nss_ldap without nscd or cached ?
Dan Nelson
dnelson at allantgroup.com
Thu May 24 15:01:02 UTC 2007
In the last episode (May 24), Mohacsi Janos said:
> I think there are some architectural issues with the current
> implementation of nsswitch or nsdispatch(3). Let's assume you want
> to authenticate against an LDAP database. You will install nss_ldap
> from port. You configure nss_ldap.conf with binddn and its bindpw.
> Here comes the problem:
>
> 1. If the permissions of nss_ldap.conf are 0400, since it contains the
> clear text password of the binddn, then an ordinary user cannot bind
> to the database and cannot get UID->name information from LDAP
> database. See output:
>
> mohacsi at mignon> ls -l /home
> total 6
> drwxr-xr-x 3 9027 wheel 512 May 23 17:57 user1
> drwxrwxr-x 3 root 9030 512 May 23 15:14 documents
> drwxr-xr-x 2 9013 9013 512 May 23 15:13 user2
> ....
You should be able to grant the anonymous user read access to
user/group names and group membership attributes. That way you can do
simple things like name->uid lookups without having to bind at all.
--
Dan Nelson
dnelson at allantgroup.com
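What Dan's suggestion looks like in practice, as an added example that is not part of the thread: OpenLDAP slapd.conf access rules that let anonymous clients read the passwd/group attributes but never userPassword, beside an nss_ldap.conf that carries no bindpw and so can stay world-readable. The suffix dc=example,dc=com, the ou=People and ou=Group subtrees and the host name are assumed.

```conf
### slapd.conf (server side; suffix dc=example,dc=com is assumed)
# Passwords: the owner may change them, anyone may authenticate with
# them (auth), nobody may read them back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Attributes nss_ldap needs for passwd lookups are readable by anyone;
# "entry" is the pseudo-attribute that lets the entry itself be
# returned in search results.
access to dn.subtree="ou=People,dc=example,dc=com"
    attrs=entry,objectClass,uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell
    by * read

# Same for group lookups and membership.
access to dn.subtree="ou=Group,dc=example,dc=com"
    attrs=entry,objectClass,cn,gidNumber,memberUid,member
    by * read

# Everything else stays hidden from anonymous clients.
access to *
    by users read
    by * none

### /usr/local/etc/nss_ldap.conf (client side, mode 0644, no secret)
# No binddn/bindpw: lookups bind anonymously, so an unprivileged
# process can still map uid 9027 to its name.
host ldap.example.com
base dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
ssl start_tls
```

To check the ACL from an unprivileged shell, run `ldapsearch -x -H ldap://ldap.example.com -b ou=People,dc=example,dc=com '(uidNumber=9027)'`: it should return uid and uidNumber but no userPassword, after which `ls -l /home` shows names instead of numeric ids.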
More information about the freebsd-hackers mailing list