LDAP authentication confusion

Mark Felder feld at freebsd.org
Mon Jul 15 19:25:04 UTC 2013


On Mon, Jul 15, 2013, at 14:19, Jan Bramkamp wrote:
> 
> More than that. In my opinion it should be updated by replacing nss_ldap
> and pam_ldap with nss-pam-ldapd which splits the job of both into a
> shared daemon talking to the LDAP server and small stubs linked into the
> NSS / PAM using process talking to the local daemon. This allows usable
> timeout handling and client certificates with safe permissions.
> 

And if the daemon ever crashes, we can't log in to our customer servers
(assuming they nuked our local account because they have root access).

That's the one issue I have with that daemon and why we haven't migrated
to it. We should re-evaluate it, though.


More information about the freebsd-stable mailing list