On Mon, 15 Jul 2013, Jan Bramkamp wrote:

On 15.07.2013 21:44, Daniel Eischen wrote:
On Mon, 15 Jul 2013, Jan Bramkamp wrote:

On 15.07.2013 21:09, Daniel Eischen wrote:
On Mon, 15 Jul 2013, Michael Loftis wrote:

nss_ldap fulfills most of the get*ent calls, thus based on the bits of
your configuration you've exposed I think you're ending up with that
behavior and not using pam_ldap at all.  Instead the authentication is
happening via nsswitch fulfilling getpwent() calls (the passwd: files
ldap line in nsswitch.conf).

Ok, thanks.  But shouldn't the documentation be changed
to reflect that?

More than that. In my opinion it should be updated by replacing nss_ldap
and pam_ldap with nss-pam-ldapd, which splits the job of both into a
shared daemon talking to the LDAP server and small stubs linked into the
NSS / PAM using process talking to the local daemon. This allows usable
timeout handling and client certificates with safe permissions.

I tried nss-pam-ldapd and it doesn't work for me.  I'm not
doing anything strange, as you can see by my configuration.
It would try to talk to the LDAP server, but would fail.
I'm not sure it was correctly picking up the proxyagent
password in my /usr/local/etc/nslcd.conf.  It was definitely
parsing it though, as that is where the LDAP server is
defined.  I switched to using pam_ldap and nss_ldap, and
it worked without any problem.


This is my basic nslcd.conf:

Thanks, mine is simpler.  I just tried again.

  $ sudo grep -v "^#" /usr/local/etc/nslcd.conf | sort -u
  base dc=foo,dc=bar,dc=com
  binddn cn=proxyagent,dc=foo,dc=bar,dc=com
  bindpw <...>
  gid nslcd
  uid nslcd
  uri ldap://192.168.3.96/

Everything else is default.  All the entries above match
the respective settings I used in the working ldap.conf
and nss_ldap.conf.

We're using Oracle DSEE7 (nee Sun Java Directory Server).

--
DE
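Two quick checks for the situation discussed in this thread, added here as an example and not part of anyone's post: whether the NSS stack (nss_ldap or nslcd) is handing out real password hashes through getpwent(), which is what lets "authentication" succeed without pam_ldap, and whether the file holding bindpw is readable by everyone. The sample passwd lines are constructed; the path /usr/local/etc/nslcd.conf is the one from the thread.

```shell
#!/bin/sh
# Constructed samples of what `getent passwd jdoe` might return.
# With nss_ldap and an unrestricted userPassword attribute the hash
# itself comes back; with nslcd (or a locked-down directory) a
# placeholder comes back and PAM has to do the real bind.
SAMPLE_LEAK='jdoe:{SSHA}constructedhashvalue==:10001:10001:John Doe:/home/jdoe:/bin/sh'
SAMPLE_OK='jdoe:*:10001:10001:John Doe:/home/jdoe:/bin/sh'

# nss_pw_exposed PASSWD_LINE
# Prints "exposed" when the password field carries something other than
# the usual placeholders, i.e. NSS is leaking the hash to every local
# process; prints "placeholder" otherwise.
nss_pw_exposed() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        ''|'*'|'x'|'!'|'!!'|'*LK*'|'*NP*') echo placeholder ;;
        *) echo exposed ;;
    esac
}

# check_user NAME: the same test against the live NSS configuration.
check_user() {
    line=$(getent passwd "$1") || { echo "not found via NSS: $1" >&2; return 2; }
    nss_pw_exposed "$line"
}

# bindpw_world_readable FILE
# Prints "yes" if "other" has read permission on FILE (find -perm -004),
# which for nslcd.conf or nss_ldap.conf means bindpw is readable by
# every local user; "no" otherwise.
bindpw_world_readable() {
    if [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# Usage: sh this_script.sh user1 [user2 ...]
for u in "$@"; do
    printf '%s: hash via NSS %s\n' "$u" "$(check_user "$u")"
done
if [ "$#" -gt 0 ]; then
    printf '/usr/local/etc/nslcd.conf world-readable: %s\n' \
        "$(bindpw_world_readable /usr/local/etc/nslcd.conf)"
fi
```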
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"