freebsd stable - Feb 2006 - nss_ldap problem

I use nss_ldap-1.239 and nss_ldap-1.244 on 5.4 and 6.0
I have a problem -- login success only if {CRYPT} mechanism used in
ldap database. Other services, authenticated in ldap, work fine
(pam_ldap, apache auth for example).

My configs:
/etc/pam.d/system
# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok
# account
account		required	pam_login_access.so
account		required	/usr/local/lib/pam_ldap.so	ignore_authinfo_unavail
ignore_unknown_user
account		required	pam_unix.so
# session
session		required	/usr/local/lib/pam_mkhomedir.so	skel=/etc/skel umask=0077
session		required	pam_lastlog.so		no_fail
# password
password	sufficient	/usr/local/lib/pam_ldap.so	use_authtok
password	required	pam_unix.so		no_warn try_first_pass

/etc/nsswitch.conf
group: ldap files
hosts: files dns
networks: files
passwd: ldap files
shells: files
imap: ldap

/usr/local/etc/ldap.conf
uri ldaps://fbsd
base ou=users,o=oil-space
ldap_version 3
scope one
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_password md5
nss_base_passwd ou=users,o=oil-space?one
nss_base_shadow ou=users,o=oil-space?one
nss_base_group ou=groups,o=oil-space?one
ssl on
tls_cacertfile /usr/local/etc/ssl/cacert.pem

uname -rs && ls -l /usr/local/etc/nss_ldap.conf && pkg_info -Ix
nss_ldap -x pam_ldap
FreeBSD 5.4-STABLE
lrwxr-xr-x  1 root  wheel  24 Feb 22 16:41 /usr/local/etc/nss_ldap.conf ->
/usr/local/etc/ldap.conf
nss_ldap-1.244      RFC 2307 NSS module
pam_ldap-1.8.0      A pam module for authenticating with LDAP

Is somebody have the same problems?

WBR
-- 
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 495 105 7247 ext.203 F:+7 495 105 7246 E:DmitriyKirhlarov@oilspace.com
OILspace - The resource enriched - www.oilspace.com

On 26. feb. 2006, at 09.14, Dmitriy Kirhlarov wrote:
> I use nss_ldap-1.239 and nss_ldap-1.244 on 5.4 and 6.0
> I have a problem -- login success only if {CRYPT} mechanism used in
> ldap database. Other services, authenticated in ldap, work fine
> (pam_ldap, apache auth for example).
pam_ldap authenticates the user by attempting to bind to the LDAP  
server using the users credentials. So what type of encryption used  
should not make any difference.

However, I have observed configurations on Linux where authentication  
is done through nss_ldap instead of pam_ldap. What actually happends  
then is that nss_ldap fetches the password from the database and  
pam_unix does the authentiaction work.

If this is the case in your setup, the encryption chosen would matter  
as pam_unix probably does not support all the modes that OpenLDAP has.

You could try to remove pam_ldap from your setup, and leave nss_ldap  
active and see if you still can log in?

What does your ACL's look like?

I have this as one of my first ACL's:
access to attr=userPassword
	by self write
	by anonymous auth
	by * none

This makes sure that no one can read the password from the directory,  
but allows a user to change his own password, and to authenticate by  
binding to the LDAP server.

[snip]
> /etc/nsswitch.conf
> group: ldap files
> hosts: files dns
> networks: files
> passwd: ldap files
> shells: files
> imap: ldap
Why do you have "ldap" first? I would use "files ldap" in
any case so
local changes can override the directory.

Frode Nordahl
frode@nordahl.net