Date: Sun, 27 Feb 2011 20:06:19 -0500 From: Tim Dunphy <bluethundr@gmail.com> To: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: pam ssh authentication via ldap Message-ID: <AANLkTinWsw=4nyEFUTspiE_yGhHc7DdyTNYL8KGXrapC@mail.gmail.com> In-Reply-To: <AANLkTimhm0LkqeD3s_ZoCsk=M3j4gPQAtex1Afh4ZLtE@mail.gmail.com> References: <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com> <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV%2B6XOtmonDA5@mail.gmail.com> <AANLkTi=qR1HhTmiEYO16_qFgqdER2h4sUqKjmPT65Zs%2B@mail.gmail.com> <AANLkTimhm0LkqeD3s_ZoCsk=M3j4gPQAtex1Afh4ZLtE@mail.gmail.com>
Hello Krad and thank you for your reply!
Well it seems that I am still unable to login to this machine using an
LDAP account. I have tried applying the configurations you have
provided and the result doesn't seem to have changed just yet.
Here is my /usr/local/etc/ldap.conf file:
uri ldap://LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
ssl start tls
tls_cacert /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
pam_login_attribute uid
bind_timelimit 1
timelimit 1
bind_policy soft
pam_password exop
nss_base_passwd dc=summitnjhome,dc=com
nss_base_shadow dc=summitnjhome,dc=com
nss_base_group dc=summitnjhome,dc=com
nss_base_sudo dc=summitnjhome,dc=com
nss_initgroups_ignoreusers root,slapd
#ls -l /usr/local/etc/nss_ldap.conf
lrwxr-xr-x 1 root wheel 24 Feb 28 00:10
/usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
#cat /usr/local/etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
kensmith Exp $
#
passwd: cache files ldap [notfound=return]
passwd_compat: files ldap
group: cache files ldap [notfound=return]
group_compat: nis
sudoers: ldap
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Here is my slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
loglevel 296
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.key
TLSCACertificateFile /usr/local/etc/openldap/certs/gd_bundle.crt
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_hdb
# moduleload back_ldap
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
access to *
by read
access to attrs=userPassword by self write
by anonymous auth
access to * by self write
by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" write
by users read
by anonymous auth
access to * by self write
by users read
by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=summitnjhome,dc=com"
rootdn "cn=Manager,dc=summitnjhome,dc=com"
rootpw {SSHA}secret
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/summitnjhome.com
# Indices to maintain
index objectClass,uid,uidNumber eq
index sudoUser eq
These are the packages I have installed:
nss_ldap-1.265_4 RFC 2307 NSS module
openldap-sasl-client-2.4.23 Open source LDAP client implementation
with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.5 A pam module for authenticating with LDAP
And this is what happens in the ldap logs after making those changes:
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH
base="dc=summitnjhome,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: OR
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
first=106 last=137
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on:
Feb 26 19:58:43 LBSD2 slapd[54891]: 425r
Feb 26 19:58:43 LBSD2 slapd[54891]:
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: read activity on 425
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: AND
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
This is what's going on in the secure logs:
Feb 27 19:02:05 LCENT01 su: pam_unix(su-l:session): session opened for
user root by bluethundr(uid=10001)
And this is my /etc/pam.d/sshd file:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.4.1 2010/06/14 02:09:06
kensmith Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_ldap.so
#auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_ldap.so
#account required pam_unix.so
# session
#session optional pam_ssh.so
session sufficient pam_ldap.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_ldap.so
#password required pam_unix.so no_warn try_first_pass
I really appreciate your input, Krad, and I appreciate any advice anyone may have.
thanks
tim
On Sun, Feb 27, 2011 at 6:10 AM, krad <kraduk@gmail.com> wrote:
> On 27 February 2011 11:05, krad <kraduk@gmail.com> wrote:
>> On 26 February 2011 20:01, Tim Dunphy <bluethundr@gmail.com> wrote:
>>> Hey list,
>>>
>>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>>> nsswitch file because I thought they might be helpful in dispensing
>>> advice as to what is going on:
>>>
>>> uri ldap://LBSD2.summitnjhome.com
>>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>>> bindpw secret
>>> scope sub
>>> pam_password exop
>>> nss_base_passwd dc=summitnjhome,dc=com
>>> nss_base_shadow dc=summitnjhome,dc=com
>>> nss_base_group  dc=summitnjhome,dc=com
>>> nss_base_sudo   dc=summitnjhome,dc=com
>>>
>>>
>>> # nsswitch.conf(5) - name service switch configuration file
>>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
>>> kensmith Exp $
>>> #
>>> passwd: files ldap
>>> passwd_compat: files ldap
>>> group: files ldap
>>> group_compat: nis
>>> sudoers: ldap
>>> hosts: files dns
>>> networks: files
>>> shells: files
>>> services: compat
>>> services_compat: nis
>>> protocols: files
>>> rpc: files
>>>
>>>
>>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
>>>> Hello List!!
