On 26. feb. 2006, at 09.14, Dmitriy Kirhlarov wrote:
> I use nss_ldap-1.239 and nss_ldap-1.244 on 5.4 and 6.0
> I have a problem -- login success only if {CRYPT} mechanism used in
> ldap database. Other services, authenticated in ldap, work fine
> (pam_ldap, apache auth for example).
pam_ldap authenticates the user by attempting to bind to the LDAP
server using the user's credentials. So what type of encryption is used
should not make any difference.
However, I have observed configurations on Linux where authentication
is done through nss_ldap instead of pam_ldap. What actually happens
then is that nss_ldap fetches the password from the database and
pam_unix does the authentication work.
If this is the case in your setup, the encryption chosen would matter
as pam_unix probably does not support all the modes that OpenLDAP has.
You could try to remove pam_ldap from your setup, leave nss_ldap
active, and see if you can still log in?
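To make the difference between the two paths concrete: on a pam_ldap bind, slapd checks the password against whatever userPassword scheme it stores, whereas with nss_ldap plus pam_unix the stored value is handed to pam_unix, which only understands crypt(3) strings. The Python below is an added illustration, not code from this thread or from nss_ldap/pam_unix; the scheme encodings follow the RFC 2307 / OpenLDAP convention (base64 of digest followed by salt), and the password and salt in the test are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Digest algorithm behind each OpenLDAP scheme handled here (CRYPT is separate).
_SCHEMES = {"SSHA": "sha1", "SHA": "sha1", "SMD5": "md5", "MD5": "md5"}


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} userPassword value as slapd would store it."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pam_unix_verify(stored: str, candidate: str) -> bool:
    """What pam_unix can do with a hash handed to it via nss_ldap: crypt(3) only."""
    if not stored.upper().startswith("{CRYPT}"):
        return False  # {SSHA}, {MD5}, ... are opaque to crypt(3): login fails
    try:
        import crypt  # stdlib module, removed in Python 3.13
    except ImportError:
        raise RuntimeError("crypt(3) binding not available on this host")
    hashed = stored[len("{CRYPT}"):]
    return hmac.compare_digest(crypt.crypt(candidate, hashed), hashed)


def slapd_verify(stored: str, candidate: str) -> bool:
    """What slapd does on a simple bind: verify against the stored scheme."""
    scheme, _, payload = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    if scheme == "CRYPT":
        return pam_unix_verify(stored, candidate)
    algo = _SCHEMES.get(scheme)
    if algo is None:
        return False  # unknown scheme: bind fails rather than guessing
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error:
        return False
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]  # salt is empty for {SHA}/{MD5}
    expected = hashlib.new(algo, candidate.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)
```

With a {CRYPT} value both functions agree; with any other scheme only the bind path succeeds, which matches the symptom in the original question.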
What do your ACLs look like?
I have this as one of my first ACLs:
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
This makes sure that no one can read the password from the directory,
but allows a user to change his own password, and to authenticate by
binding to the LDAP server.
> [snip]
> /etc/nsswitch.conf
> group: ldap files
> hosts: files dns
> networks: files
> passwd: ldap files
> shells: files
> imap: ldap
Why do you have "ldap" first? I would use "files ldap" in any case so
local changes can override the directory.
Frode Nordahl
[EMAIL PROTECTED]