From owner-freebsd-questions@FreeBSD.ORG Fri Oct 1 14:41:33 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C312816A4CF for ; Fri, 1 Oct 2004 14:41:33 +0000 (GMT)
Received: from 9.hellooperator.net (cpc3-cdif2-3-0-cust202.cdif.cable.ntl.com [81.103.32.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id E532543D5F for ; Fri, 1 Oct 2004 14:41:32 +0000 (GMT) (envelope-from rasputin@hellooperator.net)
Received: from rasputin by 9.hellooperator.net with local (Exim 4.42) id 1CDOaG-0006U1-6K; Fri, 01 Oct 2004 15:40:32 +0100
Date: Fri, 1 Oct 2004 15:40:32 +0100
From: Dick Davies
To: Bret Walker
Message-ID: <20041001144031.GF29161@lb.tenfour>
References: <20041001140131.GD29161@lb.tenfour> <00ea01c4a7c2$62661dd0$b1336981@medill.northwestern.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <00ea01c4a7c2$62661dd0$b1336981@medill.northwestern.edu>
User-Agent: Mutt/1.4.2.1i
Sender: Rasputin
cc: FreeBSD Questions
Subject: Re: Pam_ldap
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Dick Davies
List-Id: User questions
X-List-Received-Date: Fri, 01 Oct 2004 14:41:33 -0000

* Bret Walker [1023 15:23]:
> I have ldap.conf in /etc/ and in /usr/local/etc/ldap.conf

The one in /etc isn't doing anything, so get rid of it.
The /usr/local/etc/ldap.conf should be holding the AD stuff (what user to
bind as, etc).

> I am able to log into the console as these users using the local password,
> but not using the ldap password. All of my pam info is in /etc/pam.conf,
> I don't have /etc/pam.d.

Then you're on 4.X right? Shouldn't stop this working.
>
> sshd auth     sufficient pam_skey.so
> sshd auth     sufficient pam_opie.so no_fake_prompts
> sshd auth     sufficient pam_unix.so try_first_pass
> sshd auth     sufficient /usr/local/lib/pam_ldap.so try_first_pass debug
> sshd account  required   pam_unix.so
> sshd password required   pam_permit.so
> sshd session  required   pam_permit.so
>
>
> All I see in the logs are messages saying:
> "error: PAM: User not known to the underlying authentication module"

Right, so sshd is using pam. That's something.
The error could mean several things, one of which is that the user
doesn't exist.

If you look through your ldap.conf, you should have enough info to
pretend to be PAM. Use ldapsearch and try

  ldapsearch -H "ldap://<server>" -D "<binddn>" -W \
      <attribute>=username

and enter the bindpw from ldap.conf.
If you don't get the AD account back, then your ldap.conf is screwed.

> I'm pretty sure the ldap.conf files are correct, because I've followed the
> instructions from several places to the T.

"The nice thing about definitive LDAP howtos is there are so many to
choose from" :)

--
You may need to metaphorically make a deal with the devil. By 'devil' I
mean robot devil and by 'metaphorically' I mean get your coat. - Bender
Rasputin :: Jack of All Trades - Master of Nuns
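A small script that does what the reply above suggests, added here as an example and not part of the original thread: it pulls host/uri, base, binddn and pam_login_attribute out of an ldap.conf (a constructed one in the demo) and prints the ldapsearch that reproduces pam_ldap's bind-and-lookup, prompting for the bind password with -W so bindpw never appears on a command line. The -x and -b flags, the sAMAccountName default and every value in the sample config are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail: read the settings pam_ldap
# would use from an ldap.conf and print the ldapsearch that reproduces
# its bind-and-lookup by hand. Assumptions: a "key value" ldap.conf, and
# sAMAccountName as the login attribute when pam_login_attribute is unset.

# Print the value of key $2 from ldap.conf-style file $1 (first match,
# '#' comment lines ignored, rest of line kept so DNs with spaces survive).
ldapconf_get() {
    awk -v k="$2" '$1 == k {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# Compose (but do not run) the ldapsearch for user $2 from config $1.
# -W prompts for the bind password, so bindpw never lands in ps output.
build_lookup() {
    conf="$1"; user="$2"
    host=$(ldapconf_get "$conf" host)
    uri=$(ldapconf_get "$conf" uri)
    base=$(ldapconf_get "$conf" base)
    binddn=$(ldapconf_get "$conf" binddn)
    attr=$(ldapconf_get "$conf" pam_login_attribute)
    if [ -z "$uri" ] && [ -z "$host" ]; then
        echo "build_lookup: neither host nor uri set in $conf" >&2
        return 1
    fi
    [ -n "$uri" ] || uri="ldap://$host"
    [ -n "$attr" ] || attr="sAMAccountName"   # assumption for AD
    printf 'ldapsearch -x -H "%s" -b "%s" -D "%s" -W "(%s=%s)" dn\n' \
        "$uri" "$base" "$binddn" "$attr" "$user"
}

# Demo on a constructed ldap.conf (values are made up for this example).
demo_lookup() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed /usr/local/etc/ldap.conf
host    dc1.example.test
base    dc=example,dc=test
binddn  cn=pamproxy,cn=Users,dc=example,dc=test
bindpw  not-shown-here
EOF
    build_lookup "$tmp" bwalker
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

If the printed command, run with the bindpw from ldap.conf, returns no dn for the user, the config (host, base, binddn or the login attribute) is what to fix before looking at PAM again.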