[plug] 2 LDAP issues
Craig Ringer
craig at postnewspapers.com.au
Fri Aug 8 10:31:12 WST 2003

> Oh, problem one still exists. I don't want to have to change
> /etc/pam.d/su etc because I don't think I should need to, I want
> nsswitch to take care of it all for me - I think that should be
> possible. No?

I seem to remember that su misbehaves somehow when using libnss_ldap and
pam_unix; I had to use libpam_ldap. I don't know why; most other stuff
doesn't care.

Oh, when checking about user accounts and ldap config, a really handy
tool is 'getent'. Instead of using ldapsearch and grep /etc/passwd to
get info about your LDAP user status, try, say, 'getent passwd nima'.
You should get a line in /etc/passwd format, but it'll be obtained via
ldap, passwd, nis, or whatever depending on your configuration and
search order in /etc/nsswitch.conf. So it's testing the same mechanism
that your apps authenticate with. Oh, and if 'getent shadow' doesn't
have the password column blanked, then your LDAP security config needs
some quick work...

Craig Ringer
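
The 'getent shadow' check from the message above, as an added example that is not part of the original post: it reads shadow-format lines and lists the accounts whose password column still carries a hash. The function names and the sample lines (all constructed, apart from the user name 'nima') are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage on a real host, run as an unprivileged user:
#     getent shadow | exposed_shadow_entries
# Any name printed means that user's password hash is readable through NSS.

# Reads shadow(5)-format lines on stdin and prints the login name of every
# entry whose password field looks like a real hash rather than a blanked
# placeholder such as "x", "*" or "!!".
exposed_shadow_entries() {
    awk -F: '
        NF < 2 { next }                # not a shadow-format line
        {
            pw = $2
            # A leading "!" only locks the account; the hash after it is
            # still disclosed, so strip the marker before testing.
            sub(/^!+/, "", pw)
            # Modular crypt format: $id$salt$hash
            if (pw ~ /^\$[0-9A-Za-z]+\$/) { print $1; next }
            # Traditional DES crypt: exactly 13 chars from [./0-9A-Za-z]
            if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$") print $1
        }'
}

# Constructed sample input standing in for `getent shadow` output.
sample_shadow() {
cat <<'EOF'
root:*:12000:0:99999:7:::
nima:x:12270:0:99999:7:::
craig:$1$CONSTRUC$0000000000000000000000:12270:0:99999:7:::
backup:!!:12000:0:99999:7:::
olduser:abCONSTRUCTED:12000:0:99999:7:::
locked:!$1$CONSTRUC$0000000000000000000000:12270:0:99999:7:::
EOF
}

# Demonstration on the constructed sample.
sample_shadow | exposed_shadow_entries
```

On the sample this reports craig, olduser and locked; the last one shows that a locked account can still leak its hash.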