Tony's ramblings on Open Source Software, Life and Photography


LDAP Authentication and NSCD

I don't know how I didn't run into this before, but I finally stumbled on a program that just made my life a ton better.

We run OpenLDAP for network authentication, among other things. Periodically, the Name Service Caching Daemon (NSCD) will introduce a bug that causes accounts stored in LDAP to not work properly. In the most recent iteration of Ubuntu Precise 12.04.2, the bug is that "getent passwd" will list all your users, but trying to su to them will tell you they don't exist.

All your problems can be fixed by simply installing "unscd" instead of "nscd". "unscd" or "Micro Name Service Caching Daemon" (the U stands for the micro symbol) is a direct replacement for nscd that doesn't appear to have the problems of nscd.

So if you're running LDAP on your network, or heck even if you aren't, simply install unscd. When you do, it should automatically remove nscd as you can't run them both at the same time.


LDAP Authentication Breaks on Ubuntu Distribution Upgrade

I've been fighting with bug #1000205 in the latest LTS Ubuntu 12.04 "Precise". Every time I've done a do-release-upgrade on a server, when it reboots it breaks logins. All my LDAP users are no longer available.

My Puppet configurations deploy the proper config file for nslcd, so when this happens I just have to wait for the server to get the correct config file from Puppet, then manually reboot the box. Unfortunately this requires physical access to the server, and I have servers in offsite locations as well.

I finally figured out an easy fix that I can pre-deploy with Puppet. I just wrote a simple script to replace the nslcd.conf file with a known good copy prior to starting the nslcd daemon.

So, here's the basics. I already had the following in my Puppet deployment:

	file {"/etc/nslcd.conf":
		source => "puppet:///modules/ldapclient/nslcd.conf",
		owner => root,
		group => root,
		mode => 644,
		require => Package["ldap-auth-client"],

So I added a second copy of that file on the systems with:

	file {"/etc/nslcd.keep":
		source => "puppet:///modules/ldapclient/nslcd.conf",
		owner => root,
		group => root,
		mode => 644,


Auto Customizing Linux Desktops For Enterprise Deployment

I'm deploying 6 more Linux workstations on my network (8.04 LTS) and decided it would be much easier if I could just run one script on each workstation that would install the additional packages I needed for LDAP authentication, configure PAM and nsswitch.conf automatically and standardize the user's desktop environment with a Firefox icon on the desktop and the Firefox homepage to our Intranet workflow system.

There's probably better ways to do this, but a simple script did it for me. First, I configured one workstation, logged in as a new user and configured their Firefox and desktop the way I wanted.

Next, as root I created a working directory called "add2network" and copied the following into it:

mkdir /root/add2network
cd /root/add2network
cp /etc/nsswitch.conf ./
cp /etc/ldap.conf ./
cp /etc/ldap.secret ./
mkdir pam.d
cp /etc/pam.d/common* ./pam.d/
cp /home/user/Desktop ./
cp -R /home/user/.mozilla ./

Next, I created a new script called "" in the working directory and inserted the following commands into it:

apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db
rm -R /etc/skel/*
cp ./nsswitch.conf /etc/
cp ./pam.d/* /etc/pam.d/
cp ./ldap.* /etc/
chmod 600 /etc/ldap.secret
cp -R ./Desktop /etc/skel/
cp -R ./mozilla /etc/skel/

Next, do the following to make the script executable:

Using OpenLDAP to configure Bind9 DNS Zones

I've recently started migrating much of our network services to OpenLDAP for the backend storage. I've switched completely from NIS authentication to LDAP, and even configured a Samba domain control for the few Windows logins that remain on our network.

For our internal DNS I run Bind9. Bind9 is notoriously hard for the average joe to configure, and to this point I've been using Webmin to manage my DNS entries. That works fine, but Ubuntu doesn't include Webmin packages, so I've been wanting to switch to something else. LDAP for the backend seemed like a perfect match.

At first I investigated using LDAP directly as the backend for DNS. It turns out this is highly experimental, and prevents Bind from doing any caching. The best solution is a package called ldap2dns. With ldap2dns it will automatically generate Bind9 zone files and restart Bind anytime your DNS entries in the LDAP server change.