LDAP authentication confusion

Jan Bramkamp crest at rlwinm.de
Mon Jul 15 19:49:52 UTC 2013 

On 15.07.2013 21:44, Daniel Eischen wrote:
> On Mon, 15 Jul 2013, Jan Bramkamp wrote:
> 
>> On 15.07.2013 21:09, Daniel Eischen wrote:> On Mon, 15 Jul 2013, Michael
>> Loftis wrote:
>>>
>>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>>> your configuration you've exposed I think you're ending up with that
>>>> behavior and not using pam_ldap at all.  Instead the authentication is
>>>> happening via nsswitch fulfilling getpwent() call's (the passwd: files
>>>> ldap line in nsswitch.conf)
>>>
>>> Ok, thanks.  But shouldn't the documentation be changed
>>> to reflect that?
>>
>> More than that. In my opinion it should be updated by replacing nss_ldap
>> and pam_ldap with nss-pam-ldapd which splits the job of both into a
>> shared daemon talking to the LDAP server and small stubs linked into the
>> NSS / PAM using process talking to the local daemon. This allows useable
>> timeout handling and client certificates with save permissions.
> 
> I tried nss-pam-ldapd and it doesn't work for me.  I'm not
> doing anything strange, as you can see by my configuration.
> It would try to talk to the LDAP server, but would fail.
> I'm not sure it was correctly picking up the proxyagent
> password in my /usr/local/etc/nslcd.conf.  It was definitely
> parsing it though, as that is where the LDAP server is
> defined.  I switched to using pam_ldap and nss_ldap, and
> it worked without any problem.
> 

This is my basic nscld.conf:

	uid nslcd
	gid nslcd

	# fail over to auth2 if required
	uri ldap://auth1.example.org
	uri ldap://auth2.example.org

	base dc=example,dc=org

	scope sub

	base    group	ou=groups,dc=example,dc=org
	base	passwd	ou=users,dc=example,dc=org
	scope	group	onelevel
	scope	hosts	sub

	filter group (|(objectClass=posixGroup)(objectClass=posixGroupOfNames))
# allow groups of DNs

	bind_timelimit	15
	timelimit	5
	idle_timelimit	3600

	ssl             start_tls
	tls_reqcert     hard
	tls_cacertdir   /usr/local/etc/openldap/ca
	tls_cacertfile  /usr/local/etc/openldap/ca/ca-cert.pem
	tls_ciphers     DHE-RSA-AES256-GCM-SHA384 # requires OpenSSL from ports
use DHE-RSA-AES256-SHA otherwise
	tls_cert	/usr/local/etc/nslcd.crt
	tls_key         /usr/local/etc/nslcd.key

	sasl_mech       EXTERNAL
	sasl_realm	EXAMPLE.ORG

More information about the freebsd-stable mailing list