Date: Thu, 24 May 2007 10:00:45 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Mohacsi Janos <mohacsi@niif.hu>
Cc: freebsd-hackers@freebsd.org, bushman@rsu.ru
Subject: Re: nss_ldap without nscd or cached ?
Message-ID: <20070524150045.GI98411@dan.emsphone.com>
In-Reply-To: <20070524112217.N166@mignon.ki.iif.hu>
References: <20070524112217.N166@mignon.ki.iif.hu>
In the last episode (May 24), Mohacsi Janos said:
> I think there are some architectural issues with the current
> implementation of nsswitch or nsdispatch(3). Let's assume you want
> to authenticate against an LDAP database. You will install nss_ldap
> from port. You configure nss_ldap.conf with binddn and its bindpw.
> Here comes the problem:
>
> 1. If permission of nss_ldap.conf is 0400 since it contains the
> clear text password of the binddn, then an ordinary user cannot bind
> to the database and cannot get UID->name information from LDAP
> database. See output:
>
> mohacsi@mignon> ls -l /home
> total 6
> drwxr-xr-x  3 9027  wheel  512 May 23 17:57 user1
> drwxrwxr-x  3 root  9030   512 May 23 15:14 documents
> drwxr-xr-x  2 9013  9013   512 May 23 15:13 user2
> ....

You should be able to grant the anonymous user read access to user/group
names and group membership attributes.  That way you can do simple things
like name->uid lookups without having to bind at all.

-- 
	Dan Nelson
	dnelson@allantgroup.com
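The setup Dan describes, written out as an added example (it is not part of the thread and not a configuration either poster provided). It assumes an OpenLDAP slapd holding posixAccount entries under ou=People and posixGroup entries under ou=Group beneath the hypothetical suffix dc=example,dc=com, and the nss_ldap.conf path used by the FreeBSD port. The ACLs make only the attributes the passwd and group maps need world-readable, keep userPassword unreadable even to authenticated users, and let nss_ldap.conf drop binddn/bindpw entirely so it no longer has to be mode 0400:

```conf
# slapd.conf access-control block (added example, hypothetical names).
# OpenLDAP evaluates "access to" clauses in order and stops at the first
# clause whose target matches, so the password rule must come first.

# Password hashes: the entry may change its own, the bind operation may
# compare against it (needed for actual authentication), nobody may read it.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none

# passwd map: everything getpwnam(3)/getpwuid(3) needs, readable without a bind.
# "entry" is the pseudo-attribute that grants access to the entry itself.
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=entry,objectClass,uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell
        by * read

# group map: name, gid and membership, readable without a bind.
access to dn.subtree="ou=Group,dc=example,dc=com"
        attrs=entry,objectClass,cn,gidNumber,memberUid
        by * read

# Anything not listed above (mail, phone, other ous): authenticated users only.
access to *
        by users read
        by anonymous none

# --- /usr/local/etc/nss_ldap.conf (FreeBSD port path; hypothetical host) ---
# No binddn/bindpw here, so this file can be 0644 and unprivileged processes
# can perform uid<->name lookups directly.
uri ldap://ldap.example.com/
base dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
```

To check the result, run an anonymous simple bind from an ordinary shell: `ldapsearch -x -H ldap://ldap.example.com/ -b ou=People,dc=example,dc=com '(uid=user1)' uidNumber userPassword` should return uidNumber and must not return userPassword, and `getent passwd user1` (or `ls -l /home`) as a non-root user should now show names instead of numeric ids. The trade-off a practitioner should weigh is that these attributes become readable by anything that can reach the LDAP port, so keep the anonymous-readable list to the posix attributes and restrict the listener to the hosts that need it; if the directory must stay closed to anonymous clients, the alternative is a dedicated low-privilege bind account, which brings back the credential-in-a-readable-file problem the original poster raises.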