From: Frode Nordahl
Date: Sat, 4 Mar 2006 10:04:17 +0100
To: Dmitriy Kirhlarov
Cc: freebsd-stable@freebsd.org
Subject: Re: nss_ldap problem
In-Reply-To: <20060226081431.GA813@dimma.mow.oilspace.com>

On 26. feb. 2006, at 09.14, Dmitriy Kirhlarov wrote:

> I use nss_ldap-1.239 and nss_ldap-1.244 on 5.4 and 6.0
> I have a problem -- login success only if {CRYPT} mechanism used in
> ldap database. Other services, authenticated in ldap, work fine
> (pam_ldap, apache auth for example).

pam_ldap authenticates the user by attempting to bind to the LDAP server using the user's credentials. So what type of encryption is used should not make any difference.
However, I have observed configurations on Linux where authentication is done through nss_ldap instead of pam_ldap. What actually happens then is that nss_ldap fetches the password from the database and pam_unix does the authentication work. If this is the case in your setup, the encryption chosen would matter, as pam_unix probably does not support all the modes that OpenLDAP has.

You could try to remove pam_ldap from your setup, leave nss_ldap active, and see if you still can log in?

What do your ACLs look like? I have this as one of my first ACLs:

access to attr=userPassword
        by self write
        by anonymous auth
        by * none

This makes sure that no one can read the password from the directory, but allows a user to change his own password, and to authenticate by binding to the LDAP server.

[snip]

> /etc/nsswitch.conf
> group: ldap files
> hosts: files dns
> networks: files
> passwd: ldap files
> shells: files
> imap: ldap

Why do you have "ldap" first? I would use "files ldap" in any case so local changes can override the directory.

Frode Nordahl
frode@nordahl.net
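The two checks raised in this reply (is userPassword readable by anyone but the owner, and does "ldap" precede "files" in nsswitch.conf) as a small audit script. This is an added example, not code from the message or from nss_ldap/OpenLDAP; the slapd.conf and nsswitch.conf fragments are constructed, and the ACL parser is deliberately simplified (continuation lines joined, `by` subjects without embedded spaces, named access levels only).

```python
import re
# Constructed samples: the ACL from the message, plus an nsswitch.conf like the one quoted.
SLAPD_CONF = """\
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""
NSSWITCH_CONF = """\
group: ldap files
hosts: files dns
passwd: ldap files
"""
# OpenLDAP access levels, weakest to strongest; each level implies the ones below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_access(conf):
    """Return [(what, [(who, level), ...])] per 'access to' directive.
    Simplified: continuation lines are joined; 'by' subjects must contain no spaces."""
    joined = re.sub(r"\n[ \t]+", " ", conf)
    rules = []
    for line in joined.splitlines():
        m = re.match(r"access to (\S+)((?:\s+by\s+\S+\s+\S+)+)", line.strip())
        if m:
            rules.append((m.group(1), re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))))
    return rules

def password_exposed_to(conf):
    """Subjects other than 'self' that get read or better on userPassword.
    As in slapd, the first 'access to' clause that covers the attribute wins."""
    for what, bys in parse_access(conf):
        if what in ("*", "attr=userPassword", "attrs=userPassword"):
            return [who for who, level in bys
                    if who != "self" and LEVELS.index(level) >= LEVELS.index("read")]
    return []

def ldap_before_files(conf):
    """Databases where 'ldap' is consulted before 'files', so local entries cannot override."""
    flagged = []
    for line in conf.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        db, sources = line.split(":", 1)
        srcs = sources.split()
        if "ldap" in srcs and "files" in srcs and srcs.index("ldap") < srcs.index("files"):
            flagged.append(db.strip())
    return flagged

if __name__ == "__main__":
    print("userPassword readable by:", password_exposed_to(SLAPD_CONF))  # []
    print("ldap before files in:", ldap_before_files(NSSWITCH_CONF))     # ['group', 'passwd']
```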