LDAP and Linux compatibility

Michael Collette metrol.net at gmail.com
Sun Mar 20 13:37:44 PST 2005

On 20 Mar 2005 09:54:55 -0500, Lowell Gilbert
<freebsd-security-local at be-well.ilk.org> wrote:
> Michael Collette <metrol.net at gmail.com> writes:
> > Please excuse a wee bit of cross posting here.  It seems that the
> > questions list may not be the appropriate place for this as I've found
> > a number of unanswered posts involving this topic.
> On the -ports list, somebody pointed out that the linux-base ports
> include advice to to edit /compat/linux/etc/yp.conf (I'm using NIS).
> I haven't tried this yet, but it makes sense that it would be
> necessary.  For your case with LDAP, I suspect you would need to
> configure nsswitch.conf, probably the same way as the FreeBSD version
> in your real /etc directory.

The problem is, NIS is a built in feature of both FreeBSD and Linux. 
Configuring FreeBSD to utilize LDAP involves at least 4 additional
ports.  You need pam_ldap, nss_ldap, openldap-client, and openssl. 
The 4th of course being optional but highly desirable for security

Without this additional software neither FreeBSD nor the compat/Linux
install will do a lookup to an LDAP directory.  It wouldn't know how,
as you have to properly configure both pam_ldap and nss_ldap so they
know how to query the directory.

I would think that the most desirable behavior would be to have any
Linux calls to getpwuid_r() answered by the FreeBSD libraries rather
than a direct attempt to look at the passwd database.  Well, assuming
that's what is happening.  It just seems redundant to have to
configure authentication for the base system, then do it again for the
Linux compatiblity.

Later on,
"When you come to a fork in the road....Take it"
- Yogi Berra

More information about the freebsd-security mailing list