nss_ldap seems to not work
Jan Bramkamp
crest at rlwinm.de
Tue Nov 8 12:30:52 UTC 2016
On 08/11/2016 09:00, Anthony Pankov via freebsd-hackers wrote:
> Greetings.
>
> nss_ldap seems not to work correctly, at least on FreeBSD 10.3.
The original PADL nss_ldap and pam_ldap modules have been effectively
unmaintained by the upstream for years. They inject a lot of code into
each process using either NSS or PAM. Do yourself a favor and move on to
net/nss-pam-ldapd(-sasl), which is maintained and has moved most of the logic
and all of the network communication to a dedicated daemon process. See
https://arthurdejong.org/nss-pam-ldapd/design for more details.
> Two configurations
> 1. FreeBSD 9.2
> 2. FreeBSD 10.3
> sharing nss_ldap settings and using the same LDAP tree (DIT) produce
> different results.
>
> On FreeBSD 10.3 nss_ldap can't enumerate supplementary user
> groups.
>
> Example:
> FreeBSD 9.2:
> # id user1
> ... groups=basegroup,gr1,gr2,gr3
> FreeBSD 10.3:
> # id user1
> ... groups=basegroup
>
> The effect is an inadequate result from calling initgroups(), which leads
> to various side effects with permissions.
>
> P.S. Interesting fact. On FreeBSD 10.3 the pw utility produces the correct
> result:
> # pw usershow user1
> ... groups=basegroup,gr1,gr2,gr3
>
I suspect that there is a regression in the old nss_ldap module. At this
time I would be surprised if anyone wanted to touch the old code with a
ten foot pole.
-- Jan Bramkamp