From owner-freebsd-questions@FreeBSD.ORG Fri Jul 8 16:57:06 2011
Date: Fri, 8 Jul 2011 11:57:02 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Frank Bonnet
Cc: freebsd-questions@freebsd.org
Subject: Re: import users from LDAP to local password file (pwd.db)
Message-ID: <20110708165701.GD6611@dan.emsphone.com>
References: <4E1713AF.7000806@esiee.fr> <4E172DE2.1000308@esiee.fr>
In-Reply-To: <4E172DE2.1000308@esiee.fr>
X-OS: FreeBSD 8.2-STABLE
User-Agent: Mutt/1.5.21 (2010-09-15)
In the last episode (Jul 08), Frank Bonnet said:
> On 07/08/2011 05:43 PM, Moises Castellanos wrote:
> > On Fri, Jul 8, 2011 at 9:56 AM, Frank Bonnet wrote:
> >> I need to import the necessary users' data from an OpenLDAP directory
> >> server to put them in the local password files. Has anyone done this
> >> before?
> >>
> >> The machine uses nss_ldap and pam_ldap to authenticate users, but for
> >> robustness during the holidays I would like to have a local password
> >> file on this machine, which is our mailhub.
> >>
> >> The OpenLDAP server runs on another machine, and if it fails during the
> >> holidays I want my mailhub to be standalone for authentication in order
> >> to keep the email service running even if the directory server crashes.
> >
> > You can try with getent(1) passwd and see if you can work with the
> > output
>
> getent does not show the encrypted password field

LDAP servers usually don't allow clients to see the raw password hash.
Authentication checks are done by binding as the requested user, so the
calling app doesn't have a chance to grab the hash and do an offline
brute-force attack on it.

To ensure LDAP availability, the usual thing to do is set up multiple
servers with LDAP replication between them, and configure your client's
ldap.conf to use all of them (or use carp or some other IP management app
to provide a single "always-up" IP address).

-- 
	Dan Nelson
	dnelson@allantgroup.com
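The "list all replicas in ldap.conf" approach from the reply above, written out as an added example (not from the thread or from the nss_ldap project). The file path, hostnames and base DN are assumed; the option names are PADL nss_ldap's, which the FreeBSD nss_ldap port uses.

```conf
# Assumed path: /usr/local/etc/nss_ldap.conf on FreeBSD (pam_ldap reads
# /usr/local/etc/ldap.conf with the same syntax). Hostnames and base DN
# below are constructed for this example.

# Fragile: a single directory server. Every passwd/group lookup on the
# mailhub depends on this one host being reachable.
#uri ldap://ldap1.example.org/

# Resilient: list every replica on one "uri" line; nss_ldap tries them in
# the order given and moves on when one does not answer.
uri ldap://ldap1.example.org/ ldap://ldap2.example.org/
base dc=example,dc=org
ldap_version 3

# Fail fast instead of letting the MTA's lookups block for minutes while a
# replica is down. bind_policy soft returns an error when no server can be
# reached rather than retrying indefinitely (the "hard" default).
bind_timelimit 5
timelimit 10
bind_policy soft
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 4
nss_reconnect_maxconntries 2

# Never send lookups for local system accounts to the directory, so the
# daemons themselves keep working (and generate no LDAP traffic) during
# an outage.
nss_initgroups_ignoreusers root,daemon,postfix
```

With bind_policy soft a total outage makes lookups fail quickly instead of blocking, so check how your MTA reacts to an "unknown user" result from the name service before choosing it over the hard default.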