Re: nss_ldap and OpenLDAP client version
Ansar Mohammed wrote: One of the more undocumented things here is to make sure that in your /usr/local/etc/nss_ldap.conf to make sure that your bind_polcy is soft. If not, you will have no end of problems if you ldap server goes down. Basically if you have in your nsswitch.conf: Passwd: files ldap Group: files ldap If your ldap server is down; nss_ldap keeps trying to reconnect and allot of apps just hang; (like top, ls -la etc) Luckily I haven't had the problem of OpenLDAP going down much so I haven't tweaked this option yet (all clients are currently on the same machine). The [fail=continue] switches (can't recall the exact terms) might alleviate that for NSS stuff? When I first read about the parameter my initial reaction was that 'soft' and 'hard' weren't all that intuitive, but maybe thats just me (fail_immediately/retry_on_fail or similar make more sense to me). One area I wasn't too sure of at first is the permissions on /usr/local/etc/ldap.conf (and nss_ldap.conf)... because of the issues I was having, I figured I needed to configure the 'binddn' and 'bindpw' settings to get a proxy user account to bind to LDAP (I was thinking of Solaris' proxy account and Directory Server). But those params require an unhashed password in the file, so I tried to set it only to be readable by root, which doesn't work - it needs to be world-readable. From what I've gleaned you can do away with these settings, if the directory is setup to allow anonymous binds and reading of the required information via an anonymous bind, or otherwise you need to setup an account with very limited read-only privileges on the required entries. One thing I'm still not clear on with the pam_ldap interaction (not so much the name service switch stuff) - a limited user to read username/group name/hostname information etc is fine for NSS, but what about authentication attempts? I'm guessing pam_ldap doesn't use the 'binddn' proxy to compare the hashed passwords, or otherwise you'd be stuck in a situation where you have to have a world readable account/password, and that account can read all password information. I'll up the debugging on slapd and try it for myself, but I think when I last checked it wasn't using the 'rootbinddn' account I'd supplied for authentication attempts (might've been trying to bind anonymously and then as the user's DN directly with the supplied credentials, can't recall, though the latter would make sense to me). Cheers Joe ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: nss_ldap and OpenLDAP client version
One of the more undocumented things here is to make sure that in your /usr/local/etc/nss_ldap.conf to make sure that your bind_polcy is soft. If not, you will have no end of problems if you ldap server goes down. Basically if you have in your nsswitch.conf: Passwd: files ldap Group: files ldap If your ldap server is down; nss_ldap keeps trying to reconnect and allot of apps just hang; (like top, ls -la etc) -Original Message- From: [EMAIL PROTECTED] [mailto:owner-freebsd- [EMAIL PROTECTED] On Behalf Of Joe Shevland Sent: May 25, 2006 3:33 AM To: freebsd-questions@freebsd.org Subject: nss_ldap and OpenLDAP client version Hi, I'm about to setup my jails so they authenticate against the 'host' server using OpenLDAP and nss_ldap, pam_ldap and so on. I've done this before but wanted to repeat the process because last time it ended up being so much fiddling that when I finished I just left it alone - this time I'm documenting it :) I packaged up versions of the port for OpenLDAP 2.3 (well, actually 2.4 but that looks to just use 2.3 in any case) and then went to package up the nss_ldap port but its after OpenLDAP 2.2 stuff... I guess my question is whether this is intentional (i.e. security related), or just a port maintenance issue? I would've thought between 2.2-2.3 there's been a few security advisories... I only did a lazy lightning google and came across a few (http://www.frsirt.com/english/advisories/2005/0947) is perhaps one. Anyway, just thought I'd check. As punishment, if this is a stupid question or has been answered before, happy to write up a tutorial as I go as penance. Cheers Joe ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions- [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
nss_ldap and OpenLDAP client version
Hi, I'm about to setup my jails so they authenticate against the 'host' server using OpenLDAP and nss_ldap, pam_ldap and so on. I've done this before but wanted to repeat the process because last time it ended up being so much fiddling that when I finished I just left it alone - this time I'm documenting it :) I packaged up versions of the port for OpenLDAP 2.3 (well, actually 2.4 but that looks to just use 2.3 in any case) and then went to package up the nss_ldap port but its after OpenLDAP 2.2 stuff... I guess my question is whether this is intentional (i.e. security related), or just a port maintenance issue? I would've thought between 2.2-2.3 there's been a few security advisories... I only did a lazy lightning google and came across a few (http://www.frsirt.com/english/advisories/2005/0947) is perhaps one. Anyway, just thought I'd check. As punishment, if this is a stupid question or has been answered before, happy to write up a tutorial as I go as penance. Cheers Joe ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
