Virtualmin GPL, LDAP, and SuExec

Hello! I am having a problem with a fresh install of ubuntu-server 8.04 and Virtualmin configured for LDAP. This is probably not a true Virtualmin problem, more of a system issue, but I’m sure this question can help someone out in the future.

Browsing any website gives a “403 Forbidden” error. As far as I can tell, SuExec is not being executed (nothing in log) because the www-data user is not being recognized as a member of the virtualhost account’s group.

These commands are being performed on the Virtualmin machine:

[code:1]$ getent group | grep www-data

Looks great, right? www-data is a member of "example1" which is a virtual host account I have added. Now check this out:

[code:1]$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Doh! What gives? When looking up www-data by himself, he is not a member of any LDAP groups!

The following command is performed on another LDAP configured ubuntu 8.04 machine on our network, who just happens to have apache2 (which of course runs as www-data)

[code:1]$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),1002(example1)[/code:1]
Can you believe it!? So the LDAP server is configured correctly. The Virtualmin machine is not.

I am lost as to what would cause this. Any ideas?<br><br>Post edited by: sauce, at: 2009/04/18 06:28

aaand fixed. having a working machine to compare conf files to helped a lot.

here is the problem:

$ cat /etc/ldap.conf | grep www-data
nss_initgroups_ignoreusers backup,bin,bind,clamav,daemon,dhcp,dovecot,ftp,games,gnats,irc,klog,libuuid,list,lp,mail,man,mysql,news,ntp,postfix,postgres,proftpd,proxy,root,snmp,sshd,sync,sys,syslog,uucp,www-data
See www-data user on the end there? It was being ignored by NSS. This line is configured by “/etc/init.d/libnss-ldap” and making any changes does not survive a reboot. I’ll have to look at the script some more. At first glance it ignores all UID’s under a certain number. I’ll post back later.

When it comes to fixing this problem I can’t help but think I am going down the wrong track. Simply googling “suexec nss” brings up nada. Am I missing something obvious here? Probably. As a temporary solution to my problems, I have come up with this solution:

/etc/init.d/libnss-ldap runs this script: /usr/sbin/nssldap-update-ignoreusers which adds that line to ldap.conf

I simply edit this file to reflect these changes (in bold):

# Build list of users to ignore based on specified minimum UID users=`cat /etc/passwd | grep -v www-data | awk -F":" '{if ($3 <'$MIN') print $1 ","}' | xargs -i echo -n {}`

I am NOT happy with my temporary solution and I would appreciate anyone’s insight on the matter.