
<html>
    <head>
        <base href="https://wiki.debian.org/LDAP">
        <link href="/htdocs/favicon.ico" rel="shortcut icon">
        <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
        <meta content="index,nofollow" name="robots">
        <title>
            LDAP/NSS - Debian Wiki
        </title>
        <link charset="utf-8" href="/htdocs/debwiki/css/common.css" media="all" rel="stylesheet" type="text/css">
        <link charset="utf-8" href="/htdocs/debwiki/css/screen.css" media="screen" rel="stylesheet" type="text/css">
        <link charset="utf-8" href="/htdocs/debwiki/css/print.css" media="print" rel="stylesheet" type="text/css">
        <link charset="utf-8" href="/htdocs/debwiki/css/projection.css" media="projection" rel="stylesheet" type="text/css">
        <link charset="utf-8" href="/htdocs/debian-wiki-1.0.css" media="all" rel="stylesheet" type="text/css">
        <!-- css only for MS IE6/IE7 browsers -->
        <!--[if lt IE 8]>
            <link rel="stylesheet" type="text/css" charset="utf-8" media="all" href="/htdocs/debwiki/css/msie.css">
<![endif]-->
        <link href="/LDAP/NSS?diffs=1&amp;show_att=1&amp;action=rss_rc&amp;unique=0&amp;page=LDAP%2FNSS&amp;ddiffs=1" rel="alternate" title="Debian Wiki: LDAP/NSS" type="application/rss+xml">
        <link href="/FrontPage" rel="Start">
        <link href="/LDAP/NSS?action=raw" rel="Alternate" title="Wiki Markup">
        <link href="/LDAP/NSS?action=print" media="print" rel="Alternate" title="Print View">
        <link href="/LDAP" rel="Up">
        <link href="/FindPage" rel="Search">
        <link href="/TitleIndex" rel="Index">
        <link href="/WordIndex" rel="Glossary">
        <link href="/HelpOnFormatting" rel="Help">
    </head>
    <body dir="ltr" lang="en">
        <div dir="ltr" id="page" lang="en">
            <div dir="ltr" id="content" lang="en">
                <span class="anchor" id="top">
                </span>
                <span class="anchor" id="line-1">
                </span>
                <span class="anchor" id="line-2">
                </span>
                <div>
                    <table style="&amp;quot; width: 100%; &amp;quot;">
                        <tbody>
                            <tr>
                                <td style="&amp;quot; border: 0px hidden&amp;quot;">
                                    <p class="line891">
                                        <small>
                                            <a href="/DebianWiki/EditorGuide#Translations">
                                                Translation(s)
                                            </a>
                                            :
                                            <a href="/fr/LDAP/NSS">
                                                Français
                                            </a>
                                        </small>
                                    </p>
                                </td>
                                <td style="&amp;quot; text-align: right; border: 0px hidden&amp;quot;">
                                    <p class="line862">
                                        <a href="/htdocs/debwiki/img/idea.png" title="(!)" width="16">
                                        </a>
                                        <a class="nonexistent" href="/LDAP/NSS/Discussion" target="_blank">
                                            <img border="0" src="http://search.osakos.com/cache.php?key=c0792b69d674164f3134f6a4d8b0fd4b&amp;uri=https://demo.qkseo.in/images/replacer.gif">
                                        </a>
                                        ?Discussion
                                    </p>
                                </td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                <span class="anchor" id="line-3">
                </span>
                <p class="line867">
                </p>
                <hr>
                <p class="line874">
                    <span class="anchor" id="line-4">
                    </span>
                    <span class="anchor" id="line-5">
                    </span>
                </p>
                <p class="line867">
                </p>
                <div class="table-of-contents">
                    <p class="table-of-contents-heading">
                        Contents
                    </p>
                    <ol>
                        <li>
                            <a href="#Configuring_LDAP_Authentication">
                                Configuring LDAP Authentication
                            </a>
                            <ol>
                                <li>
                                    <a href="#On_running_nscd">
                                        On running nscd
                                    </a>
                                </li>
                                <li>
                                    <a href="#NSS_Setup_with_libnss-ldap">
                                        NSS Setup with libnss-ldap
                                    </a>
                                </li>
                                <li>
                                    <a href="#NSS_Setup_with_libnss-ldapd">
                                        NSS Setup with libnss-ldapd
                                    </a>
                                </li>
                                <li>
                                    <a href="#Verify_that_NSS_is_operational">
                                        Verify that NSS is operational
                                    </a>
                                </li>
                                <li>
                                    <a href="#Offline_caching_of_NSS_with_nscd">
                                        Offline caching of NSS with nscd
                                    </a>
                                </li>
                            </ol>
                        </li>
                    </ol>
                </div>
                <span class="anchor" id="line-6">
                </span>
                <span class="anchor" id="line-7">
                </span>
                <span class="anchor" id="line-8">
                </span>
                <p class="line867">
                </p>
                <h1 id="Configuring_LDAP_Authentication">
                    Configuring LDAP Authentication
                </h1>
                <span class="anchor" id="line-9">
                </span>
                <span class="anchor" id="line-10">
                </span>
                <p class="line862">
                    This page describes the steps needed to get user names, groups and other information that is usually stored in flat files in
                    <tt>
                        /etc
                    </tt>
                    or NIS from an LDAP server. This information is exposed through NSS (Name Services Switch) as configured in
                    <tt>
                        /etc/nsswitch.conf
                    </tt>
                    .
                    <span class="anchor" id="line-11">
                    </span>
                    <span class="anchor" id="line-12">
                    </span>
                </p>
                <p class="line862">
                    The following databases can be served from LDAP:
                    <strong>
                        aliases
                    </strong>
                    (mail aliases, ignored by most mail daemons),
                    <strong>
                        ethers
                    </strong>
                    (ethernet numbers),
                    <strong>
                        group
                    </strong>
                    (groups of users),
                    <strong>
                        hosts
                    </strong>
                    (host names and numbers),
                    <strong>
                        netgroup
                    </strong>
                    (host and user groups used for access controls),
                    <strong>
                        networks
                    </strong>
                    (network names and numbers),
                    <strong>
                        passwd
                    </strong>
                    (users),
                    <strong>
                        protocols
                    </strong>
                    (network protocols),
                    <strong>
                        rpc
                    </strong>
                    (remote procedure call names and numbers),
                    <strong>
                        services
                    </strong>
                    (network service names and numbers) and
                    <strong>
                        shadow
                    </strong>
                    (shadow user passwords).
                    <span class="anchor" id="line-13">
                    </span>
                    <span class="anchor" id="line-14">
                    </span>
                </p>
                <p class="line862">
                    There are currently two packages available to configure NSS lookups through LDAP: the
                    <a class="interwiki" href="https://packages.debian.org/libnss-ldap" title="DebPkg">
                        libnss-ldap
                    </a>
                    package and the
                    <a class="interwiki" href="https://packages.debian.org/libnss-ldapd" title="DebPkg">
                        libnss-ldapd
                    </a>
                    package. Which one to choose depends on your needs. In general
                    <tt>
                        libnss-ldapd
                    </tt>
                    is simpler but newer and
                    <tt>
                        libnss-ldap
                    </tt>
                    is more mature but more complex. Also
                    <tt>
                        libnss-ldap
                    </tt>
                    has some known issues with serving host information and lookups during boot which should be addressed in
                    <tt>
                        libnss-ldapd
                    </tt>
                    . In addition,
                    <tt>
                        libnss-ldap
                    </tt>
                    breaks setuid programs (su, sudo) when using LDAP+SSL (see
                    <a class="interwiki closed-bug" href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579647" title="Closed in 1.5.4-3+rm: #579647: nss-ldap changing uid due to using gcrypt somewhere...">
                        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579647
                    </a>
                    ).
                    <span class="anchor" id="line-15">
                    </span>
                    <span class="anchor" id="line-16">
                    </span>
                </p>
                <p class="line867">
                </p>
                <h2 id="On_running_nscd">
                    On running nscd
                </h2>
                <span class="anchor" id="line-17">
                </span>
                <span class="anchor" id="line-18">
                </span>
                <p class="line862">
                    For debugging it is recommended to
                    <strong>
                        not
                    </strong>
                    run
                    <tt>
                        nscd
                    </tt>
                    (the Name Service Caching Daemon) because
                    <tt>
                        nscd
                    </tt>
                    can mask problems by serving entries from its cache. Either don't install the
                    <tt>
                        nscd
                    </tt>
                    package until it is clear that everything is functional or stop
                    <tt>
                        nscd
                    </tt>
                    with
                    <span class="anchor" id="line-19">
                    </span>
                    <span class="anchor" id="line-20">
                    </span>
                    <span class="anchor" id="line-21">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1"></span>  # /etc/init.d/nscd stop</pre>
                <span class="anchor" id="line-22">
                </span>
                <span class="anchor" id="line-23">
                </span>
                <p class="line862">
                    However, running
                    <tt>
                        nscd
                    </tt>
                    is required when using
                    <tt>
                        libnss-ldap
                    </tt>
                    and permissions of
                    <tt>
                        /etc/libnss-ldap.conf
                    </tt>
                    do not allow normal users to read the file (e.g. when using the
                    <tt>
                        bindpw
                    </tt>
                    option). Certain versions of
                    <tt>
                        libnss-ldap
                    </tt>
                    have been known to set restrictive permissions on this file. Note that not all NSS lookups will go through nscd (only
                    <tt>
                        passwd
                    </tt>
                    ,
                    <tt>
                        group
                    </tt>
                    and
                    <tt>
                        hosts
                    </tt>
                    ) so this may not work in all circumstances.
                    <span class="anchor" id="line-24">
                    </span>
                    <span class="anchor" id="line-25">
                    </span>
                </p>
                <p class="line862">
                    For production use it is recommended to run
                    <tt>
                        nscd
                    </tt>
                    as it saves on doing lookups to the LDAP server. You may consider tuning the time-to-live values of the cache in
                    <tt>
                        /etc/nscd.conf
                    </tt>
                    if you need to pick up changes in the LDAP directory quickly (though the defaults are fine in most circumstances).
                    <span class="anchor" id="line-26">
                    </span>
                    <span class="anchor" id="line-27">
                    </span>
                </p>
                <p class="line867">
                </p>
                <h2 id="NSS_Setup_with_libnss-ldap">
                    NSS Setup with libnss-ldap
                </h2>
                <span class="anchor" id="line-28">
                </span>
                <span class="anchor" id="line-29">
                </span>
                <p class="line874">
                    Install the package:
                    <span class="anchor" id="line-30">
                    </span>
                    <span class="anchor" id="line-31">
                    </span>
                    <span class="anchor" id="line-32">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1-1"></span>  # apt-get install libnss-ldap</pre>
                <span class="anchor" id="line-33">
                </span>
                <span class="anchor" id="line-34">
                </span>
                <p class="line862">
                    Be sure to read the docs that are installed in
                    <tt>
                        /usr/share/doc/libnss-ldap/
                    </tt>
                    <span class="anchor" id="line-35">
                    </span>
                    <span class="anchor" id="line-36">
                    </span>
                </p>
                <p class="line862">
                    If you plan to do hostname lookups through LDAP you should add the hostname of your LDAP server in
                    <tt>
                        /etc/hosts
                    </tt>
                    (even if you use an IP address to configure the connection to the server). Without this, boot can go badly wrong: services that try to use LDAP end up looking up the LDAP server's hostname through LDAP itself, and the lookup recurses.
                    <span class="anchor" id="line-37">
                    </span>
                    <span class="anchor" id="line-38">
                    </span>
                </p>
                <p class="line862">
                    Edit
                    <tt>
                        /etc/libnss-ldap.conf
                    </tt>
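                    to include at least the following (replace the values with options that are specific to your environment). Note that a plain ldap:// URI is unencrypted, so lookups (and bind credentials, if you configure any) cross the network in clear text unless TLS is enabled: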
                    <span class="anchor" id="line-39">
                    </span>
                    <span class="anchor" id="line-40">
                    </span>
                    <span class="anchor" id="line-41">
                    </span>
                    <span class="anchor" id="line-42">
                    </span>
                    <span class="anchor" id="line-43">
                    </span>
                    <span class="anchor" id="line-44">
                    </span>
                    <span class="anchor" id="line-45">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1-2"></span>  # Your LDAP server. Must be resolvable without using LDAP.
<span class="anchor" id="line-2"></span>  uri ldap://10.0.0.1
<span class="anchor" id="line-3"></span>
<span class="anchor" id="line-4"></span>  # The distinguished name of the search base.
<span class="anchor" id="line-5"></span>  base dc=&lt;your&gt;,dc=&lt;domain&gt;</pre>
                <span class="anchor" id="line-46">
                </span>
                <span class="anchor" id="line-47">
                </span>
                <p class="line862">
                    If you specified
                    <tt>
                        rootbinddn
                    </tt>
                    you need to put the LDAP admin password in
                    <tt>
                        /etc/ldap.secret
                    </tt>
                    owned by root and with mode 600 (
                    <tt>
                        rw-------
                    </tt>
                    ), so that unprivileged users cannot read the password.
                    <span class="anchor" id="line-48">
                    </span>
                    <span class="anchor" id="line-49">
                    </span>
                </p>
                <p class="line862">
                    Edit
                    <tt>
                        /etc/nsswitch.conf
                    </tt>
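                    to add LDAP to the services you want to have enabled (be careful to put LDAP *after* "files", so that local accounts such as root are resolved from the local files first and keep working when the LDAP server is unreachable).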
                    <span class="anchor" id="line-50">
                    </span>
                    <span class="anchor" id="line-51">
                    </span>
                    <span class="anchor" id="line-52">
                    </span>
                    <span class="anchor" id="line-53">
                    </span>
                    <span class="anchor" id="line-54">
                    </span>
                    <span class="anchor" id="line-55">
                    </span>
                    <span class="anchor" id="line-56">
                    </span>
                    <span class="anchor" id="line-57">
                    </span>
                    <span class="anchor" id="line-58">
                    </span>
                    <span class="anchor" id="line-59">
                    </span>
                    <span class="anchor" id="line-60">
                    </span>
                    <span class="anchor" id="line-61">
                    </span>
                    <span class="anchor" id="line-62">
                    </span>
                    <span class="anchor" id="line-63">
                    </span>
                    <span class="anchor" id="line-64">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1-3"></span>  passwd:         files ldap
<span class="anchor" id="line-2-1"></span>  group:          files ldap
<span class="anchor" id="line-3-1"></span>  shadow:         files ldap
<span class="anchor" id="line-4-1"></span>
<span class="anchor" id="line-5-1"></span>  hosts:          files dns ldap
<span class="anchor" id="line-6"></span>  networks:       files ldap
<span class="anchor" id="line-7"></span>
<span class="anchor" id="line-8"></span>  protocols:      db files
<span class="anchor" id="line-9"></span>  services:       db files
<span class="anchor" id="line-10"></span>  ethers:         db files
<span class="anchor" id="line-11"></span>  rpc:            db files
<span class="anchor" id="line-12"></span>
<span class="anchor" id="line-13"></span>  netgroup:       nis</pre>
                <span class="anchor" id="line-65">
                </span>
                <span class="anchor" id="line-66">
                </span>
                <p class="line867">
                </p>
                <h2 id="NSS_Setup_with_libnss-ldapd">
                    NSS Setup with libnss-ldapd
                </h2>
                <span class="anchor" id="line-67">
                </span>
                <span class="anchor" id="line-68">
                </span>
                <p class="line862">
                    An alternative is to use
                    <tt>
                        libnss-ldapd
                    </tt>
                    . This software has been developed to fix some of the shortcomings of
                    <tt>
                        libnss-ldap
                    </tt>
                    , see the
                    <span class="anchor" id="line-69">
                    </span>
                    <a class="http" href="http://arthurdejong.org/nss-ldapd/">
                        nss-ldapd homepage
                    </a>
                    for more details.
                    <span class="anchor" id="line-70">
                    </span>
                    Install the package with:
                    <span class="anchor" id="line-71">
                    </span>
                    <span class="anchor" id="line-72">
                    </span>
                    <span class="anchor" id="line-73">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1-4"></span>  # apt-get install libnss-ldapd</pre>
                <span class="anchor" id="line-74">
                </span>
                <span class="anchor" id="line-75">
                </span>
                <p class="line874">
                    Most of the configuration for common setups is performed during installation. The following questions are generally asked:
                    <span class="anchor" id="line-76">
                    </span>
                    <span class="anchor" id="line-77">
                    </span>
                </p>
                <ul>
                    <li>
                        <p class="line862">
                            the URI of the LDAP server - you should specify
                            <tt>
                                ldap://10.0.0.1
                            </tt>
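                            or whatever the IP address of your LDAP server is (it's better to avoid host names because of potential problems with DNS or other NSS modules). Note that a plain ldap:// URI carries lookups and any bind credentials unencrypted unless StartTLS is enabled; the TLS options are described in the nslcd.conf manual page.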
                            <span class="anchor" id="line-78">
                            </span>
                        </p>
                    </li>
                    <li>
                        the base DN of your LDAP database
                        <span class="anchor" id="line-79">
                        </span>
                    </li>
                    <li>
                        (optional) name and credentials to use to bind to the LDAP database
                        <span class="anchor" id="line-80">
                        </span>
                    </li>
                    <li>
                        <p class="line862">
                            for which services to enable
                            <tt>
                                libnss-ldapd
                            </tt>
                            (you should probably select passwd, shadow and group and maybe others if you need them)
                            <span class="anchor" id="line-81">
                            </span>
                            <span class="anchor" id="line-82">
                            </span>
                        </p>
                    </li>
                </ul>
                <p class="line867">
                    <tt>
                        libnss-ldapd
                    </tt>
                    provides reasonable defaults for most values (looking at environment and possibly existing configurations). This should be enough to enable NSS lookups through LDAP in most common cases.
                    <span class="anchor" id="line-83">
                    </span>
                    <span class="anchor" id="line-84">
                    </span>
                </p>
                <p class="line862">
                    If you have a more unusual setup or require more configuration (e.g. SSL/TLS certificates, SASL/Kerberos configuration, etc) see the
                    <a class="interwiki" href="http://manpages.debian.org/man/5/nslcd.conf" title="DebianMan">
                        nslcd.conf
                    </a>
                    manual page and documentation in
                    <tt>
                        /usr/share/doc/libnss-ldapd
                    </tt>
                    .
                    <span class="anchor" id="line-85">
                    </span>
                    <span class="anchor" id="line-86">
                    </span>
                </p>
                <p class="line862">
                    The configuration file can be found at
                    <tt>
                        /etc/nslcd.conf
                    </tt>
                    .
                    <tt>
                        nslcd
                    </tt>
                    should be restarted if any changes are made to it.
                    <span class="anchor" id="line-87">
                    </span>
                    <span class="anchor" id="line-88">
                    </span>
                </p>
                <p class="line867">
                </p>
                <h2 id="Verify_that_NSS_is_operational">
                    Verify that NSS is operational
                </h2>
                <span class="anchor" id="line-89">
                </span>
                <span class="anchor" id="line-90">
                </span>
                <p class="line862">
                    Check that NSS is seeing things from LDAP using
                    <tt>
                        getent
                    </tt>
                    :
                    <span class="anchor" id="line-91">
                    </span>
                    <span class="anchor" id="line-92">
                    </span>
                    <span class="anchor" id="line-93">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1-5"></span>  # getent passwd</pre>
                <span class="anchor" id="line-94">
                </span>
                <p class="line862">
                    should show you accounts from LDAP that are not in the
                    <tt>
                        /etc/passwd
                    </tt>
                    file.
                    <span class="anchor" id="line-95">
                    </span>
                    Similar tests can be done with group, shadow and the other databases configured in
                    <tt>
                        /etc/nsswitch.conf
                    </tt>
                    .
                    <span class="anchor" id="line-96">
                    </span>
                    <span class="anchor" id="line-97">
                    </span>
                </p>
                <p class="line874">
                    Be sure to also run some tests as non-root users. Also try rebooting to see if NSS lookups are performed correctly during boot.
                    <span class="anchor" id="line-98">
                    </span>
                    <span class="anchor" id="line-99">
                    </span>
                </p>
                <p class="line862">
                    Note that
                    <tt>
                        getent&nbsp;shadow
                    </tt>
                    should only return data when run as root. Also, passwords are generally not returned unless the LDAP server has been configured to return this data and they are in a supported format. If
                    <tt>
                        pam_ldap
                    </tt>
                    is used (see
                    <a href="/LDAP/PAM">
                        LDAP/PAM
                    </a>
                    ) it is not necessary to expose passwords from the LDAP server, so read access to the password attribute can stay restricted there.
                    <span class="anchor" id="line-100">
                    </span>
                    <span class="anchor" id="line-101">
                    </span>
                </p>
                <p class="line862">
                    When using the
                    <tt>
                        libnss-ldapd
                    </tt>
                    package, debugging can be done by starting
                    <tt>
                        nslcd
                    </tt>
                    (the connection daemon) in debugging mode (remember to stop nscd when debugging):
                    <span class="anchor" id="line-102">
                    </span>
                    <span class="anchor" id="line-103">
                    </span>
                    <span class="anchor" id="line-104">
                    </span>
                    <span class="anchor" id="line-105">
                    </span>
                    <span class="anchor" id="line-106">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1-6"></span>  # /etc/init.d/nscd stop
<span class="anchor" id="line-2-2"></span>  # /etc/init.d/nslcd stop
<span class="anchor" id="line-3-2"></span>  # nslcd -d</pre>
                <span class="anchor" id="line-107">
                </span>
                <span class="anchor" id="line-108">
                </span>
                <p class="line862">
                    Further debugging can be done with the
                    <tt>
                        ldapsearch
                    </tt>
                    utility from the
                    <tt>
                        ldap-utils
                    </tt>
                    package. You can search for all the information that is available for a single user:
                    <span class="anchor" id="line-109">
                    </span>
                    <span class="anchor" id="line-110">
                    </span>
                    <span class="anchor" id="line-111">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1-7"></span>  % ldapsearch -h &lt;ldapserver&gt; -b dc=&lt;your&gt;,dc=&lt;domain&gt; -x uid=&lt;username&gt;</pre>
                <span class="anchor" id="line-112">
                </span>
                <p class="line862">
                    Specify the
                    <tt>
                        -D
                    </tt>
                    and
                    <tt>
                        -W
                    </tt>
                    options to log in if the
                    <tt>
                        binddn
                    </tt>
                    or
                    <tt>
                        rootbinddn
                    </tt>
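                    options are used. With a simple bind the password crosses the network unencrypted unless TLS is requested (for example StartTLS with
                    <tt>
                        -ZZ
                    </tt>
                    ). In current OpenLDAP client tools
                    <tt>
                        -h
                    </tt>
                    is deprecated in favour of giving the server as a URI with
                    <tt>
                        -H
                    </tt>
                    .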
                    <span class="anchor" id="line-113">
                    </span>
                    <span class="anchor" id="line-114">
                    </span>
                </p>
                <p class="line867">
                </p>
                <h2 id="Offline_caching_of_NSS_with_nscd">
                    Offline caching of NSS with nscd
                </h2>
                <span class="anchor" id="line-115">
                </span>
                <span class="anchor" id="line-116">
                </span>
                <p class="line874">
                    While continuous LDAP connectivity can be assumed for workstations and servers
                    <span class="anchor" id="line-117">
                    </span>
                    in a LAN, laptop users often do not have network connectivity. From a system
                    <span class="anchor" id="line-118">
                    </span>
                    administrator's point of view it is tempting to create local users on the laptop,
                    <span class="anchor" id="line-119">
                    </span>
                    but this causes trouble when these laptops have to access domain resources like
                    <span class="anchor" id="line-120">
                    </span>
                    network shares (NFS, sshfs, Samba, etc.) back in the office (with a stable
                    <span class="anchor" id="line-121">
                    </span>
                    network connection). Many of these network shares rely on a central name
                    <span class="anchor" id="line-122">
                    </span>
                    service database like LDAP because of user and group information and
                    <span class="anchor" id="line-123">
                    </span>
                    permissions on the share.
                    <span class="anchor" id="line-124">
                    </span>
                    <span class="anchor" id="line-125">
                    </span>
                </p>
                <p class="line874">
                    NSCD is often used to cache NSS information, so that the LDAP server does not
                    <span class="anchor" id="line-126">
                    </span>
                    have to be queried for every request (which also has an impact on the speed of
                    <span class="anchor" id="line-127">
                    </span>
                    the answer). NSCD can also be used to serve these requests while there is no
                    <span class="anchor" id="line-128">
                    </span>
                    network connectivity. In short: NSCD is configured to cache the information
                    <span class="anchor" id="line-129">
                    </span>
                    much longer than the default values from Debian (Lenny).
                    <span class="anchor" id="line-130">
                    </span>
                    <span class="anchor" id="line-131">
                    </span>
                </p>
                <p class="line867">
                    <em>
                        Recipe:
                    </em>
                    <span class="anchor" id="line-132">
                    </span>
                    <span class="anchor" id="line-133">
                    </span>
                </p>
                <p class="line862">
                    NSCD has a configuration file
                    <tt>
                        /etc/nscd.conf
                    </tt>
                    <span class="anchor" id="line-134">
                    </span>
                    <span class="anchor" id="line-135">
                    </span>
                </p>
                <p class="line874">
                    There are two configuration options which have to be altered in order to use
                    <span class="anchor" id="line-136">
                    </span>
                    the pseudo-offline capability:
                    <span class="anchor" id="line-137">
                    </span>
                    <span class="anchor" id="line-138">
                    </span>
                </p>
                <p class="line867">
                    <span class="anchor" id="line-139">
                    </span>
                    <span class="anchor" id="line-140">
                    </span>
                    <span class="anchor" id="line-141">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1-8"></span>reload-count            unlimited
<span class="anchor" id="line-2-3"></span>positive-time-to-live   &lt;service&gt;          #number of second</pre>
                <span class="anchor" id="line-142">
                </span>
                <span class="anchor" id="line-143">
                </span>
                <p class="line874">
                    The positive-time-to-live has to be configured for at least the passwd and
                    <span class="anchor" id="line-144">
                    </span>
                    group service. To cache user and group information for 30 days, you would use:
                    <span class="anchor" id="line-145">
                    </span>
                    <span class="anchor" id="line-146">
                    </span>
                </p>
                <p class="line867">
                    <span class="anchor" id="line-147">
                    </span>
                    <span class="anchor" id="line-148">
                    </span>
                    <span class="anchor" id="line-149">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1-9"></span>positive-time-to-live   passwd          2592000
<span class="anchor" id="line-2-4"></span>positive-time-to-live   group           2592000</pre>
                <span class="anchor" id="line-150">
                </span>
                <span class="anchor" id="line-151">
                </span>
                <p class="line867">
                    <em>
                        Caveats:
                    </em>
                    <span class="anchor" id="line-152">
                    </span>
                    <span class="anchor" id="line-153">
                    </span>
                </p>
                <p class="line874">
                    When configured for offline mode, NSCD's NSS information is not updated for a
                    <span class="anchor" id="line-154">
                    </span>
                    long period of time. This can be troublesome depending on the time-to-live
                    <span class="anchor" id="line-155">
                    </span>
                    setting, because changes in the LDAP database are not known to the system
                    <span class="anchor" id="line-156">
                    </span>
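                    because it uses the cached information. In particular, an account that was removed or a group membership that was revoked in LDAP keeps resolving on the laptop until the cache entry expires or is invalidated. For now, I have only one workaround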
                    <span class="anchor" id="line-157">
                    </span>
                    with which I am not too happy: manually cleaning the cache when online again
                    <span class="anchor" id="line-158">
                    </span>
                    with:
                    <span class="anchor" id="line-159">
                    </span>
                    <span class="anchor" id="line-160">
                    </span>
                </p>
                <p class="line867">
                    <span class="anchor" id="line-161">
                    </span>
                    <span class="anchor" id="line-162">
                    </span>
                    <span class="anchor" id="line-163">
                    </span>
                </p>
                <pre><span class="anchor" id="line-1-10"></span># nscd -i passwd
<span class="anchor" id="line-2-5"></span># nscd -i group</pre>
                <span class="anchor" id="line-164">
                </span>
                <span class="anchor" id="line-165">
                </span>
                <p class="line874">
                    I guess this could be automated in some way (when the LDAP server is reachable
                    <span class="anchor" id="line-166">
                    </span>
                    again), but I am not sure if this is the right way.
                    <span class="anchor" id="line-167">
                    </span>
                    <span class="anchor" id="line-168">
                    </span>
                </p>
                <p class="line867">
                    <em>
                        Other possibilities:
                    </em>
                    <span class="anchor" id="line-169">
                    </span>
                    <span class="anchor" id="line-170">
                    </span>
                </p>
                <ul>
                    <li>
                        nss-updatedb
                        <span class="anchor" id="line-171">
                        </span>
                    </li>
                    <li>
                        sss
                        <span class="anchor" id="line-172">
                        </span>
                        <span class="anchor" id="line-173">
                        </span>
                    </li>
                </ul>
                <p class="line862">
                    See
                    <a class="http" href="http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html">
                        Petter Reinholdtsen's blog
                    </a>
                    on caching password, user and group on a roaming Debian laptop for more information.
                    <span class="anchor" id="line-174">
                    </span>
                    <span class="anchor" id="line-175">
                    </span>
                </p>
                <p class="line867">
                    <strong>
                        Hint
                    </strong>
                    : PAM can also be configured for offline caching of credentials, see
                    <a href="/LDAP/PAM">
                        LDAP/PAM
                    </a>
                    <span class="anchor" id="line-176">
                    </span>
                    <span class="anchor" id="bottom">
                    </span>
                </p>
            </div>
            <div id="pagebottom">
            </div>
        </div>
        <div id="footer">
            <p class="info" dir="ltr" id="pageinfo" lang="en">
                LDAP/NSS  (last edited 2015-12-29 12:37:16 by
                <span title="FelixWinterhalter">
                    <a class="nonexistent" href="/FelixWinterhalter" title="FelixWinterhalter">
                        ?
                    </a>
                    FelixWinterhalter
                </span>
                )
            </p>
        </div>
    </body>
</html>
