lists.arthurdejong.org

Re: rootpwmoddn seems not be working properly

On Sun, Nov 02, 2014 at 13:25:44 +0100, Arthur de Jong wrote:
> As a precaution nslcd will perform a search after the BIND to ensure
> that the BIND is successful. Some LDAP servers do not return the correct
> error code at BIND but the error is only found after search.
> 
[...]
> Until someone can suggest a good search to perform after authentication
> I'm afraid we're stuck with having to have the rootpwmoddn be a real
> entry in LDAP.

I don't have any personal experience with these issues, but after
reading the description here, I wondered if it would work to add a
configuration option that told nslcd that the BIND operation result
status can be trusted and the post-BIND search isn't necessary.

Of course that would only be appropriate when the LDAP server in use
does return an error at the BIND stage, but in those cases it might be a
way to allow nslcd to function using an admin DN that can log in but
that doesn't actually exist in the database (without having to come up with
some other search to use instead of rootpwmoddn itself).

                                                Nathan

----------------------------------------------------------------------------
Nathan Stratton Treadway  -  nathanst@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239
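
Added example (not part of the original message and not nslcd code): a toy Python model of the trade-off discussed in this thread, comparing the post-BIND search with a setting that trusts the BIND result. ToyServer, authenticate, trust_bind and the sample DNs are hypothetical and constructed; the model assumes the post-BIND search is a base lookup of the bound DN and that a server which does not fail at BIND reports the bad credentials at search time.

```python
from dataclasses import dataclass

# LDAP result codes (RFC 4511)
SUCCESS, NO_SUCH_OBJECT, INVALID_CREDENTIALS = 0, 32, 49

@dataclass
class ToyServer:
    """Constructed stand-in for an LDAP server (hypothetical, not a real API)."""
    entries: set        # DNs that exist as entries in the database
    passwords: dict     # DN -> accepted password; may hold a DN with no entry
    honest_bind: bool   # False: bad credentials are only reported at search time
    bound_ok: bool = False

    def bind(self, dn, password):
        self.bound_ok = self.passwords.get(dn) == password
        if self.bound_ok or not self.honest_bind:
            return SUCCESS              # a lax server claims success either way
        return INVALID_CREDENTIALS

    def search_base(self, dn):
        # Assumption: the lax server surfaces the failed BIND here.
        if not self.bound_ok:
            return INVALID_CREDENTIALS
        return SUCCESS if dn in self.entries else NO_SUCH_OBJECT

def authenticate(server, dn, password, trust_bind=False):
    """trust_bind models the option proposed in the message (hypothetical name)."""
    rc = server.bind(dn, password)
    if rc != SUCCESS or trust_bind:
        return rc
    return server.search_base(dn)       # post-BIND check on the bound DN itself

# Constructed sample data: an admin DN that can bind but has no entry.
ADMIN = "cn=admin,dc=example,dc=com"

def make_server(honest_bind):
    return ToyServer(entries={"uid=alice,ou=people,dc=example,dc=com"},
                     passwords={ADMIN: "correct-pw"}, honest_bind=honest_bind)

def outcome_table():
    """Result code for every (server kind, password, trust_bind) combination."""
    return {(honest, pw_ok, trust): authenticate(
                make_server(honest), ADMIN,
                "correct-pw" if pw_ok else "wrong-pw", trust)
            for honest in (True, False)
            for pw_ok in (True, False)
            for trust in (False, True)}

if __name__ == "__main__":
    for key, rc in sorted(outcome_table().items()):
        print(dict(zip(("honest_bind", "password_ok", "trust_bind"), key)), "->", rc)
```

In this model the admin DN with the correct password only succeeds when trust_bind is set, and the same setting accepts a wrong password on the server that does not fail at BIND.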