From owner-freebsd-hackers@FreeBSD.ORG Thu May 24 15:01:02 2007
Date: Thu, 24 May 2007 10:00:45 -0500
From: Dan Nelson
To: Mohacsi Janos
Cc: freebsd-hackers@freebsd.org, bushman@rsu.ru
Subject: Re: nss_ldap without nscd or cached ?
Message-ID: <20070524150045.GI98411@dan.emsphone.com>
In-Reply-To: <20070524112217.N166@mignon.ki.iif.hu>
List-Id: Technical Discussions relating to FreeBSD

In the last episode (May 24), Mohacsi Janos said:
> I think there are some architectural issues with the current
> implementation of nsswitch or nsdispatch(3). Let's assume you want
> to authenticate against an LDAP database. You will install nss_ldap
> from ports. You configure nss_ldap.conf with binddn and its bindpw.
> Here comes the problem:
>
> 1. If the permissions of nss_ldap.conf are 0400, since it contains the
> clear text password of the binddn, then an ordinary user cannot bind
> to the database and cannot get UID->name information from the LDAP
> database. See output:
>
> mohacsi@mignon> ls -l /home
> total 6
> drwxr-xr-x 3 9027 wheel 512 May 23 17:57 user1
> drwxrwxr-x 3 root 9030 512 May 23 15:14 documents
> drwxr-xr-x 2 9013 9013 512 May 23 15:13 user2
> ....

You should be able to grant the anonymous user read access to user/group
names and group membership attributes. That way you can do simple things
like name->uid lookups without having to bind at all.

-- 
Dan Nelson
dnelson@allantgroup.com
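The anonymous-read approach Dan describes, written out as an added example of an OpenLDAP slapd.conf access-control section (not code from the thread; the suffix dc=example,dc=org, the ou=People/ou=Group layout and the 10.0.0.0/8 client network are assumptions):

```conf
# Added example: OpenLDAP slapd.conf ACLs (see slapd.access(5)) that let
# nss_ldap resolve uid->name and gid->name without binding at all.
# Assumptions: suffix dc=example,dc=org, clients on 10.0.0.0/8.
#
# Weak pattern this replaces: a single rule such as
#   access to * by users read by * none
# which forces every lookup to bind, so nss_ldap.conf has to carry a
# binddn/bindpw that every local user would then need to be able to read.

# 1. Password hashes are never readable; "auth" only lets a bind compare
#    against them. Listed first so no later rule can widen it.
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none

# 2. Exactly the attributes NSS needs for passwd lookups, readable
#    anonymously, but only from the client network. "entry" and
#    "objectClass" are needed for the search to return the entry at all.
access to dn.subtree="ou=People,dc=example,dc=org"
       attrs=entry,objectClass,uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell
    by peername.ip=10.0.0.0%255.0.0.0 read
    by users read
    by * none

# 3. Same for group lookups, including membership attributes.
access to dn.subtree="ou=Group,dc=example,dc=org"
       attrs=entry,objectClass,cn,gidNumber,memberUid,member
    by peername.ip=10.0.0.0%255.0.0.0 read
    by users read
    by * none

# 4. Everything else stays closed to anonymous clients.
access to *
    by self read
    by users read
    by * none
```

With these rules in place nss_ldap.conf needs only `uri` and `base` (no binddn/bindpw), so it can be world-readable because it no longer holds a secret.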