From: Daniel Eischen
Date: Mon, 15 Jul 2013 16:18:18 -0400 (EDT)
To: Jan Bramkamp
Cc: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
In-Reply-To: <51E45260.3050803@rlwinm.de>

On Mon, 15 Jul 2013, Jan Bramkamp wrote:

> On 15.07.2013 21:44, Daniel Eischen wrote:
>> On Mon, 15 Jul 2013, Jan Bramkamp wrote:
>>
>>> On 15.07.2013 21:09, Daniel Eischen wrote:
>>>> On Mon, 15 Jul 2013, Michael Loftis wrote:
>>>>>
>>>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>>>> your configuration you've exposed I think you're ending up with that
>>>>> behavior and not using pam_ldap at all. Instead the authentication is
>>>>> happening via nsswitch fulfilling getpwent() calls (the passwd: files
>>>>> ldap line in nsswitch.conf)
>>>>
>>>> Ok, thanks. But shouldn't the documentation be changed
>>>> to reflect that?
>>>
>>> More than that. In my opinion it should be updated by replacing nss_ldap
>>> and pam_ldap with nss-pam-ldapd which splits the job of both into a
>>> shared daemon talking to the LDAP server and small stubs linked into the
>>> NSS / PAM using process talking to the local daemon. This allows usable
>>> timeout handling and client certificates with safe permissions.
>>
>> I tried nss-pam-ldapd and it doesn't work for me. I'm not
>> doing anything strange, as you can see by my configuration.
>> It would try to talk to the LDAP server, but would fail.
>> I'm not sure it was correctly picking up the proxyagent
>> password in my /usr/local/etc/nslcd.conf. It was definitely
>> parsing it though, as that is where the LDAP server is
>> defined. I switched to using pam_ldap and nss_ldap, and
>> it worked without any problem.
>>
>
> This is my basic nslcd.conf:

Thanks, mine is simpler. I just tried again.

$ sudo grep -v "^#" /usr/local/etc/nslcd.conf | sort -u
base dc=foo,dc=bar,dc=com
binddn cn=proxyagent,dc=foo,dc=bar,dc=com
bindpw <...>
gid nslcd
uid nslcd
uri ldap://192.168.3.96/

Everything else is default. All the entries above match the
respective settings I used in the working ldap.conf and
nss_ldap.conf. We're using Oracle DSEE7 (nee Sun Java
Directory Server).

--
DE
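A small audit of an nslcd.conf in the shape shown in the thread, added here as an example and not code from the mail or from the nss-pam-ldapd project; the sample file, its address and its password are constructed, and the checks assume the nslcd.conf options uri, base, binddn, bindpw, uid, gid and ssl.

```python
import os
import stat

# Constructed sample mirroring the grep output in the mail; the password is a placeholder.
SAMPLE_CONF = """\
# nslcd.conf (constructed sample, not a real deployment)
uri ldap://192.168.3.96/
base dc=foo,dc=bar,dc=com
binddn cn=proxyagent,dc=foo,dc=bar,dc=com
bindpw PLACEHOLDER-NOT-A-REAL-PASSWORD
uid nslcd
gid nslcd
"""

def parse_nslcd_conf(text):
    """Parse 'option value' lines; '#' comments and blank lines are ignored.
    Values are kept as lists so repeated options (e.g. several uri lines) survive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit(conf, mode):
    """Return findings for a parsed config; 'mode' is the file's st_mode bits. The
    proxyagent password lives in this file, so only the nslcd user should read it."""
    findings = []
    for required in ("uri", "base"):
        if required not in conf:
            findings.append(f"missing required option: {required}")
    if "bindpw" in conf and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw present but file is group/world readable")
    for drop in ("uid", "gid"):
        if drop not in conf:
            findings.append(f"no '{drop}' option: nslcd will not drop privileges")
    # A plain ldap:// uri with ssl off (the default) sends the bind password in clear.
    uris = conf.get("uri", [])
    if uris and all(u.startswith("ldap://") for u in uris) and conf.get("ssl", ["off"])[0] == "off":
        findings.append("plaintext ldap:// with ssl off: bind password crosses the network unencrypted")
    return findings

def audit_file(path):
    """Read and audit a real nslcd.conf, e.g. /usr/local/etc/nslcd.conf on FreeBSD."""
    with open(path) as fh:
        conf = parse_nslcd_conf(fh.read())
    return audit(conf, os.stat(path).st_mode)
```

Run audit_file("/usr/local/etc/nslcd.conf") as a user allowed to read the file; an empty list means none of the checks above fired.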