Is Nscd required on the client for accessing an LDAP server without anonymous access?

linux ubuntu ldap ubuntu-18.04

I have an Ubuntu-18.04 machine that I need to setup to access an LDAP server that does not support anonymous lookups.

I'm wondering if Nscd is required to be running on this Ubuntu client?

Most of the guides I've found have suggested that everything should be working without Nscd running, but this doesn't seem to be the case for me.

In order to set this up, I've installed the following packages: libnss-ldap, libpam-ldap, ldap-auth-config, and nscd.

My /etc/ldap.conf looks like the following:

base dc=mycompany,dc=com
uri ldap://192.168.3.123
ldap_version 3
rootbinddn cn=admin,dc=mycompany,dc=com
pam_password md5

My /etc/ldap.secret contains the correct root bind DN credentials.

My /etc/nsswitch.conf looks like the following:

passwd:         compat systemd ldap
group:         compat systemd ldap
shadow:         compat
gshadow:        files
...

The files /etc/etc/pam.d/common-password, /pam.d/common-auth, and /etc/pam.d/common-account contain the following lines:

auth     [success=1 default=ignore]      pam_ldap.so use_first_pass

account       [success=1 default=ignore]      pam_ldap.so 

password     [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass

I'm able to explicitly query the LDAP server using the following command and authenticating as the admin user (using the password from the /etc/ldap.secret file):

$ ldapsearch -L -H ldap://192.168.3.123 -D 'cn=admin,dc=mycompany,dc=com' -W -b 'dc=mycompany,dc=com' uid=myuser

I'm also able to explicitly query the LDAP server using the following command and authenticating as myself (using my own LDAP password):

$ ldapsearch -L -H ldap://192.168.3.123 -D 'uid=myuser,ou=people,dc=mycompany,dc=com' -W -b 'dc=mycompany,dc=com' uid=myuser

With nscd running, I'm able to run the following getent command to query information about my own user. I'm able to run this command both as my own user and as root:

$ getent passwd myuser
myuser:x:1000062:1000000:My User:/home/myuser:/bin/bash
$ sudo getent passwd myuser
myuser:x:1000062:1000000:My User:/home/myuser:/bin/bash

However, if I stop nscd, then I can no longer run the getent command as my normal user. It still works when run as root:

$ sudo systemctl stop nscd
$ getent passwd myuser
$ sudo getent passwd myuser
myuser:x:1000062:1000000:My User:/home/myuser:/bin/bash

When running getent as my normal user with nscd not running, I get the following messages in the systemd journal:

getent[11347]: nss_ldap: failed to bind to LDAP server ldap://192.168.3.123: Inappropriate authentication
getent[11347]: nss_ldap: reconnecting to LDAP server...
getent[11347]: nss_ldap: could not search LDAP server - Server is unavailable

My guess as to why this is happening is because when nscd is running, it acts as a middleman and successfully connects to my LDAP server, authenticating as the admin user. When running getent as my normal user with nscd running, this all happens transparently.

However, with nscd not running, then getent doesn't know to either ask me for the LDAP password of my user, or somehow just use the LDAP password for my user when querying the LDAP server.

When running getent as root, getent just knows to read /etc/ldap.secret and use it to authenticate with the LDAP server.

Is there a way to setup the system so that commands like getent work for normal users without relying on nscd running? Is anonymous access to LDAP required for cases like this?


Solution 1:

Is there a way to setup the system so that commands like getent work for normal users without relying on nscd running?

Simply yes.

nscd is just a caching demon for all NSS maps. In fact it does not know anything about LDAP or any other protocol used to retrieve map data from remote servers.

getent[11347]: nss_ldap: failed to bind to LDAP server

If you're LDAP server is currently not available you cannot retrieve any map data from there.

Probably you still have cached entries in nscd's database (see /var/lib/nscd or similar directory). If nscd is not running it cannot serve its cache data. If it's running it will serve its cached data until cache TTL is reached (see /etc/nscd.conf).

It's simple like that.

Don't follow outdated how-tos using PADL's nss_ldap and pam_ldap. Rather look at running sssd or nss-pam-ldapd.

The reason is that nss_ldap and pam_ldap are directly linked into each process, e.g. getent. Thus if stricter file permissions are used for file ldap.conf this won't work for every process accessing the NSS maps. Furthermore LDAP connections are not cached giving you really bad performance.

In case you accessed a NSS map as user root before and the result got cached it would also work for other users accessing a cache map entry. But not without nscd running and with rather unreliable cached results.

Related

how do I see when a cloudsql instance was created
How to automatically deploy new docker images from dockerhub to kubernetes?
Set static IP in OpenVPN
ssh and git pull from remote server
ZyXEL NSA310S - most recent ownCloud version possible to run
Google Apps with AD FS 3.0 Sign out problems
Cisco IPSec Issue with Windows 10
apache (httpd) - How to set rewrite URL [duplicate]
Can't restore master/slave replication from Percona backup (slave server)
How to connect to remote mysql through two ssh tunnels?
Event ID 6009: is this event triggered only when a user-initiated shutdown has occurred?
Intermittent connection failures to Kubernetes service on GKE