nss_ldap seems to not work

Jan Bramkamp crest at rlwinm.de
Tue Nov 8 12:30:52 UTC 2016


On 08/11/2016 09:00, Anthony Pankov via freebsd-hackers wrote:
> Greetings.
>
> nss_ldap seems to not work correctly at least at FreeBSD 10.3.

The original PADL nss_ldap and pam_ldap modules have been effectively 
unmaintained by the upstream for years. They inject a lot of code into 
each process using either NSS or PAM. Do yourself a favor and move on to 
net/nss-pam-ldapd(-sasl), which is maintained and has moved most of the logic 
and all of the network communication to a dedicated daemon process. See 
https://arthurdejong.org/nss-pam-ldapd/design for more details.

> Two configurations
> 1. FreeBSD 9.2
> 2. FreeBSD 10.3
> sharing nss_ldap settings and using the same LDAP tree (DIT) produce
> different results.
>
> At FreeBSD 10.3 nss_ldap can't enumerate supplementary user
> groups.
>
> Example:
> FreeBSD 9.2:
>                 # id user1
>                  ... groups=basegroup,gr1,gr2,gr3
> FreeBSD 10.3:
>                 # id user1
>                  ... groups=basegroup
>
> The effect is an inadequate result of initgroups() calls, which leads to
> various side effects with permissions.
>
> P.S. Interesting fact. At FreeBSD 10.3 the pw utility produces the correct
> result:
>         # pw usershow user1
>         ... groups=basegroup,gr1,gr2,gr3
>

I suspect that there is a regression in the old nss_ldap module. At this 
time I would be surprised if anyone wanted to touch the old code with a 
ten-foot pole.

-- Jan Bramkamp

