I have a test that creates a user in LDAP with /bin/bash, and I then modify the LDAP attributes to /bin/noshell, but the results from getent and ldapsearch are inconsistent for the shell.
This user does not exist in /etc/passwd.
When I do a ‘getent check72 passwd’ I get:
check72:*:6072:6072:Johnny Appleseed:/home/check72:/bin/bash
But when I do a ldapsearch command I get:
# check72, people, wh.local
dn: uid=check72,ou=people,dc=wh,dc=local
uid: check72
cn: Johnny Appleseed
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e1NTSEF9OWVHdTdPVHIwVE15ajNQNEphdG9GR1cwZnQxa2Ftb3k=
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
uidNumber: 6072
gidNumber: 6072
homeDirectory: /home/check72
loginShell: /bin/noshell
# check72, group, wh.local
dn: cn=check72,ou=group,dc=wh,dc=local
objectClass: posixGroup
objectClass: top
cn: check72
gidNumber: 6072
userPassword:: e0NSWVBUfXg=
I have restarted slapd and nscd, any clue? Thanks in advance.
My nsswitch.conf looks like this:
passwd: files sss ldap
shadow: files sss ldap
group: files sss
Here are my installed packages related to nss:
nss.x86_64 3.13.6-2.el6_3 @updates
nss-pam-ldapd.x86_64 0.7.5-15.el6_3.2
nss-softokn.x86_64 3.12.9-11.el6 @anaconda-CentOS-201207061011.x86_64/6.3
nss-softokn-freebl.x86_64
nss-sysinit.x86_64 3.13.6-2.el6_3 @updates
nss-tools.x86_64 3.13.6-2.el6_3 @updates
nss-util.x86_64 3.13.6-1.el6_3 @updates
Any help will be greatly appreciated.
Best Answer
The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. When I would run 'getent passwd', I would only see the users from the /etc/passwd file. When I started the /etc/init.d/nslcd service and then issued the 'getent passwd' command, I then saw all LDAP users and system users and the shells were synced. The service did not start when I installed the nss-pam-ldapd package, I manually started it, and now everything works like a charm.
Also the order of the /etc/nsswitch.conf was very important:
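Added example, not part of the original question or answer: a shell check for the mismatch described in the question, where the host still resolves an interactive shell after the directory entry was changed to /bin/noshell. The function names are hypothetical, the sample values are copied from the question, and the commented live invocation assumes ldapsearch already has its server and base DN configured.

```shell
#!/bin/sh
# Compare the login shell NSS resolves with the loginShell stored in LDAP.

# Field 7 of a passwd(5)-format line, as printed by `getent passwd USER`.
nss_shell() {
    printf '%s\n' "$1" | awk -F: 'NR == 1 { print $7 }'
}

# loginShell value from LDIF text, as printed by ldapsearch.
ldap_shell() {
    printf '%s\n' "$1" | awk '$1 == "loginShell:" { print $2; exit }'
}

# Sources listed for the passwd database in nsswitch.conf text, in lookup order.
passwd_sources() {
    printf '%s\n' "$1" |
        awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Returns 0 on match, 1 on mismatch, 2 if either value could not be read.
compare_shells() {
    n=$(nss_shell "$1"); l=$(ldap_shell "$2")
    if [ -z "$n" ] || [ -z "$l" ]; then
        echo "INCOMPLETE: nss=$n ldap=$l"; return 2
    elif [ "$n" = "$l" ]; then
        echo "match: $n"
    else
        echo "MISMATCH: nss=$n ldap=$l"; return 1
    fi
}

# Sample input, copied from the question above.
SAMPLE_PASSWD='check72:*:6072:6072:Johnny Appleseed:/home/check72:/bin/bash'
SAMPLE_LDIF='dn: uid=check72,ou=people,dc=wh,dc=local
uid: check72
loginShell: /bin/noshell'
SAMPLE_NSSWITCH='passwd: files sss ldap
shadow: files sss ldap
group: files sss'

echo "passwd lookup order: $(passwd_sources "$SAMPLE_NSSWITCH")"
compare_shells "$SAMPLE_PASSWD" "$SAMPLE_LDIF" || true

# Live use on a host:
#   compare_shells "$(getent passwd check72)" \
#       "$(ldapsearch -x -LLL uid=check72 loginShell)"
```

A nonzero return for an account whose directory entry carries a non-login shell means the host is still answering from a stale or different source than the directory.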