From owner-freebsd-questions@FreeBSD.ORG Sun Feb 27 11:10:08 2011
From: krad
To: Tim Dunphy
Cc: freebsd-questions
Date: Sun, 27 Feb 2011 11:10:06 +0000
Subject: Re: pam ssh authentication via ldap
On 27 February 2011 11:05, krad wrote:
> On 26 February 2011 20:01, Tim Dunphy wrote:
>> Hey list,
>>
>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>> nsswitch file because I thought they might be helpful in dispensing
>> advice as to what is going on:
>>
>> uri ldap://LBSD2.summitnjhome.com
>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>> bindpw secret
>> scope sub
>> pam_password exop
>> nss_base_passwd dc=summitnjhome,dc=com
>> nss_base_shadow dc=summitnjhome,dc=com
>> nss_base_group  dc=summitnjhome,dc=com
>> nss_base_sudo   dc=summitnjhome,dc=com
>>
>>
>> # nsswitch.conf(5) - name service switch configuration file
>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
>> #
>> passwd: files ldap
>> passwd_compat: files ldap
>> group: files ldap
>> group_compat: nis
>> sudoers: ldap
>> hosts: files dns
>> networks: files
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>>
>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy wrote:
>>> Hello List!!
>>>
>>>  I have an OpenLDAP 2.4 server functioning very nicely that
>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>
>>>  But at the moment I am attempting to set up pam authentication for ssh
>>> via LDAP and having some difficulty.
>>>
>>>  My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>>
>>> # PAM configuration for the "sshd" service
>>> #
>>>
>>> # auth
>>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>>> auth            required        pam_ldap.so
>>> #auth           required        pam_unix.so             no_warn try_first_pass
>>>
>>> # account
>>> account         required        pam_nologin.so
>>> #account        required        pam_krb5.so
>>> account         required        pam_login_access.so
>>> account         required        pam_ldap.so
>>> #account        required        pam_unix.so
>>>
>>> # session
>>> #session        optional        pam_ssh.so
>>> session         sufficient      pam_ldap.so
>>> session         required        pam_permit.so
>>>
>>> # password
>>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>>> password        required        pam_ldap.so
>>> #password       required        pam_unix.so             no_warn try_first_pass
>>>
>>>
>>> And if I'm reading the logs correctly LDAP is searching for and
>>> finding the account information when I am making the login attempt:
>>>
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>
>>>
>>> But logins fail every time. Could someone offer an opinion as to what
>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>
>>> Thanks in advance!
>>> Tim
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>
>>
>
> these are my files and are from a working setup
>
> # cat /usr/local/etc/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE    dc=XXX,dc=net
> URI     ldap://XXX.net
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
>
> ssl start_tls
> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>
> pam_login_attribute uid
>
> sudoers_base   ou=sudoers,ou=services,dc=XXX,dc=net
> bind_timelimit 1
> timelimit 1
> bind_policy soft
>
> nss_initgroups_ignoreusers root,slapd,krad
>
>
> # ls -l /usr/local/etc/nss_ldap.conf
> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>
> # nsswitch.conf
>
>
> group: cache files ldap [notfound=return]
> passwd: cache files ldap [notfound=return]
>
> these packages are installed
>
> nss_ldap-1.265_4       RFC 2307 NSS module
> openldap-client-2.4.23 Open source LDAP client implementation
> openldap-server-2.4.23 Open source LDAP server implementation
> pam_ldap-1.8.6         A pam module for authenticating with LDAP

and my slapd.conf

security ssf=128
TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
#include /usr/local/etc/openldap/schema/ldapns.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/sudo.schema

logfile /var/log/slapd.log
loglevel stats
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/local/libexec/openldap
moduleload back_bdb

database bdb
directory /var/db/openldap-data

#index uid pres,eq
index cn,sn,uid pres,eq,sub
index objectClass eq
#index sudoUser

suffix "dc=XXX,dc=net"
rootdn "cn=krad,dc=XXX,dc=net"
rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa

access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=krad,dc=XXX,dc=net" write
        by * none

access to *
        by self write
        by dn.base="cn=krad,dc=XXX,dc=net" write
        by * read
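The slapd output Tim quotes is the `loglevel stats` format, and the one search it shows ends in `SEARCH RESULT ... nentries=0`. As an added example that is not part of the thread, here is a small Python parser for that format: it pairs each SRCH line with its SEARCH RESULT by conn/op and lists lookups that the directory answered without error but that matched no entry, which tells you whether nss_ldap/pam_ldap ever got an account back before you go digging in the PAM stack. The sample log is constructed: the first search mirrors the quoted one, the second (uid=tim, one entry) is invented.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the slapd "loglevel stats" format quoted in the thread:
# the first search copies the quoted lookup (uidNumber=1001 -> nentries=0),
# the second is made up to show a lookup that actually found the account.
SAMPLE_LOG = """\
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:52:55 LBSD2 slapd[54891]: conn=21358 op=22123 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=tim))"
Feb 26 19:52:55 LBSD2 slapd[54891]: conn=21358 op=22123 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# The SRCH line carries base/scope/filter; the SEARCH RESULT line with the same
# conn and op carries the LDAP result code and how many entries were returned.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d+ filter="(.*)"\s*$')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def parse_searches(log_text: str) -> List[Dict[str, object]]:
    """Pair every SRCH with its SEARCH RESULT by (conn, op); one record per completed search."""
    pending: Dict[Tuple[str, str], Dict[str, object]] = {}
    completed: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {"conn": conn, "op": op, "base": base,
                                   "scope": int(scope), "filter": flt}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            # A result whose SRCH line was not seen (log opened mid-operation) still counts.
            rec = pending.pop((conn, op), {"conn": conn, "op": op, "base": None,
                                           "scope": None, "filter": None})
            rec["err"], rec["nentries"] = int(err), int(nentries)
            completed.append(rec)
    return completed


def empty_lookups(log_text: str) -> List[str]:
    """Filters of searches that succeeded (err=0) but matched nothing: the directory
    answered, yet nss_ldap/pam_ldap got no account back for that filter."""
    return [str(r["filter"]) for r in parse_searches(log_text)
            if r["err"] == 0 and r["nentries"] == 0 and r["filter"]]
```

Feed it the real /var/log/slapd.log with `empty_lookups(open(path).read())`; a filter that keeps coming back empty means the search base or the account's objectClass/attribute values are wrong on the directory side, not in pam.d.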