lists.arthurdejong.org

Re: libnss-pam-ldapd: retrieve password information from an LDAP user?




Hi,
Thank you for your answer. I added

map passwd userPassword userPassword

in /etc/nslcd.conf, but the getspnam() function always returns "*" instead of the password hash. What am I missing? Can it be related to the fact that the userPassword field of the LDAP user on the server is set with the {SSHA} hash?

In general, what is the best/preferred method to authenticate on an LDAP user using the libnss-ldap and nslcd? I am pretty sure it is possible because it should be one of the main features of the package, but I have not yet been able to find an effective method to do this.

Thank you,
best regards.

Andrea.

On 31/03/2021 23:54, Arthur de Jong wrote:
> Hi Andrea,
>
> On Mon, 2021-03-29 at 10:32 +0200, Andrea Sighinolfi wrote:
> > I would like to know if it is possible to read the password from an
> > LDAP user through the glibc function like getpwnam / getspnam. They
> > work for normal local users, but they seem to not work for remote
> > LDAP users.
>
> I assume you mean the password hash as it is stored in the userPassword
> attribute in LDAP. By default nslcd only returns "*" as password hash
> as a security measure (safe default) but you can enable returning the
> actual hash with the following in nslcd.conf:
>
>   map passwd userPassword userPassword
>
> For more details see
> https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#map
>
> Hope this helps,

--

Ing. Andrea Sighinolfi

R&D


SITTI S.p.A.
Via Cadorna, 73
20055 Vimodrone (MI) - ITALY

Phone +39.02.2507121
Mobile +39.xxxxxxxxx

Email:  andrea.sighinolfi [at] sitti.it
Website: www.sitti.it
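
A small diagnostic for the symptom discussed in this thread, added here as an example and not part of the original messages or of nss-pam-ldapd: it calls getspnam() and reports which kind of value the password field holds (a placeholder such as "*", an LDAP-style {SCHEME} value, or a crypt(3)-style hash) without ever printing the value itself. The names classify_pw_field and lookup_shadow_kind and the category names are hypothetical.

```c
#include <shadow.h>
#include <stdio.h>
#include <string.h>

/* Categories for the sp_pwdp field returned through NSS (names are illustrative). */
enum pw_kind { PW_NO_ENTRY, PW_EMPTY, PW_PLACEHOLDER, PW_LDAP_SCHEME, PW_CRYPT, PW_OTHER };

/* Classify a password field without exposing its content. */
enum pw_kind classify_pw_field(const char *field)
{
    if (field == NULL)
        return PW_NO_ENTRY;                 /* no entry, or caller may not read shadow data */
    if (field[0] == '\0')
        return PW_EMPTY;                    /* empty field: no password set */
    if (strcmp(field, "x") == 0 || field[0] == '*' || field[0] == '!')
        return PW_PLACEHOLDER;              /* "*" safe default, "x", or locked ("!...") */
    if (field[0] == '{' && strchr(field, '}') != NULL)
        return PW_LDAP_SCHEME;              /* e.g. "{SSHA}...": LDAP storage scheme prefix */
    if (field[0] == '$' && strchr(field + 1, '$') != NULL)
        return PW_CRYPT;                    /* "$id$salt$hash" as used by crypt(3) */
    return PW_OTHER;                        /* anything else, e.g. traditional DES crypt */
}

/* Look the user up through NSS (files, ldap, ...) and classify the result. */
enum pw_kind lookup_shadow_kind(const char *user)
{
    struct spwd *sp = getspnam(user);
    return classify_pw_field(sp ? sp->sp_pwdp : NULL);
}

int main(int argc, char **argv)
{
    static const char *names[] = {
        "no shadow entry visible to this process", "empty password field",
        "placeholder or locked (no usable hash returned)",
        "LDAP {SCHEME}-prefixed value", "crypt(3)-style hash", "other value"
    };
    if (argc != 2) {
        fprintf(stderr, "usage: %s USER\n", argv[0]);
        return 2;
    }
    enum pw_kind k = lookup_shadow_kind(argv[1]);
    printf("%s: %s\n", argv[1], names[k]);  /* the hash itself is never printed */
    return k == PW_NO_ENTRY;
}
```

Run it as a user allowed to read shadow data, once for a local account and once for an LDAP account, to compare what each NSS source returns.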
