Re: libnss-pam-ldapd: retrieve password information from an LDAP user?

On Thu, 2021-04-01 at 09:26 +0200, Andrea Sighinolfi wrote:
> I added 
> map passwd userPassword userPassword
> in /etc/nslcd.conf, but getspnam() function always returns "*"
> instead of the password hash. What am I missing? Can it be related to
> the fact that the userPassword field of the LDAP user on the server
> are set with the {SSHA} hash?

Sorry, forgot that you also have to add

map shadow userPassword userPassword

because the shadow lookup is separate from the passwd lookup. You can
also choose to only map the passwd map and disable shadow lookups to
ldap in nsswitch.conf.

> In general, what is the best/preferred method to authenticate on an
> LDAP user using the libnss-ldap and nslcd? I am pretty sure it is
> possible because it should be one of the main features of the
> package, but I have not yet been able to find an effective method to
> do this.

The most common set-up is to have both the configuration in
nsswitch.conf and in the PAM stack. How the PAM stack is configured
differs widely between distributions. For some pointers see
https://arthurdejong.org/nss-pam-ldapd/setup

Some Linux distributions (e.g. Slackware) don't have PAM so you have to
expose the password hash with the mechanism above.

Kind regards,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --