Date: Mon, 15 Jul 2013 16:18:18 -0400 (EDT)
From: Daniel Eischen <deischen@freebsd.org>
To: Jan Bramkamp <crest@rlwinm.de>
Cc: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
Message-ID: <Pine.GSO.4.64.1307151608310.8901@sea.ntplx.net>
In-Reply-To: <51E45260.3050803@rlwinm.de>
References: <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net> <51E44B55.6030005@rlwinm.de> <Pine.GSO.4.64.1307151537510.8901@sea.ntplx.net> <51E45260.3050803@rlwinm.de>
On Mon, 15 Jul 2013, Jan Bramkamp wrote:

> On 15.07.2013 21:44, Daniel Eischen wrote:
>> On Mon, 15 Jul 2013, Jan Bramkamp wrote:
>>
>>> On 15.07.2013 21:09, Daniel Eischen wrote:
>>>> On Mon, 15 Jul 2013, Michael Loftis wrote:
>>>>
>>>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>>>> your configuration you've exposed I think you're ending up with that
>>>>> behavior and not using pam_ldap at all. Instead the authentication is
>>>>> happening via nsswitch fulfilling getpwent() calls (the passwd: files
>>>>> ldap line in nsswitch.conf)
>>>>
>>>> Ok, thanks. But shouldn't the documentation be changed
>>>> to reflect that?
>>>
>>> More than that. In my opinion it should be updated by replacing nss_ldap
>>> and pam_ldap with nss-pam-ldapd which splits the job of both into a
>>> shared daemon talking to the LDAP server and small stubs linked into the
>>> NSS / PAM using process talking to the local daemon. This allows usable
>>> timeout handling and client certificates with safe permissions.
>>
>> I tried nss-pam-ldapd and it doesn't work for me. I'm not
>> doing anything strange, as you can see by my configuration.
>> It would try to talk to the LDAP server, but would fail.
>> I'm not sure it was correctly picking up the proxyagent
>> password in my /usr/local/etc/nslcd.conf. It was definitely
>> parsing it though, as that is where the LDAP server is
>> defined. I switched to using pam_ldap and nss_ldap, and
>> it worked without any problem.
>>
>
> This is my basic nslcd.conf:

Thanks, mine is simpler. I just tried again.

$ sudo grep -v "^#" /usr/local/etc/nslcd.conf | sort -u
base dc=foo,dc=bar,dc=com
binddn cn=proxyagent,dc=foo,dc=bar,dc=com
bindpw <...>
gid nslcd
uid nslcd
uri ldap://192.168.3.96/

Everything else is default. All the entries above match the respective
settings I used in the working ldap.conf and nss_ldap.conf. We're using
Oracle DSEE7 (née Sun Java Directory Server).

--
DE
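The settings quoted above (uri, base, binddn, bindpw, uid, gid) are the whole of what nslcd needs for a proxy-agent bind, so the usual reasons a bind "tries and fails" are a keyword that is missing or mismatched, or a file that nslcd cannot read as intended. Below is a small checker for an nslcd.conf in exactly that shape. It is an added example written for this page, not code from the thread, from FreeBSD, or from nss-pam-ldapd. It assumes the nss-pam-ldapd file format of one "keyword value" per line with "#" comments, that nslcd reads its configuration as root before switching to the configured uid (so the file holding bindpw should be readable only by root), and that the "ssl start_tls" / "ssl on" keyword is how the bind password is kept off a cleartext ldap:// connection. The sample configuration, the placeholder password and the function names are constructed for the example.

```python
"""Parse and sanity-check an nslcd.conf (added example, not project code).

Assumptions (labelled, not taken from the thread):
  * nslcd.conf is one "keyword value" per line, '#' starts a comment.
  * a file containing bindpw should be mode 0600 and owned by root, because
    nslcd reads it before dropping privileges to the configured uid.
  * 'ssl start_tls' or 'ssl on' is what protects bindpw on an ldap:// uri.
"""
import os
import stat
import tempfile

# Constructed sample that mirrors the keywords quoted in the mail.  The
# password is a placeholder, not a real credential.
SAMPLE_NSLCD_CONF = """\
# /usr/local/etc/nslcd.conf (constructed sample)
uri ldap://192.168.3.96/
base dc=foo,dc=bar,dc=com

# proxy agent used for lookups; bindpw is a placeholder
binddn cn=proxyagent,dc=foo,dc=bar,dc=com
bindpw PLACEHOLDER-NOT-A-REAL-PASSWORD
uid nslcd
gid nslcd
"""

REQUIRED_KEYWORDS = ("uri", "base")


def parse_nslcd_conf(text):
    """Return {keyword: [value, ...]} for every non-comment line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # keyword, then the rest of the line
        keyword = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, []).append(value)
    return settings


def check_settings(settings):
    """Return a list of human-readable findings about the parsed keywords."""
    findings = []
    for keyword in REQUIRED_KEYWORDS:
        if keyword not in settings:
            findings.append(f"missing required keyword: {keyword}")
    if "binddn" in settings and "bindpw" not in settings:
        findings.append("binddn set without bindpw: nslcd will attempt an unauthenticated bind")
    if "bindpw" in settings and "binddn" not in settings:
        findings.append("bindpw set without binddn: the password is never used")
    if "bindpw" in settings and not settings["bindpw"][0]:
        findings.append("bindpw is empty")
    tls = settings.get("ssl", [""])[0].lower() in ("on", "start_tls")
    for uri in settings.get("uri", []):
        if uri.startswith("ldap://") and not tls:
            findings.append(f"cleartext uri {uri}: bindpw is sent unencrypted unless 'ssl start_tls' is set")
    return findings


def check_file_mode(path, settings):
    """Flag a bindpw-bearing file that is readable by group or others."""
    findings = []
    mode = os.stat(path).st_mode
    if "bindpw" in settings and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} holds bindpw but is mode {stat.S_IMODE(mode):04o}; expected 0600")
    return findings


def audit_file(path):
    """Parse the file at `path` and return all findings (empty list = clean)."""
    with open(path, encoding="utf-8") as fh:
        settings = parse_nslcd_conf(fh.read())
    return check_settings(settings) + check_file_mode(path, settings)


if __name__ == "__main__":
    # Stand-alone demo: write the constructed sample to a temp file with a
    # too-permissive mode and show what the checker reports.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(SAMPLE_NSLCD_CONF)
    os.chmod(tmp.name, 0o644)
    for finding in audit_file(tmp.name):
        print("-", finding)
    os.unlink(tmp.name)
```

The file-mode check is the one that matters for the proxy-agent password: the values quoted in the mail may be correct and nslcd may still behave unexpectedly if the file is not readable by the user nslcd starts as, or is readable by everyone. The cleartext-uri finding is deliberately noisy; the configuration in the thread uses a plain ldap:// uri with no ssl keyword, which the checker reports.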