From: krad
To: Tim Dunphy
Cc: freebsd-questions
Date: Sun, 27 Feb 2011 11:05:36 +0000
Subject: Re: pam ssh authentication via ldap
On 26 February 2011 20:01, Tim Dunphy wrote:
> Hey list,
>
> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
> nsswitch file because I thought they might be helpful in dispensing
> advice as to what is going on:
>
> uri ldap://LBSD2.summitnjhome.com
> base ou=staff,ou=Group,dc=summitnjhome,dc=com
> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw secret
> scope sub
> pam_password exop
> nss_base_passwd dc=summitnjhome,dc=com
> nss_base_shadow dc=summitnjhome,dc=com
> nss_base_group  dc=summitnjhome,dc=com
> nss_base_sudo   dc=summitnjhome,dc=com
>
>
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
> #
> passwd: files ldap
> passwd_compat: files ldap
> group: files ldap
> group_compat: nis
> sudoers: ldap
> hosts: files dns
> networks: files
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
>
> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy wrote:
>> Hello List!!
>>
>> I have an OpenLDAP 2.4 server functioning very nicely that
>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>
>> But at the moment I am attempting to set up pam authentication for ssh
>> via LDAP and having some difficulty.
>>
>> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>
>> # PAM configuration for the "sshd" service
>> #
>>
>> # auth
>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>> auth            required        pam_ldap.so
>> #auth           required        pam_unix.so             no_warn try_first_pass
>>
>> # account
>> account         required        pam_nologin.so
>> #account        required        pam_krb5.so
>> account         required        pam_login_access.so
>> account         required        pam_ldap.so
>> #account        required        pam_unix.so
>>
>> # session
>> #session        optional        pam_ssh.so
>> session         sufficient      pam_ldap.so
>> session         required        pam_permit.so
>>
>> # password
>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>> password        required        pam_ldap.so
>> #password       required        pam_unix.so             no_warn try_first_pass
>>
>>
>> And if I'm reading the logs correctly LDAP is searching for and
>> finding the account information when I am making the login attempt:
>>
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>
>>
>> But logins fail every time. Could someone offer an opinion as to what
>> may be going on to prevent logging in via pam/sshd and LDAP?
>>
>> Thanks in advance!
>> Tim
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>

These are my files and are from a working setup.

# cat /usr/local/etc/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=XXX,dc=net
URI     ldap://XXX.net

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

ssl start_tls
tls_cacert /usr/local/etc/openldap/ssl/cert.crt
pam_login_attribute uid
sudoers_base ou=sudoers,ou=services,dc=XXX,dc=net
bind_timelimit 1
timelimit 1
bind_policy soft
nss_initgroups_ignoreusers root,slapd,krad

# ls -l /usr/local/etc/nss_ldap.conf
lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf

# nsswitch.conf
group: cache files ldap [notfound=return]
passwd: cache files ldap [notfound=return]

These packages are installed:

nss_ldap-1.265_4        RFC 2307 NSS module
openldap-client-2.4.23  Open source LDAP client implementation
openldap-server-2.4.23  Open source LDAP server implementation
pam_ldap-1.8.6          A pam module for authenticating with LDAP
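The auth stack posted in this thread is worth walking through by hand, because the "required pam_ldap.so" line with "pam_unix.so" commented out means nothing but LDAP can vouch for a user. The script below is an added example, not code from either poster or from FreeBSD/OpenPAM: it parses a pam.d(5) stanza, walks the chain using the four classic control flags as pam.conf(5) describes them, and reports which modules were consulted and whether the facility passes. The stanza it reads is a copy of the auth section from the posted /etc/pam.d/sshd; the module return values are constructed scenarios (it does not know what pam_opie.so, pam_opieaccess.so or pam_ldap.so really return), the FALLBACK_AUTH stanza is a hypothetical contrast stack and not the thread's advice, and the end-of-chain rule ("success only if no required module failed and at least one module succeeded") is this script's own conservative choice rather than a quotation of any PAM implementation.

```python
"""PAM stack evaluator: added example for this thread, not code from the
posters or from FreeBSD/OpenPAM. Module results are constructed."""
from dataclasses import dataclass

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"


@dataclass(frozen=True)
class Rule:
    facility: str
    control: str
    module: str
    args: tuple


def parse_stanza(text, facility):
    """Keep the rules of one facility. '#' starts a comment, so a
    commented-out '#auth ... pam_unix.so' line is NOT a rule."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            rules.append(Rule(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return rules


def run_stack(rules, results):
    """Walk the chain. `results` maps module name -> return code; a module
    missing from the table is treated as failing (fail closed).
      required:   failure is remembered, the chain continues
      requisite:  failure ends the chain at once with that error
      sufficient: success ends the chain with PAM_SUCCESS unless a required
                  module already failed; failure is ignored
      optional:   result ignored
    End of chain (this script's rule): the remembered required failure,
    else PAM_SUCCESS if some module succeeded, else PAM_AUTH_ERR.
    Returns (outcome, trace); trace lists (control, module, rc) for every
    module actually invoked."""
    trace, first_err, any_ok = [], None, False
    for r in rules:
        rc = results.get(r.module, AUTH_ERR)
        trace.append((r.control, r.module, rc))
        ok = rc == SUCCESS
        any_ok = any_ok or ok
        if r.control == "required":
            if not ok and first_err is None:
                first_err = rc
        elif r.control == "requisite":
            if not ok:
                return (first_err or rc, trace)
        elif r.control == "sufficient":
            if ok and first_err is None:
                return (SUCCESS, trace)
        elif r.control != "optional":
            raise ValueError(f"unsupported control flag {r.control!r}")
    if first_err is not None:
        return (first_err, trace)
    return (SUCCESS if any_ok else AUTH_ERR, trace)


# Copy of the auth section of the /etc/pam.d/sshd posted in the thread.
POSTED_SSHD_AUTH = """\
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_ldap.so
#auth           required        pam_unix.so             no_warn try_first_pass
"""

# Hypothetical contrast stack (an assumption, not the thread's advice):
# LDAP first, local password database if LDAP does not accept the user.
FALLBACK_AUTH = """\
auth            sufficient      pam_ldap.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
"""


def scenario(stanza, results):
    outcome, trace = run_stack(parse_stanza(stanza, "auth"), results)
    return outcome, [module for _, module, _ in trace]


def ldap_ok():
    # Constructed: OPIE not set up for the user, LDAP accepts the password.
    return scenario(POSTED_SSHD_AUTH, {"pam_opie.so": AUTH_ERR,
                                       "pam_opieaccess.so": SUCCESS,
                                       "pam_ldap.so": SUCCESS})


def ldap_down_posted():
    # Constructed: LDAP rejects/cannot bind. pam_unix.so would succeed, but
    # it is commented out, so it is never consulted.
    return scenario(POSTED_SSHD_AUTH, {"pam_opie.so": AUTH_ERR,
                                       "pam_opieaccess.so": SUCCESS,
                                       "pam_ldap.so": AUTH_ERR,
                                       "pam_unix.so": SUCCESS})


def ldap_down_fallback():
    return scenario(FALLBACK_AUTH, {"pam_ldap.so": AUTH_ERR,
                                    "pam_unix.so": SUCCESS})


if __name__ == "__main__":
    for name, fn in (("posted, LDAP ok", ldap_ok),
                     ("posted, LDAP failing", ldap_down_posted),
                     ("fallback, LDAP failing", ldap_down_fallback)):
        outcome, modules = fn()
        print(f"{name:24s} -> {outcome:13s} via {' '.join(modules)}")
```

Run it as-is to see the three traces; to try your own sshd file, read it into parse_stanza and build the results table by hand for the case you are debugging (for example, pam_ldap.so failing because the bind is refused). The evaluator is deliberately fail-closed for any module it has no result for, which is the safer default when reasoning about a stack you do not fully trust.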