From: Tim Dunphy
To: freebsd-questions
Date: Sun, 27 Feb 2011 20:06:19 -0500
Subject: Re: pam ssh authentication via ldap

Hello Krad and thank you for your reply!

Well, it seems that I am still unable to log in to this machine using an LDAP account. I have tried applying the configurations you have provided and the result doesn't seem to have changed just yet.

Here is my /usr/local/etc/ldap.conf file

uri ldap://LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
ssl start tls
tls_cacert /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
pam_login_attribute uid
bind_timelimit 1
timelimit 1
bind_policy soft
pam_password exop
nss_base_passwd dc=summitnjhome,dc=com
nss_base_shadow dc=summitnjhome,dc=com
nss_base_group dc=summitnjhome,dc=com
nss_base_sudo dc=summitnjhome,dc=com
nss_initgroups_ignoreusers root,slapd

#ls -l /usr/local/etc/nss_ldap.conf
lrwxr-xr-x  1 root  wheel  24 Feb 28 00:10 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf

#cat /usr/local/etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
passwd: cache files ldap [notfound=return]
passwd_compat: files ldap
group: cache files ldap [notfound = return]
group_compat: nis
sudoers: ldap
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Here is my slapd.conf file:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

loglevel 296

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.key
TLSCACertificateFile /usr/local/etc/openldap/certs/gd_bundle.crt

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_hdb
# moduleload back_ldap

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
access to * by read
access to attrs=userPassword
        by self write
        by anonymous auth
access to *
        by self write
        by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" write
        by users read
        by anonymous auth
access to *
        by self write
        by users read
        by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=summitnjhome,dc=com"
rootdn "cn=Manager,dc=summitnjhome,dc=com"
rootpw {SSHA}secret
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/summitnjhome.com
# Indices to maintain
index objectClass,uid,uidNumber eq
index sudoUser eq

These are the packages I have installed:

nss_ldap-1.265_4            RFC 2307 NSS module
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.5              A pam module for authenticating with LDAP

And this is what happens in the ldap logs after making those changes:

Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     OR
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on:
Feb 26 19:58:43 LBSD2 slapd[54891]:  425r
Feb 26 19:58:43 LBSD2 slapd[54891]:
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: read activity on 425
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]:     AND
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0

This is what's going on in the secure logs:

Feb 27 19:02:05 LCENT01 su: pam_unix(su-l:session): session opened for user root by bluethundr(uid=10001)

And this is my /etc/pam.d/sshd file:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_ldap.so
#auth           required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_ldap.so
#account        required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         sufficient      pam_ldap.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_ldap.so
#password       required        pam_unix.so             no_warn try_first_pass

I really appreciate your input, Krad, and I appreciate any advice anyone may have.

Thanks,
Tim

On Sun, Feb 27, 2011 at 6:10 AM, krad wrote:
> On 27 February 2011 11:05, krad wrote:
>> On 26 February 2011 20:01, Tim Dunphy wrote:
>>> Hey list,
>>>
>>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>>> nsswitch file because I thought they might be helpful in dispensing
>>> advice as to what is going on:
>>>
>>> uri ldap://LBSD2.summitnjhome.com
>>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>>> bindpw secret
>>> scope sub
>>> pam_password exop
>>> nss_base_passwd dc=summitnjhome,dc=com
>>> nss_base_shadow dc=summitnjhome,dc=com
>>> nss_base_group  dc=summitnjhome,dc=com
>>> nss_base_sudo   dc=summitnjhome,dc=com
>>>
>>>
>>> # nsswitch.conf(5) - name service switch configuration file
>>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
>>> #
>>> passwd: files ldap
>>> passwd_compat: files ldap
>>> group: files ldap
>>> group_compat: nis
>>> sudoers: ldap
>>> hosts: files dns
>>> networks: files
>>> shells: files
>>> services: compat
>>> services_compat: nis
>>> protocols: files
>>> rpc: files
>>>
>>>
>>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy wrote:
>>>> Hello List!!
>>>>
>>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>>> authenticates a network of (mostly virtual) CentOS 5.5 machines.
>>>>
>>>> But at the moment I am attempting to set up pam authentication for ssh
>>>> via LDAP and having some difficulty.
>>>>
>>>> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>>>
>>>> # PAM configuration for the "sshd" service
>>>> #
>>>>
>>>> # auth
>>>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>>>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>>>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>>>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>>>> auth            required        pam_ldap.so
>>>> #auth           required        pam_unix.so             no_warn try_first_pass
>>>>
>>>> # account
>>>> account         required        pam_nologin.so
>>>> #account        required        pam_krb5.so
>>>> account         required        pam_login_access.so
>>>> account         required        pam_ldap.so
>>>> #account        required        pam_unix.so
>>>>
>>>> # session
>>>> #session        optional        pam_ssh.so
>>>> session         sufficient      pam_ldap.so
>>>> session         required        pam_permit.so
>>>>
>>>> # password
>>>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>>>> password        required        pam_ldap.so
>>>> #password       required        pam_unix.so             no_warn try_first_pass
>>>>
>>>>
>>>> And if I'm reading the logs correctly LDAP is searching for and
>>>> finding the account information when I am making the login attempt:
>>>>
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>>
>>>>
>>>> But logins fail every time. Could someone offer an opinion as to what
>>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>>
>>>> Thanks in advance!
>>>> Tim
>>>>
>>>> --
>>>> GPG me!!
>>>>
>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>
>>>
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>
>>
>> These are my files and they are from a working setup
>>
>> # cat /usr/local/etc/ldap.conf
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> BASE    dc=XXX,dc=net
>> URI     ldap://XXX.net
>>
>> #SIZELIMIT      12
>> #TIMELIMIT      15
>> #DEREF          never
>>
>> ssl start_tls
>> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>>
>> pam_login_attribute uid
>>
>> sudoers_base   ou=sudoers,ou=services,dc=XXX,dc=net
>> bind_timelimit 1
>> timelimit 1
>> bind_policy soft
>>
>> nss_initgroups_ignoreusers root,slapd,krad
>>
>>
>> # ls -l /usr/local/etc/nss_ldap.conf
>> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>>
>> # nsswitch.conf
>>
>>
>> group: cache files ldap [notfound=return]
>> passwd: cache files ldap [notfound=return]
>>
>> These packages are installed
>>
>> nss_ldap-1.265_4       RFC 2307 NSS module
>> openldap-client-2.4.23 Open source LDAP client implementation
>> openldap-server-2.4.23 Open source LDAP server implementation
>> pam_ldap-1.8.6         A pam module for authenticating with LDAP
>>
>
> and my slapd.conf
>
> security ssf=128
>
> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> #include        /usr/local/etc/openldap/schema/ldapns.schema
> include         /usr/local/etc/openldap/schema/samba.schema
> include         /usr/local/etc/openldap/schema/sudo.schema
> logfile /var/log/slapd.log
> loglevel stats
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> modulepath      /usr/local/libexec/openldap
> moduleload      back_bdb
> database        bdb
> directory       /var/db/openldap-data
> #index uid pres,eq
> index cn,sn,uid pres,eq,sub
> index objectClass eq
> #index sudoUser
> suffix  "dc=XXX,dc=net"
> rootdn  "cn=krad,dc=XXX,dc=net"
> rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
> access to attrs=userPassword
>             by self write
>             by anonymous auth
>             by dn.base="cn=krad,dc=XXX,dc=net" write
>             by * none
> access to *
>             by self write
>             by dn.base="cn=krad,dc=XXX,dc=net" write
>             by * read
>
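Added example, written for this page rather than taken from the thread or from OpenLDAP: a small checker for the ACL ordering point visible in the two slapd.conf excerpts above. slapd uses the first "access to" directive whose target matches, so a catch-all "access to *" placed before the "attrs=userPassword" rule makes that rule unreachable and lets the catch-all's own "by" clauses govern password hashes; both ACL samples below are constructed and only modelled on the thread, and parse_acl/analyze_acl are hypothetical helpers.

```python
"""Check slapd.conf ACL ordering (constructed example, not from the thread).
slapd applies the FIRST 'access to' directive whose <what> matches, then the
FIRST matching 'by' clause in it (no match means deny), so a catch-all
'access to *' placed early shadows every rule after it."""
import re

# Constructed sample modelled on the thread: the userPassword rule comes
# after a catch-all 'access to *', so slapd never consults it.
WEAK_ACL = """
access to *
        by self write
        by users read
        by anonymous auth
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
"""

# Same directives with the specific rule first, the order used in the
# working configuration quoted in the thread.
FIXED_ACL = """
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
"""

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order; comments and
    non-ACL directives are skipped, 'by' clauses may continue on later lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"access\s+to\s+(\S+)\s*(.*)$", line)
        if head:
            rules.append((head.group(1), []))
            line = head.group(2)
        clauses = re.findall(r"by\s+(\S+)\s+(\S+)", line)
        if clauses and not rules:
            raise ValueError("'by' clause before any 'access to': %r" % raw)
        if clauses:
            rules[-1][1].extend(clauses)
    return rules

def analyze_acl(text):
    """Return human-readable findings; an empty list means nothing to report."""
    rules = parse_acl(text)
    findings = []
    catch_all = next((i for i, (what, _) in enumerate(rules) if what == "*"), None)
    for i, (what, _) in enumerate(rules):
        if catch_all is not None and i > catch_all:
            findings.append("rule %d (access to %s) is unreachable: rule %d is "
                            "'access to *' and matches first" % (i + 1, what, catch_all + 1))
    # The first rule matching userPassword governs it; with no match slapd's
    # built-in default 'access to * by * read' applies. 'auth' excludes read.
    governing = next((i for i, (what, _) in enumerate(rules)
                      if what in ("*", "attrs=userPassword")), None)
    clauses = rules[governing][1] if governing is not None else [("*", "read")]
    exposed = [who for who, level in clauses
               if who in ("*", "users", "anonymous") and level in ("read", "write", "manage")]
    if exposed:
        label = "default" if governing is None else "rule %d" % (governing + 1)
        findings.append("userPassword hashes readable under %s by: %s"
                        % (label, ", ".join(exposed)))
    return findings
```

Running analyze_acl on WEAK_ACL reports the shadowed userPassword rule and that authenticated users can read hashes; on FIXED_ACL it reports nothing.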