nss_ldap problem

Frode Nordahl frode at nordahl.net
Sat Mar 4 09:04:22 UTC 2006


On 26. feb. 2006, at 09.14, Dmitriy Kirhlarov wrote:

> I use nss_ldap-1.239 and nss_ldap-1.244 on 5.4 and 6.0
> I have a problem -- login success only if {CRYPT} mechanism used in
> ldap database. Other services, authenticated in ldap, work fine
> (pam_ldap, apache auth for example).

pam_ldap authenticates the user by attempting to bind to the LDAP
server using the user's credentials. So the type of encryption used
should not make any difference.

However, I have observed configurations on Linux where authentication
is done through nss_ldap instead of pam_ldap. What actually happens
then is that nss_ldap fetches the password from the database and
pam_unix does the authentication work.

If this is the case in your setup, the encryption chosen would matter
as pam_unix probably does not support all the modes that OpenLDAP has.

You could try to remove pam_ldap from your setup, leave nss_ldap
active, and see if you can still log in.

What do your ACLs look like?

I have this as one of my first ACLs:
access to attr=userPassword
	by self write
	by anonymous auth
	by * none

This makes sure that no one can read the password from the directory,
but allows a user to change his own password, and to authenticate by
binding to the LDAP server.

[snip]

> /etc/nsswitch.conf
> group: ldap files
> hosts: files dns
> networks: files
> passwd: ldap files
> shells: files
> imap: ldap

Why do you have "ldap" first? I would use "files ldap" in any case so
local changes can override the directory.

Frode Nordahl
frode at nordahl.net
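As an added example (not code from this thread, nor from nss_ldap or OpenLDAP), the following Python script audits the three points Frode raises, on constructed inputs: the nsswitch.conf source order, whether the first slapd ACL clause covering userPassword still lets anonymous or bound users read it, and which userPassword values pam_unix could verify if nss_ldap handed it the hash. It assumes pam_unix can only verify {CRYPT} values, which is the failure the original poster describes, and its ACL parsing is deliberately simplified: a clause is taken to cover userPassword when its target is "*" or its attrs= list names userPassword, and quoted DNs containing spaces are not handled.

```python
"""Offline audit for the points raised in the thread: nsswitch.conf source
order, the OpenLDAP ACL guarding userPassword, and which userPassword schemes
pam_unix can verify. Added example with constructed inputs; not code from the
thread, nss_ldap or OpenLDAP."""
import re

# pam_unix compares with crypt(3), so only {CRYPT} values can succeed when the
# hash reaches pam_unix through nss_ldap (assumption drawn from the thread).
PAM_UNIX_SCHEMES = {"CRYPT"}

# OpenLDAP access levels, weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# <who> values that grant to everyone (or every bound user) rather than one DN.
BROAD_WHO = {"*", "users", "anonymous"}


def ldap_before_files(nsswitch_text):
    """Return the nsswitch.conf databases that list 'ldap' ahead of 'files'."""
    flagged = []
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # drop action tokens such as [NOTFOUND=return]
        srcs = [s.lower() for s in sources.split() if not s.startswith("[")]
        if "ldap" in srcs and "files" in srcs and srcs.index("ldap") < srcs.index("files"):
            flagged.append(db.strip())
    return flagged


def userpassword_acl_ok(slapd_conf):
    """True if the first 'access to' clause covering userPassword grants no
    read-or-better privilege to *, users or anonymous. Simplified parser:
    comment lines are dropped, the clause is tokenised on whitespace, and
    quoted DNs containing spaces are not supported."""
    for clause in re.split(r"(?m)^\s*access\s+to\s+", slapd_conf)[1:]:
        body = "\n".join(ln for ln in clause.splitlines() if not ln.strip().startswith("#"))
        words = body.split()
        split_at = words.index("by") if "by" in words else len(words)
        target, rest = " ".join(words[:split_at]), words[split_at:]
        attrs = re.search(r"attrs?=(\S+)", target)
        covers = target.startswith("*") or bool(attrs and "userpassword" in attrs.group(1).lower())
        if not covers:
            continue  # slapd uses the first clause whose target matches, so keep looking
        rules, cur = [], []
        for w in rest:  # regroup tokens into one list per 'by ...' rule
            if w == "by" and cur:
                rules.append(cur)
                cur = []
            cur.append(w)
        if cur:
            rules.append(cur)
        for tokens in rules:
            who = tokens[1] if len(tokens) > 1 else "*"
            level = next((t for t in tokens[2:] if t in LEVELS), None)
            # unknown or explicit privilege strings are counted as a leak (conservative)
            if who in BROAD_WHO and (level is None or LEVELS.index(level) >= LEVELS.index("read")):
                return False
        return True
    return False  # no directive covers userPassword: slapd's default is 'by * read'


def unverifiable_by_pam_unix(userpasswords):
    """Given {dn: userPassword value}, return {dn: scheme} for values pam_unix
    could not verify: any scheme other than {CRYPT}, or a scheme-less value."""
    flagged = {}
    for dn, value in userpasswords.items():
        m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
        scheme = m.group(1).upper() if m else "CLEARTEXT"
        if scheme not in PAM_UNIX_SCHEMES:
            flagged[dn] = scheme
    return flagged


# Constructed sample inputs (the nsswitch lines mirror the ones quoted above).
SAMPLE_NSSWITCH = """\
group: ldap files
hosts: files dns
passwd: ldap files
shells: files
"""

GOOD_ACL = """\
access to attr=userPassword
\tby self write
\tby anonymous auth
\tby * none
access to *
\tby * read
"""

LEAKY_ACL = """\
# the catch-all comes first, so the userPassword clause is never reached
access to *
\tby * read
access to attr=userPassword
\tby self write
\tby * none
"""

SAMPLE_PASSWORDS = {
    "uid=alice,ou=people,dc=example,dc=com": "{CRYPT}$1$constructed$notarealhashXXXXXXX",
    "uid=bob,ou=people,dc=example,dc=com": "{SSHA}Y29uc3RydWN0ZWQgc2FtcGxlIHZhbHVl",
    "uid=carol,ou=people,dc=example,dc=com": "not-a-hash",
}

if __name__ == "__main__":
    print("ldap listed before files:", ldap_before_files(SAMPLE_NSSWITCH))
    print("thread's ACL keeps userPassword private:", userpassword_acl_ok(GOOD_ACL))
    print("catch-all-first ACL keeps userPassword private:", userpassword_acl_ok(LEAKY_ACL))
    print("pam_unix cannot verify:", unverifiable_by_pam_unix(SAMPLE_PASSWORDS))
```

Point the functions at your own nsswitch.conf, slapd.conf and an LDIF dump of userPassword values to reproduce the checks; the ACL ordering case matters because slapd stops at the first "access to" whose target matches, so a permissive catch-all placed above the userPassword clause silently undoes it.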