Re: libnss-pam-ldapd: retrieve password information from an LDAP user?
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Andrea Sighinolfi <andrea.sighinolfi [at] sitti.it>, nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: libnss-pam-ldapd: retrieve password information from an LDAP user?
- Date: Mon, 05 Apr 2021 14:15:54 +0200
On Thu, 2021-04-01 at 09:26 +0200, Andrea Sighinolfi wrote:
> I added
> map passwd userPassword userPassword
> in /etc/nslcd.conf, but getspnam() function always returns "*"
> instead of the password hash. What am I missing? Can it be related to
> the fact that the userPassword field of the LDAP user on the server
> is set with the {SSHA} hash?
Sorry, forgot that you also have to add
map shadow userPassword userPassword
because the shadow lookup is separate from the passwd lookup. You can
also choose to only map the passwd map and disable shadow lookups to
ldap in nsswitch.conf.
> In general, what is the best/preferred method to authenticate on an
> LDAP user using the libnss-ldap and nslcd? I am pretty sure it is
> possible because it should be one of the main features of the
> package, but I have not yet been able to find an effective method to
> do this.
The most common set-up is to have both the configuration in
nsswitch.conf and in the PAM stack. How the PAM stack is configured
differs widely between distributions. For some pointers see
https://arthurdejong.org/nss-pam-ldapd/setup
Some Linux distributions (e.g. Slackware) don't have PAM so you have to
expose the password hash with the mechanism above.
Kind regards,
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
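
A way to check the point made in the reply above, that the passwd and shadow lookups are answered separately and each needs its own mapping. This is an added example, not part of the original message; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report, per NSS database, whether the password field of a
# user's entry carries a hash or only a placeholder such as "*".

# Constructed sample lines in getent output format (not real account data).
SAMPLE_PASSWD='andrea:*:1000:1000:Andrea:/home/andrea:/bin/sh'
SAMPLE_SHADOW='andrea:$6$constructedsalt$CONSTRUCTEDHASH:18718:0:99999:7:::'

# password_field LINE -> field 2 of a colon-separated passwd/shadow entry
password_field() {
    printf '%s\n' "$1" | cut -d: -f2
}

# classify_field VALUE -> "empty", "placeholder" or "hash"
classify_field() {
    case "$1" in
        "")               echo empty ;;
        "*"|x|"!"|"!!")   echo placeholder ;;  # no usable hash exposed
        *)                echo hash ;;         # anything else is hash material
    esac
}

# check_user USER -> query the live NSS configuration through getent.
# The shadow database usually answers only when queried as root.
check_user() {
    for db in passwd shadow; do
        if line=$(getent "$db" "$1"); then
            echo "$db: $(classify_field "$(password_field "$line")")"
        else
            echo "$db: no entry returned"
        fi
    done
}

# Run against a real account only when a user name is given as argument.
if [ $# -gt 0 ]; then
    check_user "$1"
fi
```

Run it as root with a user name as the only argument. A result of "hash" for either database means the password hash is readable through NSS on that host, which is only needed where PAM is not available.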