>>>>
>>>>  I have an OpenLDAP 2.4 server functioning very nicely that
>>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>>
>>>>  But at the moment I am attempting to set up pam authentication for ssh
>>>> via LDAP and having some difficulty.
>>>>
>>>>  My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>>>
>>>> # PAM configuration for the "sshd" service
>>>> #
>>>>
>>>> # auth
>>>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>>>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>>>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>>>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>>>> auth            required        pam_ldap.so
>>>> #auth           required        pam_unix.so             no_warn try_first_pass
>>>>
>>>> # account
>>>> account         required        pam_nologin.so
>>>> #account        required        pam_krb5.so
>>>> account         required        pam_login_access.so
>>>> account         required        pam_ldap.so
>>>> #account        required        pam_unix.so
>>>>
>>>> # session
>>>> #session        optional        pam_ssh.so
>>>> session         sufficient      pam_ldap.so
>>>> session         required        pam_permit.so
>>>>
>>>> # password
>>>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>>>> password        required        pam_ldap.so
>>>> #password       required        pam_unix.so             no_warn try_first_pass
>>>>
>>>>
>>>> And if I'm reading the logs correctly LDAP is searching for and
>>>> finding the account information when I am making the login attempt:
>>>>
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
>>>> base="dc=summitnjhome,dc=com" scope=2 deref=0
>>>> filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
>>>> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
>>>> description objectClass
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
>>>> first=106 last=137
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
>>>> first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
>>>> tag=101 err=0 nentries=0 text=
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
>>>> error=-2 id=34715, closing.
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
>>>> conn=34715 sd=212 for close
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>>
>>>>
>>>> But logins fail every time. Could someone offer an opinion as to what
>>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>>
>>>> Thanks in advance!
>>>> Tim
>>>>
>>>> --
>>>> GPG me!!
>>>>
>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>
>>>
>>>
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>
>>
>>
>>
>> these are my files and are from a working setup
>>
>> # cat /usr/local/etc/ldap.conf
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> BASE    dc=XXX,dc=net
>> URI     ldap://XXX.net
>>
>> #SIZELIMIT      12
>> #TIMELIMIT      15
>> #DEREF          never
>>
>> ssl start_tls
>> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>>
>> pam_login_attribute uid
>>
>> sudoers_base   ou=sudoers,ou=services,dc=XXX,dc=net
>> bind_timelimit 1
>> timelimit 1
>> bind_policy soft
>>
>> nss_initgroups_ignoreusers root,slapd,krad
>>
>>
>> # ls -l /usr/local/etc/nss_ldap.conf
>> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31
>> /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>>
>> # nsswitch.conf
>>
>>
>> group: cache files ldap [notfound=return]
>> passwd: cache files ldap [notfound=return]
>>
>> these packages are installs
>>
>> nss_ldap-1.265_4    RFC 2307 NSS module
>> openldap-client-2.4.23 Open source LDAP client implementation
>> openldap-server-2.4.23 Open source LDAP server implementation
>> pam_ldap-1.8.6      A pam module for authenticating with LDAP
>>
>
> and my slapd.conf
>
> security ssf=128
>
> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> #include         /usr/local/etc/openldap/schema/ldapns.schema
> include         /usr/local/etc/openldap/schema/samba.schema
> include         /usr/local/etc/openldap/schema/sudo.schema
> logfile /var/log/slapd.log
> loglevel stats
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> modulepath      /usr/local/libexec/openldap
> moduleload      back_bdb
> database        bdb
> directory       /var/db/openldap-data
> #index uid pres,eq
> index cn,sn,uid pres,eq,sub
> index objectClass eq
> #index sudoUser
> suffix  "dc=XXX,dc=net"
> rootdn  "cn=krad,dc=XXX,dc=net"
> rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
> access to attrs=userPassword
>             by self write
>             by anonymous auth
>             by dn.base="cn=krad,dc=XXX,dc=net" write
>             by * none
> access to *
>             by self write
>             by dn.base="cn=krad,dc=XXX,dc=net" write
>             by * read
>
-- 
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
