nss_ldap problem

Frode Nordahl frode at nordahl.net
Sat Mar 4 09:04:22 UTC 2006

On 26. feb. 2006, at 09.14, Dmitriy Kirhlarov wrote:

> I use nss_ldap-1.239 and nss_ldap-1.244 on 5.4 and 6.0
> I have a problem -- login success only if {CRYPT} mechanism used in
> ldap database. Other services, authenticated in ldap, work fine
> (pam_ldap, apache auth for example).

pam_ldap authenticates the user by attempting to bind to the LDAP  
server using the users credentials. So what type of encryption used  
should not make any difference.

However, I have observed configurations on Linux where authentication  
is done through nss_ldap instead of pam_ldap. What actually happends  
then is that nss_ldap fetches the password from the database and  
pam_unix does the authentiaction work.

If this is the case in your setup, the encryption chosen would matter  
as pam_unix probably does not support all the modes that OpenLDAP has.

You could try to remove pam_ldap from your setup, and leave nss_ldap  
active and see if you still can log in?

What does your ACL's look like?

I have this as one of my first ACL's:
access to attr=userPassword
	by self write
	by anonymous auth
	by * none

This makes sure that no one can read the password from the directory,  
but allows a user to change his own password, and to authenticate by  
binding to the LDAP server.


> /etc/nsswitch.conf
> group: ldap files
> hosts: files dns
> networks: files
> passwd: ldap files
> shells: files
> imap: ldap

Why do you have "ldap" first? I would use "files ldap" in any case so  
local changes can override the directory.

Frode Nordahl
frode at nordahl.net

More information about the freebsd-stable mailing list