I was a bit disheartened to see this is an actual bug - be it because of X package or not, of the two workstations at my desk, the Fedora 13 box has no problems (and uses nscd) and the Ubuntu one does.
Reading here, I saw the libnss-ldapd suggestion, tried it, worked fine. Regarding Hark's comment about pam_check_host_attr and pam_check_service_attr (comment #87), I would bet you could solve that another way. The solution I already had in place for another reason entirely was as follows, and works just fine for host-based restrictions:
1) create a group in LDAP for the host "hostgrp" - and put the users in that group you want.
2) use pam_succeed_if.so to restrict to the group you want.
In common-auth, before pam_ldap.so, put:
auth requisite pam_succeed_if.so user ingroup hostgrp quiet_success
This will cause PAM to only allow someone in group hostgrp to log in. Remove them from hostgrp, they can't log in. That's what you're wanting that nslcd/libnss-ldapd isn't allowing, right? Well, PAM has been around longer than nscd/nslcd anyway ;)
BTW, in case it isn't obvious, pam_succeed_if statements can be stacked - the chain goes one to the next, same as when you're using one mod then another.
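The group gate described in the comment above only restricts logins if it sits before pam_ldap.so and uses a control that fails the stack. The following check is an added example, not part of the original comment; the function names, the sample stacks and the "sufficient" control on pam_ldap.so are assumptions made for illustration.

```python
import re

# Constructed sample stacks (assumed contents of /etc/pam.d/common-auth).
GOOD = """\
# gate first, then LDAP
auth requisite pam_succeed_if.so user ingroup hostgrp quiet_success
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
"""
BAD_ORDER = """\
auth sufficient pam_ldap.so
auth requisite pam_succeed_if.so user ingroup hostgrp quiet_success
"""
WEAK_CONTROL = """\
auth optional pam_succeed_if.so user ingroup hostgrp quiet_success
auth sufficient pam_ldap.so
"""

def parse_auth_stack(text):
    """Return [(control, module, args)] for auth lines, in file order."""
    text = text.replace("\\\n", " ")          # join continued lines
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            module = m.group(2).rsplit("/", 1)[-1]  # tolerate absolute paths
            stack.append((m.group(1), module, m.group(3).split()))
    return stack

def is_group_gate(module, args, group):
    """True for pam_succeed_if.so carrying the exact tokens 'user ingroup <group>'."""
    return module == "pam_succeed_if.so" and any(
        args[i:i + 3] == ["user", "ingroup", group] for i in range(len(args)))

def gate_problems(text, group, gated="pam_ldap.so"):
    """List reasons the group gate would not restrict logins through `gated`."""
    stack = parse_auth_stack(text)
    gate = next((i for i, (_, m, a) in enumerate(stack) if is_group_gate(m, a, group)), None)
    if gate is None:
        return [f"no pam_succeed_if.so gate for group {group}"]
    problems = []
    if stack[gate][0] not in ("requisite", "required"):
        problems.append(f"gate control '{stack[gate][0]}' does not fail the stack")
    if any(m == gated for _, m, _ in stack[:gate]):
        problems.append(f"{gated} runs before the gate")
    return problems

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD_ORDER", BAD_ORDER), ("WEAK_CONTROL", WEAK_CONTROL)):
        print(name, gate_problems(text, "hostgrp") or "ok")
```

The check only looks at line order and the simple control keywords; it does not evaluate bracketed controls such as `[success=1 default=ignore]` that can jump over later lines.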