Date: Mon, 15 Jul 2013 21:19:49 +0200
From: Jan Bramkamp <crest@rlwinm.de>
To: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
Message-ID: <51E44B55.6030005@rlwinm.de>
In-Reply-To: <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net>
References: <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net>
On 15.07.2013 21:09, Daniel Eischen wrote:
> On Mon, 15 Jul 2013, Michael Loftis wrote:
>
>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>> your configuration you've exposed I think you're ending up with that
>> behavior and not using pam_ldap at all. Instead the authentication is
>> happening via nsswitch fulfilling getpwent() calls (the passwd: files
>> ldap line in nsswitch.conf)
>
> Ok, thanks. But shouldn't the documentation be changed
> to reflect that?

More than that. In my opinion it should be updated by replacing nss_ldap and pam_ldap with nss-pam-ldapd, which splits the job of both into a shared daemon talking to the LDAP server and small stubs linked into the NSS / PAM using process talking to the local daemon. This allows usable timeout handling and client certificates with safe permissions.
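As an added illustration that is not part of Jan's message or the nss-pam-ldapd project, a constructed configuration showing the split he describes: nslcd alone holds the server connection, timeouts and client certificate, while the NSS stub and pam_ldap only talk to the local daemon, and pam_ldap sits before pam_unix so authentication is an LDAP bind rather than a hash comparison pulled through getpwnam(). Host names, base DN and certificate paths are assumptions.

```conf
# /usr/local/etc/nslcd.conf (constructed example; values are assumptions)
uid nslcd
gid nslcd
uri ldaps://ldap.example.org/
base dc=example,dc=org

# Timeouts live in the daemon; the NSS/PAM stubs only wait on the local socket,
# so a slow or unreachable LDAP server no longer stalls every get*ent() caller.
bind_timelimit 5
timelimit 10
idle_timelimit 300
reconnect_sleeptime 1
reconnect_retrytime 10

# TLS: verify the server and present a client certificate. The key file is
# owned by nslcd and mode 0600; no process that merely links the stub can read it.
tls_reqcert demand
tls_cacertfile /usr/local/etc/ssl/ldap-ca.crt
tls_cert /usr/local/etc/ssl/nslcd.crt
tls_key /usr/local/etc/ssl/nslcd.key

# /etc/nsswitch.conf: "ldap" here is the nss-pam-ldapd stub, which asks nslcd
passwd: files ldap
group:  files ldap

# /etc/pam.d/system (FreeBSD): pam_ldap first, so the password is checked by
# binding to the server through nslcd instead of by pam_unix comparing a hash
# that nss_ldap fetched from the directory.
auth   sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth   required    pam_unix.so                 no_warn try_first_pass
```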