Alpine Linux+ldap_pam: can login through ssh, can’t su or sudo with ldap accounts

I’ve installed nss-pam-ldapd on an Alpine Linux server, edited nslcd.conf to use an ldap server I have running elsewhere, and added “UsePAM yes” to /etc/ssh/sshd_config. I have two local accounts, root and admin, and an ldap account, ldapuser.

  • I can ssh into the server as admin or ldapuser
  • As admin I can run sudo -u ldapuser echo hello
  • As admin I can’t run su ldapuser
  • As root I can su into admin and ldapuser
  • As ldapuser I can su into root and admin

In general everything seems to work perfectly if the only accounts involved have an entry in /etc/shadow. Research on the internet seems to suggest I can fix any login problems with the /etc/pam.d config files but they don’t seem to do anything for su. As an experiment I commented out “auth sufficient pam_rootok.so” from /etc/pam.d/su and root is still able to su as any user without a password.
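The observation that editing /etc/pam.d/su changes nothing is worth testing directly: on Alpine, su is by default the BusyBox applet, which is built without PAM support, so /etc/pam.d/su is never read (sudo, by contrast, is linked against libpam, which is consistent with sudo working for LDAP users). The script below is an added diagnostic, not code from the original post: it lists the modules in a PAM service file's auth (or account) stack, handling bracketed control syntax, and checks whether a given binary links libpam. The function names, the sample PAM file content and the usage paths are my own assumptions.

```shell
#!/bin/sh
# pamcheck.sh: does the su PAM stack mention pam_ldap, and does the su
# binary consult PAM at all? (added example; names are assumptions)

# Print the module column of every line in a PAM service file that belongs
# to the given management group (auth, account, password, session).
# $1 = PAM service file (e.g. /etc/pam.d/su), $2 = group name
pam_modules() {
  awk -v grp="$2" '
    /^[[:space:]]*#/ || NF < 3 { next }   # skip comments and malformed lines
    $1 == grp {
      i = 2
      if ($2 ~ /^\[/) {                    # bracketed control, e.g. [success=1 default=ignore]
        while (i <= NF && $i !~ /\]$/) i++
        i++
      } else {
        i = 3                              # plain control word: module is the third field
      }
      print $i
    }' "$1"
}

# Exit 0 if the stack for group $2 in file $1 references module $3 exactly.
pam_has_module() {
  pam_modules "$1" "$2" | grep -qxF -- "$3"
}

# Exit 0 if the binary at $1 links libpam. Uses ldd when available and
# falls back to scanning the file for the soname string, which also
# catches statically linked builds. A BusyBox su that is built without
# PAM fails this check, and its /etc/pam.d/su entry is therefore inert.
binary_links_pam() {
  if command -v ldd >/dev/null 2>&1 && ldd "$1" 2>/dev/null | grep -q libpam; then
    return 0
  fi
  grep -qa 'libpam\.so' "$1"
}

# Usage: sh pamcheck.sh /etc/pam.d/su /bin/su
if [ $# -eq 2 ]; then
  printf 'auth modules in %s: %s\n' "$1" "$(pam_modules "$1" auth | tr '\n' ' ')"
  if pam_has_module "$1" auth pam_ldap.so; then
    echo "auth stack references pam_ldap.so"
  else
    echo "auth stack does not reference pam_ldap.so"
  fi
  if binary_links_pam "$2"; then
    echo "$2 links libpam: the PAM stack applies"
  else
    echo "$2 does not link libpam: the PAM stack is ignored"
  fi
fi
```

Run it as `sh pamcheck.sh /etc/pam.d/su "$(command -v su)"`; if the second line reports that su does not link libpam, no amount of editing /etc/pam.d/su will change its behaviour, and a PAM-aware su (for example the one shipped by Alpine's shadow package) is what would make the stack take effect.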