LDAP Client NSS Configuration

the nss-ldap module allows ldap users to appear correctly when doing normal system tasks, like an ls -l.

Again, the configuration for nss-ldap is usually in /etc/ldap.conf, but depending on distro, may appear in /etc/libnss-ldap.conf.

Config File Contents

  • standard ldap connection info...
uri ldaps://ldap.example.com
base dc=example,dc=com
ldap_version 3
scope one
timelimit 30
bind_timelimit 30

  • NSS-specific info...
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one

There are several other nss_base_* options, but they have been omitted, since we're not using them.

The above lines tell the nss-ldap module where in the LDAP directory it should look to find information from the normal unix facilities like /etc/passwd, /etc/shadow, and /etc/group

To increase performance, you may also wish to run nscd, the name service caching daemon. This will decrease the number of queries to the ldap server, and increase the responsiveness of the client.

(yes, nss configuration is much simpler than pam)

Unless otherwise noted, all content is copyright Marc Dougherty and is subject to a Creative Commons license.