LDAP authentication confusion

Daniel Eischen deischen at freebsd.org
Mon Jul 15 19:44:41 UTC 2013


On Mon, 15 Jul 2013, Jan Bramkamp wrote:

> On 15.07.2013 21:09, Daniel Eischen wrote:
>> On Mon, 15 Jul 2013, Michael Loftis wrote:
>>
>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>> your configuration you've exposed I think you're ending up with that
>>> behavior and not using pam_ldap at all.  Instead the authentication is
>>> happening via nsswitch fulfilling getpwent() calls (the passwd: files
>>> ldap line in nsswitch.conf)
>>
>> Ok, thanks.  But shouldn't the documentation be changed
>> to reflect that?
>
> More than that. In my opinion it should be updated by replacing nss_ldap
> and pam_ldap with nss-pam-ldapd which splits the job of both into a
> shared daemon talking to the LDAP server and small stubs linked into the
> NSS / PAM using process talking to the local daemon. This allows usable
> timeout handling and client certificates with safe permissions.

I tried nss-pam-ldapd and it doesn't work for me.  I'm not
doing anything strange, as you can see by my configuration.
It would try to talk to the LDAP server, but would fail.
I'm not sure it was correctly picking up the proxyagent
password in my /usr/local/etc/nslcd.conf.  It was definitely
parsing it though, as that is where the LDAP server is
defined.  I switched to using pam_ldap and nss_ldap, and
it worked without any problem.

-- 
DE
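A check for the question this thread turns on (is a login really going through pam_ldap, or only through pam_unix comparing a hash that nss_ldap fetched over getpwent()?), written as an added example rather than anything posted in the thread; the nsswitch.conf, PAM service and `getent passwd` inputs are constructed stand-ins, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): classify which path authenticates
# a user when both nss_ldap and pam_ldap may be configured.
# Inputs are constructed stand-ins for /etc/nsswitch.conf, a PAM service
# file and one line of `getent passwd <user>` output.

# Returns 0 if nsswitch routes passwd lookups to LDAP ("passwd: files ldap").
nss_uses_ldap() {  # $1 = nsswitch.conf content
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*passwd:.*[[:space:]]ldap([[:space:]]|$)'
}

# Returns 0 if the PAM service has an auth line that loads pam_ldap.
pam_uses_ldap() {  # $1 = PAM service file content
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth[[:space:]].*pam_ldap'
}

# Prints one of: pam_ldap, nss-hash, local-only.
#   pam_ldap   - the PAM stack binds to the directory for this user
#   nss-hash   - no pam_ldap; NSS pulls the password hash from LDAP and
#                pam_unix compares it locally (the behaviour described above,
#                and it means the hash is readable by any local getpwent caller)
#   local-only - LDAP is not involved in authenticating this user
auth_path() {  # $1 = nsswitch.conf, $2 = PAM service file, $3 = getent passwd line
    hash=$(printf '%s' "$3" | cut -d: -f2)
    if pam_uses_ldap "$2"; then
        echo pam_ldap
    elif nss_uses_ldap "$1" && [ -n "$hash" ] && [ "$hash" != '*' ] && [ "$hash" != 'x' ]; then
        echo nss-hash
    else
        echo local-only
    fi
}

# Constructed sample configuration matching the nss_ldap-only setup discussed.
SAMPLE_NSS='passwd: files ldap
group: files ldap'
SAMPLE_PAM='auth required pam_unix.so'
SAMPLE_PW='jdoe:$6$saltsalt$constructedhash:1001:1001:J. Doe:/home/jdoe:/bin/sh'

auth_path "$SAMPLE_NSS" "$SAMPLE_PAM" "$SAMPLE_PW"
```

Run it against real files with `auth_path "$(cat /etc/nsswitch.conf)" "$(cat /etc/pam.d/sshd)" "$(getent passwd someuser)"`; a result of nss-hash with a visible hash is the situation the thread describes.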


More information about the freebsd-stable mailing list