Date:      Wed, 24 May 2006 10:16:15 -0400
From:      Jason Lixfeld <jason+lists.freebsd-questions@lixfeld.ca>
To:        Atom Powers <atom.powers@gmail.com>
Cc:        FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Trouble with nss|pam|openldap
Message-ID:  <71C11F58-32D9-4EBF-B35E-F1730184B706@lixfeld.ca>
In-Reply-To: <df9ac37c0605231748n4e3abbb4he8829f2edfe264dc@mail.gmail.com>
References:  <7DAD87F3-C2BD-4776-A98A-6EFDAD335594@lixfeld.ca> <df9ac37c0605231748n4e3abbb4he8829f2edfe264dc@mail.gmail.com>

On 23-May-06, at 8:48 PM, Atom Powers wrote:

> On 5/23/06, Jason Lixfeld <jason+lists.freebsd-questions@lixfeld.ca> wrote:
>> I'm using openssh-portable and the latest versions of openldap,
>> pam_ldap and nss_ldap.  It appears as though the system is using
> ...
>
> I'm not using ssh-portable, but I have it working with the built-in  
> ssh.

built-in works?  Interesting.  Reason I'm using -portable was because  
I read that the built-in ssh didn't support PAM.

I will try the built-in and see what happens.

> ...
>> user password, even after I enter it in.  I tried putting the
>> pam_ldap lib in the password section of the /etc/pam.d/sshd file, but
>> that was useless too.  Local users can ssh in fine.
>
> The pam.d config would be my first guess. What gets logged to all.log?

I have no all.log currently.  The only thing showing up in messages  
though is:

May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP server - Server is unavailable

That error seems to creep up only when I restart slapd though.

>>
>> I searched through the bugs and it seems there is a bug in nss_ldap
>> with regards to getpwuid, but that seems to be more of an indicator
>> about why finger doesn't work, not why ssh doesn't work
>>
>> # id testuser seems to work, finger doesn't.  Curious.  Anyway, it
>> still appears as though at least some portions of the system are
>> using LDAP, which is good.
>> $ id testuser
>> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
>> $ finger testuser
>> finger: testuser: no such user
>> $
>
> id works because it's using the name service to look up the user (you
> added ldap to your nsswitch.conf, right?)
>
> finger doesn't work because you don't have a /etc/pam.d/finger file.
> Either create one or add pam_ldap to your /etc/pam.d/system file. (I
> always create a new conf file for my ldap enabled apps)

Interesting.  Finger *did* work during some of my first attempts at  
getting this working.  I changed something (I don't recall what) and  
then finger stopped working.

> Here is my /etc/pam.d/sshd file, I use the exact same file for all my
> ldap enabled apps.:
> (if somebody sees a bug in there, or can suggest any improvement, by
> all means let me know.)
> --
>
> # auth
> auth            sufficient      /usr/local/lib/pam_ldap.so
> auth            required        pam_nologin.so          no_warn
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
> auth            required        pam_unix.so             no_warn try_first_pass
>
> # account
> account         sufficient      /usr/local/lib/pam_ldap.so
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_unix.so
>
> # session
> #session        optional        pam_ssh.so
> session         required        pam_permit.so
>
> # password
> #password       sufficient      pam_krb5.so             no_warn try_first_pass
> password        required        pam_unix.so             no_warn try_first_pass

This seems to all work now with built-in ssh.  How strange.

Now, I seem to have hit another snag and a bug (both of which I  
remember reading about in my travels):

$id testuser
id: testuser: no such user
# sudo su
Password:
# id testuser
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
# cd ~testuser
# pwd
/usr/home/testuser
#ssh testuser@localhost
%id testuser
id: testuser: no such user
%pwd
/usr/home/testuser
%ls -al
Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] != NULL), function do_init, file ldap-nss.c, line 1193.
Abort (core dumped)
%

> -- 
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--
>
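An added example, not code from either poster: it checks the two things Atom's reply points at (which PAM management groups stack pam_ldap in a pam.d file, and which nsswitch.conf databases consult ldap) and, for the root-only `id` result Jason shows, whether the nss_ldap configuration file mode lets unprivileged users read it. Input is Atom's posted sshd file and a constructed nsswitch.conf fragment; the function names and the readability check are mine, and the thread itself does not confirm the cause of the root-only lookups.

```python
"""Checks for the nss_ldap / pam_ldap setup discussed in the thread (added example)."""

# Atom's /etc/pam.d/sshd as posted, mailer-wrapped option lines rejoined, commented-out entries dropped.
SSHD_PAM = """\
auth            sufficient      /usr/local/lib/pam_ldap.so
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        pam_unix.so             no_warn try_first_pass
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_login_access.so
account         required        pam_unix.so
session         required        pam_permit.so
password        required        pam_unix.so             no_warn try_first_pass
"""

# Constructed nsswitch.conf fragment: passwd and group fall back to ldap after the flat files.
NSSWITCH = "passwd: files ldap\ngroup: files ldap\nhosts: files dns  # no ldap here\n"

def pam_ldap_groups(pam_text):
    """Return the PAM management groups (auth, account, ...) in which pam_ldap is stacked."""
    groups = set()
    for line in pam_text.splitlines():
        fields = line.split()  # group, control, module path, options...
        if len(fields) >= 3 and not fields[0].startswith("#") and "pam_ldap" in fields[2]:
            groups.add(fields[0])
    return groups

def nss_ldap_databases(nsswitch_text):
    """Return the nsswitch.conf databases whose source list names ldap."""
    found = set()
    for line in nsswitch_text.splitlines():
        db, _, sources = line.split("#", 1)[0].partition(":")  # strip comments first
        if "ldap" in sources.split():
            found.add(db.strip())
    return found

def readable_by_others(mode):
    """True if the other-read bit is set; nss_ldap runs inside unprivileged processes too."""
    return bool(mode & 0o004)

def lookup_checklist(pam_text, nsswitch_text, nss_conf_mode=0o644):
    """List what would stop an LDAP user logging in over ssh and showing up in id(1)."""
    groups, dbs = pam_ldap_groups(pam_text), nss_ldap_databases(nsswitch_text)
    missing = ["pam_ldap not stacked in PAM group %s" % g for g in ("auth", "account") if g not in groups]
    missing += ["nsswitch.conf %s does not consult ldap" % d for d in ("passwd", "group") if d not in dbs]
    if not readable_by_others(nss_conf_mode):  # root-only lookups are the symptom of a 0600 config
        missing.append("nss_ldap config is not readable by unprivileged users")
    return missing
```

Feed `lookup_checklist` the real files and the `st_mode` of the nss_ldap config (on the FreeBSD port, /usr/local/etc/nss_ldap.conf) to get the same report for a live host.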