Name Service Switch (NSS) for LDAP user authentication - possible?

Tomasz Chmielewski mangoo at wpkg.org
Thu Jan 26 17:13:14 UTC 2006


Wim Vinckier wrote:
> On 1/26/06, Tomasz Chmielewski <mangoo at wpkg.org> wrote:
> 
>>Hello,
>>
>>I'm just developing an "embedded domain controller".
>>It is based on Samba and OpenLDAP, and as an operating system it has
>>Linux OpenWRT / uclibc, which has busybox at its heart.
>>
>>Samba doesn't like such environments very much, and it would be best if
>>it could fetch the users from an LDAP server.
>>
>>As far as I understand, to do this, one needs Name Service Switch.
>>
>>What steps do I have to take to add Name Service Switch to a
>>busybox-based distribution, so that the system could get the users and
>>groups from an LDAP server?


> I don't think you need nss for this.  On my (normal) servers I
> just use something like:
> <config>
> passdb backend = ldapsam:ldap://myldapserver
> ldap admin dn = cn=admin,dc=example,dc=be
> ldap suffix = dc=example,dc=be
> ldap ssl = no
> </config>
> It uses the ldap connection of samba...

It doesn't work like this.

Samba checks for the users in two places:
- your LDAP directory
- system users

Because you have your LDAP users "mapped" as system users via NSS, Samba 
can verify that the user really exists.

You can check with "getent passwd", "getent shadow" that it'll enumerate 
your users/groups that you have both in LDAP and in /etc/passwd /etc/group.


Change your /etc/nsswitch.conf so that it doesn't look in the LDAP 
directory (and leave smb.conf "ldap" entries intact), and your users 
will no longer be able to log in (Samba won't find the system users).


So, now that we know why it's needed for Samba, does anyone know how 
to do something like that for busybox? :)


-- 
Tomasz Chmielewski
http://wpkg.org
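As an added illustration of the check described above (this is not code from the thread): given the contents of nsswitch.conf, the output of "getent passwd" and /etc/passwd, it lists the accounts that are only reachable through NSS, i.e. the ones Samba would stop finding if the ldap source were removed. All inputs are constructed sample data, not taken from a real host.

```python
"""Which accounts does Samba only see through NSS (e.g. an LDAP source)?

Added example mirroring the manual check in the post: compare what
"getent passwd" enumerates with what /etc/passwd alone contains.
"""
import re


def nss_sources(nsswitch_text):
    """Return {database: [source, ...]} parsed from nsswitch.conf text."""
    sources = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # drop action specifiers such as [NOTFOUND=return]
        sources[db.strip()] = re.sub(r"\[[^\]]*\]", "", rest).split()
    return sources


def passwd_names(passwd_text):
    """Set of login names from passwd-format lines (name:x:uid:gid:...)."""
    return {l.split(":", 1)[0] for l in passwd_text.splitlines() if ":" in l}


def nss_only_users(nsswitch_text, getent_text, etc_passwd_text):
    """Return (ldap listed for the passwd database?, users visible via
    getent but absent from /etc/passwd, sorted)."""
    ldap_enabled = "ldap" in nss_sources(nsswitch_text).get("passwd", [])
    only_nss = passwd_names(getent_text) - passwd_names(etc_passwd_text)
    return ldap_enabled, sorted(only_nss)


# Constructed sample data (assumed values, not from a real system)
NSSWITCH = ("passwd: files ldap\n"
            "group:  files ldap\n"
            "shadow: files ldap [NOTFOUND=return]\n"
            "hosts:  files dns\n")
ETC_PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
              "wim:x:1000:1000::/home/wim:/bin/sh\n")
GETENT = ETC_PASSWD + ("tomasz:x:10001:513::/home/tomasz:/bin/false\n"
                       "guest:x:10002:514::/dev/null:/bin/false\n")

if __name__ == "__main__":
    enabled, users = nss_only_users(NSSWITCH, GETENT, ETC_PASSWD)
    print("ldap listed as a passwd source:", enabled)
    print("accounts Samba would lose without the ldap NSS source:", users)
```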
