From owner-freebsd-questions@FreeBSD.ORG Sat Feb 26 19:55:10 2011
Delivered-To: freebsd-questions@freebsd.org
Date: Sat, 26 Feb 2011 14:55:08 -0500
From: Tim Dunphy
To: freebsd-questions
Subject: pam ssh authentication via ldap
List-Id: User questions

Hello List!!
I have an OpenLDAP 2.4 server functioning very nicely that authenticates a network of (mostly virtual) CentOS 5.5 machines. But at the moment I am attempting to set up PAM authentication for ssh via LDAP and am having some difficulty. My /etc/pam.d/sshd file seems to be set up logically and correctly:

# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_ldap.so
#auth           required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_ldap.so
#account        required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         sufficient      pam_ldap.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_ldap.so
#password       required        pam_unix.so             no_warn try_first_pass

And if I'm reading the logs correctly, LDAP is searching for and finding the account information when I make the login attempt:

Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001 ))"
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: AND
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: OR
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: AND
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
Feb 26 19:52:54 LBSD2 slapd[54891]:
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)

But logins fail every time. Could someone offer an opinion as to what may be going on to prevent logging in via PAM/sshd and LDAP?

Thanks in advance!

Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
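As an added diagnostic example (editor's code, not part of the post above and not FreeBSD's or OpenLDAP's own tooling): a small Python script that pairs slapd "SRCH" lines with their "SEARCH RESULT" by conn/op so the nentries= count can be read directly instead of the bdb candidate chatter, and that parses a pam.d stack to tell whether a failure of pam_ldap.so by itself denies every ssh login. The sample log is constructed in the post's format (op 22122 mirrors the post; op 22123 is an invented lookup that does match), and the "with fallback" PAM stack is the usual FreeBSD arrangement of "auth sufficient pam_ldap.so" followed by "auth required pam_unix.so", written here as an illustration rather than copied from anyone's file.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log in the format of the slapd lines quoted in the post.
# Op 22122 mirrors the post (uidNumber=1001 -> nentries=0); op 22123 is an
# invented second lookup that does match, so both outcomes are exercised.
SAMPLE_SLAPD_LOG = """\
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:52:55 LBSD2 slapd[54891]: conn=21358 op=22123 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=tim))"
Feb 26 19:52:55 LBSD2 slapd[54891]: conn=21358 op=22123 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def correlate_searches(log_text: str) -> Dict[Tuple[int, int], dict]:
    """Pair every SRCH request with its SEARCH RESULT, keyed by (conn, op)."""
    searches: Dict[Tuple[int, int], dict] = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            searches[key] = {"base": m.group(3), "scope": int(m.group(4)),
                             "filter": m.group(5), "err": None, "nentries": None}
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            rec = searches.setdefault(key, {"base": None, "scope": None, "filter": None})
            rec["err"] = int(m.group(3))
            rec["nentries"] = int(m.group(4))
    return searches


def empty_searches(searches: Dict[Tuple[int, int], dict]) -> List[str]:
    """Filters of searches the server answered (err=0) that matched no entry.

    err=0 only says the request was processed; nentries=0 says nothing came
    back, so the NSS/PAM lookup that issued it is treated as 'no such user'.
    """
    return [s["filter"] for s in searches.values()
            if s["err"] == 0 and s["nentries"] == 0]


# Auth/account stack as posted: pam_ldap required, pam_unix commented out.
PAM_SSHD_AS_POSTED = """\
auth      sufficient  pam_opie.so        no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so  no_warn allow_local
auth      required    pam_ldap.so
#auth     required    pam_unix.so        no_warn try_first_pass
account   required    pam_nologin.so
account   required    pam_login_access.so
account   required    pam_ldap.so
"""

# Illustrative alternative: LDAP is sufficient, the local passwd database
# stays the required fallback, so an LDAP outage does not lock out local users.
PAM_SSHD_WITH_FALLBACK = """\
auth      sufficient  pam_opie.so        no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so  no_warn allow_local
auth      sufficient  pam_ldap.so        no_warn try_first_pass
auth      required    pam_unix.so        no_warn try_first_pass
account   required    pam_nologin.so
account   required    pam_login_access.so
account   sufficient  pam_ldap.so
account   required    pam_unix.so
"""


def parse_pam_stack(text: str) -> Dict[str, List[Tuple[str, str, List[str]]]]:
    """Parse pam.d-style lines into {facility: [(control, module, args), ...]}."""
    stack: Dict[str, List[Tuple[str, str, List[str]]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        # Compare on the module basename so /usr/local/lib/pam_ldap.so also matches.
        stack.setdefault(parts[0], []).append((parts[1], parts[2].split("/")[-1], parts[3:]))
    return stack


def modules_that_block_on_failure(stack, facility: str) -> List[str]:
    """Modules whose failure fails the whole facility (control required/requisite)."""
    return [mod for ctl, mod, _ in stack.get(facility, [])
            if ctl in ("required", "requisite")]


def ldap_is_single_point_of_failure(stack) -> bool:
    """True when an LDAP failure alone denies every ssh login on this auth stack."""
    return "pam_ldap.so" in modules_that_block_on_failure(stack, "auth")
```

Run correlate_searches over the file slapd's stats logging lands in (the conn=/op= lines above are that facility): an op that comes back err=0 but nentries=0 means the directory answered and found no entry matching the filter, which the calling NSS/PAM lookup then reports as an unknown user, so the filter and base DN are the first things to compare against the actual entry with ldapsearch. The PAM side is the lockout caveat: with pam_ldap.so as a required auth module and pam_unix.so commented out, an unreachable LDAP server (or one returning nentries=0 for every user) denies ssh logins for local accounts as well, so keep pam_unix as the required fallback before relying on LDAP in production.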