From owner-freebsd-questions@FreeBSD.ORG Fri Jul 11 13:36:38 2008
Date: Fri, 11 Jul 2008 14:58:47 +0200
From: Jan-Hendrik Zab
To: freebsd-questions@freebsd.org
Subject: Re: Ldap NSS PAM Samba
Message-ID: <20080711145847.5ee17dce@pc171.l3s.uni-hannover.de>
In-Reply-To: <4876A338.2010502@gmail.com>
References: <2714.204.184.27.217.1215704516.squirrel@mail.bloomfield.k12.mo.us> <4876A338.2010502@gmail.com>
Organization: L3S
X-Mailer: Claws Mail 3.4.0 (GTK+ 2.12.11; i386-redhat-linux-gnu)
On Thu, 10 Jul 2008 18:03:04 -0600 Tim Judd wrote:
> sgmayo@mail.bloomfield.k12.mo.us wrote:
> > I am trying to setup a FreeBSD server with samba that uses OpenLdap.
> > I have installed everything and was doing some configuring. I set
> > this all up once before on a Linux box, but I basically just went
> > through the motions and really was not sure what all I did...but it
> > worked. Now I want to understand everything so that I know exactly
> > what all I did. :)
> >
> > I have the following:
> > I installed OpenLdap which put ldap.conf in /usr/local/etc/openldap.
> > I installed PAM which put ldap.conf.dist in /usr/local/etc.
> > I installed NSS which put nss_ldap.conf in /usr/local/etc.
> >
> > From looking at them I assume that the last two are the same file
> > and one of them just needs to be renamed to ldap.conf and configured
> > for PAM and NSS, is that correct?
> >
> > The ldap.conf in /usr/local/etc/openldap is a different config file
> > even though it has the same name? It is used for openldap and the
> > other is used for PAM and NSS?
> >
> > Thanks for any info.
>
> openldap/ldap.conf is the OpenLDAP client configuration. You're
> likely looking for the LDAP server configuration, openldap/slapd.conf
>
> etc/ldap.conf is for PAM, and etc/nss_ldap.conf are not to be
> merged. I've played ***VERY*** briefly with LDAP authentication
> through PAM and NSS, and both were required. I can't quote easily
> what the difference between NSS and PAM is, but all the docs I
> referenced from Google when I searched said I needed both.

It's theoretically possible to use only one file for all three (with
symlinks), but you really need to know what you're doing. OpenLDAP
tools, pam_ldap and nss_ldap have more or less the same configuration
options. But there are a few quite subtle differences between them;
the easiest thing is to just configure them separately while having a
look at the appropriate man page. Additionally, they don't start to
bark at you when you configure a parameter that does not exist (in
pam_ldap or nss_ldap only, etc.). It wouldn't be easy to find out that
the syntax of one of the three was changed, etc.

Jan-Hendrik Zab
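Jan-Hendrik's point that the three consumers silently ignore directives they do not know, and that the same setting is spelled differently between them, is easy to check mechanically. The script below is an added example and is not code from the thread or from any of the projects named in it. It parses the three files discussed (OpenLDAP's /usr/local/etc/openldap/ldap.conf, pam_ldap's /usr/local/etc/ldap.conf and nss_ldap's /usr/local/etc/nss_ldap.conf), reports directives that the file's consumer does not recognise, and flags settings that disagree across the files. The file contents are constructed samples, and the per-consumer directive allowlists are deliberately partial and only illustrative (an assumption of this example; the authoritative lists are the ldap.conf(5), pam_ldap(5) and nss_ldap(5) man pages the thread points to).

```python
"""Consistency check over the three LDAP client configuration files.
Sample contents are constructed for this example; the paths are the
FreeBSD ports locations named in the thread."""
from typing import Dict, List

# Constructed samples, deliberately inconsistent so the checker has
# something to report.
OPENLDAP_LDAP_CONF = """\
# /usr/local/etc/openldap/ldap.conf (OpenLDAP client tools)
BASE        dc=example,dc=org
URI         ldaps://ldap.example.org
TLS_CACERT  /usr/local/etc/openldap/cacert.pem
TLS_REQCERT demand
"""

PAM_LDAP_CONF = """\
# /usr/local/etc/ldap.conf (pam_ldap)
uri          ldaps://ldap.example.org
base         dc=example,dc=org
ssl          on
# OpenLDAP spelling copied over; pam_ldap expects tls_cacertfile
tls_cacert   /usr/local/etc/openldap/cacert.pem
pam_password exop
"""

NSS_LDAP_CONF = """\
# /usr/local/etc/nss_ldap.conf (nss_ldap)
uri            ldap://ldap.example.org
base           dc=example,dc=com
ssl            start_tls
tls_cacertfile /usr/local/etc/openldap/cacert.pem
"""

# Illustrative, deliberately partial allowlists of directive names per
# consumer (an assumption of this example, not the real full lists).
# Note the different spellings for the CA certificate file.
KNOWN_DIRECTIVES = {
    "openldap": {"base", "uri", "host", "binddn", "tls_cacert",
                 "tls_cacertdir", "tls_reqcert"},
    "pam_ldap": {"host", "uri", "base", "binddn", "bindpw", "rootbinddn",
                 "scope", "ssl", "tls_cacertfile", "tls_cacertdir",
                 "tls_checkpeer", "pam_password", "ldap_version"},
    "nss_ldap": {"host", "uri", "base", "binddn", "bindpw", "rootbinddn",
                 "scope", "ssl", "tls_cacertfile", "tls_cacertdir",
                 "tls_checkpeer", "ldap_version", "nss_base_passwd",
                 "nss_base_group"},
}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'keyword value' lines into a dict. Keys are folded to lower
    case so OpenLDAP's upper-case spelling compares equal to pam/nss."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def unknown_directives(conf: Dict[str, str], consumer: str) -> List[str]:
    """Directives this consumer would silently ignore."""
    return sorted(k for k in conf if k not in KNOWN_DIRECTIVES[consumer])


def transport(conf: Dict[str, str]) -> str:
    """Effective wire protection: 'ldaps', 'starttls' or 'plain'."""
    if conf.get("uri", "").lower().startswith("ldaps://"):
        return "ldaps"
    if conf.get("ssl", "").lower() == "start_tls":
        return "starttls"
    return "plain"


def check_consistency(confs: Dict[str, Dict[str, str]]) -> List[str]:
    """Cross-file findings: disagreeing base/uri, ignored directives and
    pam/nss consumers that would send binds in the clear."""
    findings: List[str] = []
    for key in ("base", "uri"):
        values = {name: c.get(key) for name, c in confs.items()}
        if len(set(values.values())) > 1:
            findings.append(f"{key} differs: {values}")
    for name, c in confs.items():
        for d in unknown_directives(c, name):
            findings.append(f"{name}: directive '{d}' is unknown and silently ignored")
        if name != "openldap" and transport(c) == "plain":
            findings.append(f"{name}: uri {c.get('uri')} without ldaps/start_tls")
    return findings


def run_checks() -> List[str]:
    confs = {
        "openldap": parse_conf(OPENLDAP_LDAP_CONF),
        "pam_ldap": parse_conf(PAM_LDAP_CONF),
        "nss_ldap": parse_conf(NSS_LDAP_CONF),
    }
    return check_consistency(confs)


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

Run as-is, the sample files produce three findings: the nss_ldap base differs from the other two, the nss_ldap uri differs, and pam_ldap's `tls_cacert` line is the OpenLDAP spelling that pam_ldap would ignore. On a real host, replace the inline samples with the contents of the three files and extend the allowlists from the man pages.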