Re: auth.log error with nss-pam-ldapd in LDAP client
Date: Mon, 08 Jan 2024 20:39:34 UTC
Hi Souji!

> Sent: Monday, January 08, 2024 at 7:19 PM
> From: "Souji Thenria" <mail@souji-thenria.net>
> To: "Rocky Hotas" <rockyhotas@post.com>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
> Subject: Re: auth.log error with nss-pam-ldapd in LDAP client

[...]

> If you run the command like this, the query is executed using anonymous
> bind, and based on your configured ACLs, it might limit what you can see.
> Additionally, I think the default depth for 'ldapsearch' is 2 (but I'm
> not sure about this).

The ACLs should be very permissive in this test stage (all the database should be readable by anyone). But the problem turned out to be exactly about depth, as you mentioned! By referring to a single user by its `cn', I can print all the information about him/her:

    ldapsearch -x -b 'dc=examplehost,dc=domain' '(cn=Name Surname)'

or, by referring to a group, I can print all the child items:

    ldapsearch -x -b 'ou=groups,dc=examplehost,dc=domain' '(objectclass=*)'

Without any further options, the default is to descend no more than two levels from the starting point given on the command line (in this last example, no more than two levels below 'ou=groups,dc=examplehost,dc=domain'). The relevant option in ldapsearch(1) is

    -s {base|one|sub|children}
        Specify the scope of the search to be one of base, one, sub, or
        children to specify a base object, one-level, subtree, or children
        search. The default is sub. Note: children scope requires LDAPv3
        subordinate feature extension.

However, I still cannot print all the objects using `-s children'. Maybe I don't have the mentioned feature.

> That's to be expected. The user you use to query the LDAP directory
> properly has no access to the 'userPassword' attribute of every user;
> that's why you don't see any passwords for the LDAP users.

Ok! But is it normal that an `x', instead of an asterisk, is used to represent the missing password?
> I'm not sure about this, but if I remember correctly, there is also
> another PAM module you need in order to authenticate a user against the
> LDAP directory. The nss-pam-ldapd is only to query data for the NSS.

I think it's included in nss-pam-ldapd, which should replace both security/pam_ldap and net/nss_ldap:

    # pkg info -l nss-pam-ldapd
    nss-pam-ldapd-0.9.12_1:
        /usr/local/etc/nslcd.conf.sample
        /usr/local/etc/rc.d/nslcd
        /usr/local/lib/nss_ldap.so
        /usr/local/lib/nss_ldap.so.1
        /usr/local/lib/pam_ldap.so
        /usr/local/lib/pam_ldap.so.1
        /usr/local/man/man5/nslcd.conf.5.gz
        /usr/local/man/man8/nslcd.8.gz
        /usr/local/man/man8/pam_ldap.8.gz
        /usr/local/sbin/nslcd
        /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL21
        /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL3
        /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LICENSE
        /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/catalog.mk

Both nss_ldap.so and pam_ldap.so are installed with this package. In the /etc/pam.d/sshd module example, in fact, I used /usr/local/lib/pam_ldap.so.

Rocky
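As an added illustration of the `-s {base|one|sub|children}' semantics discussed in the message above (not code from the thread or from OpenLDAP), the following models which entries each scope selects from a constructed directory tree using the thread's base DN. The sample DNs are constructed, DN parsing is a naive comma split, and `children' is modelled as the subtree minus the base entry; server-side ACLs, which decide whether attributes such as userPassword are actually returned for a given bind identity, are a separate step not modelled here.

```python
"""Model the ldapsearch -s scope options over a constructed directory tree."""
from typing import List, Optional

# Constructed sample entries (DNs only) under the base DN used in the thread.
SAMPLE_DNS = [
    "dc=examplehost,dc=domain",
    "ou=groups,dc=examplehost,dc=domain",
    "cn=admins,ou=groups,dc=examplehost,dc=domain",
    "cn=users,ou=groups,dc=examplehost,dc=domain",
    "ou=people,dc=examplehost,dc=domain",
    "cn=Name Surname,ou=people,dc=examplehost,dc=domain",
    "cn=deep,cn=Name Surname,ou=people,dc=examplehost,dc=domain",
    "dc=other,dc=domain",  # a naming context outside the search base
]


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs. Assumes no escaped commas (naive split) and
    normalises case so 'cn=Name Surname' and 'cn=name surname' compare equal."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def depth_below(base: str, dn: str) -> Optional[int]:
    """Levels dn sits below base (0 = same entry), or None if not under base."""
    b, d = split_dn(base), split_dn(dn)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)


def search(base: str, scope: str, entries: List[str] = SAMPLE_DNS) -> List[str]:
    """Return the DNs a search with the given scope selects, in tree order.
    base     -> only the base entry itself
    one      -> immediate children of the base (not the base)
    sub      -> the base entry and every descendant (ldapsearch default)
    children -> every descendant, excluding the base entry
    """
    if scope not in ("base", "one", "sub", "children"):
        raise ValueError(f"unknown scope: {scope}")
    result = []
    for dn in entries:
        depth = depth_below(base, dn)
        if depth is None:
            continue  # outside the search base, never returned
        if (scope == "base" and depth == 0) or (scope == "one" and depth == 1) \
                or scope == "sub" or (scope == "children" and depth >= 1):
            result.append(dn)
    return result
```

Note that `sub' from 'dc=examplehost,dc=domain' selects every level of the tree, including the entry three levels down, so a search that stops short is down to the server's ACLs or a size/time limit rather than the scope.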