Date:      Mon, 28 Feb 2011 10:31:54 +0000
From:      krad <kraduk@gmail.com>
To:        Tim Dunphy <bluethundr@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: pam ssh authentication via ldap
Message-ID:  <AANLkTinNTXFSBgKDm-40UbqLt4CAZwmwr=oS-HYTk9XT@mail.gmail.com>
In-Reply-To: <AANLkTinWsw=4nyEFUTspiE_yGhHc7DdyTNYL8KGXrapC@mail.gmail.com>
References:  <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com> <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV+6XOtmonDA5@mail.gmail.com> <AANLkTi=qR1HhTmiEYO16_qFgqdER2h4sUqKjmPT65Zs+@mail.gmail.com> <AANLkTimhm0LkqeD3s_ZoCsk=M3j4gPQAtex1Afh4ZLtE@mail.gmail.com> <AANLkTinWsw=4nyEFUTspiE_yGhHc7DdyTNYL8KGXrapC@mail.gmail.com>

On 28 February 2011 01:06, Tim Dunphy <bluethundr@gmail.com> wrote:
> Hello Krad and thank you for your reply!
>
>
> Well it seems that I am still unable to login to this machine using an
> LDAP account. I have tried applying the configurations you have
> provided and the result doesn't seem to have changed just yet.
>
> Here is my /usr/local/etc/ldap.conf file
>
>
> uri ldap://LBSD2.summitnjhome.com
> base dc=summitnjhome,dc=com
> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw secret
> scope sub
> ssl start tls
> tls_cacert /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
> pam_login_attribute uid
> bind_timelimit 1
> timelimit 1
> bind_policy soft
> pam_password exop
> nss_base_passwd dc=summitnjhome,dc=com
> nss_base_shadow dc=summitnjhome,dc=com
> nss_base_group  dc=summitnjhome,dc=com
> nss_base_sudo   dc=summitnjhome,dc=com
> nss_initgroups_ignoreusers root,slapd
>
>
>
> #ls -l /usr/local/etc/nss_ldap.conf
> lrwxr-xr-x  1 root  wheel  24 Feb 28 00:10
> /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>
>
> #cat /usr/local/etc/nsswitch.conf
> #
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
> kensmith Exp $
> #
> passwd: cache files ldap [notfound=return]
> passwd_compat: files ldap
> group: cache files ldap [notfound = return]
> group_compat: nis
> sudoers: ldap
> hosts: files dns
> networks: files
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> Here is my slapd.conf file:
>
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/openldap.schema
> include         /usr/local/etc/openldap/schema/sudo.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> include         /usr/local/etc/openldap/schema/misc.schema
> include         /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
>
> loglevel        296
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
>
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile  /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.key
> TLSCACertificateFile /usr/local/etc/openldap/certs/gd_bundle.crt
>
> # Load dynamic backend modules:
> modulepath      /usr/local/libexec/openldap
> moduleload      back_bdb
> # moduleload    back_hdb
> # moduleload    back_ldap
>
> # Sample security restrictions
> #       Require integrity protection (prevent hijacking)
> #       Require 112-bit (3DES or better) encryption for updates
> #       Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> #       Root DSE: allow anyone to read it
> #       Subschema (sub)entry DSE: allow anyone to read it
> #       Other DSEs:
> #               Allow self write access
> #               Allow authenticated users read access
> #               Allow anonymous users to authenticate
> #       Directives needed to implement policy:
> # access to dn.base="" by * read
> access to *
>           by read
>
> access to attrs=userPassword by self write
>           by anonymous auth
>
> access to * by self write
>             by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" write
>             by users read
>             by anonymous auth
>
> access to * by self write
>             by users read
>             by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn.  (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # BDB database definitions
> #######################################################################
>
> database        bdb
> suffix          "dc=summitnjhome,dc=com"
> rootdn          "cn=Manager,dc=summitnjhome,dc=com"
> rootpw          {SSHA}secret
>
> # Cleartext passwords, especially for the rootdn, should
> # be avoid.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory       /var/db/summitnjhome.com
> # Indices to maintain
> index   objectClass,uid,uidNumber       eq
> index   sudoUser        eq
>
>
> these are the packages I have installed
>
>
> nss_ldap-1.265_4    RFC 2307 NSS module
> openldap-sasl-client-2.4.23 Open source LDAP client implementation
> with SASL2 support
> openldap-sasl-server-2.4.23 Open source LDAP server implementation
> pam_ldap-1.8.5      A pam module for authenticating with LDAP
>
>
> And this is what happens in the ldap logs after making those changes:
>
>
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH
> base="dc=summitnjhome,dc=com" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uidNumber=1001))"
