Date:      Sat, 26 Feb 2011 14:55:08 -0500
From:      Tim Dunphy <bluethundr@gmail.com>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   pam ssh authentication via ldap
Message-ID:  <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com>

Hello List!!

 I have an OpenLDAP 2.4 server functioning very nicely that
authenticates a network of (mostly virtual) CentOS 5.5 machines.

 But at the moment I am attempting to set up PAM authentication for SSH
via LDAP and having some difficulty.

 My /etc/pam.d/sshd file seems to be set up logically and correctly:

# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_ldap.so
#auth           required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_ldap.so
#account        required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         sufficient      pam_ldap.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_ldap.so
#password       required        pam_unix.so             no_warn try_first_pass


And if I'm reading the logs correctly LDAP is searching for and
finding the account information when I am making the login attempt:

Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
Feb 26 19:52:54 LBSD2 slapd[54891]:
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)


But logins fail every time. Could someone offer an opinion as to what
may be going on to prevent logging in via pam/sshd and LDAP?

Thanks in advance!
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
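One way to read what slapd stats lines say about each lookup, as an added example that is not part of the original mail: it pairs every SRCH or BIND with its RESULT by conn/op and reports searches that completed with err=0 but nentries=0 (no entry matched the filter, so the client treats the user as unknown) and binds that failed. The embedded log is constructed and only loosely modelled on the lines above; the dc=example,dc=com suffix, the uid=tim search and the BIND on op 22123 are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log (not the lines from the mail): one search that hits,
# one that returns no entries, and one bind rejected with err=49.
SAMPLE_LOG = """\
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22121 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=tim))"
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22121 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22123 BIND dn="uid=tim,ou=people,dc=example,dc=com" method=128
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22123 RESULT tag=97 err=49 text=
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)".*filter="([^"]*)"')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)(?: nentries=(\d+))?')

def correlate(log_text: str) -> List[Dict]:
    """Pair every SRCH/BIND request with its RESULT line, keyed by (conn, op)."""
    pending: Dict[Tuple[str, str], Dict] = {}
    done: List[Dict] = []
    for line in log_text.splitlines():
        if m := SRCH_RE.search(line):
            pending[(m[1], m[2])] = {"op": m[2], "kind": "SRCH", "filter": m[4]}
        elif m := BIND_RE.search(line):
            pending[(m[1], m[2])] = {"op": m[2], "kind": "BIND", "dn": m[3]}
        elif m := RESULT_RE.search(line):
            req = pending.pop((m[1], m[2]), {"op": m[2], "kind": "?"})
            req["err"] = int(m[3])
            req["nentries"] = int(m[4]) if m[4] is not None else None
            done.append(req)
    return done

def problems(ops: List[Dict]) -> List[Tuple[str, str]]:
    """Explain which operations would make an NSS lookup or a PAM login fail."""
    out = []
    for op in ops:
        if op["kind"] == "SRCH" and op["err"] == 0 and op["nentries"] == 0:
            out.append((op["op"], f'no entry matched {op["filter"]} (user unknown to client)'))
        elif op["kind"] == "BIND" and op["err"] == 49:
            out.append((op["op"], f'invalidCredentials for {op["dn"]}'))
        elif op["err"] != 0:
            out.append((op["op"], f'LDAP result code {op["err"]}'))
    return out

if __name__ == "__main__":
    for op_id, why in problems(correlate(SAMPLE_LOG)):
        print(f"op={op_id}: {why}")
```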


