Re: auth.log error with nss-pam-ldapd in LDAP client
Date: Mon, 08 Jan 2024 21:41:19 UTC
Hey Rocky!

> The ACLs should be very permissive in this test stage (all the database
> should be readable by anyone). But the problem turned out to be exactly
> about depth as you mentioned! By referring to a single user with its `cn'
> I can print all the information about him/her
>
> ldapsearch -x -b 'dc=examplehost,dc=domain' '(cn=Name Surname)'
>
> or by referring to a group I can print all the child items:
>
> ldapsearch -x -b 'ou=groups,dc=examplehost,dc=domain' '(objectclass=*)'
>
> Without any further options, the default is to descend no more than two
> levels from the starting point in the command line (in this last example,
> no more than two levels below 'ou=groups,dc=examplehost,dc=domain').
>
> The relevant option in ldapsearch(1) is
>
> -s {base|one|sub|children}
> Specify the scope of the search to be one of base, one, sub, or
> children to specify a base object, one-level, subtree, or
> children search. The default is sub. Note: children scope
> requires LDAPv3 subordinate feature extension.
>
> However, I still cannot print all the objects using `-s children'. Maybe
> I don't have the mentioned feature.

Good to know. You might want to use some graphical tool like 'Apache
Directory Studio'. I found it quite useful in the past.

>> That's to be expected. The user you use to query the LDAP directory
>> probably has no access to the 'userPassword' attribute of every user;
>> that's why you don't see any passwords for the LDAP users.
>
> Ok! But is it normal that an `x', instead of an asterisk, is used to
> represent the missing password?

The asterisk signals that password authentication is disabled; see
passwd(5). The 'x' signals that the password is not in '/etc/passwd' (in
your case, it is in the LDAP directory).

>> I'm not sure about this, but if I remember correctly, there is also
>> another PAM module you need in order to authenticate a user against the
>> LDAP directory. The nss-pam-ldapd is only to query data for the NSS.
>
> I think it's included in nss-pam-ldapd, which should replace both
> security/pam_ldap and net/nss_ldap:
>
> # pkg info -l nss-pam-ldapd
> nss-pam-ldapd-0.9.12_1:
> /usr/local/etc/nslcd.conf.sample
> /usr/local/etc/rc.d/nslcd
> /usr/local/lib/nss_ldap.so
> /usr/local/lib/nss_ldap.so.1
> /usr/local/lib/pam_ldap.so
> /usr/local/lib/pam_ldap.so.1
> /usr/local/man/man5/nslcd.conf.5.gz
> /usr/local/man/man8/nslcd.8.gz
> /usr/local/man/man8/pam_ldap.8.gz
> /usr/local/sbin/nslcd
> /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL21
> /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LGPL3
> /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/LICENSE
> /usr/local/share/licenses/nss-pam-ldapd-0.9.12_1/catalog.mk
>
> Both nss_ldap.so and pam_ldap.so are installed with this package.
> In the /etc/pam.d/sshd module example, in fact, I used
> /usr/local/lib/pam_ldap.so.

You are right. pam_ldap is also configured using the nslcd.conf file.

Regarding your SSH problem: Replace 'use_first_pass' with 'try_first_pass'
(see pam_ldap(8)). 'use_first_pass' won't prompt for a password. The other
one should.

Regards,
Souji

--
Souji Thenria
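As an added illustration of the use_first_pass / try_first_pass point (this is not a config from the thread or from the nss-pam-ldapd project), the auth section of /etc/pam.d/sshd on FreeBSD with the broken line beside the corrected one; the module path is the one from the pkg listing, and any other auth lines of the stock file are assumed unchanged and omitted here.

```text
# /etc/pam.d/sshd, auth section (added example; assumed layout)
#
# Broken: use_first_pass makes pam_ldap reuse a password that an earlier
# module already collected and never prompt on its own. When pam_ldap is
# the first module that needs a password, there is nothing to reuse, so the
# LDAP user is rejected and auth.log shows the failure.
#auth   sufficient  /usr/local/lib/pam_ldap.so   no_warn use_first_pass
#
# Fixed: try_first_pass reuses an already-entered password if there is one
# and prompts otherwise. pam_unix after it also uses try_first_pass, so a
# local account is still checked without a second prompt.
auth    sufficient  /usr/local/lib/pam_ldap.so   no_warn try_first_pass
auth    required    pam_unix.so                  no_warn try_first_pass
```

Keep pam_unix as the last, required module so that a missing or unreachable LDAP server still falls through to local accounts rather than locking everyone out.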