From: Rocky Hotas
To: FreeBSD Questions
Cc: mail@souji-thenria.net
Subject: Re: auth.log error with nss-pam-ldapd in LDAP client
Date: Mon, 8 Jan 2024 21:39:34 +0100
In-Reply-To: <1b84e5fa-41c1-471e-80bd-cc7595775ccc@souji-thenria.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hi Souji!
> Sent: Monday, January 08, 2024 at 7:19 PM
> From: "Souji Thenria"
> To: "Rocky Hotas", "FreeBSD Questions"
> Subject: Re: auth.log error with nss-pam-ldapd in LDAP client

[...]

> If you run the command like this, the query is executed using anonymous
> bind, and based on your configured ACLs, it might limit what you can see.
> Additionally, I think the default depth for 'ldapsearch' is 2 (but I'm
> not sure about this).

The ACLs should be very permissive in this test stage (the whole database
should be readable by anyone). But the problem turned out to be exactly
about depth, as you mentioned! By referring to a single user by its `cn'
I can print all the information about him/her:

ldapsearch -x -b 'dc=examplehost,dc=domain' '(cn=Name Surname)'

or by referring to a group I can print all the child items:

ldapsearch -x -b 'ou=groups,dc=examplehost,dc=domain' '(objectclass=*)'

Without any further options, the default is to descend no more than two
levels from the starting point given on the command line (in this last
example, no more than two levels below 'ou=groups,dc=examplehost,dc=domain').
The relevant option in ldapsearch(1) is

     -s {base|one|sub|children}
            Specify the scope of the search to be one of base, one, sub, or
            children to specify a base object, one-level, subtree, or
            children search.  The default is sub.  Note: children scope
            requires LDAPv3 subordinate feature extension.

However, I still can not print all the objects using `-s children'. Maybe
I don't have the mentioned feature.

> That's to be expected. The user you use to query the LDAP directory
> properly has no access to the 'userPassword' attribute of every user;
> that's why you don't see any passwords for the LDAP users.

Ok! But is it normal that an `x', instead of an asterisk, is used to
represent the missing password?
> I'm not sure about this, but if I remember correctly, there is also
> another PAM module you need in order to authenticate a user against the
> LDAP directory. The nss-pam-ldapd is only to query data for the NSS.

I think it's included in nss-pam-ldapd, which should replace both
security/pam_ldap and net/nss_ldap:

# pkg info -l nss-pam-ldapd
nss-pam-ldapd-0.9.12_1:
	/usr/local/etc/nslcd.conf.sample
	/usr/local/etc/rc.d/nslcd
	/usr/local/lib/nss_ldap.so
	/usr/local/lib/nss_ldap.so.1
	/usr/local/lib/pam_ldap.so
	/usr/local/lib/pam_ldap.so.1
	/usr/local/man/man5/nslcd.conf.5.gz
	/usr/local/man/man8/nslcd.8.gz
	/usr/local/man/man8/pam_ldap.8.gz
	/usr/local/sbin/nslcd
	/usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL21
	/usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL3
	/usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LICENSE
	/usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/catalog.mk

Both nss_ldap.so and pam_ldap.so are installed with this package. In the
/etc/pam.d/sshd module example, in fact, I used /usr/local/lib/pam_ldap.so.

Rocky
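As an added example (not the poster's configuration and not shipped by the nss-pam-ldapd port), the following ties together the two points raised in the thread: the anonymous bind and the unreadable userPassword attribute. nslcd is pointed at the directory through a dedicated read-only service account over verified TLS, the search scope is stated explicitly, and pam_ldap.so from the same package is wired into /etc/pam.d/sshd. The host ldap.examplehost.domain, the bind DN cn=nslcd,ou=services,dc=examplehost,dc=domain, the CA file path and the placeholder password are all assumptions made for this example.

```conf
# /usr/local/etc/nslcd.conf  (chmod 0600 root:wheel, since bindpw lives here)
# Assumed: host name, base DN, bind DN, CA file path.
uri            ldaps://ldap.examplehost.domain/
base           dc=examplehost,dc=domain

# Bind as a dedicated read-only service account instead of anonymously, so the
# directory ACLs no longer have to expose the whole tree to everyone.
# This account must NOT be granted read access to userPassword: pam_ldap
# authenticates by binding as the user's own DN, so nslcd never needs it.
binddn         cn=nslcd,ou=services,dc=examplehost,dc=domain
bindpw         <service-account-password>

# Verify the server certificate; 'never' would silently accept any LDAP server.
tls_cacertfile /usr/local/etc/ssl/ldap-ca.crt
tls_reqcert    demand

# Per-map search bases; 'sub' is already the default scope, stated here only
# so nobody later assumes the search stops a fixed number of levels down.
base  passwd   ou=users,dc=examplehost,dc=domain
base  group    ou=groups,dc=examplehost,dc=domain
scope          sub

# /etc/nsswitch.conf (NSS side, served by /usr/local/lib/nss_ldap.so)
passwd: files ldap
group:  files ldap

# /etc/rc.conf
nslcd_enable="YES"

# /etc/pam.d/sshd, auth section (PAM side, /usr/local/lib/pam_ldap.so).
# The other lines of the stock file stay as shipped. 'try_first_pass' reuses
# the password already entered so the user is not prompted twice; pam_unix
# stays 'required' so local accounts keep working when the directory is down.
auth    sufficient  /usr/local/lib/pam_ldap.so   no_warn try_first_pass
auth    required    pam_unix.so                  no_warn try_first_pass
```

To check the split before relying on it, bind as the service account rather than anonymously, e.g. `ldapsearch -H ldaps://ldap.examplehost.domain/ -D 'cn=nslcd,ou=services,dc=examplehost,dc=domain' -W -b 'dc=examplehost,dc=domain' -s sub '(objectClass=posixAccount)' uid userPassword`: every account should come back, and none should carry a userPassword value. After `service nslcd start`, `getent passwd` and `id <ldap-user>` exercise the NSS path, and an ssh login as a directory user exercises pam_ldap.so; a failure in the latter while the former works points at ACLs or the PAM line, not at nslcd.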