From: Rocky Hotas
To: FreeBSD Questions
Cc: mail@souji-thenria.net
Subject: Re: auth.log error with nss-pam-ldapd in LDAP client
Date: Tue, 9 Jan 2024 00:40:38 +0100
In-Reply-To: <59c5a96e-d4b1-4a5e-ae52-a487c8c6e286@souji-thenria.net>
References: <1b84e5fa-41c1-471e-80bd-cc7595775ccc@souji-thenria.net> <59c5a96e-d4b1-4a5e-ae52-a487c8c6e286@souji-thenria.net>
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hi Souji!
> Sent: Monday, January 08, 2024 at 10:41 PM
> From: "Souji Thenria"
> To: "Rocky Hotas", "FreeBSD Questions"
> Subject: Re: auth.log error with nss-pam-ldapd in LDAP client
>
> > The relevant option in ldapsearch(1) is
> >
> > -s {base|one|sub|children}
> >         Specify the scope of the search to be one of base, one, sub, or
> >         children to specify a base object, one-level, subtree, or
> >         children search. The default is sub. Note: children scope
> >         requires LDAPv3 subordinate feature extension.
> >
> > However, I still cannot print all the objects using `-s children'. Maybe
> > I don't have the mentioned feature.

I have some corrections to make. `-s sub', which is the default if `-s' is not specified at all, should already print all the items in the database. In my case, the problem was not the depth, but the limit of items. Limits are used in LDAP to prevent clients from requesting excessive resources from the server. They can be set from the server (with the global settings olcSizeLimit and olcTimeLimit) and/or from the client. In my case, only the client configuration file (/usr/local/etc/openldap/ldap.conf) had such limits. They were:

SIZELIMIT 12
TIMELIMIT 15

Raising the `SIZELIMIT', I can print all the items in my LDAP database, even without specifying `-s'.

A more detailed discussion is here:

> You might want to use some graphical tool like 'Apache Directory
> Studio'. I found it quite useful in the past.

I was looking exactly for something similar. I can try it, even if I would prefer something available on the CLI (and I could not find anything so far).

> The asterisk signals that password authentication is disabled; see
> passwd(5). The 'x' signals that the password is not in '/etc/passwd' (in
> your case, it is in the LDAP directory).

Ok!
Thanks, also for the reference.

> You are right. The pam_ldap is also configured using the nslcd.conf file.
>
> Regarding your SSH problem:
> Replace 'use_first_pass' with 'try_first_pass' (see pam_ldap(8)).
> 'use_first_pass' won't prompt for a password. The other one should.

It worked! In the developer's documentation `use_first_pass' is suggested, but this may refer to another version of pam, probably for Linux, with different modules and different rules. `try_first_pass' definitely makes sense, according to pam_ldap(8). In fact, here on FreeBSD pam_unix.so also uses `try_first_pass'.

Thank you so much!

Rocky
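The diagnostic Rocky went through above (a search that stops at 12 entries because of a client-side SIZELIMIT rather than the search scope) is easy to script. The following is an added example, not code from the thread or from OpenLDAP: it parses an ldap.conf(5)-style client file and, given the LDAP result code ldapsearch reported and the number of entries actually received, says whether the client's own SIZELIMIT/TIMELIMIT or a server-side limit (olcSizeLimit/olcTimeLimit) cut the result short. The sample configuration, the hostnames and the decision rule (the client's limit is the binding one when the number of entries received equals it) are this example's own assumptions.

```python
"""Tell a client-side ldap.conf limit apart from a server-side one.

Added example for the thread above; not code from the thread or OpenLDAP.
LDAP result codes are those of RFC 4511 (sizeLimitExceeded = 4,
timeLimitExceeded = 3), which ldapsearch(1) prints as
"Size limit exceeded (4)" / "Time limit exceeded (3)".
"""

SUCCESS = 0
TIME_LIMIT_EXCEEDED = 3
SIZE_LIMIT_EXCEEDED = 4

# Constructed sample client configuration with the limits quoted in the
# thread; BASE and URI are placeholders, not real hosts.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client configuration (constructed sample)
BASE    dc=example,dc=org
URI     ldap://ldap.example.org
SIZELIMIT 12
TIMELIMIT 15
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Parse ldap.conf(5) 'KEY value' lines into a dict.

    Keywords are case-insensitive in ldap.conf(5) and are upper-cased here.
    Blank lines and lines starting with '#' are skipped. SIZELIMIT and
    TIMELIMIT default to 0, which ldap.conf(5) defines as "unlimited" on the
    client side; the server's own limits still apply in that case.
    """
    conf = {"SIZELIMIT": 0, "TIMELIMIT": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("SIZELIMIT", "TIMELIMIT"):
            if not value.isdigit():
                raise ValueError(f"{key} must be a non-negative integer, got {value!r}")
            conf[key] = int(value)
        else:
            conf[key] = value
    return conf


def diagnose(result_code, entries_returned, conf, elapsed_s=None):
    """Explain a truncated search from the result code and what the client saw.

    The server returns sizeLimitExceeded for both the limit the client asked
    for (SIZELIMIT in ldap.conf, or ldapsearch -z) and its own limit
    (olcSizeLimit), so the code alone does not say which one applied. The
    client can, however, compare the entries it received with its own limit:
    if they match, the client-side setting is the one to raise (assumption
    of this example: a server limit lower than the client's would have cut
    the result short of the client's number).
    """
    size_limit = conf.get("SIZELIMIT", 0)
    time_limit = conf.get("TIMELIMIT", 0)
    if result_code == SUCCESS:
        return "complete"
    if result_code == SIZE_LIMIT_EXCEEDED:
        if size_limit and entries_returned >= size_limit:
            return (f"client SIZELIMIT {size_limit} reached: raise it in ldap.conf "
                    f"or pass -z 0 to ldapsearch")
        return "server-side size limit (olcSizeLimit/olcLimits) reached: ask the directory admin"
    if result_code == TIME_LIMIT_EXCEEDED:
        if time_limit and elapsed_s is not None and elapsed_s >= time_limit:
            return f"client TIMELIMIT {time_limit}s reached: raise it in ldap.conf or pass -l 0"
        return "server-side time limit (olcTimeLimit) reached: ask the directory admin"
    return f"not a limit problem: LDAP result code {result_code}"


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print(f"client limits: SIZELIMIT={conf['SIZELIMIT']} TIMELIMIT={conf['TIMELIMIT']}")
    # ldapsearch printed 12 entries and then "Size limit exceeded (4)".
    print(diagnose(SIZE_LIMIT_EXCEEDED, 12, conf))
```

Run against the real file with `parse_ldap_conf(open("/usr/local/etc/openldap/ldap.conf").read())` and feed it the count of `dn:` lines ldapsearch printed; when the verdict is "server-side", raising the client's SIZELIMIT or passing `-z 0` will not help, and the limit has to be changed on the server.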