Subject: Re: pam+ldap
To: Thierry Lacoste <th.lacoste@wanadoo.fr>
From: Quentin Garnier <cube@cubidou.net>
List: netbsd-help
Date: 05/29/2005 16:46:27

On Sun, May 29, 2005 at 01:27:22PM +0200, Thierry Lacoste wrote:
> I've set up a working ldap server on a Linux box.
> Here's my ldap.conf on my NetBSD-current client:
>
> $ cat /usr/pkg/etc/openldap/ldap.conf
<snip>

> I can query the directory from my NetBSD client:
>
> $ ldapsearch -x -b "dc=stars,dc=net" "(objectClass=*)"
> # extended LDIF
<snip>

> I built and installed /usr/pkgsrc/security/pam-ldap and
> I added the lines with pam_ldap.so to my /etc/pam.d/su
>
> $ cat /etc/pam.d/su
<snip>

> But I can't su to the guest account:
>
> $ su - guest
> su: unknown login guest
>
> There's no ldap traffic on my network interface.
>
> What did I miss?

Configuration for pam_ldap, which I guess should take place in
${PKG_SYSCONFDIR}/ldap.conf.

Yes, it is different from the LDAP library's ldap.conf.  It holds
information on where to find the relevant data.

But anyway, it won't work, because you don't have the NSS module to
go along.  Authentication is one thing, but now how does the system
retrieve the UID of the account?  The home directory?

What we need is an NSS module (while PADL's PAM module might work
out of the pkgsrc with OpenPAM, the NSS module will not work with our
libc).

Anybody who wants to help in the LDAP area for NetBSD: do *not* port
PADL's LDAP module.  Write one from scratch, it's likely to have fewer
bugs even typing blind with the toes.  It is a PITA at my work place,
but I haven't got around to making time to write a module yet (RedHat
added a few more bugs in their patches to make things worse).

I might be exaggerating a bit, but it has a few serious flaws and the
code is barely readable.

-- 
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"When I find the controls, I'll go where I like, I'll know where I want
to be, but maybe for now I'll stay right here on a silent sea."
KT Tunstall, Silent Sea, Eye to the Telescope, 2004.
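
Added example, not code from the mail above, from NetBSD's su(1) or from
PADL: a small C program modelling the order an su-like program follows.
It shows why "su: unknown login guest" appears before any LDAP packet
does: the target account is first resolved through the C library's
passwd database (getpwnam(3), driven by nsswitch.conf(5)), and only a
name that resolves is ever handed to PAM.  Without an NSS module that
libc can load, the lookup fails and pam_ldap is never reached, however
correct /etc/pam.d/su is.  The account names are assumptions: "root" is
expected to exist in the local passwd file, the other name is not.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Diagnostic the last su_precheck() call would have printed. */
static char diag[256];

/*
 * Step 1, NSS: ask the C library's passwd database whether the name
 * exists.  getpwnam(3) walks the sources listed in nsswitch.conf(5)
 * (files, plus whatever NSS modules this libc can load); PAM plays no
 * part here.  Returns 1 if the account resolves, 0 otherwise.
 */
int account_resolves(const char *name)
{
    return getpwnam(name) != NULL;
}

/*
 * The order an su-like program follows.  Returns 0 if PAM would be
 * reached for this account, -1 if su stops at the lookup.  In the
 * latter case no PAM module (pam_ldap included) is ever loaded, so no
 * LDAP query leaves the machine.
 */
int su_precheck(const char *name)
{
    struct passwd *pw = getpwnam(name);

    if (pw == NULL) {
        snprintf(diag, sizeof diag, "su: unknown login %s", name);
        return -1;
    }
    /*
     * Only now would su call pam_start("su", name, ...) and
     * pam_authenticate().  uid, gid, home and shell are already in
     * hand, supplied by NSS; PAM authenticates but never provides them.
     */
    snprintf(diag, sizeof diag,
             "su: %s resolved (uid %ld, home %s), handing off to PAM",
             name, (long)pw->pw_uid, pw->pw_dir);
    return 0;
}

const char *su_diagnostic(void)
{
    return diag;
}

int main(void)
{
    /* Assumed names: "root" is in the local passwd file; the other is not. */
    const char *names[] = { "root", "guest-no-such-user-zz" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        su_precheck(names[i]);
        puts(su_diagnostic());
    }
    return 0;
}
```

On a live client the same first step is `getent passwd guest`: if that
prints nothing, the account is invisible to libc and su will report
"unknown login" before PAM, and therefore pam_ldap, is consulted at all.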
