Date: Tue, 8 Nov 2016 13:30:49 +0100
From: Jan Bramkamp <crest@rlwinm.de>
To: freebsd-hackers@freebsd.org
Subject: Re: nss_ldap seems to not work
Message-ID: <2eac83ec-c5d6-6167-2921-66e7c0d34476@rlwinm.de>
In-Reply-To: <1644757548.20161108110056@mail.ru>
References: <1644757548.20161108110056@mail.ru>
On 08/11/2016 09:00, Anthony Pankov via freebsd-hackers wrote:
> Greetings.
>
> nss_ldap seems to not work correctly, at least on FreeBSD 10.3.

The original PADL nss_ldap and pam_ldap modules have been effectively unmaintained by the upstream for years. They inject a lot of code into each process using either NSS or PAM. Do yourself a favor and move on to net/nss-pam-ldapd(-sasl), which is maintained and has moved most of the logic and all of the network communication to a dedicated daemon process. See https://arthurdejong.org/nss-pam-ldapd/design for more details.

> Two configurations
> 1. FreeBSD 9.2
> 2. FreeBSD 10.3
> sharing nss_ldap settings and using the same LDAP tree (DIT) produce
> different results.
>
> On FreeBSD 10.3 nss_ldap can't enumerate supplementary user
> groups.
>
> Example:
> FreeBSD 9.2:
> # id user1
> ... groups=basegroup,gr1,gr2,gr3
> FreeBSD 10.3:
> # id user1
> ... groups=basegroup
>
> The effect is an inadequate result of the initgroups() call, which leads to
> various side effects with permissions.
>
> P.S. Interesting fact. On FreeBSD 10.3 the pw utility produces the correct
> result:
> #pw usershow user1
> ... groups=basegroup,gr1,gr2,gr3

I suspect that there is a regression in the old nss_ldap module. At this time I would be surprised if anyone wanted to touch the old code with a ten-foot pole.

--
Jan Bramkamp
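The discrepancy reported above (id(1) sees only the primary group while pw(8) sees all of them) can be reproduced without either tool by resolving a user's groups through two independent NSS paths and comparing the results. This is an added diagnostic, not code from the thread or from nss_ldap; it assumes only the standard C library calls getpwnam(), getgrouplist() and getgrent(), and makes no claim about which path pw(8) itself uses.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

#define MAXG 128

/* Add gid to a set if absent; returns the new size. */
static int add_gid(gid_t *set, int n, gid_t g) {
    for (int i = 0; i < n; i++) if (set[i] == g) return n;
    if (n < MAXG) set[n++] = g;
    return n;
}

/* Path A: the lookup id(1) and initgroups() rely on: getgrouplist() through NSS. */
int groups_via_getgrouplist(const char *user, gid_t *set) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    gid_t buf[MAXG]; int n = MAXG, m = 0;
    if (getgrouplist(user, pw->pw_gid, buf, &n) == -1) return -1; /* buffer too small */
    for (int i = 0; i < n; i++) m = add_gid(set, m, buf[i]);
    return m;
}

/* Path B: scan every group record, keep those naming the user, plus the primary gid. */
int groups_via_getgrent(const char *user, gid_t *set) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    int m = add_gid(set, 0, pw->pw_gid);
    setgrent();
    for (struct group *gr; (gr = getgrent()) != NULL;)
        for (char **mem = gr->gr_mem; mem != NULL && *mem != NULL; mem++)
            if (strcmp(*mem, user) == 0) { m = add_gid(set, m, gr->gr_gid); break; }
    endgrent();
    return m;
}

/* Gids in set b that set a lacks; 0 means both paths agree on the user's groups. */
int missing_count(const gid_t *a, int na, const gid_t *b, int nb) {
    int missing = 0;
    for (int i = 0; i < nb; i++) {
        int found = 0;
        for (int j = 0; j < na; j++) found |= (a[j] == b[i]);
        missing += !found;
    }
    return missing;
}
```

Run groups_via_getgrouplist() and groups_via_getgrent() for the same LDAP account and feed both sets to missing_count(); a non-zero result means the initgroups() path is dropping supplementary groups that a full group scan still finds, which is the symptom the report describes.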