Date:      Sat, 4 Mar 2006 10:04:17 +0100
From:      Frode Nordahl <frode@nordahl.net>
To:        Dmitriy Kirhlarov <dimma@higis.ru>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: nss_ldap problem
Message-ID:  <6F9C5982-E3FB-4EC2-9890-D685F2ABCC34@nordahl.net>
In-Reply-To: <20060226081431.GA813@dimma.mow.oilspace.com>
References:  <20060226081431.GA813@dimma.mow.oilspace.com>

On 26. feb. 2006, at 09.14, Dmitriy Kirhlarov wrote:

> I use nss_ldap-1.239 and nss_ldap-1.244 on 5.4 and 6.0
> I have a problem -- login success only if {CRYPT} mechanism used in
> ldap database. Other services, authenticated in ldap, work fine
> (pam_ldap, apache auth for example).

pam_ldap authenticates the user by attempting to bind to the LDAP
server using the user's credentials. So what type of encryption used
should not make any difference.

However, I have observed configurations on Linux where authentication
is done through nss_ldap instead of pam_ldap. What actually happens
then is that nss_ldap fetches the password from the database and
pam_unix does the authentication work.

If this is the case in your setup, the encryption chosen would matter  
as pam_unix probably does not support all the modes that OpenLDAP has.

You could try to remove pam_ldap from your setup, and leave nss_ldap  
active and see if you still can log in?

What do your ACLs look like?

I have this as one of my first ACLs:
access to attr=userPassword
	by self write
	by anonymous auth
	by * none

This makes sure that no one can read the password from the directory,  
but allows a user to change his own password, and to authenticate by  
binding to the LDAP server.

[snip]

> /etc/nsswitch.conf
> group: ldap files
> hosts: files dns
> networks: files
> passwd: ldap files
> shells: files
> imap: ldap

Why do you have "ldap" first? I would use "files ldap" in any case so  
local changes can override the directory.

Frode Nordahl
frode@nordahl.net
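As an added illustration of the point made above about nss_ldap plus pam_unix (this is example code written for this page, not code from the thread or from nss_ldap), the snippet below parses RFC 2307 `userPassword` values, shows that only the `{CRYPT}` form is something a crypt(3)-based checker like pam_unix can verify, and does the scheme-aware check that slapd itself performs on a bind for the `{SSHA}`, `{SHA}`, `{SMD5}` and `{MD5}` forms. The password and salts are constructed sample values; the `{CRYPT}` entry is a labelled placeholder.

```python
import base64
import hashlib
import hmac

# Constructed sample password; the stored values below are built from it
# at import time so the example runs offline.
PASSWORD = "correct horse"

def _encode(scheme, digest_name, password, salt=b""):
    """Build an RFC 2307 '{SCHEME}base64(digest || salt)' value."""
    digest = hashlib.new(digest_name, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

SAMPLES = {
    "SSHA": _encode("SSHA", "sha1", PASSWORD, b"\x01\x02\x03\x04"),
    "SHA": _encode("SHA", "sha1", PASSWORD),
    "SMD5": _encode("SMD5", "md5", PASSWORD, b"salty"),
    "MD5": _encode("MD5", "md5", PASSWORD),
    # Placeholder, not a real hash of PASSWORD: stands in for a crypt(3) string.
    "CRYPT": "{CRYPT}$1$PLACEHOLDER$constructedexamplevalue",
}

def parse_scheme(stored):
    """Split '{SSHA}abc...' into ('SSHA', 'abc...'); no prefix means crypt(3)."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, rest = stored[1:].partition("}")
        return scheme.upper(), rest
    return "CRYPT", stored

def pam_unix_can_verify(stored):
    """pam_unix only understands crypt(3) strings, which matches the report
    in the thread: login succeeded only when {CRYPT} was used."""
    return parse_scheme(stored)[0] == "CRYPT"

# scheme -> (hashlib name, digest length in bytes); salt follows the digest
_DIGESTS = {"SHA": ("sha1", 20), "SSHA": ("sha1", 20),
            "MD5": ("md5", 16), "SMD5": ("md5", 16)}

def verify(stored, password):
    """Scheme-aware check like slapd's simple bind. Returns True/False for the
    digest schemes above and None for schemes not handled here (e.g. CRYPT,
    which needs crypt(3))."""
    scheme, b64 = parse_scheme(stored)
    if scheme not in _DIGESTS:
        return None
    name, dlen = _DIGESTS[scheme]
    raw = base64.b64decode(b64)
    digest, salt = raw[:dlen], raw[dlen:]
    candidate = hashlib.new(name, password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

This is also why the ACL quoted above matters: a scheme-aware verifier runs inside slapd on bind, so clients never need read access to `userPassword`.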