Re: auth.log error with nss-pam-ldapd in LDAP client

From: Souji Thenria <mail_at_souji-thenria.net>
Date: Mon, 08 Jan 2024 21:41:19 UTC
Hey Rocky!

> The ACLs should be very permissive in this test stage (all the database
> should be readable by anyone). But the problem turned out to be exactly
> about depth as you mentioned! By referring a single user with its `cn'
> I can print all the information about him/her
> 
> ldapsearch -x -b 'dc=examplehost,dc=domain' '(cn=Name Surname)'
> 
> or by referring to a group I can print all the child items:
> 
> ldapsearch -x -b 'ou=groups,dc=examplehost,dc=domain' '(objectclass=*)'
> 
> Without any further options, the default is to descend no more than two
> levels from the starting point in the command line (in this last example,
> no more than two levels below 'ou=groups,dc=examplehost,dc=domain').
> 
> The relevant option in ldapsearch(1) is 
> 
>        -s {base|one|sub|children}
>               Specify the scope of the search to be one of base, one, sub, or
>               children to specify a base object, one-level, subtree, or
>               children search.  The default is sub.  Note: children scope
>               requires LDAPv3 subordinate feature extension.
> 
> However, I still can not print all the objects using `-s children'. Maybe
> I don't have the mentioned feature.

Good to know.
You might want to use some graphical tool like 'Apache Directory
Studio'. I found it quite useful in the past.

>> That's to be expected. The user you use to query the LDAP directory
>> properly has no access to the 'userPassword' attribute of every user;
>> that's why you don't see any passwords for the LDAP users.
> 
> Ok! But is it normal that a `x', instead of an asterisk, is used to
> represent the missing password?

The asterisk signals that password authentication is disabled; see
passwd(5). The 'x' signals that the password is not in '/etc/passwd' (in
your case, it is in the LDAP directory).

>> I'm not sure about this, but if I remember correctly, there is also
>> another PAM module you need in order to authenticate a user against the
>> LDAP directory. The nss-pam-ldapd is only to query data for the NSS.
> 
> I think it's included in nss-pam-ldapd, which should replace both
> security/pam_ldap and net/nss_ldap:
> 
> # pkg info -l nss-pam-ldapd
> nss-pam-ldapd-0.9.12_1:
>         /usr/local/etc/nslcd.conf.sample
>         /usr/local/etc/rc.d/nslcd
>         /usr/local/lib/nss_ldap.so
>         /usr/local/lib/nss_ldap.so.1
>         /usr/local/lib/pam_ldap.so
>         /usr/local/lib/pam_ldap.so.1
>         /usr/local/man/man5/nslcd.conf.5.gz
>         /usr/local/man/man8/nslcd.8.gz
>         /usr/local/man/man8/pam_ldap.8.gz
>         /usr/local/sbin/nslcd
>         /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL21
>         /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL3
>         /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LICENSE
>         /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/catalog.mk
> 
> Both nss_ldap.so and pam_ldap.so are installed with this package.
> In the /etc/pam.d/sshd module example, in fact, I used
> /usr/local/lib/pam_ldap.so.

You are right. The pam_ldap is also configured using the nslcd.conf file.

Regarding your SSH problem:
Replace 'use_first_pass' with 'try_first_pass' (see pam_ldap(8)).
'use_first_pass' won't prompt for a password. The other one should.

Regards,
Souji

-- 
Souji Thenria
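As an added example that is not part of this thread: a small Python lint for the use_first_pass pitfall Souji points to, run over two constructed FreeBSD-style /etc/pam.d/sshd auth stacks (the pam_ldap.so path follows the package listing above; the stack layout and function names are assumptions).

```python
"""Lint a PAM auth stack for the use_first_pass pitfall from the thread."""

# Constructed sample input: the failing stack (pam_ldap runs first with
# use_first_pass, so nothing ever prompts) and the corrected one.
BROKEN_SSHD = """\
# /etc/pam.d/sshd (constructed, FreeBSD-style)
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn use_first_pass
auth  required    pam_unix.so                 no_warn try_first_pass
"""
FIXED_SSHD = """\
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth  required    pam_unix.so                 no_warn try_first_pass
"""


def parse_pam(text):
    """Return (type, control, module, args) tuples for pam.d-style lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def lint_auth_stack(text):
    """Flag auth modules that expect a password no earlier module collected.

    use_first_pass never prompts: it fails unless a previous auth module
    already stored a password. try_first_pass prompts when none is stored,
    so it is safe even as the first module in the stack.
    """
    findings = []
    password_collected = False
    for typ, _control, module, args in parse_pam(text):
        if typ != "auth":
            continue
        if "use_first_pass" in args and not password_collected:
            findings.append(f"{module}: use_first_pass with no earlier prompting "
                            "auth module; login cannot succeed, use try_first_pass")
        if "use_first_pass" not in args:
            password_collected = True   # this module may prompt and store a password
    return findings


if __name__ == "__main__":
    for name, stack in (("broken", BROKEN_SSHD), ("fixed", FIXED_SSHD)):
        print(name, lint_auth_stack(stack) or "ok")
```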