  • 38
  • 129
  • 184
usa ims
  • 361
  • 1
  • 7
  • 14
  • 2
    Have you tried to clear the `nscd` cache with `nscd -i passwd`? – Sven Mar 08 '13 at 23:35
  • It would be good to mention your [initial question](http://serverfault.com/q/486052/152073) to avoid duplication of effort. (@SvenW: yes, they did) – Andrew B Mar 08 '13 at 23:50
  • Your other question mentions that the problem seemed to temporarily clear up but was not permanently resolved by clearing the `nscd` cache. By any chance do you have multiple LDAP servers defined, and have you made sure that the data is sync between them? – Andrew B Mar 08 '13 at 23:55
  • I only have one single ldap server. – usa ims Mar 09 '13 at 00:51
  • The other question was resolved, it was about not letting ldap accounts authenticate via ssh with a bogus shell, that has been fixed with nscd -i passwd. – usa ims Mar 09 '13 at 00:52
  • This question is about inconsistencies between getent and the ldapsearch command. – usa ims Mar 09 '13 at 00:53
  • I'm assuming there's a typo in your cut/paste where the result of ldapsearch has the attribute oginShell, rather than the attribute loginShell ? :) As tentatively, with a lack of a loginShell attribute nss/sss might fill in the blank for you with /bin/bash. – Kjetil Joergensen Mar 09 '13 at 01:27
  • Yes, that is a typo from a copy and paste. – usa ims Mar 09 '13 at 22:31

1 Answers1

2

The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. When I would run 'getent passwd', I would only see the users from the /etc/passwd file. When I started the /etc/init.d/nslcd service and then issued the 'getent passwd' command, I then saw all LDAP users and system users and the shells were synced.

The service did not start when I installed the nss-pam-ldapd package, I manually started it, and now everything works like a charm.

Also the order of the /etc/nsswitch.conf was very important:

 passwd:     files ldap sss   
 shadow:     files ldap sss   
 group:      files sss
NoelProf
  • 130
  • 5
usa ims
  • 361
  • 1
  • 7
  • 14