From owner-freebsd-questions@FreeBSD.ORG Tue Nov 25 00:08:59 2008
Date: Mon, 24 Nov 2008 16:08:39 -0800
From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Gerhard Schmidt
Cc: freebsd-questions@freebsd.org
Subject: Re: files before ldap in nsswitch.conf
Message-ID: <20081125000839.GA18913@hal.rescomp.berkeley.edu>
In-Reply-To: <49296382.60808@ze.tum.de>
Organization: RSSP-IT, UC Berkeley
User-Agent: Mutt/1.5.16 (2007-06-09)

Gerhard Schmidt wrote:
> I'm setting up a new FreeBSD Server for our local Computer club. Most of
> the users are stored in LDAP and I've installed nss_ldap and pam_ldap
> and set up both. Everything works so far with nsswitch.conf
> entry passwd: ldap files.
>
> When I try passwd: files ldap the login doesn't work anymore because the
> LDAP_Server is never asked.

The act of logging in is managed by /etc/pam.d/*, not /etc/nsswitch.conf.
If `ls -l` works, you've got NSS configured correctly.

> I tried this to optimize the LDAP requests as the service users are in
> the local files. This would speed up the boot process and takes some
> load off the LDAP-Server.
>
> Is there a way to configure FreeBSD to look first in the local files and
> if a user isn't found in the LDAP-Server.

This is my /etc/nsswitch.conf:

| group: files ldap
| hosts: files dns
| networks: files
| passwd: files ldap
| shells: files

And /etc/pam.d/system:

auth sufficient pam_unix.so no_warn
auth required /usr/local/lib/pam_ldap.so no_warn use_first_pass

My guess is you used required for both modules, which would require
authentication to succeed against both user databases.

> And another question. Is there a way to use two different LDAP-Servers
> e.g. by calling nss_ldap with different config files.

What's your goal? We have two different LDAP providers with different
subtrees that get "glued" together by a DNS round-robin of LDAP
consumers. This round-robin provides a single, unified view of our
directory to all our LDAP clients.
-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
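To make the two points in the reply concrete (login is decided by the PAM stack, not by nsswitch.conf, and a "required" pam_unix plus "required" pam_ldap demands success against both databases), here is an added example that is not part of the thread or of FreeBSD's PAM/NSS code. It is a small Python model of PAM's required/requisite/sufficient control flags and of a "passwd: files ldap" lookup; the user names, passwords and the stand-in pam_unix/pam_ldap functions are constructed for the example, and run_auth_stack is a simplified evaluator, not a call into libpam.

```python
"""Added example (not code from the mailing-list thread or from FreeBSD):
a small simulation of how a PAM 'auth' stack and an nsswitch.conf 'passwd'
line decide the outcome for a local service account versus an LDAP-only
user. The user databases, passwords and module functions are constructed
for this example; run_auth_stack models the required / requisite /
sufficient control flags and does not call the real libpam."""

# Constructed sample data: a service account that lives only in /etc/passwd
# and a club member who lives only in the LDAP directory.
LOCAL_USERS = {"www": "local-pw"}
LDAP_USERS = {"alice": "ldap-pw"}


def pam_unix(user, password, queried):
    """Stand-in for pam_unix.so: checks the local password file."""
    queried.append("files")
    return LOCAL_USERS.get(user) == password


def pam_ldap(user, password, queried):
    """Stand-in for pam_ldap.so: contacts the LDAP server (here a dict)."""
    queried.append("ldap")
    return LDAP_USERS.get(user) == password


def run_auth_stack(stack, user, password, queried):
    """Evaluate (control, module) pairs with PAM's simple control flags:

    required   - a failure makes the whole stack fail, but the remaining
                 modules still run (so the user cannot tell which one failed)
    requisite  - a failure ends the stack immediately with failure
    sufficient - a success ends the stack with success unless a required
                 module has already failed; a failure is simply ignored

    The stack succeeds only if no required/requisite module failed and at
    least one module granted access.
    """
    required_failed = False
    granted = False
    for control, module in stack:
        ok = module(user, password, queried)
        if control in ("required", "requisite"):
            if ok:
                granted = True
            else:
                required_failed = True
                if control == "requisite":
                    return False
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        else:
            raise ValueError(f"unsupported control flag: {control!r}")
    return granted and not required_failed


# The stack the reply guesses the poster has: both modules 'required'.
BOTH_REQUIRED = [("required", pam_unix), ("required", pam_ldap)]

# The stack from the reply's /etc/pam.d/system: pam_unix 'sufficient'
# first, then pam_ldap 'required' with use_first_pass.
SUFFICIENT_THEN_REQUIRED = [("sufficient", pam_unix), ("required", pam_ldap)]


def authenticate(stack, user, password):
    """Return (success, list of backends contacted, in order)."""
    queried = []
    return run_auth_stack(stack, user, password, queried), queried


def nss_getpwnam(user, order=("files", "ldap")):
    """Model of an NSS passwd lookup with 'passwd: files ldap': sources are
    asked in order and the first hit wins. Returns (source_or_None, asked)."""
    sources = {"files": LOCAL_USERS, "ldap": LDAP_USERS}
    asked = []
    for src in order:
        asked.append(src)
        if user in sources[src]:
            return src, asked
    return None, asked


if __name__ == "__main__":
    for name, stack in (("both required", BOTH_REQUIRED),
                        ("sufficient then required", SUFFICIENT_THEN_REQUIRED)):
        for user, pw in (("www", "local-pw"), ("alice", "ldap-pw")):
            ok, asked = authenticate(stack, user, pw)
            print(f"{name:25} {user:6} ok={ok!s:5} asked={asked}")
    for user in ("www", "alice"):
        print("getpwnam", user, nss_getpwnam(user))
```

With both modules "required", neither the local service account nor the LDAP-only user gets in, because each fails in the database it does not exist in. With "sufficient" pam_unix first, a local account is accepted without the LDAP server ever being contacted, which is the load reduction the poster was after, while an LDAP-only user falls through to pam_ldap; the NSS lookup order is a separate question and only controls where getpwnam() finds the account.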