From owner-freebsd-stable@FreeBSD.ORG Mon Jul 15 19:44:41 2013
Date: Mon, 15 Jul 2013 15:44:39 -0400 (EDT)
From: Daniel Eischen
To: Jan Bramkamp
Cc: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
In-Reply-To: <51E44B55.6030005@rlwinm.de>
References: <51E44B55.6030005@rlwinm.de>
List-Id: Production branch of FreeBSD source code

On Mon, 15 Jul 2013, Jan Bramkamp wrote:

> On 15.07.2013 21:09, Daniel Eischen wrote:
>> On Mon, 15 Jul 2013, Michael Loftis wrote:
>>
>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>> your configuration you've exposed I think you're ending up with that
>>> behavior and not using pam_ldap at all. Instead the authentication is
>>> happening via nsswitch fulfilling getpwent() calls (the passwd: files
>>> ldap line in nsswitch.conf)
>>
>> Ok, thanks. But shouldn't the documentation be changed
>> to reflect that?
>
> More than that. In my opinion it should be updated by replacing nss_ldap
> and pam_ldap with nss-pam-ldapd, which splits the job of both into a
> shared daemon talking to the LDAP server and small stubs linked into the
> NSS / PAM using process talking to the local daemon. This allows usable
> timeout handling and client certificates with safe permissions.

I tried nss-pam-ldapd and it doesn't work for me. I'm not doing
anything strange, as you can see by my configuration. It would try
to talk to the LDAP server, but would fail. I'm not sure it was
correctly picking up the proxyagent password in my
/usr/local/etc/nslcd.conf. It was definitely parsing it though, as
that is where the LDAP server is defined.

I switched to using pam_ldap and nss_ldap, and it worked without
any problem.

--
DE