From owner-freebsd-stable@FreeBSD.ORG Mon Jul 15 19:35:22 2013 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 2FE55182 for ; Mon, 15 Jul 2013 19:35:22 +0000 (UTC) (envelope-from crest@rlwinm.de) Received: from mail.rlwinm.de (mail.rlwinm.de [IPv6:2a01:4f8:140:72e1::ac16:e45e]) by mx1.freebsd.org (Postfix) with ESMTP id EC2C134B for ; Mon, 15 Jul 2013 19:35:21 +0000 (UTC) Received: from hexe.rlwinm.de (p4FE67BC6.dip0.t-ipconnect.de [79.230.123.198]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.rlwinm.de (Postfix) with ESMTPSA id B6E3D116A1 for ; Mon, 15 Jul 2013 19:31:54 +0000 (UTC) Message-ID: <51E44EFA.2090207@rlwinm.de> Date: Mon, 15 Jul 2013 21:35:22 +0200 From: Jan Bramkamp User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130707 Thunderbird/17.0.7 MIME-Version: 1.0 To: freebsd-stable@freebsd.org Subject: Re: LDAP authentication confusion References: <51E44B55.6030005@rlwinm.de> <1373916303.17449.140661255966229.44609E69@webmail.messagingengine.com> In-Reply-To: <1373916303.17449.140661255966229.44609E69@webmail.messagingengine.com> X-Enigmail-Version: 1.5.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Jul 2013 19:35:22 -0000 On 15.07.2013 21:25, Mark Felder wrote:> On Mon, Jul 15, 2013, at 14:19, Jan Bramkamp wrote: >> >> More than that. In my opinion it should be updated by replacing nss_ldap >> and pam_ldap with nss-pam-ldapd which splits the job of both into a >> shared daemon talking to the LDAP server and small stubs linked into the >> NSS / PAM using process talking to the local daemon. This allows useable >> timeout handling and client certificates with save permissions. >> > > And if the daemon ever crashes, we can't login to our customer servers > (assuming they nuked our local account because they have root access). > > That's the one issue I have with that daemon and why we haven't migrated > to it. We should re-evaluate it, though. In that case run nslcd in foreground with some kind of watchdog. Their are several examples of this in the ports tree e.g. daemontools. So far i never ran into this problem because nslcd on any of my production systems. I prefer nss-pam-ldapd over nss_ldap + pam_ldap because: - It doesn't link libldap, liblber, libsasl, libssl etc. into nearly every process. - It keeps the LDAP connection open reducing the latency (important with DHE-RSA ciphersuites). - It handles timeouts in one place instead of timing out in every process. This doesn't change the fact that the nslcd daemon is a single point of failure for all LDAP accesses over NSS and PAM.