On 15.07.2013 21:44, Daniel Eischen wrote:
> On Mon, 15 Jul 2013, Jan Bramkamp wrote:
> 
>> On 15.07.2013 21:09, Daniel Eischen wrote:
>>> On Mon, 15 Jul 2013, Michael Loftis wrote:
>>>
>>>> nss_ldap fulfills most of the get*ent calls, thus based on the bits of
>>>> your configuration you've exposed I think you're ending up with that
>>>> behavior and not using pam_ldap at all.  Instead the authentication is
>>>> happening via nsswitch fulfilling getpwent() call's (the passwd: files
>>>> ldap line in nsswitch.conf)
>>>
>>> Ok, thanks.  But shouldn't the documentation be changed
>>> to reflect that?
>>
>> More than that. In my opinion it should be updated by replacing nss_ldap
>> and pam_ldap with nss-pam-ldapd which splits the job of both into a
>> shared daemon talking to the LDAP server and small stubs linked into the
>> NSS / PAM using process talking to the local daemon. This allows usable
>> timeout handling and client certificates with safe permissions.
> 
> I tried nss-pam-ldapd and it doesn't work for me.  I'm not
> doing anything strange, as you can see by my configuration.
> It would try to talk to the LDAP server, but would fail.
> I'm not sure it was correctly picking up the proxyagent
> password in my /usr/local/etc/nslcd.conf.  It was definitely
> parsing it though, as that is where the LDAP server is
> defined.  I switched to using pam_ldap and nss_ldap, and
> it worked without any problem.
> 

This is my basic nslcd.conf:

        uid nslcd
        gid nslcd

        # fail over to auth2 if required
        uri ldap://auth1.example.org
        uri ldap://auth2.example.org

        base dc=example,dc=org

        scope sub

        base    group   ou=groups,dc=example,dc=org
        base    passwd  ou=users,dc=example,dc=org
        scope   group   onelevel
        scope   hosts   sub

        # allow groups of DNs
        filter group (|(objectClass=posixGroup)(objectClass=posixGroupOfNames))

        bind_timelimit  15
        timelimit       5
        idle_timelimit  3600

        ssl             start_tls
        tls_reqcert     hard
        tls_cacertdir   /usr/local/etc/openldap/ca
        tls_cacertfile  /usr/local/etc/openldap/ca/ca-cert.pem
        # requires OpenSSL from ports, use DHE-RSA-AES256-SHA otherwise
        tls_ciphers     DHE-RSA-AES256-GCM-SHA384
        tls_cert        /usr/local/etc/nslcd.crt
        tls_key         /usr/local/etc/nslcd.key

        sasl_mech       EXTERNAL
        sasl_realm      EXAMPLE.ORG
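As an added example (not from the thread or the nss-pam-ldapd project), a small linter that parses an nslcd.conf like the one above and checks the settings the discussion turns on: STARTTLS on ldap:// URIs, strict server certificate verification, a failover uri, and that the client key (and the config file, if it carries a bindpw) is not readable by group or other. The sample config and the st_mode values are constructed; the assumed default for a missing tls_reqcert is libldap's "demand".

```python
from typing import Dict, List, Optional

# Constructed sample mirroring the nslcd.conf posted above (abridged).
SAMPLE_CONF = """\
uid nslcd
gid nslcd
# fail over to auth2 if required
uri ldap://auth1.example.org
uri ldap://auth2.example.org
base dc=example,dc=org
base    passwd  ou=users,dc=example,dc=org
ssl             start_tls
tls_reqcert     hard
tls_cacertfile  /usr/local/etc/openldap/ca/ca-cert.pem
tls_cert        /usr/local/etc/nslcd.crt
tls_key         /usr/local/etc/nslcd.key
sasl_mech       EXTERNAL
"""

def parse_nslcd_conf(text: str) -> Dict[str, List[str]]:
    """Map each option to the list of values seen (uri and base may repeat).
    Blank lines and lines starting with '#' are skipped, as nslcd does."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts

def audit(opts: Dict[str, List[str]], key_mode: Optional[int] = None,
          conf_mode: Optional[int] = None) -> List[str]:
    """Return findings; an empty list means all checks passed.
    key_mode/conf_mode are st_mode values of tls_key / nslcd.conf (None skips)."""
    findings: List[str] = []
    uris = opts.get("uri", [])
    ssl = opts.get("ssl", ["off"])[-1].lower()
    if any(u.startswith("ldap://") for u in uris) and ssl != "start_tls":
        findings.append("ldap:// uri without 'ssl start_tls': bind credentials sent in clear")
    # Assumption: absent tls_reqcert falls back to libldap's default 'demand'.
    if opts.get("tls_reqcert", ["demand"])[-1].lower() not in ("demand", "hard"):
        findings.append("tls_reqcert not hard/demand: server certificate is not verified")
    if "tls_key" in opts and key_mode is not None and key_mode & 0o077:
        findings.append("tls_key readable by group/other: restrict it to the nslcd user")
    if "bindpw" in opts and conf_mode is not None and conf_mode & 0o077:
        findings.append("bindpw present but nslcd.conf is readable by group/other")
    if len(uris) < 2:
        findings.append("only one uri: no failover server configured")
    return findings

if __name__ == "__main__":
    for f in audit(parse_nslcd_conf(SAMPLE_CONF), key_mode=0o600):
        print("WARN:", f)
```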
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable