pam_ldap: documentation problems
norman at astro.gla.ac.uk
Tue Mar 27 11:31:45 UTC 2018
I'm trying to set up PAM/LDAP authentication. I think the following may
represent documentation bugs (or at least omissions), but I'm
insufficiently confident about the technology to raise them as such
without some discussion here first.
Do let me know if there's a better list for this to go to.
1. The pam_ldap(5) manpage (installed as part of the pam_ldap pkg/port)
Specifies the distinguished name of a group to which a
belong for logon authorization to succeed.
<attribute> Specifies the attribute to use when testing a
membership of a group specified in the pam_groupdn
This description doesn't, however, make clear whether
pam_member_attribute is an attribute on the user's entry, naming the
group they belong to (eg memberOf), or an attribute on the group's
entry, naming the users who are members (eg member or memberUid). Other
resources suggest  it's the latter, but it would be useful to have
this clarified in the FreeBSD manpage.
2. The article at  discusses PAM configuration and mentions
pam_groupdn, but _doesn't_ illustrate pam_member_attribute, so doesn't
resolve the ambiguity in pam_ldap(5).
Further, this article says:
> Members of this group are specified in one or more memberUid
> attributes, and each attribute must have the full distinguished name
> of the member. So memberUid: someuser will not work; it must be:
> memberUid: uid=someuser,ou=people,dc=example,dc=org
I think this may actually not conform with how memberUid is intended to
be used. Specifically, I think that memberUid should indeed be simply
`someuser`. That is, I suspect this article is wrong, or at least
unconventional, in this demand.
If we look at `/usr/local/etc/openldap/schema/nis.schema`, we see that
memberUid has syntax 18.104.22.168.4.1.1422.214.171.124.26 which (as you will of
course instantly recognise) is IA5String (ie, ASCII) (some other
nis.schema files, eg on macOS, give this as 'directory string', meaning
a UTF-8 encoded ISO10646/Unicode string). RFC 2307  also says that
memberUid is an IA5String. The DN quoted above doesn't violate this as
a matter of syntax, but note that the attribute is _not_ given syntax
...121.1.12, or DN. In contrast. the `member` attribute (RFC 2256, )
_is_ given syntax distinguishedName. Thus the implication does seem to
be that, pace the article at , memberUid is intended _not_ to be a
Also, RFC 2307bis (, draft, but widely implemented) explicitly says:
It is suggested that uid and cn are used as the naming attribute for
posixAccount and posixGroup entries, respectively. Group members
either be login names (values of memberUid) or distinguished names
(values of member).
which seems to rule out DN-valued memberUid.
The howto at  also illustrates memberUid as a simple uid, not a DN.
I haven't yet experimented with this in practice -- I'm still trying to
read around this -- so it's possible that memberuid:someuser does in
fact work in practice, and the article is simply out of date.
Can anyone comment? Or point to alternative instructions for setting up
FreeBSD client PAM/LDAP (in the current context, I'm configuring the
server-side as well, but that has to be compatible with Linux clients,
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
More information about the freebsd-questions