Date:      Mon, 15 Jul 2013 15:44:39 -0400 (EDT)
From:      Daniel Eischen <deischen@freebsd.org>
To:        Jan Bramkamp <crest@rlwinm.de>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: LDAP authentication confusion
Message-ID:  <Pine.GSO.4.64.1307151537510.8901@sea.ntplx.net>
In-Reply-To: <51E44B55.6030005@rlwinm.de>
References:  <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net> <51E44B55.6030005@rlwinm.de>

On Mon, 15 Jul 2013, Jan Bramkamp wrote:

> On 15.07.2013 21:09, Daniel Eischen wrote:
>> On Mon, 15 Jul 2013, Michael Loftis wrote:
>>
>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>> your configuration you've exposed I think you're ending up with that
>>> behavior and not using pam_ldap at all.  Instead the authentication is
>>> happening via nsswitch fulfilling getpwent() calls (the passwd: files
>>> ldap line in nsswitch.conf)
>>
>> Ok, thanks.  But shouldn't the documentation be changed
>> to reflect that?
>
> More than that. In my opinion it should be updated by replacing nss_ldap
> and pam_ldap with nss-pam-ldapd, which splits the job of both into a
> shared daemon talking to the LDAP server and small stubs linked into the
> NSS / PAM using process talking to the local daemon. This allows usable
> timeout handling and client certificates with safe permissions.

I tried nss-pam-ldapd and it doesn't work for me.  I'm not
doing anything strange, as you can see by my configuration.
It would try to talk to the LDAP server, but would fail.
I'm not sure it was correctly picking up the proxyagent
password in my /usr/local/etc/nslcd.conf.  It was definitely
parsing it though, as that is where the LDAP server is
defined.  I switched to using pam_ldap and nss_ldap, and
it worked without any problem.

-- 
DE
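The confusion in this thread (LDAP listed in nsswitch.conf, so pam_unix ends up checking passwords against hashes that nss_ldap fetched, while pam_ldap is never loaded) is easy to verify from the configuration files themselves. The following is an added example, not code from the thread or from any of the projects mentioned: it parses nsswitch.conf and a pam.d service file and reports whether LDAP is engaged through NSS lookups, through a pam_ldap auth line, or both. The file contents below are constructed samples; the `passwd: files ldap` line is the one named in the thread.

```python
"""Check where LDAP actually enters a FreeBSD-style login path:
NSS (passwd/group lookups via nss_ldap) versus PAM (an auth line
loading pam_ldap).  Sample configs are constructed for illustration."""
import re

# Constructed sample nsswitch.conf: LDAP is a source for passwd and group.
NSSWITCH_SAMPLE = """\
group:  files ldap
passwd: files ldap
hosts:  files dns
"""

# Constructed sample pam.d/sshd with no pam_ldap line at all; passwords are
# checked by pam_unix against whatever hash the NSS passwd lookup returned.
PAM_SSHD_SAMPLE = """\
# auth
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        required    pam_unix.so         no_warn try_first_pass
# account
account     required    pam_nologin.so
account     required    pam_login_access.so
account     required    pam_unix.so
"""

# Constructed sample where pam_ldap really does the bind against the server.
PAM_SSHD_WITH_LDAP = """\
auth        sufficient  /usr/local/lib/pam_ldap.so   no_warn
auth        required    pam_unix.so                  no_warn try_first_pass
account     required    pam_unix.so
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Keep plain source names; drop [status=action] bracket clauses.
        dbs[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def parse_pam(text):
    """Return [(facility, control, module), ...] from a pam.d service file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3:
            continue
        facility, control, module = parts[0], parts[1], parts[2]
        # Normalise "/usr/local/lib/pam_ldap.so" to the bare module name.
        module = re.sub(r"\.so(\.\d+)?$", "", module.rsplit("/", 1)[-1])
        entries.append((facility, control, module))
    return entries


def ldap_roles(nsswitch_text, pam_text):
    """Summarise LDAP involvement.

    nss_users: passwd or group lookups list ldap as a source (nss_ldap path)
    pam_auth:  an 'auth' line loads pam_ldap, so PAM binds to the server
    """
    dbs = parse_nsswitch(nsswitch_text)
    pam = parse_pam(pam_text)
    nss_users = any("ldap" in dbs.get(db, []) for db in ("passwd", "group"))
    pam_auth = any(f == "auth" and m == "pam_ldap" for f, _, m in pam)
    return {"nss_users": nss_users, "pam_auth": pam_auth}


def diagnose(roles):
    """One-line reading of the ldap_roles() result."""
    if roles["nss_users"] and not roles["pam_auth"]:
        return ("LDAP via NSS only: pam_unix verifies passwords against "
                "hashes fetched by nss_ldap; pam_ldap is not in use")
    if roles["pam_auth"]:
        return "pam_ldap is loaded for auth: PAM binds to the LDAP server"
    return "no LDAP involvement found"


if __name__ == "__main__":
    print(diagnose(ldap_roles(NSSWITCH_SAMPLE, PAM_SSHD_SAMPLE)))
    print(diagnose(ldap_roles(NSSWITCH_SAMPLE, PAM_SSHD_WITH_LDAP)))
```

Run it against real files by reading `/etc/nsswitch.conf` and the relevant `/etc/pam.d/<service>` file instead of the samples; a result of `nss_users` true with `pam_auth` false is exactly the situation Michael Loftis describes above.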