From owner-freebsd-stable@FreeBSD.ORG Mon Jul 15 19:09:48 2013
Date: Mon, 15 Jul 2013 15:09:47 -0400 (EDT)
From: Daniel Eischen
To: Michael Loftis
Cc: freebsd-stable
Subject: Re: LDAP authentication confusion
List-Id: Production branch of FreeBSD source code

On Mon, 15 Jul 2013, Michael Loftis wrote:

> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
> your configuration you've exposed I think you're ending up with that
> behavior and not using pam_ldap at all. Instead the authentication is
> happening via nsswitch fulfilling getpwent() calls (the passwd: files
> ldap line in nsswitch.conf).

OK, thanks. But shouldn't the documentation be changed to reflect that?

> On Mon, Jul 15, 2013 at 11:51 AM, Daniel Eischen wrote:
>> There's an article on LDAP authentication on FreeBSD here:
>>
>> http://www.freebsd.org/doc/en/articles/ldap-auth/article.html#client
>>
>> I'm confused as to why pam_ldap and nss_ldap do not need
>> /etc/pam.d entries, as described in the above link in
>> section 3.1.1. Meaning, I do not have any ldap entries
>> in my /etc/pam.d/ or even /usr/local/etc/pam.d/ and
>> ldap logins work (console, ssh, telnet, ftp).
>>
>> $ grep -i ldap /etc/pam.d/*
>> $ grep -i ldap /usr/local/etc/pam.d/*
>>
>> What am I missing?
>>
>> $ uname -v
>> FreeBSD slrtr1 9.1-STABLE FreeBSD 9.1-STABLE #0 r250347...
>> $ uname -m
>> amd64
>> $ cat /etc/nsswitch.conf
>> group: files ldap
>> hosts: files dns
>> networks: files
>> passwd: files ldap
>> shells: files
>> services: files
>> protocols: files
>> rpc: files

-- 
DE
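The distinction Michael draws above (accounts resolved through nss_ldap via nsswitch.conf versus authentication through a pam_ldap module in pam.d) can be checked mechanically. The following is an added example, not code from the thread or from the FreeBSD article: it parses an nsswitch.conf and a set of pam.d files and reports which of the two LDAP paths is configured. The nsswitch.conf text is the one Daniel posted; the pam.d contents and the `/usr/local/lib/pam_ldap.so` path are constructed for illustration.

```python
import os

# Constructed sample: the nsswitch.conf posted in the thread.
NSSWITCH_SAMPLE = """\
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: files
protocols: files
rpc: files
"""

# Constructed sample pam.d "sshd" auth stacks: one with pam_unix only (what the
# thread describes), one that additionally loads pam_ldap (hypothetical path).
PAM_SSHD_UNIX_ONLY = """\
# auth
auth    sufficient  pam_opie.so        no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so  no_warn allow_local
auth    required    pam_unix.so        no_warn try_first_pass
"""
PAM_SSHD_WITH_LDAP = """\
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth    required    pam_unix.so                 no_warn try_first_pass
"""


def nsswitch_sources(text):
    """Map each nsswitch database (passwd, group, ...) to its ordered source list."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" in line:
            db, rest = line.split(":", 1)
            sources[db.strip()] = rest.split()
    return sources


def pam_ldap_modules(pam_files):
    """Return {pam.d file: [line numbers]} for lines whose module is pam_ldap."""
    hits = {}
    for name, text in pam_files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            fields = line.split("#", 1)[0].split()
            # PAM line layout: <type> <control> <module> [args]; module may be a full path
            if len(fields) >= 3 and os.path.basename(fields[2]).startswith("pam_ldap"):
                hits.setdefault(name, []).append(lineno)
    return hits


def classify(nsswitch_text, pam_files):
    """Name the LDAP path in use: nss_ldap only, pam_ldap only, both, or neither."""
    nss_ldap = "ldap" in nsswitch_sources(nsswitch_text).get("passwd", [])
    pam_ldap = bool(pam_ldap_modules(pam_files))
    if nss_ldap and pam_ldap:
        return "nss_ldap+pam_ldap"
    if nss_ldap:
        return "nss_ldap-only"   # accounts via getpw*(); the PAM stack itself is unix-only
    return "pam_ldap-only" if pam_ldap else "no-ldap"
```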