Date: Mon, 8 Jan 2024 21:41:19 +0000
From: Souji Thenria <mail@souji-thenria.net>
To: Rocky Hotas <rockyhotas@post.com>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: auth.log error with nss-pam-ldapd in LDAP client
Message-ID: <59c5a96e-d4b1-4a5e-ae52-a487c8c6e286@souji-thenria.net>
In-Reply-To: <trinity-228e60fc-0552-42b1-8067-271fb0326d7b-1704746374176@3c-app-mailcom-lxa12>
References: <trinity-81261d30-7268-4bec-9268-ce19c331a1ae-1704718198974@3c-app-mailcom-lxa03> <1b84e5fa-41c1-471e-80bd-cc7595775ccc@souji-thenria.net> <trinity-228e60fc-0552-42b1-8067-271fb0326d7b-1704746374176@3c-app-mailcom-lxa12>
Hey Rocky!

> The ACLs should be very permissive in this test stage (all the database
> should be readable by anyone). But the problem turned out to be exactly
> about depth as you mentioned! By referring to a single user by its `cn'
> I can print all the information about him/her
>
> ldapsearch -x -b 'dc=examplehost,dc=domain' '(cn=Name Surname)'
>
> or by referring to a group I can print all the child items:
>
> ldapsearch -x -b 'ou=groups,dc=examplehost,dc=domain' '(objectclass=*)'
>
> Without any further options, the default is to descend no more than two
> levels from the starting point in the command line (in this last example,
> no more than two levels below 'ou=groups,dc=examplehost,dc=domain').
>
> The relevant option in ldapsearch(1) is
>
>   -s {base|one|sub|children}
>          Specify the scope of the search to be one of base, one, sub, or
>          children to specify a base object, one-level, subtree, or
>          children search. The default is sub. Note: children scope
>          requires LDAPv3 subordinate feature extension.
>
> However, I still cannot print all the objects using `-s children'. Maybe
> I don't have the mentioned feature.

Good to know. You might want to use some graphical tool like 'Apache
Directory Studio'. I found it quite useful in the past.

>> That's to be expected. The user you use to query the LDAP directory
>> properly has no access to the 'userPassword' attribute of every user;
>> that's why you don't see any passwords for the LDAP users.
>
> Ok! But is it normal that an `x', instead of an asterisk, is used to
> represent the missing password?

The asterisk signals that password authentication is disabled; see
passwd(5). The 'x' signals that the password is not in '/etc/passwd' (in
your case, it is in the LDAP directory).

>> I'm not sure about this, but if I remember correctly, there is also
>> another PAM module you need in order to authenticate a user against the
>> LDAP directory. The nss-pam-ldapd is only to query data for the NSS.
>
> I think it's included in nss-pam-ldapd, which should replace both
> security/pam_ldap and net/nss_ldap:
>
> # pkg info -l nss-pam-ldapd
> nss-pam-ldapd-0.9.12_1:
> /usr/local/etc/nslcd.conf.sample
> /usr/local/etc/rc.d/nslcd
> /usr/local/lib/nss_ldap.so
> /usr/local/lib/nss_ldap.so.1
> /usr/local/lib/pam_ldap.so
> /usr/local/lib/pam_ldap.so.1
> /usr/local/man/man5/nslcd.conf.5.gz
> /usr/local/man/man8/nslcd.8.gz
> /usr/local/man/man8/pam_ldap.8.gz
> /usr/local/sbin/nslcd
> /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL21
> /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL3
> /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LICENSE
> /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/catalog.mk
>
> Both nss_ldap.so and pam_ldap.so are installed with this package.
> In the /etc/pam.d/sshd module example, in fact, I used
> /usr/local/lib/pam_ldap.so.

You are right. The pam_ldap is also configured using the nslcd.conf file.

Regarding your SSH problem: Replace 'use_first_pass' with 'try_first_pass'
(see pam_ldap(8)). 'use_first_pass' won't prompt for a password. The other
one should.

Regards,
Souji

-- 
Souji Thenria
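An added example that is not part of the thread above: a small Python model of the four ldapsearch(1) scopes quoted from the man page (base, one, sub, children), run over a constructed directory tree that reuses the suffix 'dc=examplehost,dc=domain' and the '(cn=Name Surname)' and '(objectclass=*)' filters from the exchange. The entries, their attributes and the helper names (search, depth_below, ldapsearch_argv) are all constructed for this illustration; the scope rules follow the man page excerpt (base = the entry itself, one = direct children, sub = the entry and every descendant, children = every descendant without the entry) so that the depth each scope reaches can be checked offline without an LDAP server.

```python
"""Added example (not from the mailing-list thread): model the ldapsearch(1)
search scopes base/one/sub/children over a small constructed LDAP tree."""
import re
from typing import Dict, List

# Constructed directory tree using the suffix from the thread; the entries
# and attributes below are made up for this illustration.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "dc=examplehost,dc=domain": {"objectClass": ["dcObject", "organization"]},
    "ou=people,dc=examplehost,dc=domain": {"objectClass": ["organizationalUnit"]},
    "ou=groups,dc=examplehost,dc=domain": {"objectClass": ["organizationalUnit"]},
    "cn=Name Surname,ou=people,dc=examplehost,dc=domain": {
        "objectClass": ["posixAccount"], "cn": ["Name Surname"], "uid": ["nsurname"]},
    "cn=admins,ou=groups,dc=examplehost,dc=domain": {
        "objectClass": ["posixGroup"], "cn": ["admins"]},
    "ou=nested,ou=groups,dc=examplehost,dc=domain": {"objectClass": ["organizationalUnit"]},
    "cn=deep,ou=nested,ou=groups,dc=examplehost,dc=domain": {
        "objectClass": ["posixGroup"], "cn": ["deep"]},
}


def rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs, leaf first (naive: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def depth_below(dn: str, base: str) -> int:
    """Levels of dn below base, or -1 if dn is neither base nor a descendant of it."""
    d, b = rdns(dn), rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return -1
    return len(d) - len(b)


def in_scope(depth: int, scope: str) -> bool:
    """Scope rules from ldapsearch(1): base = the entry itself, one = direct
    children only, sub = base plus all descendants, children = all descendants
    without the base entry."""
    if depth < 0:
        return False
    rules = {"base": depth == 0, "one": depth == 1,
             "sub": True, "children": depth >= 1}
    if scope not in rules:
        raise ValueError(f"unknown scope: {scope}")
    return rules[scope]


def matches_filter(attrs: Dict[str, List[str]], flt: str) -> bool:
    """Only simple '(attr=value)' and presence '(attr=*)' filters are supported;
    attribute names are matched case-insensitively, as in LDAP."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, value = m.group(1).lower(), m.group(2)
    values = next((v for k, v in attrs.items() if k.lower() == attr), [])
    return bool(values) if value == "*" else value in values


def search(directory: Dict[str, Dict[str, List[str]]], base: str,
           flt: str = "(objectclass=*)", scope: str = "sub") -> List[str]:
    """Return the DNs that 'ldapsearch -b BASE -s SCOPE FILTER' would list."""
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(depth_below(dn, base), scope) and matches_filter(attrs, flt))


def ldapsearch_argv(base: str, flt: str, scope: str = "sub") -> List[str]:
    """The equivalent ldapsearch(1) command line (simple bind, -x) for the same query."""
    return ["ldapsearch", "-x", "-b", base, "-s", scope, flt]


if __name__ == "__main__":
    groups = "ou=groups,dc=examplehost,dc=domain"
    for scope in ("base", "one", "sub", "children"):
        print(" ".join(ldapsearch_argv(groups, "(objectclass=*)", scope)))
        for dn in search(DIRECTORY, groups, scope=scope):
            print("   ", dn)
```

Running the module lists, for each scope, the command line and the DNs it returns under 'ou=groups'; the entry two levels down ('cn=deep,ou=nested,...') shows up only under sub and children, while '(cn=Name Surname)' searched with '-s one' from the suffix returns nothing because that entry sits two levels below the base.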