From: Tim Dunphy <bluethundr@gmail.com>
To: freebsd-questions@freebsd.org
Date: Sat, 26 Feb 2011 15:01:22 -0500
Subject: Re: pam ssh authentication via ldap
Hey list,

I just wanted to follow up with my /usr/local/etc/ldap.conf file and nsswitch file because I thought they might be helpful in dispensing advice as to what is going on:

/usr/local/etc/ldap.conf:

uri ldap://LBSD2.summitnjhome.com
base ou=staff,ou=Group,dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd dc=summitnjhome,dc=com
nss_base_shadow dc=summitnjhome,dc=com
nss_base_group dc=summitnjhome,dc=com
nss_base_sudo dc=summitnjhome,dc=com

nsswitch.conf:

# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
passwd: files ldap
passwd_compat: files ldap
group: files ldap
group_compat: nis
sudoers: ldap
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy wrote:
> Hello List!!
>
>  I have an OpenLDAP 2.4 server functioning very nicely that
> authenticates a network of (mostly virtual) CentOS 5.5 machines.
>
>  But at the moment I am attempting to set up PAM authentication for ssh
> via LDAP and having some difficulty.
>
>  My /etc/pam.d/sshd file seems to be set up logically and correctly:
>
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
> auth            required        pam_ldap.so
> #auth           required        pam_unix.so             no_warn try_first_pass
>
> # account
> account         required        pam_nologin.so
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_ldap.so
> #account        required        pam_unix.so
>
> # session
> #session        optional        pam_ssh.so
> session         sufficient      pam_ldap.so
> session         required        pam_permit.so
>
> # password
> #password       sufficient      pam_krb5.so             no_warn try_first_pass
> password        required        pam_ldap.so
> #password       required        pam_unix.so             no_warn try_first_pass
>
>
> And if I'm reading the logs correctly, LDAP is searching for and
> finding the account information when I am making the login attempt:
>
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
> Feb 26 19:52:54 LBSD2 slapd[54891]:
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>
>
> But logins fail every time. Could someone offer an opinion as to what
> may be going on to prevent logging in via pam/sshd and LDAP?
>
> Thanks in advance!
> Tim
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
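The slapd excerpt quoted in the message ends with `SEARCH RESULT tag=101 err=0 nentries=0`: the server completed the `(&(objectClass=posixAccount)(uidNumber=1001))` search under `dc=summitnjhome,dc=com` without error and returned no entries. When nss_ldap and pam_ldap fail, this is the line to read first, because `err` and `nentries` tell apart "the base does not exist", "the bind cannot see it" and "nothing matched". The following Python script is an added example for this thread (not code from the original message or from OpenLDAP): it pairs slapd `SRCH` lines with their `SEARCH RESULT` by conn/op and reports the lookups that cannot have satisfied the name service. The `SAMPLE_LOG` is constructed; its first search mirrors the lines quoted above, while the `uid=someuser` and `posixGroup` searches are invented to show a successful lookup and a bad search base.

```python
"""Correlate OpenLDAP slapd SRCH / SEARCH RESULT log lines per (conn, op)
and flag lookups that cannot have satisfied nss_ldap or pam_ldap.

Added example for this mailing-list thread; not code from the original
message. SAMPLE_LOG is CONSTRUCTED: the first search mirrors the lines
quoted in the post, the other two are invented to show other outcomes.
"""
import re

SAMPLE_LOG = """\
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:53:01 LBSD2 slapd[54891]: conn=21358 op=22123 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=someuser))"
Feb 26 19:53:01 LBSD2 slapd[54891]: conn=21358 op=22123 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 26 19:53:02 LBSD2 slapd[54891]: conn=21359 op=1 SRCH base="ou=nonexistent,dc=summitnjhome,dc=com" scope=2 deref=0 filter="(objectClass=posixGroup)"
Feb 26 19:53:02 LBSD2 slapd[54891]: conn=21359 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

# The SRCH line that carries base/scope/filter (the "SRCH attr=" line does not match).
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) deref=\d+ filter="(?P<filter>.*)"\s*$'
)
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT tag=\d+ '
    r'err=(?P<err>\d+) nentries=(?P<nentries>\d+)'
)
# Identity attribute an nss_ldap/pam_ldap lookup keys on, e.g. (uidNumber=1001).
KEY_RE = re.compile(r'\((uid|uidNumber|cn|gidNumber|memberUid)=([^)]*)\)')

# LDAP resultCode values (RFC 4511) that come up in nss_ldap/pam_ldap troubleshooting.
RESULT_CODES = {
    0: "success",
    32: "noSuchObject (the search base does not exist)",
    49: "invalidCredentials (bind DN or password rejected)",
    50: "insufficientAccessRights (ACL hides the entries from the bind DN)",
}


def parse_slapd_log(text):
    """Return one record per completed search, in SEARCH RESULT order."""
    pending = {}
    done = []
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group("conn"), m.group("op"))] = {
                "conn": int(m.group("conn")), "op": int(m.group("op")),
                "base": m.group("base"), "scope": int(m.group("scope")),
                "filter": m.group("filter"),
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            # A result whose SRCH line fell outside the excerpt is kept with unknown base/filter.
            rec = pending.pop((m.group("conn"), m.group("op")), {
                "conn": int(m.group("conn")), "op": int(m.group("op")),
                "base": None, "scope": None, "filter": None,
            })
            rec["err"] = int(m.group("err"))
            rec["nentries"] = int(m.group("nentries"))
            done.append(rec)
    return done


def lookup_key(flt):
    """Extract the (attribute, value) the lookup keyed on, or None if there is none."""
    m = KEY_RE.search(flt or "")
    return (m.group(1), m.group(2)) if m else None


def failed_lookups(records):
    """Searches that cannot have produced an account or group: an error, or zero entries."""
    return [r for r in records if r["err"] != 0 or r["nentries"] == 0]


def explain(rec):
    """One-line diagnosis of a failed lookup, distinguishing 'no match' from server errors."""
    key = lookup_key(rec["filter"])
    who = "%s=%s" % key if key else (rec["filter"] or "<filter not in excerpt>")
    if rec["err"] == 0 and rec["nentries"] == 0:
        why = ("server answered success but no entry matched; check that an object with %s "
               "exists below that base and is readable by the bind DN" % who)
    else:
        why = RESULT_CODES.get(rec["err"], "resultCode %d" % rec["err"])
    return "conn=%d op=%d lookup %s under %s: %s" % (
        rec["conn"], rec["op"], who, rec["base"], why)


if __name__ == "__main__":
    for rec in failed_lookups(parse_slapd_log(SAMPLE_LOG)):
        print(explain(rec))
```

Run it against a real `slapd -d 256` (stats level) log and only the `conn=`/`op=` lines matter; the `bdb_filter_candidates` and `daemon:` noise in the post is ignored by the regexes. For the quoted search the output is the `err=0 nentries=0` case, which points at the data or ACLs under `nss_base_passwd` rather than at the connection or the bind.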