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
> description objectClass
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     OR
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
> first=106 last=137
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
> first=106 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=106 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=1 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT
> tag=101 err=0 nentries=0 text=
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on:
> Feb 26 19:58:43 LBSD2 slapd[54891]:  425r
> Feb 26 19:58:43 LBSD2 slapd[54891]:
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: read activity on 425
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter_list
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter_list
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
>
> This is what's going on in the secure logs:
>
> Feb 27 19:02:05 LCENT01 su: pam_unix(su-l:session): session opened for
> user root by bluethundr(uid=10001)
>
> And this is my /etc/pam.d/sshd file:
>
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.4.1 2010/06/14 02:09:06
> kensmith Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
> auth            required        pam_ldap.so
> #auth           required        pam_unix.so             no_warn try_first_pass
>
> # account
> account         required        pam_nologin.so
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_ldap.so
> #account        required        pam_unix.so
>
> # session
> #session        optional        pam_ssh.so
> session         sufficient      pam_ldap.so
> session         required        pam_permit.so
>
> # password
> #password       sufficient      pam_krb5.so             no_warn try_first_pass
> password        required        pam_ldap.so
> #password       required        pam_unix.so             no_warn try_first_pass
>
>
> I really appreciate your input Krad and I appreciate any advice anyone may have
>
> thanks
> tim
>
>
> On Sun, Feb 27, 2011 at 6:10 AM, krad <kraduk@gmail.com> wrote:
>> On 27 February 2011 11:05, krad <kraduk@gmail.com> wrote:
>>> On 26 February 2011 20:01, Tim Dunphy <bluethundr@gmail.com> wrote:
>>>> Hey list,
>>>>
>>>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>>>> nsswitch file because I thought they might be helpful in dispensing
>>>> advice as to what is going on:
>>>>
>>>> uri ldap://LBSD2.summitnjhome.com
>>>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>>>> bindpw secret
>>>> scope sub
>>>> pam_password exop
>>>> nss_base_passwd dc=summitnjhome,dc=com
>>>> nss_base_shadow dc=summitnjhome,dc=com
>>>> nss_base_group  dc=summitnjhome,dc=com
>>>> nss_base_sudo   dc=summitnjhome,dc=com
>>>>
>>>>
>>>> # nsswitch.conf(5) - name service switch configuration file
>>>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
>>>> kensmith Exp $
>>>> #
>>>> passwd: files ldap
>>>> passwd_compat: files ldap
>>>> group: files ldap
>>>> group_compat: nis
>>>> sudoers: ldap
>>>> hosts: files dns
>>>> networks: files
>>>> shells: files
>>>> services: compat
>>>> services_compat: nis
>>>> protocols: files
>>>> rpc: files
>>>>
>>>>
>>>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
>>>>> Hello List!!
>>>>>
>>>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>>>
>>>>> But at the moment I am attempting to setup pam authentication for ssh
>>>>> via LDAP and having some difficulty.
>>>>>
>>>>> My /etc/pam.d/sshd file seems to be setup logically and correctly:
>>>>>
>>>>> # PAM configuration for the "sshd" service
>>>>> #
>>>>>
>>>>> # auth
>>>>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>>>>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>>>>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>>>>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>>>>> auth            required        pam_ldap.so
>>>>> #auth           required        pam_unix.so             no_warn try_first_pass
>>>>>
>>>>> # account
>>>>> account         required        pam_nologin.so
>>>>> #account        required        pam_krb5.so
>>>>> account         required        pam_login_access.so
>>>>> account         required        pam_ldap.so
>>>>> #account        required        pam_unix.so
>>>>>
>>>>> # session
>>>>> #session        optional        pam_ssh.so
>>>>> session         sufficient      pam_ldap.so
>>>>> session         required        pam_permit.so
>>>>>
>>>>> # password
>>>>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>>>>> password        required        pam_ldap.so
>>>>> #password       required        pam_unix.so             no_warn try_first_pass
>>>>>
>>>>>
>>>>> And if I'm reading the logs correctly LDAP is searching for and
>>>>> finding the account information when I am making the login attempt:
>>>>>
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
>>>>> base="dc=summitnjhome,dc=com" scope=2 deref=0
>>>>> filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
