Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 15 Jul 2013 21:19:49 +0200
From:      Jan Bramkamp <crest@rlwinm.de>
To:        freebsd-stable@freebsd.org
Subject:   Re: LDAP authentication confusion
Message-ID:  <51E44B55.6030005@rlwinm.de>
In-Reply-To: <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net>
References:  <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net>

next in thread | previous in thread | raw e-mail | index | archive | help
On 15.07.2013 21:09, Daniel Eischen wrote:> On Mon, 15 Jul 2013, Michael
Loftis wrote:
>
>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>> your configuration you've exposed I think you're ending up with that
>> behavior and not using pam_ldap at all.  Instead the authentication is
>> happening via nsswitch fulfilling getpwent() call's (the passwd: files
>> ldap line in nsswitch.conf)
>
> Ok, thanks.  But shouldn't the documentation be changed
> to reflect that?

More than that. In my opinion it should be updated by replacing nss_ldap
and pam_ldap with nss-pam-ldapd which splits the job of both into a
shared daemon talking to the LDAP server and small stubs linked into the
NSS / PAM using process talking to the local daemon. This allows useable
timeout handling and client certificates with save permissions.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51E44B55.6030005>