From: Jan Bramkamp
To: freebsd-hackers@freebsd.org
Subject: Re: nss_ldap seems to not work
Date: Tue, 8 Nov 2016 13:30:49 +0100
Message-ID: <2eac83ec-c5d6-6167-2921-66e7c0d34476@rlwinm.de>
In-Reply-To: <1644757548.20161108110056@mail.ru>
List-Id: Technical Discussions relating to FreeBSD

On 08/11/2016 09:00, Anthony Pankov via freebsd-hackers wrote:
> Greetings.
>
> nss_ldap seems to not work correctly, at least on FreeBSD 10.3.

The original PADL nss_ldap and pam_ldap modules have been effectively
unmaintained by the upstream for years. They inject a lot of code into
each process using either NSS or PAM. Do yourself a favor and move on to
net/nss-pam-ldapd(-sasl), which is maintained and has moved most of the
logic and all of the network communication to a dedicated daemon
process. See https://arthurdejong.org/nss-pam-ldapd/design for more
details.

> Two configurations
> 1. FreeBSD 9.2
> 2. FreeBSD 10.3
> sharing nss_ldap settings and using the same LDAP tree (DIT) produce
> different results.
>
> On FreeBSD 10.3 nss_ldap can't enumerate supplementary user
> groups.
>
> Example:
> FreeBSD 9.2:
> # id user1
> ... groups=basegroup,gr1,gr2,gr3
> FreeBSD 10.3:
> # id user1
> ... groups=basegroup
>
> The effect is an inadequate result of the initgroups() call, which
> leads to various side effects with permissions.
>
> P.S. Interesting fact. On FreeBSD 10.3 the pw utility produces the
> correct result:
> # pw usershow user1
> ... groups=basegroup,gr1,gr2,gr3

I suspect that there is a regression in the old nss_ldap module. At this
time I would be surprised if anyone wanted to touch the old code with a
ten foot pole.

-- 
Jan Bramkamp
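An added check for the symptom Anthony describes (example code written for this page, not from the thread or from nss_ldap/nss-pam-ldapd): it compares the supplementary groups NSS returns through getgrouplist(), the lookup path initgroups() relies on, with the memberships found by enumerating the group database with getgrent(); a user whose enumerated memberships are missing from the getgrouplist() result shows the "groups=basegroup" behaviour. It assumes both lookups go through the host's NSS configuration, that the user exists in the passwd database, and that the user is in at most 256 groups.

```c
#define _DEFAULT_SOURCE 1 /* exposes getgrent()/getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#define MAXG 256 /* assumed upper bound on groups per user */

/* Supplementary groups as NSS reports them through getgrouplist(), the same
 * lookup path initgroups() relies on. Returns the count, or -1 on failure. */
static int nss_groups(const char *user, gid_t *gids, int max) {
    struct passwd *pw = getpwnam(user);
    int n = max;
    if (pw == NULL || getgrouplist(user, pw->pw_gid, gids, &n) == -1)
        return -1;
    return n;
}

/* Groups found by walking the whole group database with getgrent() and
 * checking each member list, plus the primary gid. Returns count or -1. */
static int enumerated_groups(const char *user, gid_t *gids, int max) {
    struct passwd *pw = getpwnam(user);
    struct group *gr;
    int n = 0;
    if (pw == NULL) return -1;
    gids[n++] = pw->pw_gid;
    setgrent();
    while ((gr = getgrent()) != NULL && n < max)
        for (char **m = gr->gr_mem; *m != NULL; m++)
            if (strcmp(*m, user) == 0 && gr->gr_gid != pw->pw_gid) {
                gids[n++] = gr->gr_gid;
                break;
            }
    endgrent();
    return n;
}

/* 1 if getgrouplist() covers every enumerated membership, 0 if some are
 * missing (the "groups=basegroup" symptom from the thread), -1 on error. */
int check_user(const char *user) {
    gid_t a[MAXG], b[MAXG];
    int na = nss_groups(user, a, MAXG), nb = enumerated_groups(user, b, MAXG);
    if (na < 0 || nb < 0) return -1;
    for (int i = 0; i < nb; i++) {
        int found = 0;
        for (int j = 0; j < na && !found; j++) found = (a[j] == b[i]);
        if (!found) return 0;
    }
    return 1;
}
```

Run check_user() against an LDAP-backed account on each host; a 0 on one host and a 1 on the other with the same directory data points at the NSS module's initgroups path rather than at the directory.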