nsswitch.conf hosts lookup from ldap on puias6 (RHEL6/CENTOS6) nslcd

We store our host information in LDAP. Previously, using LDAP for host lookups meant adding the appropriate entries to /etc/ldap.conf and changing nsswitch.conf.

With 6, nss_ldap has been replaced by nslcd (nss-pam-ldapd), so I needed to change our setup a little.
I put the following into /etc/nslcd.conf:


uid nslcd
gid ldap
uri ldap://ldap2.example.com
uri ldap://ldap.example.com
base dc=example,dc=com
# this is only host information, no need to use ssl
#ssl start_tls
#tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
base hosts ou=hosts,dc=example,dc=com
scope hosts sub

We use scope hosts sub because we take advantage of the hierarchy of LDAP and organise our hosts into different sub-OUs within the hosts OU.

The "no need to use ssl" comment deserves a second look. The answers nslcd returns become name-to-address mappings that the resolver trusts like /etc/hosts entries and consults before DNS, so the host data may be public but its integrity still matters: over plain ldap:// with no certificate check, anyone who can redirect or spoof traffic to ldap.example.com or ldap2.example.com can hand out arbitrary addresses for internal hosts. Uncommenting ssl start_tls and tls_cacertfile (and adding tls_reqcert demand) makes nslcd verify the server before trusting what it says.

Next, update /etc/nsswitch.conf to use ldap for hosts (the passwd, shadow and group lines are shown for context; they stay on sss):


passwd: files sss
shadow: files sss
group: files sss

hosts: files ldap dns [NOTFOUND=return]

One note on the bracketed action: in nsswitch.conf an [action] applies to the source on its left, so placed after dns, the last source, [NOTFOUND=return] is a no-op and the line behaves exactly like files ldap dns. Do not move it directly after ldap: that would return as soon as the directory says a name does not exist and never fall through to dns for external hosts. A stopped nslcd is reported as UNAVAIL rather than NOTFOUND, so dns is still consulted while nslcd is down.

Next, start (or restart) nslcd to see the change. Before, getent hosts only enumerates /etc/hosts; afterwards the directory's entries appear as well:

[root@host ~]# getent hosts
127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1       localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@host ~]# service nslcd start
Starting nslcd:                                            [  OK  ]
[root@host ~]# getent hosts
127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1       localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.200   fs.example.com fs
172.16.1.181   ldap ldap.example.com
172.16.1.12    ldap2 ldap2.example.com
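The following is an added example, not code from the original post or from nss-pam-ldapd: a small POSIX sh audit of the two files above that can be run before rolling the change out. It encodes the two checks worth making here: that the hosts line keeps dns as a fallback after ldap (an [action] applies to the source on its left, so one placed directly after ldap would cut DNS off), and that nslcd.conf only talks to the directory over verified TLS, since its answers are trusted ahead of DNS. The script name nss-audit.sh, the NSS_AUDIT variable and the sample files it writes are the example's own conventions; the sample contents are constructed from the post's configuration.

```shell
#!/bin/sh
# Added example, not from the original post or from nss-pam-ldapd: audit the
# two files edited above before rolling them out. Only grep and awk are used,
# so it runs on a stock RHEL6 host. The script name nss-audit.sh, the
# NSS_AUDIT variable and the sample files below are this example's own.

# Print the sources on the hosts: line, one per line, with [action] items removed.
hosts_sources() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }' "$1"
}

# 0 when the line starts with files, lists ldap, and keeps dns after ldap as the
# fallback for names the directory does not know (external hosts).
hosts_order_ok() {
    hosts_sources "$1" | awk '
        NR == 1      { first = $1 }
        $1 == "ldap" { l = NR }
        $1 == "dns"  { d = NR }
        END { exit !(first == "files" && l && d && d > l) }'
}

# An [action] applies to the source on its left. After the last source (as in
# the post) it is a no-op; directly after ldap, [NOTFOUND=return] would stop the
# fall-through to dns for every name not in LDAP. 0 when no such action follows ldap.
ldap_fallthrough_ok() {
    awk '$1 == "hosts:" {
             for (i = 2; i < NF; i++)
                 if ($i == "ldap" && toupper($(i + 1)) ~ /^\[NOTFOUND=RETURN\]$/) bad = 1
         }
         END { exit bad + 0 }' "$1"
}

# 0 when every uri is reached over TLS with the server certificate verified:
# ldaps:// URIs, or "ssl start_tls" for plain ldap:// ones, plus an explicit CA
# file/dir and tls_reqcert demand (or hard) rather than the libldap default.
# Comment lines are dropped first, so the post's commented-out lines do not count.
nslcd_tls_ok() {
    live=$(grep -Ev '^[[:space:]]*(#|$)' "$1") || return 1
    printf '%s\n' "$live" | grep -Eq '^uri[[:space:]]+ldaps?://' || return 1
    if printf '%s\n' "$live" | grep -Eq '^uri[[:space:]]+ldap://'; then
        printf '%s\n' "$live" | grep -Eq '^ssl[[:space:]]+start_tls[[:space:]]*$' || return 1
    fi
    printf '%s\n' "$live" | grep -Eq '^tls_cacert(file|dir)[[:space:]]+[^[:space:]]' || return 1
    printf '%s\n' "$live" | grep -Eq '^tls_reqcert[[:space:]]+(demand|hard)[[:space:]]*$'
}

# Run the three checks on one pair of files; non-zero if any of them fails.
audit() {
    nss=${1:-/etc/nsswitch.conf}
    nslcd=${2:-/etc/nslcd.conf}
    rc=0
    if hosts_order_ok "$nss"; then echo "ok   $nss: hosts = files, ldap, then dns"
    else echo "FAIL $nss: hosts line is not files, ldap, dns"; rc=1; fi
    if ldap_fallthrough_ok "$nss"; then echo "ok   $nss: dns fallback after ldap intact"
    else echo "FAIL $nss: [NOTFOUND=return] after ldap cuts off dns"; rc=1; fi
    if nslcd_tls_ok "$nslcd"; then echo "ok   $nslcd: TLS with certificate verification"
    else echo "FAIL $nslcd: LDAP answers arrive over an unauthenticated channel"; rc=1; fi
    return $rc
}

# Constructed samples for an offline run (example.com names as in the post):
# the post's nsswitch line, a variant with the action misplaced, the post's
# plaintext nslcd.conf and a hardened one.
write_samples() {
    printf 'hosts: files ldap dns [NOTFOUND=return]\n' > "$1/nsswitch.conf"
    printf 'hosts: files ldap [NOTFOUND=return] dns\n' > "$1/nsswitch-cut.conf"
    cat > "$1/nslcd-plain.conf" <<'EOF'
uri ldap://ldap2.example.com
uri ldap://ldap.example.com
base dc=example,dc=com
#ssl start_tls
#tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
EOF
    cat > "$1/nslcd-tls.conf" <<'EOF'
uri ldap://ldap2.example.com
uri ldap://ldap.example.com
base dc=example,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
EOF
}

# NSS_AUDIT=1 sh nss-audit.sh [nsswitch.conf] [nslcd.conf] checks a live host;
# without NSS_AUDIT the constructed samples are audited instead.
if [ -n "${NSS_AUDIT:-}" ]; then
    audit "$@"
else
    d=$(mktemp -d) || exit 1
    write_samples "$d"
    echo "--- as posted (plain ldap://):"; audit "$d/nsswitch.conf" "$d/nslcd-plain.conf" || true
    echo "--- with start_tls and tls_reqcert demand:"; audit "$d/nsswitch.conf" "$d/nslcd-tls.conf"
    rm -rf "$d"
fi
```

Run without arguments it audits the constructed samples: the post's plaintext nslcd.conf fails the TLS check and the hardened one passes, while the post's nsswitch line passes both hosts checks. The checks are deliberately strict about tls_reqcert being stated explicitly, so that a change in the library default on some future build cannot silently weaken the setup.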

The LDAP entry (LDIF) for one of these hosts looks like this; the cn values supply the names that getent prints and ipHostNumber the address. Note that in OpenLDAP's nis.schema ipHost is an auxiliary class, so a server that enforces the schema also needs a structural class on the entry (for example objectClass: device); the listing below shows only the attributes that matter to nslcd.


# fs.example.com, hardware, hosts, example.com
dn: cn=fs.example.com,ou=hardware,ou=hosts,dc=example,dc=com
objectClass: top
objectClass: ipHost
cn: fs.example.com
cn: fs
ipHostNumber: 172.16.1.200

I configure nsswitch.conf with Augeas; the augtool lines to do this and the corresponding Puppet resource are below.


augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/service[1] files
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/service[2] ldap
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/service[3] dns
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/reaction/status NOTFOUND
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/reaction/status/action return

The same change as a Puppet resource:


augeas { "nsswitch ldap first":
  context => "/files/etc/nsswitch.conf",
  changes => [
    "set *[self::database = 'hosts']/service[1] files",
    "set *[self::database = 'hosts']/service[2] ldap",
    "set *[self::database = 'hosts']/service[3] dns",
    "set *[self::database = 'hosts']/reaction/status NOTFOUND",
    "set *[self::database = 'hosts']/reaction/status/action return"
  ],
  notify => Service["nslcd"]
}
