From owner-freebsd-stable@FreeBSD.ORG  Mon Jul 15 19:44:41 2013
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 1FEAA789
 for <freebsd-stable@freebsd.org>; Mon, 15 Jul 2013 19:44:41 +0000 (UTC)
 (envelope-from deischen@freebsd.org)
Received: from mail.netplex.net (mail.netplex.net [204.213.176.9])
 by mx1.freebsd.org (Postfix) with ESMTP id D3D8B651
 for <freebsd-stable@freebsd.org>; Mon, 15 Jul 2013 19:44:40 +0000 (UTC)
Received: from sea.ntplx.net (sea.ntplx.net [204.213.176.11])
 by mail.netplex.net (8.14.6/8.14.6/NETPLEX) with ESMTP id r6FJid5w002028;
 Mon, 15 Jul 2013 15:44:39 -0400
X-Virus-Scanned: by AMaViS and Clam AntiVirus (mail.netplex.net)
X-Greylist: Message whitelisted by DRAC access database, not delayed by
 milter-greylist-4.4.1 (mail.netplex.net [204.213.176.9]);
 Mon, 15 Jul 2013 15:44:39 -0400 (EDT)
Date: Mon, 15 Jul 2013 15:44:39 -0400 (EDT)
From: Daniel Eischen <deischen@freebsd.org>
X-X-Sender: eischen@sea.ntplx.net
To: Jan Bramkamp <crest@rlwinm.de>
Subject: Re: LDAP authentication confusion
In-Reply-To: <51E44B55.6030005@rlwinm.de>
Message-ID: <Pine.GSO.4.64.1307151537510.8901@sea.ntplx.net>
References: <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net>
 <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com>
 <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net> <51E44B55.6030005@rlwinm.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-stable@freebsd.org
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: Daniel Eischen <deischen@freebsd.org>
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2013 19:44:41 -0000

On Mon, 15 Jul 2013, Jan Bramkamp wrote:

> On 15.07.2013 21:09, Daniel Eischen wrote:> On Mon, 15 Jul 2013, Michael
> Loftis wrote:
>>
>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>> your configuration you've exposed I think you're ending up with that
>>> behavior and not using pam_ldap at all.  Instead the authentication is
>>> happening via nsswitch fulfilling getpwent() call's (the passwd: files
>>> ldap line in nsswitch.conf)
>>
>> Ok, thanks.  But shouldn't the documentation be changed
>> to reflect that?
>
> More than that. In my opinion it should be updated by replacing nss_ldap
> and pam_ldap with nss-pam-ldapd which splits the job of both into a
> shared daemon talking to the LDAP server and small stubs linked into the
> NSS / PAM using process talking to the local daemon. This allows useable
> timeout handling and client certificates with save permissions.

I tried nss-pam-ldapd and it doesn't work for me.  I'm not
doing anything strange, as you can see by my configuration.
It would try to talk to the LDAP server, but would fail.
I'm not sure it was correctly picking up the proxyagent
password in my /usr/local/etc/nslcd.conf.  It was definitely
parsing it though, as that is where the LDAP server is
defined.  I switched to using pam_ldap and nss_ldap, and
it worked without any problem.

-- 
DE