From: Jan Bramkamp <crest@rlwinm.de>
Date: Mon, 15 Jul 2013 21:49:52 +0200
To: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
Message-ID: <51E45260.3050803@rlwinm.de>
References: <51E44B55.6030005@rlwinm.de>
List-Id: Production branch of FreeBSD source code

On 15.07.2013 21:44, Daniel Eischen wrote:
> On Mon, 15 Jul 2013, Jan Bramkamp wrote:
>
>> On 15.07.2013 21:09, Daniel Eischen wrote:
>>> On Mon, 15 Jul 2013, Michael Loftis wrote:
>>>
>>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>>> your configuration you've exposed I think you're ending up with that
>>>> behavior and not using pam_ldap at all. Instead the authentication is
>>>> happening via nsswitch fulfilling getpwent() calls (the "passwd: files
>>>> ldap" line in nsswitch.conf).
>>>
>>> Ok, thanks. But shouldn't the documentation be changed to reflect that?
>>
>> More than that. In my opinion it should be updated by replacing nss_ldap
>> and pam_ldap with nss-pam-ldapd, which splits the job of both into a
>> shared daemon talking to the LDAP server and small stubs, linked into the
>> NSS/PAM-using process, talking to the local daemon. This allows usable
>> timeout handling and client certificates with safe permissions.
>
> I tried nss-pam-ldapd and it doesn't work for me. I'm not doing anything
> strange, as you can see by my configuration. It would try to talk to the
> LDAP server, but would fail. I'm not sure it was correctly picking up the
> proxyagent password in my /usr/local/etc/nslcd.conf. It was definitely
> parsing it though, as that is where the LDAP server is defined. I switched
> to using pam_ldap and nss_ldap, and it worked without any problem.

This is my basic nslcd.conf:

# user and group the daemon drops to after start; the NSS/PAM stubs
# reach it over the local socket, never the LDAP server directly
uid nslcd
gid nslcd

# fail over to auth2 if required
uri ldap://auth1.example.org
uri ldap://auth2.example.org

base dc=example,dc=org
scope sub
base group ou=groups,dc=example,dc=org
base passwd ou=users,dc=example,dc=org
scope group onelevel
scope hosts sub
# allow groups of DNs
filter group (|(objectClass=posixGroup)(objectClass=posixGroupOfNames))

bind_timelimit 15
timelimit 5
idle_timelimit 3600

# upgrade the ldap:// connections with STARTTLS and refuse to talk to a
# server whose certificate does not verify against the CA below
ssl start_tls
tls_reqcert hard
tls_cacertdir /usr/local/etc/openldap/ca
tls_cacertfile /usr/local/etc/openldap/ca/ca-cert.pem
# requires OpenSSL from ports; use DHE-RSA-AES256-SHA otherwise
tls_ciphers DHE-RSA-AES256-GCM-SHA384
# client certificate and key, readable only by the nslcd user; the
# daemon authenticates with it via SASL EXTERNAL instead of a bindpw
tls_cert /usr/local/etc/nslcd.crt
tls_key /usr/local/etc/nslcd.key
sasl_mech EXTERNAL
sasl_realm EXAMPLE.ORG
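The thread turns on a handful of nslcd.conf lines (uri scheme plus ssl, tls_reqcert, the CA files, a bindpw versus a client certificate with SASL EXTERNAL, and the time limits). The following added example is an offline linter for exactly those settings; it is not part of the mailing-list post and not code from nss-pam-ldapd. It only understands the flat keyword/value format of nslcd.conf(5), the finding codes and messages are this example's own, and the two embedded configurations are constructed: GOOD_CONF carries the TLS/SASL-relevant lines of the configuration posted above, WEAK_CONF is a deliberately weakened variant with a proxy-agent password in the file.

```python
"""Offline linter for nslcd.conf: flags settings that weaken the LDAP link."""
import os
import stat

# Constructed sample: the TLS/SASL-relevant lines of the config posted above.
GOOD_CONF = """\
uid nslcd
gid nslcd
uri ldap://auth1.example.org
uri ldap://auth2.example.org
base dc=example,dc=org
bind_timelimit 15
timelimit 5
ssl start_tls
tls_reqcert hard
tls_cacertfile /usr/local/etc/openldap/ca/ca-cert.pem
tls_cert /usr/local/etc/nslcd.crt
tls_key /usr/local/etc/nslcd.key
sasl_mech EXTERNAL
"""

# Constructed sample: cleartext LDAP, proxy-agent password in the file,
# certificate checking disabled, daemon left running as root.
WEAK_CONF = """\
uri ldap://auth1.example.org
base dc=example,dc=org
binddn cn=proxyagent,ou=profile,dc=example,dc=org
bindpw hunter2
tls_reqcert never
"""


def parse_nslcd_conf(text):
    """Return (keyword, value) pairs.  Keywords are case-insensitive, lines
    starting with '#' are comments, repeated keywords (uri, base, scope, ...)
    are kept in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0].lower(), value))
    return entries


def weak_file_mode(mode):
    """True if a file holding a bindpw or TLS key is readable by group/others."""
    return bool(stat.S_IMODE(mode) & 0o077)


def audit_nslcd_conf(text, conf_path=None, check_files=False):
    """Return a list of (code, message) findings for an nslcd.conf text.
    File-permission checks touch the filesystem and run only on request."""
    by_key = {}
    for key, value in parse_nslcd_conf(text):
        by_key.setdefault(key, []).append(value)

    def last(key, default=""):
        return by_key.get(key, [default])[-1].lower()

    uris = by_key.get("uri", [])
    findings = []

    if "uid" not in by_key or "gid" not in by_key:
        findings.append(("no-drop-privs", "uid/gid not set: nslcd keeps running as root"))

    # 'ssl start_tls' upgrades ldap:// after connect; ldaps:// is TLS from
    # the start; ldapi:// is a local UNIX socket and needs neither.
    ssl_mode = last("ssl", "off")
    for uri in uris:
        if uri.lower().startswith("ldap://") and ssl_mode != "start_tls":
            findings.append(("cleartext-ldap",
                             f"{uri} without start_tls: binds and lookups are unencrypted"))

    uses_tls = ssl_mode in ("on", "start_tls") or any(
        u.lower().startswith("ldaps://") for u in uris)
    reqcert = last("tls_reqcert")
    if uses_tls or reqcert:
        if reqcert not in ("demand", "hard"):
            findings.append(("weak-reqcert", "tls_reqcert is %s: use hard so an unverifiable "
                             "server certificate aborts the bind"
                             % (reqcert or "unset (library default)")))
        elif "tls_cacertfile" not in by_key and "tls_cacertdir" not in by_key:
            findings.append(("no-ca", "tls_reqcert is strict but no tls_cacertfile/tls_cacertdir"))

    if "bindpw" in by_key:
        findings.append(("bindpw-in-config",
                         "proxy-agent password stored in nslcd.conf: root-owned, mode 0600 required"))

    if last("sasl_mech") == "external" and not ("tls_cert" in by_key and "tls_key" in by_key):
        findings.append(("sasl-external-no-cert", "sasl_mech EXTERNAL needs tls_cert and tls_key"))

    if "timelimit" not in by_key or "bind_timelimit" not in by_key:
        findings.append(("no-timelimit",
                         "timelimit/bind_timelimit unset: a hung server stalls every NSS/PAM caller"))

    if check_files:
        private = list(by_key.get("tls_key", []))
        if conf_path and "bindpw" in by_key:
            private.append(conf_path)
        for path in private:
            if os.path.exists(path) and weak_file_mode(os.stat(path).st_mode):
                findings.append(("loose-file-mode", f"{path} is readable by group or others"))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", GOOD_CONF), ("weakened", WEAK_CONF)):
        print(f"== {name} ==")
        for code, msg in audit_nslcd_conf(conf) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run it against a real host with `audit_nslcd_conf(open("/usr/local/etc/nslcd.conf").read(), "/usr/local/etc/nslcd.conf", check_files=True)`: the posted configuration comes back clean, while a bindpw-style setup like Daniel's is flagged both for the password in the file and, if the file is group- or world-readable, for the mode. The tls_reqcert check reports an unset value as relying on the LDAP library default rather than guessing what that default is.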