LDAP authentication confusion

Jan Bramkamp crest at rlwinm.de
Mon Jul 15 19:19:54 UTC 2013


On 15.07.2013 21:09, Daniel Eischen wrote:
> On Mon, 15 Jul 2013, Michael Loftis wrote:
>
>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>> your configuration you've exposed I think you're ending up with that
>> behavior and not using pam_ldap at all.  Instead the authentication is
>> happening via nsswitch fulfilling getpwent() calls (the passwd: files
>> ldap line in nsswitch.conf)
>
> Ok, thanks.  But shouldn't the documentation be changed
> to reflect that?

More than that. In my opinion it should be updated by replacing nss_ldap
and pam_ldap with nss-pam-ldapd, which splits the job of both into a
shared daemon talking to the LDAP server and small stubs linked into the
NSS / PAM using process talking to the local daemon. This allows usable
timeout handling and client certificates with safe permissions.
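As an added illustration of the split described above (this fragment is not part of the message or of the nss-pam-ldapd project; the server name, base DN, file paths and the nslcd account are assumed), the local daemon is the only process that holds LDAP credentials and the TLS client key, while every NSS/PAM client only talks to its socket:

```conf
# /etc/nsswitch.conf (assumed): the "ldap" module here is the small
# nss-pam-ldapd stub; it never opens an LDAP connection itself.
passwd: files ldap
group:  files ldap

# /etc/nslcd.conf (assumed values): read only by the nslcd daemon.
# Drop privileges to an unprivileged account after startup, so the
# credentials below are never exposed to ordinary login processes.
uid nslcd
gid nslcd

# Directory server and search base (assumed).
uri  ldaps://ldap.example.test/
base dc=example,dc=test

# Client certificate presented to the server; the key file can be
# mode 0600, owned by root with group nslcd, because only nslcd reads it.
tls_reqcert   demand
tls_cacertfile /usr/local/etc/ssl/ldap-ca.pem
tls_cert      /usr/local/etc/ssl/nslcd-client.crt
tls_key       /usr/local/etc/ssl/nslcd-client.key

# Timeouts are enforced in one place, so a slow or unreachable server
# delays a lookup for a bounded time instead of hanging every process
# that calls getpwent().
bind_timelimit     5
timelimit          10
idle_timelimit     600
reconnect_sleeptime 1
reconnect_retrytime 10
```

With nss_ldap and pam_ldap, by contrast, each process performing a lookup (including unprivileged ones) would need to read the client key and configure its own timeouts, which is the permission and timeout problem the message refers to.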


More information about the freebsd-stable mailing list