Date: Mon, 15 Jul 2013 21:49:52 +0200
From: Jan Bramkamp <crest@rlwinm.de>
To: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
Message-ID: <51E45260.3050803@rlwinm.de>
In-Reply-To: <Pine.GSO.4.64.1307151537510.8901@sea.ntplx.net>
References: <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net> <51E44B55.6030005@rlwinm.de> <Pine.GSO.4.64.1307151537510.8901@sea.ntplx.net>
On 15.07.2013 21:44, Daniel Eischen wrote:
> On Mon, 15 Jul 2013, Jan Bramkamp wrote:
>
>> On 15.07.2013 21:09, Daniel Eischen wrote:
>>> On Mon, 15 Jul 2013, Michael Loftis wrote:
>>>
>>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>>> your configuration you've exposed I think you're ending up with that
>>>> behavior and not using pam_ldap at all. Instead the authentication is
>>>> happening via nsswitch fulfilling getpwent() calls (the passwd: files
>>>> ldap line in nsswitch.conf)
>>>
>>> Ok, thanks. But shouldn't the documentation be changed
>>> to reflect that?
>>
>> More than that. In my opinion it should be updated by replacing nss_ldap
>> and pam_ldap with nss-pam-ldapd which splits the job of both into a
>> shared daemon talking to the LDAP server and small stubs linked into the
>> NSS / PAM using process talking to the local daemon. This allows usable
>> timeout handling and client certificates with safe permissions.
>
> I tried nss-pam-ldapd and it doesn't work for me. I'm not
> doing anything strange, as you can see by my configuration.
> It would try to talk to the LDAP server, but would fail.
> I'm not sure it was correctly picking up the proxyagent
> password in my /usr/local/etc/nslcd.conf. It was definitely
> parsing it though, as that is where the LDAP server is
> defined. I switched to using pam_ldap and nss_ldap, and
> it worked without any problem.

This is my basic nslcd.conf:

uid nslcd
gid nslcd

# fail over to auth2 if required
uri ldap://auth1.example.org
uri ldap://auth2.example.org

base dc=example,dc=org
scope sub
base group ou=groups,dc=example,dc=org
base passwd ou=users,dc=example,dc=org
scope group onelevel
scope hosts sub

# allow groups of DNs
filter group (|(objectClass=posixGroup)(objectClass=posixGroupOfNames))

bind_timelimit 15
timelimit 5
idle_timelimit 3600

ssl start_tls
tls_reqcert hard
tls_cacertdir /usr/local/etc/openldap/ca
tls_cacertfile /usr/local/etc/openldap/ca/ca-cert.pem
# requires OpenSSL from ports; use DHE-RSA-AES256-SHA otherwise
tls_ciphers DHE-RSA-AES256-GCM-SHA384
tls_cert /usr/local/etc/nslcd.crt
tls_key /usr/local/etc/nslcd.key
sasl_mech EXTERNAL
sasl_realm EXAMPLE.ORG
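The reason the daemon split matters for security is that the TLS client key and any bind password live in files only the nslcd user can read, while the NSS/PAM stubs in every other process never touch them. The following audit script is an added example, not code from the thread or from the nss-pam-ldapd project: it parses a constructed nslcd.conf modeled on the one above and reports the transport and credential settings a reviewer would check (cleartext LDAP, a tls_reqcert weaker than demand/hard, EXTERNAL without a client certificate, a bindpw in the file, and key files readable by group or world). The option names are the real nslcd.conf ones; the sample values and the temporary key file are constructed for the demonstration.

```python
"""Audit the transport/credential settings of an nslcd.conf (nss-pam-ldapd).

Added example for the thread above; it is not the project's own tooling.
"""
import os
import stat
import tempfile

# Constructed sample, modeled on the configuration posted in the mail.
SAMPLE_CONF = """\
uid nslcd
gid nslcd
# fail over to auth2 if required
uri ldap://auth1.example.org
uri ldap://auth2.example.org
base dc=example,dc=org
ssl start_tls
tls_reqcert hard
tls_cacertfile /usr/local/etc/openldap/ca/ca-cert.pem
tls_cert /usr/local/etc/nslcd.crt
tls_key /usr/local/etc/nslcd.key
sasl_mech EXTERNAL
"""


def parse_nslcd_conf(text):
    """Return {option: [values...]}; options such as 'uri' may repeat."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment line
        parts = line.split(None, 1)       # option name, rest of line
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, []).append(value)
    return opts


def audit_settings(opts):
    """Return a list of findings about the parsed settings; empty means clean."""
    findings = []
    uris = opts.get("uri", [])
    ssl_mode = opts.get("ssl", ["off"])[-1].lower()
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    if ssl_mode not in ("on", "start_tls") and not all_ldaps:
        findings.append("cleartext LDAP: no 'ssl start_tls'/'ssl on' and not all URIs are ldaps://")
    # libldap's default for tls_reqcert is 'demand'; 'hard' is its synonym.
    reqcert = opts.get("tls_reqcert", ["demand"])[-1].lower()
    if reqcert not in ("demand", "hard"):
        findings.append(f"tls_reqcert {reqcert}: server certificate is not enforced")
    if "tls_cacertfile" not in opts and "tls_cacertdir" not in opts:
        findings.append("no tls_cacertfile/tls_cacertdir: verification relies on the library's default CA store")
    mech = opts.get("sasl_mech", [""])[-1].upper()
    if mech == "EXTERNAL" and ("tls_cert" not in opts or "tls_key" not in opts):
        findings.append("sasl_mech EXTERNAL without tls_cert/tls_key: the SASL bind cannot authenticate")
    if "bindpw" in opts:
        findings.append("bindpw stored in file: nslcd.conf itself must not be group/world readable")
    return findings


def audit_private_file(path):
    """Flag a key- or password-bearing file that is accessible to group or world."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is group/world accessible"]
    return []


def demo_key_perms():
    """Show the file check on a constructed temporary key: first 0644, then 0600."""
    fd, path = tempfile.mkstemp(prefix="nslcd-demo-key-")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = audit_private_file(path)
        os.chmod(path, 0o600)
        tight = audit_private_file(path)
    finally:
        os.unlink(path)
    return len(loose), len(tight)


if __name__ == "__main__":
    for finding in audit_settings(parse_nslcd_conf(SAMPLE_CONF)) or ["sample config: no findings"]:
        print(finding)
    print("temp key findings (0644, 0600):", demo_key_perms())
```

Run it against a real deployment by replacing SAMPLE_CONF with the contents of /usr/local/etc/nslcd.conf and calling audit_private_file on the tls_key path and on nslcd.conf itself; with the configuration from the mail the settings audit returns no findings, so the remaining question is only who can read the key.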