Date:      Sat, 26 Feb 2011 15:01:22 -0500
From:      Tim Dunphy <bluethundr@gmail.com>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: pam ssh authentication via ldap
Message-ID:  <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV+6XOtmonDA5@mail.gmail.com>
In-Reply-To: <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com>
References:  <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com>

Hey list,

I just wanted to follow up with my /usr/local/etc/ldap.conf file and
nsswitch file because I thought they might be helpful in dispensing
advice as to what is going on:

uri ldap://LBSD2.summitnjhome.com
base ou=staff,ou=Group,dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd dc=summitnjhome,dc=com
nss_base_shadow dc=summitnjhome,dc=com
nss_base_group  dc=summitnjhome,dc=com
nss_base_sudo   dc=summitnjhome,dc=com


# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
passwd: files ldap
passwd_compat: files ldap
group: files ldap
group_compat: nis
sudoers: ldap
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files


On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
> Hello List!!
>
> I have an OpenLDAP 2.4 server functioning very nicely that
> authenticates a network of (mostly virtual) CentOS 5.5 machines.
>
> But at the moment I am attempting to set up PAM authentication for ssh
> via LDAP and having some difficulty.
>
> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
> auth            required        pam_ldap.so
> #auth           required        pam_unix.so             no_warn try_first_pass
>
> # account
> account         required        pam_nologin.so
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_ldap.so
> #account        required        pam_unix.so
>
> # session
> #session        optional        pam_ssh.so
> session         sufficient      pam_ldap.so
> session         required        pam_permit.so
>
> # password
> #password       sufficient      pam_krb5.so             no_warn try_first_pass
> password        required        pam_ldap.so
> #password       required        pam_unix.so             no_warn try_first_pass
>
>
> And if I'm reading the logs correctly LDAP is searching for and
> finding the account information when I am making the login attempt:
>
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
> Feb 26 19:52:54 LBSD2 slapd[54891]:
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>
>
> But logins fail every time. Could someone offer an opinion as to what
> may be going on to prevent logging in via pam/sshd and LDAP?
>
> Thanks in advance!
> Tim
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
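Added example (not part of the thread, and not OpenLDAP or pam_ldap code): a small Python script that pairs slapd's "conn=N op=M SRCH ..." and "BIND ..." request lines with the matching "SEARCH RESULT" / "RESULT" line for the same (conn, op) and reports every operation that came back with a non-zero LDAP result code or, for a search, with err=0 but nentries=0. Run over the lines quoted above it would flag op=22122, the (&(objectClass=posixAccount)(uidNumber=1001)) search under dc=summitnjhome,dc=com, as having returned nentries=0. The sample log in the block is constructed: the first search copies the shape of the quoted one, while the second search (uid=tim) and the BIND on conn=21359 are invented to exercise the success and error paths. The function names, the result-code table (a subset of RFC 4511) and the decision to skip the bdb_* and daemon: debug lines are choices of this example, not anything the thread or slapd prescribes.

```python
"""Correlate slapd request and result log lines by (conn, op) and report
lookups that came back empty or with a non-zero LDAP result code.

Added example for the thread above; not code from the poster or from
OpenLDAP. It parses the "conn=N op=M ..." stats lines slapd emits (the
lines quoted in the thread); bdb_* and daemon: debug lines are ignored.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. Op 22122 mirrors the search quoted in the thread
# (zero entries for uidNumber=1001); op 22123 and conn 21359 are invented so
# that a successful search and a failed bind are exercised as well.
SAMPLE_LOG = """\
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:52:55 LBSD2 slapd[54891]: conn=21358 op=22123 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=tim))"
Feb 26 19:52:55 LBSD2 slapd[54891]: conn=21358 op=22123 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 26 19:52:55 LBSD2 slapd[54891]: conn=21359 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 26 19:52:55 LBSD2 slapd[54891]: conn=21359 op=0 RESULT tag=97 err=49 text=
"""

SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) deref=\d filter="(?P<filter>.*)"$')
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?:SEARCH )?RESULT tag=\d+ '
    r'err=(?P<err>\d+)(?: nentries=(?P<nentries>\d+))?')

# Standard LDAP result codes (RFC 4511); only the ones worth naming here.
LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
            50: "insufficientAccessRights", 53: "unwillingToPerform"}
SCOPE = {0: "base", 1: "one", 2: "sub"}


@dataclass
class Op:
    conn: str
    op: str
    kind: str                       # "SRCH" or "BIND"
    detail: str                     # search filter, or bind DN
    base: str = ""
    scope: int = -1
    err: Optional[int] = None       # None until the RESULT line is seen
    nentries: Optional[int] = None  # only set for searches


def parse_slapd_log(text: str) -> List[Op]:
    """Pair each SRCH/BIND request with its RESULT line by (conn, op)."""
    ops: Dict[Tuple[str, str], Op] = {}
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            ops[(m["conn"], m["op"])] = Op(m["conn"], m["op"], "SRCH",
                                          m["filter"], m["base"], int(m["scope"]))
            continue
        m = BIND_RE.search(line)
        if m:
            ops[(m["conn"], m["op"])] = Op(m["conn"], m["op"], "BIND", m["dn"])
            continue
        m = RESULT_RE.search(line)
        if m:
            op = ops.get((m["conn"], m["op"]))
            if op is None:
                continue  # result for a request outside the captured window
            op.err = int(m["err"])
            if m["nentries"] is not None:
                op.nentries = int(m["nentries"])
    return list(ops.values())


def find_problems(ops: List[Op]) -> List[str]:
    """One line per operation that cannot have satisfied the client."""
    out = []
    for o in ops:
        where = f"conn={o.conn} op={o.op} {o.kind} {o.detail}"
        if o.err is None:
            out.append(f"{where}: no RESULT line seen")
        elif o.err != 0:
            out.append(f"{where}: err={o.err} ({LDAP_ERR.get(o.err, 'see RFC 4511')})")
        elif o.kind == "SRCH" and o.nentries == 0:
            out.append(f'{where}: no entries under base="{o.base}" '
                       f"scope={SCOPE.get(o.scope, o.scope)}; either no entry "
                       "matches or the bound identity is not allowed to read it")
    return out


if __name__ == "__main__":
    for problem in find_problems(parse_slapd_log(SAMPLE_LOG)):
        print(problem)
```

The distinction the script draws matters when reading slapd output: an ACL that hides an entry from the bound identity produces exactly the same "err=0 nentries=0" as an entry that does not exist, so a zero-entry search is a reason to compare the base and filter in the log against the nss_base_* lines in ldap.conf and to check slapd's access rules for the binddn, not proof that the account record is missing. A BIND with a non-zero err, by contrast, fails the connection before any search and shows up as such.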



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV%2B6XOtmonDA5>