Re: auth.log error with nss-pam-ldapd in LDAP client
- In reply to: Souji Thenria : "Re: auth.log error with nss-pam-ldapd in LDAP client"
Date: Mon, 08 Jan 2024 23:40:38 UTC
Hi Souji!

> Sent: Monday, January 08, 2024 at 10:41 PM
> From: "Souji Thenria" <mail@souji-thenria.net>
> To: "Rocky Hotas" <rockyhotas@post.com>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
> Subject: Re: auth.log error with nss-pam-ldapd in LDAP client
>
> > The relevant option in ldapsearch(1) is
> >
> >      -s {base|one|sub|children}
> >              Specify the scope of the search to be one of base, one, sub, or
> >              children to specify a base object, one-level, subtree, or
> >              children search.  The default is sub.  Note: children scope
> >              requires LDAPv3 subordinate feature extension.
> >
> > However, I still cannot print all the objects using `-s children'. Maybe
> > I don't have the mentioned feature.

I have some corrections to make. `-s sub', which is the default if `-s' is
not specified at all, should already print all the items in the database.
In my case, the problem was not the depth, but the limit on the number of
items.

Limits are used in LDAP to prevent clients from requesting excessive
resources from the server. They can be set on the server (with the global
settings olcSizeLimit and olcTimeLimit) and/or on the client. In my case,
only the client configuration file (/usr/local/etc/openldap/ldap.conf) had
such limits. They were:

SIZELIMIT 12
TIMELIMIT 15

Raising the `SIZELIMIT', I can print all the items in my LDAP database,
even without specifying `-s'. A more detailed discussion is here:

<https://www.openldap.org/doc/admin24/limits.html>

> You might want to use some graphical tool like 'Apache Directory
> Studio'. I found it quite useful in the past.

I was looking for exactly something similar. I can try it, even though I
would prefer something available on the CLI (and I could not find anything
so far).

> The asterisk signals that password authentication is disabled; see
> passwd(5). The 'x' signals that the password is not in '/etc/passwd' (in
> your case, it is in the LDAP directory).

Ok! Thanks, also for the reference.

> You are right. The pam_ldap is also configured using the nslcd.conf file.
>
> Regarding your SSH problem:
> Replace 'use_first_pass' with 'try_first_pass' (see pam_ldap(8)).
> 'use_first_pass' won't prompt for a password. The other one should.

It worked! In the developer's documentation
<https://arthurdejong.org/nss-pam-ldapd/setup> `use_first_pass' is
suggested, but this may refer to another version of PAM, probably for
Linux, with different modules and different rules. `try_first_pass'
definitely makes sense, according to pam_ldap(8). In fact, here on FreeBSD
pam_unix.so also uses `try_first_pass'.

Thank you so much!

Rocky
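The two client-side settings this reply settles on (the SIZELIMIT/TIMELIMIT
keywords in the OpenLDAP client ldap.conf, and use_first_pass versus
try_first_pass on the pam_ldap line of the sshd PAM stack) are easy to get
wrong again on the next host. The script below is an added example, not
code from this thread, from nss-pam-ldapd or from OpenLDAP: a small
pre-flight lint that reports the effective client limits and whether the
pam_ldap line will prompt for a password. The file paths and contents it
writes are constructed for the demo (on FreeBSD the real files would be
/usr/local/etc/openldap/ldap.conf and /etc/pam.d/sshd, and the pam_ldap
module path /usr/local/lib/pam_ldap.so is an assumption about where the
port installs it).

```sh
#!/bin/sh
# Added example (not part of the original thread): lint the two client-side
# settings discussed above before restarting sshd.
#   1. SIZELIMIT / TIMELIMIT in the OpenLDAP client ldap.conf. Per
#      ldap.conf(5), an absent or zero value means no client-side limit;
#      the server's olcSizeLimit/olcTimeLimit still apply on top of it.
#   2. The pam_ldap "auth" line of a PAM service file: use_first_pass never
#      prompts for a password, try_first_pass prompts when no password was
#      handed down by an earlier module.
# All paths and file contents below are constructed for the demo.

# Effective value of a limit keyword in ldap.conf. Keywords are matched
# case-insensitively, comment lines are skipped, and a later line overrides
# an earlier one (an assumption made for this checker). Prints 0 when the
# keyword is absent, i.e. no client-side limit.
ldap_limit() {   # usage: ldap_limit <ldap.conf> <SIZELIMIT|TIMELIMIT>
    awk -v key="$2" '
        substr($1, 1, 1) != "#" && toupper($1) == key { val = $2 }
        END { print (val == "" ? 0 : val + 0) }
    ' "$1"
}

# How pam_ldap obtains the password in a PAM service file
# (pam.conf format: type control-flag module-path module-arguments):
#   use_first_pass -> never prompts (the symptom in the thread)
#   try_first_pass -> prompts if no password was passed down
#   prompt         -> neither option given; the module prompts itself
#   absent         -> no pam_ldap auth line in the file
pam_ldap_password_mode() {   # usage: pam_ldap_password_mode <pam-service-file>
    awk '
        $1 == "auth" && $3 ~ /pam_ldap\.so$/ {
            found = 1; mode = "prompt"
            for (i = 4; i <= NF; i++)
                if ($i == "use_first_pass" || $i == "try_first_pass") mode = $i
        }
        END { print (found ? mode : "absent") }
    ' "$1"
}

# Exit status 0 if the pam_ldap line can prompt over SSH, 1 otherwise.
pam_ldap_will_prompt() {   # usage: pam_ldap_will_prompt <pam-service-file>
    case "$(pam_ldap_password_mode "$1")" in
        try_first_pass|prompt) return 0 ;;
        *) return 1 ;;
    esac
}

# Write constructed sample files into <dir>: the limits quoted in the mail,
# and the sshd stack before and after the use_first_pass -> try_first_pass fix.
write_sample_configs() {   # usage: write_sample_configs <dir>
    cat > "$1/ldap.conf" <<'EOF'
# constructed sample, mirrors the client limits quoted in the thread
BASE      dc=example,dc=org
URI       ldap://ldap.example.org
SIZELIMIT 12
TIMELIMIT 15
EOF
    cat > "$1/sshd.before" <<'EOF'
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn use_first_pass
auth  required    pam_unix.so                 no_warn try_first_pass
EOF
    cat > "$1/sshd.after" <<'EOF'
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth  required    pam_unix.so                 no_warn try_first_pass
EOF
}

# Demo: lint the constructed files and print a one-line verdict for each.
lint_demo() {
    dir=$(mktemp -d) || return 1
    write_sample_configs "$dir"
    printf 'ldap.conf: SIZELIMIT=%s TIMELIMIT=%s (0 = no client-side limit)\n' \
        "$(ldap_limit "$dir/ldap.conf" SIZELIMIT)" \
        "$(ldap_limit "$dir/ldap.conf" TIMELIMIT)"
    for f in sshd.before sshd.after; do
        mode=$(pam_ldap_password_mode "$dir/$f")
        if pam_ldap_will_prompt "$dir/$f"; then
            printf '%s: pam_ldap %s, ssh password prompt OK\n' "$f" "$mode"
        else
            printf '%s: pam_ldap %s, ssh will NOT prompt for a password\n' "$f" "$mode"
        fi
    done
    rm -rf "$dir"
}

lint_demo
```

Two practical notes. A client-side SIZELIMIT only stops the client asking for
more; when the server's olcSizeLimit is the one that bites, ldapsearch still
ends with "Size limit exceeded (4)" and the fix is on the server. And for a
single search you do not need to edit ldap.conf at all: ldapsearch(1) takes
`-z sizelimit` and `-l timelimit`, and `-z 0` asks for no client-side size
limit for that invocation.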