From owner-freebsd-stable@FreeBSD.ORG Mon Jul 15 19:19:54 2013
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id CA253B87 for ; Mon, 15 Jul 2013 19:19:54 +0000 (UTC) (envelope-from crest@rlwinm.de)
Received: from mail.rlwinm.de (mail.rlwinm.de [IPv6:2a01:4f8:140:72e1::ac16:e45e]) by mx1.freebsd.org (Postfix) with ESMTP id 93DB0273 for ; Mon, 15 Jul 2013 19:19:54 +0000 (UTC)
Received: from hexe.rlwinm.de (p4FE67BC6.dip0.t-ipconnect.de [79.230.123.198]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.rlwinm.de (Postfix) with ESMTPSA id D63E61169A for ; Mon, 15 Jul 2013 19:16:20 +0000 (UTC)
Message-ID: <51E44B55.6030005@rlwinm.de>
Date: Mon, 15 Jul 2013 21:19:49 +0200
From: Jan Bramkamp
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130707 Thunderbird/17.0.7
MIME-Version: 1.0
To: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
References:
In-Reply-To:
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 15 Jul 2013 19:19:54 -0000

On 15.07.2013 21:09, Daniel Eischen wrote:
> On Mon, 15 Jul 2013, Michael Loftis wrote:
>
>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>> your configuration you've exposed I think you're ending up with that
>> behavior and not using pam_ldap at all. Instead the authentication is
>> happening via nsswitch fulfilling getpwent() calls (the passwd: files
>> ldap line in nsswitch.conf)
>
> Ok, thanks. But shouldn't the documentation be changed
> to reflect that?

More than that.
In my opinion it should be updated by replacing nss_ldap and pam_ldap with nss-pam-ldapd, which splits the job of both into a shared daemon talking to the LDAP server and small stubs, linked into the NSS/PAM-using process, that talk to the local daemon. This allows usable timeout handling and client certificates with safe permissions.
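As an added illustration of the split Jan describes (this is my own example, not code or configuration from the thread, from FreeBSD, or from the nss-pam-ldapd project), the script below writes the three files that make the nslcd arrangement work into a scratch prefix and then checks the two properties he calls out: the secret-bearing files (nslcd.conf with its bindpw, and the TLS client key) are readable only by root, since only the daemon needs them, and nslcd.conf bounds bind and search time so a dead directory server fails fast in one place rather than hanging every process that calls getpwnam(). The file locations follow the FreeBSD net/nss-pam-ldapd port as I know it, the directive names are from nslcd.conf(5), and the LDAP URI, base DN, bind DN, password and certificate paths are placeholders I made up.

```shell
#!/bin/sh
# Added example, not part of the thread: the file layout behind the
# nss-pam-ldapd split, written into a scratch prefix so it can be run
# anywhere. Paths follow the FreeBSD net/nss-pam-ldapd port; the LDAP URI,
# base DN, bind DN, password and certificate paths are placeholders.
set -eu

ROOT=${ROOT:-$(mktemp -d)}   # scratch prefix; set ROOT=/ to target a real host

write_configs() {
    mkdir -p "$ROOT/etc" "$ROOT/usr/local/etc/pam.d" "$ROOT/usr/local/etc/ssl"

    # nsswitch.conf: the nss_ldap stub shipped with nss-pam-ldapd only talks
    # to nslcd over its local socket, so the stub carries no credentials.
    cat > "$ROOT/etc/nsswitch.conf" <<'EOF'
passwd: files ldap
group:  files ldap
EOF

    # nslcd.conf: root-owned, mode 0600. It holds bindpw and names the TLS
    # client key; only the daemon, running as the nslcd user, reads it.
    cat > "$ROOT/usr/local/etc/nslcd.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://ldap.example.com/
base dc=example,dc=com
binddn cn=nslcd,ou=svc,dc=example,dc=com
bindpw placeholder-bind-password
# Client certificate: the daemon authenticates to the server; processes
# calling getpwent() never need read access to the key.
tls_reqcert demand
tls_cacertfile /usr/local/etc/ssl/ldap-ca.crt
tls_cert /usr/local/etc/ssl/nslcd.crt
tls_key /usr/local/etc/ssl/nslcd.key
# Bounded timeouts: an unreachable server fails fast here instead of
# hanging every process that happens to do a name lookup.
bind_timelimit 5
timelimit 10
reconnect_sleeptime 1
reconnect_retrytime 10
idle_timelimit 600
EOF
    chmod 0600 "$ROOT/usr/local/etc/nslcd.conf"

    # Placeholder client key, same rule: nobody but the daemon reads it.
    : > "$ROOT/usr/local/etc/ssl/nslcd.key"
    chmod 0600 "$ROOT/usr/local/etc/ssl/nslcd.key"

    # PAM: pam_ldap from nss-pam-ldapd asks nslcd to bind as the user, so the
    # directory checks the password instead of pam_unix comparing a hash that
    # happened to come back through getpwent().
    cat > "$ROOT/usr/local/etc/pam.d/sshd" <<'EOF'
auth     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
account  required    /usr/local/lib/pam_ldap.so  no_warn
EOF
}

# True only if the file's group and other permission bits are all clear.
# Parses ls -l so it works on both BSD and GNU userlands.
is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# True if every file that carries a secret is private.
secrets_are_private() {
    is_private "$ROOT/usr/local/etc/nslcd.conf" &&
    is_private "$ROOT/usr/local/etc/ssl/nslcd.key"
}

# True if the NSS passwd source includes ldap (the line from the original
# poster's setup that routes lookups through the NSS stub).
nsswitch_uses_ldap() {
    grep -q '^passwd:.*ldap' "$ROOT/etc/nsswitch.conf"
}

# True if nslcd.conf bounds both the bind and the search time.
nslcd_bounds_timeouts() {
    grep -q '^bind_timelimit ' "$ROOT/usr/local/etc/nslcd.conf" &&
    grep -q '^timelimit ' "$ROOT/usr/local/etc/nslcd.conf"
}

write_configs
secrets_are_private && nsswitch_uses_ldap && nslcd_bounds_timeouts &&
    echo "ldap client layout under $ROOT looks sane"
```

The permission check is the part worth keeping around: with the old nss_ldap/pam_ldap pair, every process doing lookups had to be able to read the bind credentials and any client key, so those files could not be locked down; with nslcd they can be, and the check above catches the case where someone later loosens them.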