pam_ldap: documentation problems

Norman Gray norman at
Tue Mar 27 11:31:45 UTC 2018


I'm trying to set up PAM/LDAP authentication.  I think the following may 
represent documentation bugs (or at least omissions), but I'm 
insufficiently confident about the technology to raise them as such 
without some discussion here first.

Do let me know if there's a better list for this to go to.

1. The pam_ldap(5) manpage (installed as part of the pam_ldap pkg/port) 
says:

        pam_groupdn <groupdn>
               Specifies the distinguished name of a group to which a 
               user must belong for logon authorization to succeed.

        pam_member_attribute <attribute>
               Specifies the attribute to use when testing a 
               membership of a group specified in the pam_groupdn 

This description doesn't, however, make clear whether 
pam_member_attribute is an attribute on the user's entry, naming the 
group they belong to (eg memberOf), or an attribute on the group's 
entry, naming the users who are members (eg member or memberUid).  Other 
resources suggest [5] it's the latter, but it would be useful to have 
this clarified in the FreeBSD manpage.

2. The article at [1] discusses PAM configuration and mentions 
pam_groupdn, but _doesn't_ illustrate pam_member_attribute, so doesn't 
resolve the ambiguity in pam_ldap(5).

Further, this article says:

> Members of this group are specified in one or more memberUid 
> attributes, and each attribute must have the full distinguished name 
> of the member. So memberUid: someuser will not work; it must be:
> memberUid: uid=someuser,ou=people,dc=example,dc=org

I think this may actually not conform with how memberUid is intended to 
be used.  Specifically, I think that memberUid should indeed be simply 
`someuser`.  That is, I suspect this article is wrong, or at least 
unconventional, in this demand.

If we look at `/usr/local/etc/openldap/schema/nis.schema`, we see that 
memberUid has syntax which (as you will of 
course instantly recognise) is IA5String (ie, ASCII) (some other 
nis.schema files, eg on macOS, give this as 'directory string', meaning 
a UTF-8 encoded ISO10646/Unicode string).  RFC 2307 [3] also says that 
memberUid is an IA5String.  The DN quoted above doesn't violate this as 
a matter of syntax, but note that the attribute is _not_ given syntax 
...121.1.12, or DN.  In contrast, the `member` attribute (RFC 2256, [4]) 
_is_ given syntax distinguishedName.  Thus the implication does seem to 
be that, pace the article at [1], memberUid is intended _not_ to be a 

Also, RFC 2307bis ([6], draft, but widely implemented) explicitly says:

    It is suggested that uid and cn are used as the naming attribute for
    posixAccount and posixGroup entries, respectively.  Group members may
    either be login names (values of memberUid) or distinguished names
    (values of member).

which seems to rule out DN-valued memberUid.

The howto at [5] also illustrates memberUid as a simple uid, not a DN.

I haven't yet experimented with this in practice -- I'm still trying to 
read around this -- so it's possible that memberuid:someuser does in 
fact work in practice, and the article is simply out of date.

Can anyone comment?  Or point to alternative instructions for setting up 
FreeBSD client PAM/LDAP (in the current context, I'm configuring the 
server-side as well, but that has to be compatible with Linux clients, 

Best wishes,



Norman Gray  :
SUPA School of Physics and Astronomy, University of Glasgow, UK
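As an added example (not part of the post above, and not pam_ldap's own code), the following Python script models the group test that pam_groupdn and pam_member_attribute describe: fetch the group entry named by pam_groupdn and look for the user among the values of pam_member_attribute on that entry. It assumes, as the post's source [5] suggests, that the attribute lives on the group entry rather than the user's. The LDIF is constructed for this example and shows three groups: a posixGroup whose memberUid values are login names, a groupOfNames whose member values are DNs, and a posixGroup written the way the article at [1] recommends, with a DN inside memberUid. The DN normalisation and all function names are this example's own assumptions.

```python
"""Model of the pam_groupdn / pam_member_attribute check from pam_ldap(5).

This is illustrative code written for this example; pam_ldap's real
implementation and its exact matching rules are not reproduced here.
"""
from collections import defaultdict

# Constructed sample directory content (not taken from a real server).
SAMPLE_LDIF = """\
dn: uid=someuser,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: someuser
cn: Some User

dn: cn=staff,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: staff
memberUid: someuser
memberUid: otheruser

dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: admins
member: uid=someuser,ou=people,dc=example,dc=org

dn: cn=broken,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: broken
memberUid: uid=someuser,ou=people,dc=example,dc=org
"""


def norm_dn(dn):
    """Crude DN normalisation for comparison: lower-case and strip
    whitespace around RDN separators.  Real distinguishedNameMatch is
    more involved; this is enough for the constructed data above."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into
    {normalised dn: {attribute name (lower-cased): [values]}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = defaultdict(list)
            entries[norm_dn(value)] = current
        elif current is not None:
            current[name].append(value)
    return entries


def is_member(entries, groupdn, member_attribute, user_dn, login):
    """Return True if the user is listed on the group entry `groupdn`
    under `member_attribute` (the pam_groupdn / pam_member_attribute pair).

    The comparison follows the attribute's syntax: `member` is DN-valued
    (RFC 2256), so values are compared as DNs; `memberUid` is an IA5String
    login name (RFC 2307), so values are compared with the login name.
    """
    group = entries.get(norm_dn(groupdn))
    if group is None:
        return False
    values = group.get(member_attribute.lower(), [])
    if member_attribute.lower() == "member":
        return any(norm_dn(v) == norm_dn(user_dn) for v in values)
    return login in values


def check_all():
    """Run the three configurations a client might use against the sample
    data.  Keys name the pam_groupdn group and the pam_member_attribute."""
    entries = parse_ldif(SAMPLE_LDIF)
    user_dn = "uid=someuser,ou=people,dc=example,dc=org"
    base = "ou=groups,dc=example,dc=org"
    return {
        # pam_groupdn cn=staff,...  pam_member_attribute memberUid
        "staff/memberUid": is_member(entries, "cn=staff," + base,
                                     "memberUid", user_dn, "someuser"),
        # pam_groupdn cn=admins,... pam_member_attribute member
        "admins/member": is_member(entries, "cn=admins," + base,
                                   "member", user_dn, "someuser"),
        # DN stored in memberUid, as [1] recommends: never equals the login
        "broken/memberUid": is_member(entries, "cn=broken," + base,
                                      "memberUid", user_dn, "someuser"),
    }


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {'member' if ok else 'NOT a member'}")
```

Under this model a login-name memberUid and a DN-valued member both admit the user, while a DN stored in memberUid never matches the login name that a memberUid comparison uses; that is the behaviour to test for when deciding whether the article's advice or the schema's syntax should be followed.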

More information about the freebsd-questions mailing list