Date: Mon, 15 Jul 2013 21:35:22 +0200 From: Jan Bramkamp <crest@rlwinm.de> To: freebsd-stable@freebsd.org Subject: Re: LDAP authentication confusion Message-ID: <51E44EFA.2090207@rlwinm.de> In-Reply-To: <1373916303.17449.140661255966229.44609E69@webmail.messagingengine.com> References: <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net> <51E44B55.6030005@rlwinm.de> <1373916303.17449.140661255966229.44609E69@webmail.messagingengine.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 15.07.2013 21:25, Mark Felder wrote:> On Mon, Jul 15, 2013, at 14:19, Jan Bramkamp wrote: >> >> More than that. In my opinion it should be updated by replacing nss_ldap >> and pam_ldap with nss-pam-ldapd which splits the job of both into a >> shared daemon talking to the LDAP server and small stubs linked into the >> NSS / PAM using process talking to the local daemon. This allows useable >> timeout handling and client certificates with save permissions. >> > > And if the daemon ever crashes, we can't login to our customer servers > (assuming they nuked our local account because they have root access). > > That's the one issue I have with that daemon and why we haven't migrated > to it. We should re-evaluate it, though. In that case run nslcd in foreground with some kind of watchdog. Their are several examples of this in the ports tree e.g. daemontools. So far i never ran into this problem because nslcd on any of my production systems. I prefer nss-pam-ldapd over nss_ldap + pam_ldap because: - It doesn't link libldap, liblber, libsasl, libssl etc. into nearly every process. - It keeps the LDAP connection open reducing the latency (important with DHE-RSA ciphersuites). - It handles timeouts in one place instead of timing out in every process. This doesn't change the fact that the nslcd daemon is a single point of failure for all LDAP accesses over NSS and PAM.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51E44EFA.2090207>