From: Souji Thenria <mail@souji-thenria.net>
To: Rocky Hotas, FreeBSD Questions
Date: Mon, 8 Jan 2024 21:41:19 +0000
Subject: Re: auth.log error with nss-pam-ldapd in LDAP client
Message-ID: <59c5a96e-d4b1-4a5e-ae52-a487c8c6e286@souji-thenria.net>
References: <1b84e5fa-41c1-471e-80bd-cc7595775ccc@souji-thenria.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hey Rocky!

> The ACLs should be very permissive in this test stage (the whole database
> should be readable by anyone). But the problem turned out to be exactly
> about depth, as you mentioned! By referring to a single user with its 'cn'
> I can print all the information about him/her:
>
>   ldapsearch -x -b 'dc=examplehost,dc=domain' '(cn=Name Surname)'
>
> or by referring to a group I can print all the child items:
>
>   ldapsearch -x -b 'ou=groups,dc=examplehost,dc=domain' '(objectclass=*)'
>
> Without any further options, the default is to descend no more than two
> levels from the starting point given on the command line (in this last
> example, no more than two levels below 'ou=groups,dc=examplehost,dc=domain').
>
> The relevant option in ldapsearch(1) is
>
>   -s {base|one|sub|children}
>          Specify the scope of the search to be one of base, one, sub, or
>          children to specify a base object, one-level, subtree, or
>          children search. The default is sub. Note: children scope
>          requires LDAPv3 subordinate feature extension.
>
> However, I still cannot print all the objects using '-s children'. Maybe
> I don't have the mentioned feature.

Good to know. You might want to use some graphical tool like 'Apache
Directory Studio'. I found it quite useful in the past.

>> That's to be expected. The user you use to query the LDAP directory
>> probably has no access to the 'userPassword' attribute of every user;
>> that's why you don't see any passwords for the LDAP users.
>
> Ok! But is it normal that an 'x', instead of an asterisk, is used to
> represent the missing password?

The asterisk signals that password authentication is disabled; see
passwd(5). The 'x' signals that the password is not in '/etc/passwd' (in
your case, it is in the LDAP directory).

>> I'm not sure about this, but if I remember correctly, there is also
>> another PAM module you need in order to authenticate a user against the
>> LDAP directory. The nss-pam-ldapd is only there to query data for the NSS.
>
> I think it's included in nss-pam-ldapd, which should replace both
> security/pam_ldap and net/nss_ldap:
>
>   # pkg info -l nss-pam-ldapd
>   nss-pam-ldapd-0.9.12_1:
>   /usr/local/etc/nslcd.conf.sample
>   /usr/local/etc/rc.d/nslcd
>   /usr/local/lib/nss_ldap.so
>   /usr/local/lib/nss_ldap.so.1
>   /usr/local/lib/pam_ldap.so
>   /usr/local/lib/pam_ldap.so.1
>   /usr/local/man/man5/nslcd.conf.5.gz
>   /usr/local/man/man8/nslcd.8.gz
>   /usr/local/man/man8/pam_ldap.8.gz
>   /usr/local/sbin/nslcd
>   /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL21
>   /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL3
>   /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LICENSE
>   /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/catalog.mk
>
> Both nss_ldap.so and pam_ldap.so are installed with this package.
> In the /etc/pam.d/sshd module example, in fact, I used
> /usr/local/lib/pam_ldap.so.

You are right. pam_ldap is also configured using the nslcd.conf file.

Regarding your SSH problem: replace 'use_first_pass' with 'try_first_pass'
(see pam_ldap(8)). 'use_first_pass' won't prompt for a password. The other
one should.

Regards,
Souji

--
Souji Thenria
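The use_first_pass/try_first_pass point at the end of the reply is easy to get wrong in a longer auth stack, so here is an added example (editor's code, not part of the thread and not from nss-pam-ldapd) that parses a FreeBSD-style pam.d(5) policy and flags a module carrying use_first_pass at a position where no earlier auth module can have collected a password. The sample policy is constructed to resemble FreeBSD's default sshd stack with pam_ldap added after pam_opieaccess; the set of "never prompts" modules and the treatment of pam_opie's no_fake_prompts are heuristics chosen for this example, not something the page or the PAM manuals state in this form.

```python
"""Lint the auth stack of a FreeBSD-style PAM policy (e.g. /etc/pam.d/sshd).

Added example, not code from the mailing-list thread or from nss-pam-ldapd.
A module with 'use_first_pass' reuses a password that an earlier module in the
same auth stack already collected and never prompts itself. If no earlier module
could have prompted, the login fails with no password prompt at all, which is
the symptom the thread discusses. 'try_first_pass' reuses the earlier password
when there is one and prompts otherwise.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Heuristic (assumption for this example): these modules never ask for a
# password, so they cannot satisfy a later use_first_pass.
NON_PROMPTING = {
    "pam_opieaccess.so", "pam_nologin.so", "pam_permit.so", "pam_deny.so",
    "pam_self.so", "pam_rootok.so", "pam_securetty.so", "pam_login_access.so",
    "pam_group.so",
}

# Constructed sample input resembling FreeBSD's default sshd policy with a
# pam_ldap line inserted; this is not a file quoted in the thread.
SAMPLE_SSHD = """\
# auth
auth    sufficient  pam_opie.so                 no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so           no_warn allow_local
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn use_first_pass
auth    required    pam_unix.so                 no_warn try_first_pass
# account
account required    pam_nologin.so
account required    /usr/local/lib/pam_ldap.so  no_warn ignore_unknown_user
account required    pam_login_access.so
account required    pam_unix.so
# session
session required    pam_permit.so
# password
password required   pam_unix.so                 no_warn try_first_pass
"""


@dataclass
class PamEntry:
    line_no: int
    facility: str          # auth, account, session, password
    control: str           # required, sufficient, ... or a [bracketed] spec
    module: str            # basename only, e.g. pam_ldap.so
    args: list[str] = field(default_factory=list)

    def prompts(self) -> bool:
        """Can this module ask the user for a password on its own?"""
        if self.module in NON_PROMPTING:
            return False
        if self.module == "pam_opie.so" and "no_fake_prompts" in self.args:
            return False  # only prompts users who actually have an OPIE key
        return "use_first_pass" not in self.args


def parse_pam_policy(text: str) -> list[PamEntry]:
    """Parse 'facility control module-path [args...]' lines; '#' starts a comment."""
    entries: list[PamEntry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if len(tok) < 3:
            raise ValueError(f"line {n}: malformed entry: {raw!r}")
        if tok[1].startswith("["):  # bracketed control, e.g. [success=ok default=die]
            end = next(i for i, t in enumerate(tok) if t.endswith("]"))
            control, rest = " ".join(tok[1:end + 1]), tok[end + 1:]
        else:
            control, rest = tok[1], tok[2:]
        if not rest:
            raise ValueError(f"line {n}: missing module path: {raw!r}")
        module, *args = rest
        entries.append(PamEntry(n, tok[0], control, module.rsplit("/", 1)[-1], args))
    return entries


def lint_auth_stack(entries: list[PamEntry]) -> list[tuple[int, str, str]]:
    """Return (line_no, module, message) for each unsatisfiable use_first_pass."""
    findings = []
    password_seen = False  # True once some earlier auth module may have prompted
    for e in entries:
        if e.facility != "auth":
            continue
        if "use_first_pass" in e.args and not password_seen:
            findings.append((e.line_no, e.module,
                             "use_first_pass with no earlier prompting auth module: "
                             "login fails without a password prompt; use try_first_pass"))
        if e.prompts():
            password_seen = True
    return findings


def fix_use_first_pass(text: str) -> str:
    """Rewrite only the flagged lines to try_first_pass; everything else is kept."""
    bad = {line_no for line_no, _, _ in lint_auth_stack(parse_pam_policy(text))}
    out = [raw.replace("use_first_pass", "try_first_pass") if n in bad else raw
           for n, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, module, msg in lint_auth_stack(parse_pam_policy(SAMPLE_SSHD)):
        print(f"line {line_no} ({module}): {msg}")
    print(fix_use_first_pass(SAMPLE_SSHD))
```

Run it against a copy of your own /etc/pam.d/sshd instead of SAMPLE_SSHD to see whether the pam_ldap line sits behind a module that can actually hand it a password; in the constructed sample only the pam_ldap line is reported, because pam_opie with no_fake_prompts does not prompt a user without an OPIE key and pam_opieaccess never prompts.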