>>>>> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
>>>>> description objectClass
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
>>>>> first=106 last=137
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
>>>>> first=106 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=106 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=1 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
>>>>> tag=101 err=0 nentries=0 text=
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
>>>>> error=-2 id=34715, closing.
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
>>>>> conn=34715 sd=212 for close
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>>>
>>>>>
>>>>> But logins fail every time. Could someone offer an opinion as to what
>>>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>>>
>>>>> Thanks in advance!
>>>>> Tim
>>>>>
>>>>> --
>>>>> GPG me!!
>>>>>
>>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> GPG me!!
>>>>
>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>> _______________________________________________
>>>> freebsd-questions@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>>
>>>
>>>
>>>
>>> these are my files and are from a working setup
>>>
>>> # cat /usr/local/etc/ldap.conf
>>> #
>>> # LDAP Defaults
>>> #
>>>
>>> # See ldap.conf(5) for details
>>> # This file should be world readable but not world writable.
>>>
>>> BASE    dc=XXX,dc=net
>>> URI     ldap://XXX.net
>>>
>>> #SIZELIMIT      12
>>> #TIMELIMIT      15
>>> #DEREF          never
>>>
>>> ssl start_tls
>>> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>>>
>>> pam_login_attribute uid
>>>
>>> sudoers_base   ou=sudoers,ou=services,dc=XXX,dc=net
>>> bind_timelimit 1
>>> timelimit 1
>>> bind_policy soft
>>>
>>> nss_initgroups_ignoreusers root,slapd,krad
>>>
>>>
>>> # ls -l /usr/local/etc/nss_ldap.conf
>>> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31
>>> /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>>>
>>> # nsswitch.conf
>>>
>>>
>>> group: cache files ldap [notfound=return]
>>> passwd: cache files ldap [notfound=return]
>>>
>>> these packages are installed
>>>
>>> nss_ldap-1.265_4    RFC 2307 NSS module
>>> openldap-client-2.4.23 Open source LDAP client implementation
>>> openldap-server-2.4.23 Open source LDAP server implementation
>>> pam_ldap-1.8.6      A pam module for authenticating with LDAP
>>>
>>
>> and my slapd.conf
>>
>> security ssf=128
>>
>> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
>> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
>> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
>> include         /usr/local/etc/openldap/schema/core.schema
>> include         /usr/local/etc/openldap/schema/cosine.schema
>> include         /usr/local/etc/openldap/schema/inetorgperson.schema
>> include         /usr/local/etc/openldap/schema/nis.schema
>> #include         /usr/local/etc/openldap/schema/ldapns.schema
>> include         /usr/local/etc/openldap/schema/samba.schema
>> include         /usr/local/etc/openldap/schema/sudo.schema
>> logfile /var/log/slapd.log
>> loglevel stats
>> pidfile         /var/run/openldap/slapd.pid
>> argsfile        /var/run/openldap/slapd.args
>> modulepath      /usr/local/libexec/openldap
>> moduleload      back_bdb
>> database        bdb
>> directory       /var/db/openldap-data
>> #index uid pres,eq
>> index cn,sn,uid pres,eq,sub
>> index objectClass eq
>> #index sudoUser
>> suffix  "dc=XXX,dc=net"
>> rootdn  "cn=krad,dc=XXX,dc=net"
>> rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
>> access to attrs=userPassword
>>             by self write
>>             by anonymous auth
>>             by dn.base="cn=krad,dc=XXX,dc=net" write
>>             by * none
>> access to *
>>             by self write
>>             by dn.base="cn=krad,dc=XXX,dc=net" write
>>             by * read
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

haha sorry i completely forgot about the pam files, here is mine. You
definitely need to be explicit with the path of the ldap module: the port
installs it under /usr/local/lib, not alongside the base-system PAM modules,
so a bare `pam_ldap.so` will not be found.

[root@carrera /home/krad]# cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1 2009/08/03 08:13:06 kensmith Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth  		sufficient  	/usr/local/lib/pam_ldap.so  no_warn try_first_pass   ignore_authinfo_unavail
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass
#auth  		sufficient  	/usr/local/lib/pam_ldap.so  no_warn try_first_pass ignore_authinfo_unavail

# account
account		required	pam_nologin.so
#account 	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so
account         required        /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user

# session
#session 	optional	pam_ssh.so
session		required	pam_permit.so
session		required	/usr/local/lib/pam_mkhomedir.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass


