Date:      Mon, 15 Jul 2013 16:18:18 -0400 (EDT)
From:      Daniel Eischen <deischen@freebsd.org>
To:        Jan Bramkamp <crest@rlwinm.de>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: LDAP authentication confusion
Message-ID:  <Pine.GSO.4.64.1307151608310.8901@sea.ntplx.net>
In-Reply-To: <51E45260.3050803@rlwinm.de>
References:  <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net> <51E44B55.6030005@rlwinm.de> <Pine.GSO.4.64.1307151537510.8901@sea.ntplx.net> <51E45260.3050803@rlwinm.de>

On Mon, 15 Jul 2013, Jan Bramkamp wrote:

> On 15.07.2013 21:44, Daniel Eischen wrote:
>> On Mon, 15 Jul 2013, Jan Bramkamp wrote:
>>
>>> On 15.07.2013 21:09, Daniel Eischen wrote:
>>>> On Mon, 15 Jul 2013, Michael Loftis wrote:
>>>>
>>>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>>>> your configuration you've exposed I think you're ending up with that
>>>>> behavior and not using pam_ldap at all.  Instead the authentication is
>>>>> happening via nsswitch fulfilling getpwent() call's (the passwd: files
>>>>> ldap line in nsswitch.conf)
>>>>
>>>> Ok, thanks.  But shouldn't the documentation be changed
>>>> to reflect that?
>>>
>>> More than that. In my opinion it should be updated by replacing nss_ldap
>>> and pam_ldap with nss-pam-ldapd which splits the job of both into a
>>> shared daemon talking to the LDAP server and small stubs linked into the
>>> NSS / PAM using process talking to the local daemon. This allows usable
>>> timeout handling and client certificates with safe permissions.
>>
>> I tried nss-pam-ldapd and it doesn't work for me.  I'm not
>> doing anything strange, as you can see by my configuration.
>> It would try to talk to the LDAP server, but would fail.
>> I'm not sure it was correctly picking up the proxyagent
>> password in my /usr/local/etc/nslcd.conf.  It was definitely
>> parsing it though, as that is where the LDAP server is
>> defined.  I switched to using pam_ldap and nss_ldap, and
>> it worked without any problem.
>>
>
> This is my basic nslcd.conf:

Thanks, mine is simpler.  I just tried again.

   $ sudo grep -v "^#" /usr/local/etc/nslcd.conf | sort -u
   base dc=foo,dc=bar,dc=com
   binddn cn=proxyagent,dc=foo,dc=bar,dc=com
   bindpw <...>
   gid nslcd
   uid nslcd
   uri ldap://192.168.3.96/

Everything else is default.  All the entries above match
the respective settings I used in the working ldap.conf
and nss_ldap.conf.

We're using Oracle DSEE7 (nee Sun Java Directory Server).

-- 
DE
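As an added illustration (not part of the thread, and not code from nss-pam-ldapd or pam_ldap), the small script below parses an nslcd.conf and a pam_ldap/nss_ldap ldap.conf, which share the same "key value" line format, and reports where the shared settings (uri, base, binddn, bindpw) differ, which is the comparison Daniel describes doing by hand. It also flags a bindpw used over plain ldap:// without "ssl start_tls", since a simple bind then sends the password in clear. The two sample configs embedded in the script are constructed for the example.

```python
"""Compare an nslcd.conf against a pam_ldap/nss_ldap ldap.conf.

Both files use "key value" lines with '#' comments, so one parser serves
both.  The configs below are constructed samples, not the thread's files.
"""
import re

# Settings that mean the same thing in nslcd.conf and PADL ldap.conf.
SHARED_KEYS = ("uri", "base", "binddn", "bindpw")

NSLCD_CONF = """\
# constructed sample, modelled on the keys shown in the thread
uri ldap://192.0.2.10/
base dc=example,dc=com
binddn cn=proxyagent,dc=example,dc=com
bindpw secret
uid nslcd
gid nslcd
"""

LDAP_CONF = """\
# constructed sample pam_ldap / nss_ldap configuration
uri ldap://192.0.2.10/
base dc=example,dc=com
binddn cn=proxyagent,ou=services,dc=example,dc=com
bindpw secret
ssl start_tls
"""


def parse_ldap_conf(text):
    """Return {key: [values]}; keys lower-cased, repeated keys kept in order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), []).append(parts[1])
    return conf


def compare_configs(nslcd, ldapconf):
    """Return human-readable findings: mismatched shared keys, then clear-text binds."""
    findings = [f"{k}: nslcd.conf={nslcd.get(k)} ldap.conf={ldapconf.get(k)}"
                for k in SHARED_KEYS if nslcd.get(k) != ldapconf.get(k)]
    for name, conf in (("nslcd.conf", nslcd), ("ldap.conf", ldapconf)):
        plain = any(u.startswith("ldap://") for u in conf.get("uri", []))
        if plain and "bindpw" in conf and conf.get("ssl", ["off"])[-1] != "start_tls":
            findings.append(f"{name}: bindpw with plain ldap:// and no start_tls")
    return findings


if __name__ == "__main__":
    for finding in compare_configs(parse_ldap_conf(NSLCD_CONF), parse_ldap_conf(LDAP_CONF)):
        print(finding)
```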


