From owner-freebsd-questions@FreeBSD.ORG Thu Aug 9 19:24:40 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4CE1E16A418 for ; Thu, 9 Aug 2007 19:24:40 +0000 (UTC) (envelope-from admin2@enabled.com)
Received: from typhoon.enabled.com (typhoon.enabled.com [216.218.220.21]) by mx1.freebsd.org (Postfix) with ESMTP id 3C29913C459 for ; Thu, 9 Aug 2007 19:24:40 +0000 (UTC) (envelope-from admin2@enabled.com)
Received: from Macintosh-2.local (natint3.juniper.net [66.129.224.36]) (authenticated bits=0) by typhoon.enabled.com (8.14.1/8.14.1) with ESMTP id l79JOcCg057156 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Thu, 9 Aug 2007 12:24:39 -0700 (PDT) (envelope-from admin2@enabled.com)
Message-ID: <46BB69EF.9070400@enabled.com>
Date: Thu, 09 Aug 2007 12:24:31 -0700
From: Noah
User-Agent: Thunderbird 2.0.0.6 (Macintosh/20070728)
MIME-Version: 1.0
To: User Questions
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Issues while authenticating a user over openLDAP using PAM_ldap
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 09 Aug 2007 19:24:40 -0000

running FreeBSD 6.2 Stable

We have openLDAP installed on a server called access1. Users on access1 appear to not be able to ssh to access1. The ssh authentication method uses PAM ldap. PAM_ldap reports "Invalid credentials" in /var/log/messages.

We have another server called access2 that authenticates to the ldap server running on access1. Those users log in via ssh without issue on access2.

I am trying to track down what is broken. I am not even sure how to receive verbose logging from PAM and/or PAM_ldap. Any assistance is much appreciated.

Aug 9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)

related rc.conf lines on access1:

slapd_enable="YES"
slapd_flags='-h "ldapi:///var/run/openldap/ldapi/ ldap://0.0.0.0/" -f /usr/local/etc/openldap/slapd.conf'
slapd_sockets="/var/run/openldap/ldapi"
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"

access1# cat /etc/pam.d/ldap
# debug
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $ debug
# debug
# PAM configuration for the "sshd" service debug
# debug

# auth debug
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass debug
auth            required        pam_nologin.so                  no_warn debug
auth            sufficient      pam_opie.so                     no_warn no_fake_prompts debug
auth            requisite       pam_opieaccess.so               no_warn allow_local debug
#auth           sufficient      pam_krb5.so                     no_warn try_first_pass debug
#auth           sufficient      pam_ssh.so                      no_warn try_first_pass debug
auth            required        pam_unix.so                     no_warn try_first_pass debug

# account debug
#account        required        pam_krb5.so debug
account         required        pam_login_access.so debug
account         required        pam_unix.so debug

# session debug
#session        optional        pam_ssh.so debug
session         required        /usr/local/lib/pam_mkhomedir.so
#session        required        /usr/local/lib/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug
session         required        pam_permit.so debug

# password debug
#password       sufficient      pam_krb5.so                     no_warn try_first_pass debug
password        required        pam_unix.so                     no_warn try_first_pass debug

access1

[noah@access1 ~]$ pkg_info | grep pam
checkpassword-pam-0.99        Implementation of checkpassword authentication program
nagios-spamd-plugin-1.4       Nagios plugin for checking SpamAssassins spamd
p5-Mail-SpamAssassin-3.2.1_1  A highly efficient mail filter for identifying spam
pam_ldap-1.8.2                A pam module for authenticating with LDAP
pam_mkhomedir-0.1             Create HOME with a PAM module on demand
pamtester-0.1.2               A command line pam authentication tester
razor-agents-2.84             A distributed, collaborative, spam detection and filtering

[noah@access1 ~]$ pkg_info | grep ldap
ldapsh-2.00_2,1               Interactive shell used to administer ldap directories
nss_ldap-1.255                RFC 2307 NSS module
openldap-client-2.3.37        Open source LDAP client implementation
openldap-server-2.3.37        Open source LDAP server implementation
p5-perl-ldap-0.34             A Client interface to LDAP servers
pam_ldap-1.8.2                A pam module for authenticating with LDAP
php5-ldap-5.2.3_1             The ldap shared extension for php

[noah@access1 ~]$ pkg_info | grep nss
nss-3.11.7                    Libraries to support development of security-enabled applic
nss_ldap-1.255                RFC 2307 NSS module
openssh-portable-4.6.p1,1     The portable version of OpenBSD's OpenSSH
openssl-0.9.8e_1              SSL and crypto library
php5-openssl-5.2.3_1          The openssl shared extension for php
py25-openssl-0.6              Python interface to the OpenSSL library
[noah@access1 ~]$

access2 files

[noah@access2 ~]$ pkg_info | grep pam
pam_ldap-1.8.2                A pam module for authenticating with LDAP
pam_mkhomedir-0.1             Create HOME with a PAM module on demand
pamtester-0.1.2               A command line pam authentication tester

[noah@access2 ~]$ pkg_info | grep ldap
nss_ldap-1.255                RFC 2307 NSS module
openldap-client-2.3.37        Open source LDAP client implementation
openldap-server-2.3.37        Open source LDAP server implementation
pam_ldap-1.8.2                A pam module for authenticating with LDAP

[noah@access2 ~]$ pkg_info | grep nss
nss_ldap-1.255                RFC 2307 NSS module
openssh-portable-4.6.p1,1     The portable version of OpenBSD's OpenSSH
[noah@access2 ~]$
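The message asks how to get more than "Invalid credentials" out of PAM and pam_ldap. The script below is an added example, not part of the post or of the pam_ldap port: it takes the bind DN out of the quoted /var/log/messages line and the client URI out of an ldap.conf, then lays out the checks that narrow the failure down, each of which uses a tool already installed on both hosts (ldapwhoami from openldap-client, pamtester). It assumes pam_ldap reads /usr/local/etc/ldap.conf, the FreeBSD port default; the ldap.conf contents in the script are constructed for the example and are not the poster's file.

```shell
#!/bin/sh
# Added example (not from the post): reproduce the simple bind that pam_ldap
# performs for sshd outside of PAM, and list the checks to run on access1 and
# access2.  Assumptions: pam_ldap reads /usr/local/etc/ldap.conf (FreeBSD port
# default); the failing DN is the one in the /var/log/messages line quoted above.
set -e

# Pull the bind DN out of a pam_ldap "error trying to bind as user" log line.
bind_dn_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*bind as user "\([^"]*\)".*/\1/p'
}

# Pull the LDAP result text (the parenthesised tail) out of the same line.
bind_error_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*(\([^()]*\))[[:space:]]*$/\1/p'
}

# Read one key (uri, base, binddn, pam_login_attribute, ...) from an
# ldap.conf-style file, case-insensitively; the last occurrence wins.
ldap_conf_get() {
    awk -v k="$1" 'tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                   END { print v }' "$2"
}

# The simple bind pam_ldap does, as an ldapwhoami command you can run by hand.
whoami_cmd() {
    printf 'ldapwhoami -x -H %s -D "%s" -W\n' "$1" "$2"
}

# Constructed input: the log line quoted in the post and a minimal ldap.conf.
SAMPLE_LOG='Aug  9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)'
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed /usr/local/etc/ldap.conf for the example, not the poster's file
host access1
base dc=blah,dc=blah,dc=com
uri ldap://access1/
pam_login_attribute uid
EOF

dn=$(bind_dn_from_log "$SAMPLE_LOG")
uri=$(ldap_conf_get uri "$SAMPLE_CONF")

echo "bind DN from log    : $dn"
echo "LDAP result         : $(bind_error_from_log "$SAMPLE_LOG")"
echo "pam_ldap uri        : $uri"
echo "1. reproduce bind   : $(whoami_cmd "$uri" "$dn")"
echo "2. PAM without sshd : pamtester -v sshd testuser authenticate"
echo "3. compare clients  : ssh access2 cat /usr/local/etc/ldap.conf | diff /usr/local/etc/ldap.conf -"
echo "4. slapd side       : set 'loglevel 256' in slapd.conf, then grep -E 'BIND dn=|RESULT tag=97' in the local4 syslog destination"

# Only contact the directory when asked to:  ./ldapbind-check.sh live
if [ "${1:-}" = live ]; then
    ldapwhoami -x -H "$uri" -D "$dn" -W
fi
```

Step 1 run on access1 and again on access2, with the same DN and password, separates "the directory rejects this bind" from "only pam_ldap on access1 fails". Step 2 takes sshd out of the picture; its first argument is the PAM service name, so it must match the file sshd actually reads under /etc/pam.d (the file shown in the message is /etc/pam.d/ldap, while its comment header still says "sshd"). Step 4 shows what slapd itself saw: with stats logging (loglevel 256) every bind is logged as a BIND line carrying the DN the client sent, followed by a RESULT line whose tag=97 is the BindResponse and whose err=49 is invalidCredentials, so a DN that differs from the one pam_ldap logged, or no BIND line at all, is a client-side problem.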