Date:      Fri, 8 Jul 2011 11:57:02 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Frank Bonnet <f.bonnet@esiee.fr>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: import users from LDAP to local password file (pwd.db)
Message-ID:  <20110708165701.GD6611@dan.emsphone.com>
In-Reply-To: <4E172DE2.1000308@esiee.fr>
References:  <4E1713AF.7000806@esiee.fr> <CAJqSfq7y7AJdwNGSZmnZXeuy1oTBaAp8ipeq2qwbrs6xbYq+iA@mail.gmail.com> <4E172DE2.1000308@esiee.fr>

In the last episode (Jul 08), Frank Bonnet said:
> On 07/08/2011 05:43 PM, Moises Castellanos wrote:
> > On Fri, Jul 8, 2011 at 9:56 AM, Frank Bonnet<f.bonnet@esiee.fr>  wrote:
> >> I need to import the necessary users' data from an OpenLDAP directory
> >> server to put them in the local password files; has anyone done this
> >> before?
> >>
> >> The machine uses nss_ldap and pam_ldap to authenticate users, but for
> >> robustness during the holidays I would like to have a local password
> >> file on this machine, which is our mailhub.
> >>
> >> The OpenLDAP server runs on another machine, and if it fails during the
> >> holidays I want my mailhub to be standalone for authentication, in order
> >> to keep the email service running even if the directory server crashes.
>
> > You can try with getent(1) passwd and see if you can work with the
> > output
>
> getent does not show the encrypted password field

LDAP servers usually don't allow clients to see the raw password hash. 
Authentication checks are done by binding as the requested user, so the
calling app doesn't have a chance to grab the hash and do an offline
brute-force attack on it.

To ensure LDAP availability, the usual thing to do is set up multiple
servers with LDAP replication between them, and configure your client's
ldap.conf to use all of them (or use carp or some other IP management app to
provide a single "always-up" IP address).

-- 
	Dan Nelson
	dnelson@allantgroup.com
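As an added illustration of the multi-server ldap.conf approach described above (this is not part of Dan Nelson's message or of any FreeBSD documentation), the two fragments below contrast a single-server client configuration with one that lists several replicas. The key names are those of the PADL nss_ldap/pam_ldap ldap.conf format that the mailhub in this thread uses; the hostnames, base DN, timeout values and the file's location (/usr/local/etc/ldap.conf on a FreeBSD port install) are assumptions, and only one of the two fragments would be present in a real file.

```conf
# Added example, not from the original message. Hostnames, base DN and
# timeouts are placeholders; adjust them to the real replica set.

# --- Fragile: a single directory server. When it is unreachable, every
#     passwd/group lookup and every PAM authentication on the mailhub
#     blocks until the library times out, then fails.
uri  ldap://ldap1.example.org/
base dc=example,dc=org

# --- Resilient: list every replica (kept in sync with OpenLDAP
#     replication). nss_ldap and pam_ldap try the URIs in order and move
#     to the next one when a server does not answer.
uri  ldap://ldap1.example.org/ ldap://ldap2.example.org/ ldap://ldap3.example.org/
base dc=example,dc=org

# Cap the time spent on a dead replica (seconds) so failover to the
# next URI happens quickly instead of hanging mail delivery and logins.
bind_timelimit 5
timelimit      10

# "hard" (the default) keeps retrying a failed bind; "soft" returns a
# failure once the listed servers are exhausted so lookups stay responsive.
bind_policy soft

# Reconnect attempts and sleep between them after a dropped connection.
nss_reconnect_tries     2
nss_reconnect_sleeptime 1
```

Authentication still happens by binding to the directory as the user, so, as the message explains, the client never receives the password hash; availability comes from the replica list, not from a local copy of the credentials.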
