LDAP authentication confusion
Jan Bramkamp
crest at rlwinm.de
Mon Jul 15 19:49:52 UTC 2013
On 15.07.2013 21:44, Daniel Eischen wrote:
> On Mon, 15 Jul 2013, Jan Bramkamp wrote:
>
>> On 15.07.2013 21:09, Daniel Eischen wrote:
>>> On Mon, 15 Jul 2013, Michael Loftis wrote:
>>>
>>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>>> your configuration you've exposed I think you're ending up with that
>>>> behavior and not using pam_ldap at all. Instead the authentication is
>>>> happening via nsswitch fulfilling getpwent() call's (the passwd: files
>>>> ldap line in nsswitch.conf)
>>>
>>> Ok, thanks. But shouldn't the documentation be changed
>>> to reflect that?
>>
>> More than that. In my opinion it should be updated by replacing nss_ldap
>> and pam_ldap with nss-pam-ldapd which splits the job of both into a
>> shared daemon talking to the LDAP server and small stubs linked into the
>> NSS / PAM using process talking to the local daemon. This allows useable
>> timeout handling and client certificates with save permissions.
>
> I tried nss-pam-ldapd and it doesn't work for me. I'm not
> doing anything strange, as you can see by my configuration.
> It would try to talk to the LDAP server, but would fail.
> I'm not sure it was correctly picking up the proxyagent
> password in my /usr/local/etc/nslcd.conf. It was definitely
> parsing it though, as that is where the LDAP server is
> defined. I switched to using pam_ldap and nss_ldap, and
> it worked without any problem.
>
This is my basic nslcd.conf:
uid nslcd
gid nslcd
# fail over to auth2 if required
uri ldap://auth1.example.org
uri ldap://auth2.example.org
base dc=example,dc=org
scope sub
base group ou=groups,dc=example,dc=org
base passwd ou=users,dc=example,dc=org
scope group onelevel
scope hosts sub
# allow groups of DNs
filter group (|(objectClass=posixGroup)(objectClass=posixGroupOfNames))
bind_timelimit 15
timelimit 5
idle_timelimit 3600
ssl start_tls
tls_reqcert hard
tls_cacertdir /usr/local/etc/openldap/ca
tls_cacertfile /usr/local/etc/openldap/ca/ca-cert.pem
# requires OpenSSL from ports; use DHE-RSA-AES256-SHA otherwise
tls_ciphers DHE-RSA-AES256-GCM-SHA384
tls_cert /usr/local/etc/nslcd.crt
tls_key /usr/local/etc/nslcd.key
sasl_mech EXTERNAL
sasl_realm EXAMPLE.ORG
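The handful of settings in a configuration like the one above (the unprivileged `uid`, `ssl`, `tls_reqcert`, the mode of `tls_key`, and `timelimit`) are what decide whether nslcd talks to the directory securely and whether lookups can hang a login. The following POSIX sh checker is an added example for this thread, not code from the original post or from the nss-pam-ldapd project. The option names and accepted values (`ssl on|start_tls`, `tls_reqcert never|allow|try|demand|hard`, `timelimit 0` meaning wait forever) are the real nslcd.conf ones; the sample configurations, file names and the "owner-only key" policy are constructed for the example.

```shell
# Added example: lint the security-relevant options of an nslcd.conf.
# Not part of the original post; nslcd.conf option names are real, the
# sample files written by nslcd_make_samples are constructed for the demo.

# Print the value of the first occurrence of option $2 in file $1.
# nslcd.conf is "option value ..." per line; lines starting with '#' are comments.
nslcd_get() {
    awk -v opt="$2" '
        /^[ \t]*#/ { next }
        $1 == opt { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Check one nslcd.conf. Prints one finding per line and returns the number
# of findings (0 = clean), so a deploy script can use it as a gate.
nslcd_lint() {
    conf=$1
    findings=0

    # nslcd should drop privileges; the client key must then be readable only by that user.
    runas=$(nslcd_get "$conf" uid)
    if [ -z "$runas" ] || [ "$runas" = root ]; then
        echo "uid: nslcd should run as a dedicated unprivileged user, not root"
        findings=$((findings + 1))
    fi

    # Without TLS the proxy credentials and every lookup cross the wire in clear.
    ssl=$(nslcd_get "$conf" ssl)
    case "$ssl" in
        on|start_tls) ;;
        *) echo "ssl: set 'ssl on' (ldaps) or 'ssl start_tls'; plaintext LDAP leaks credentials"
           findings=$((findings + 1)) ;;
    esac

    # Anything weaker than demand/hard (never, allow, try) lets a MITM present a bogus cert.
    reqcert=$(nslcd_get "$conf" tls_reqcert)
    if [ "$reqcert" != hard ] && [ "$reqcert" != demand ]; then
        echo "tls_reqcert: '$reqcert' does not verify the server certificate; use 'hard'"
        findings=$((findings + 1))
    fi

    # Client key for SASL EXTERNAL: must exist and must not be group/world accessible.
    key=$(nslcd_get "$conf" tls_key)
    if [ -n "$key" ]; then
        if [ ! -f "$key" ]; then
            echo "tls_key: $key does not exist"
            findings=$((findings + 1))
        else
            # GNU stat first, BSD stat (FreeBSD) as fallback; both yield e.g. "600".
            mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
            case "$mode" in
                *00) ;;
                *) echo "tls_key: $key mode $mode is group/world accessible; chmod 600 it"
                   findings=$((findings + 1)) ;;
            esac
        fi
    fi

    # timelimit unset or 0 means nslcd waits forever on a hung server.
    tl=$(nslcd_get "$conf" timelimit)
    case "$tl" in
        ''|0) echo "timelimit: unset or 0, lookups can block indefinitely; set a few seconds"
              findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Constructed sample input: one clean and one weak configuration in directory $1.
nslcd_make_samples() {
    dir=$1
    : > "$dir/good.key"; chmod 600 "$dir/good.key"
    : > "$dir/bad.key";  chmod 644 "$dir/bad.key"
    printf '%s\n' \
        'uid nslcd' 'gid nslcd' \
        'uri ldap://auth1.example.org' 'base dc=example,dc=org' \
        'bind_timelimit 15' 'timelimit 5' \
        'ssl start_tls' 'tls_reqcert hard' \
        "tls_key $dir/good.key" 'sasl_mech EXTERNAL' > "$dir/good.conf"
    printf '%s\n' \
        'uid root' \
        'uri ldap://auth1.example.org' 'base dc=example,dc=org' \
        '# no ssl line, no timelimit line' \
        'tls_reqcert allow' \
        "tls_key $dir/bad.key" > "$dir/bad.conf"
}

# Usage on a real host: . ./nslcd-lint.sh && nslcd_lint /usr/local/etc/nslcd.conf
```

Run against the constructed `bad.conf` the checker reports five findings (root uid, no TLS, `tls_reqcert allow`, a world-readable key, no `timelimit`); against `good.conf` it reports none and exits 0. It deliberately checks file mode rather than ownership so it can run unprivileged; on a real host also confirm the key is owned by the `uid` user.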
More information about the freebsd-stable mailing list