nsswitch.conf hosts lookup from ldap on puias6 (RHEL6/CENTOS6) nslcd

We store our host information in ldap. Previously, using ldap for host lookups was done by adding the appropriate entries to /etc/ldap.conf and changing nsswitch.conf.

With 6, nss_ldap has been replaced by nslcd, so I needed to change our setup a little.
I put the following into nslcd.conf:

uid nslcd
gid ldap
uri ldap://ldap2.example.com
uri ldap://ldap.example.com
base dc=example,dc=com
# this is only host information, no need to use ssl
#ssl start_tls
#tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
base hosts ou=hosts,dc=example,dc=com
scope hosts sub

We use "scope hosts sub" because we take advantage of the ldap hierarchy and organise our hosts into different sub-OUs within the hosts OU.

Next, update nsswitch.conf to use ldap:

passwd: files sss
shadow: files sss
group: files sss

hosts: files ldap dns [NOTFOUND=return]

Next, restart nslcd to see the change:

[root@host ~]# getent hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@host ~]# service nslcd start
Starting nslcd: [ OK ]
[root@host ~]# getent hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.200 fs.example.com fs
172.16.1.181 ldap ldap.example.com
172.16.1.12 ldap2 ldap2.example.com

The ldap entry (LDIF) for one of these hosts looks like this:

# fs.example.com, hardware, hosts, example.com
dn: cn=fs.example.com,ou=hardware,ou=hosts,dc=example,dc=com
objectClass: top
objectClass: iphost
cn: fs.example.com
cn: fs
ipHostNumber: 172.16.1.200
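As an added illustration (not part of the original post, and not needing an LDAP server), here is a small Python model of how glibc walks the hosts line above, plus a renderer that turns the ipHost LDIF entry into the line getent prints. The nsswitch line and LDIF text are embedded as constructed inputs; it also shows why the placement of [NOTFOUND=return] decides whether dns is still consulted.

```python
"""Model glibc's walk of the nsswitch.conf 'hosts' line and render an ipHost
LDIF entry the way 'getent hosts' prints it. Added example, not the post's code."""
import re

# glibc defaults: stop on success, otherwise try the next service
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# Constructed sample inputs, copied from the configuration shown above
HOSTS_LINE = "hosts: files ldap dns [NOTFOUND=return]"
SAMPLE_LDIF = """dn: cn=fs.example.com,ou=hardware,ou=hosts,dc=example,dc=com
objectClass: top
objectClass: iphost
cn: fs.example.com
cn: fs
ipHostNumber: 172.16.1.200
"""


def parse_hosts_line(line):
    """'hosts: files ldap dns [NOTFOUND=return]' -> [(service, {STATUS: action})]
    A [..] action spec binds to the service immediately before it."""
    services = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line.partition(":")[2]):
        if not tok.startswith("["):
            services.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not services:
            raise ValueError("action spec before any service: %s" % line)
        actions = services[-1][1]
        for status, action in re.findall(r"(!?\w+)=(\w+)", tok):
            status, action = status.upper(), action.lower()
            if status.startswith("!"):  # !STATUS=x applies to every other status
                for other in actions:
                    if other != status[1:]:
                        actions[other] = action
            else:
                actions[status] = action
    return services


def lookup(services, outcome):
    """outcome: {service: STATUS} for one name. Returns (service that ended the
    walk, STATUS); (None, last STATUS) if every service said continue.
    A service missing from outcome is treated as UNAVAIL (e.g. nslcd stopped)."""
    status = "NOTFOUND"
    for service, actions in services:
        status = outcome.get(service, "UNAVAIL")
        if actions[status] == "return":
            return service, status
    return None, status


def ldif_to_hosts_line(ldif):
    """Render an ipHost entry as getent does: the address, then each cn."""
    attrs = {}
    for key, value in re.findall(r"^(\w+):\s*(.*)$", ldif, re.M):
        attrs.setdefault(key.lower(), []).append(value.strip())
    return " ".join(attrs["iphostnumber"][:1] + attrs["cn"])
```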

I configure nsswitch.conf with Augeas; the augtool commands to do this and the corresponding Puppet resource are below.

augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/service[1] files
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/service[2] ldap
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/service[3] dns
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/reaction/status NOTFOUND
augtool> set /files/etc/nsswitch.conf/*[self::database = 'hosts']/reaction/status/action return

Puppet:

augeas { "nsswitch ldap first":
  context => "/files/etc/nsswitch.conf",
  changes => [
    "set *[self::database = 'hosts']/service[1] files",
    "set *[self::database = 'hosts']/service[2] ldap",
    "set *[self::database = 'hosts']/service[3] dns",
    "set *[self::database = 'hosts']/reaction/status NOTFOUND",
    "set *[self::database = 'hosts']/reaction/status/action return",
  ],
  notify  => Service["nslcd"],
}