Date:      Sun, 27 Feb 2011 11:05:36 +0000
From:      krad <kraduk@gmail.com>
To:        Tim Dunphy <bluethundr@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: pam ssh authentication via ldap
Message-ID:  <AANLkTi=qR1HhTmiEYO16_qFgqdER2h4sUqKjmPT65Zs+@mail.gmail.com>
In-Reply-To: <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV+6XOtmonDA5@mail.gmail.com>
References:  <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com> <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV+6XOtmonDA5@mail.gmail.com>

On 26 February 2011 20:01, Tim Dunphy <bluethundr@gmail.com> wrote:
> Hey list,
>
> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
> nsswitch file because I thought they might be helpful in dispensing
> advice as to what is going on:
>
> uri ldap://LBSD2.summitnjhome.com
> base ou=staff,ou=Group,dc=summitnjhome,dc=com
> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw secret
> scope sub
> pam_password exop
> nss_base_passwd dc=summitnjhome,dc=com
> nss_base_shadow dc=summitnjhome,dc=com
> nss_base_group  dc=summitnjhome,dc=com
> nss_base_sudo   dc=summitnjhome,dc=com
>
>
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
> kensmith Exp $
> #
> passwd: files ldap
> passwd_compat: files ldap
> group: files ldap
> group_compat: nis
> sudoers: ldap
> hosts: files dns
> networks: files
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
>
> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
>> Hello List!!
>>
>> I have an OpenLDAP 2.4 server functioning very nicely that
>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>
>> But at the moment I am attempting to set up pam authentication for ssh
>> via LDAP and having some difficulty.
>>
>> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>
>> # PAM configuration for the "sshd" service
>> #
>>
>> # auth
>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>> auth            required        pam_ldap.so
>> #auth           required        pam_unix.so             no_warn try_first_pass
>>
>> # account
>> account         required        pam_nologin.so
>> #account        required        pam_krb5.so
>> account         required        pam_login_access.so
>> account         required        pam_ldap.so
>> #account        required        pam_unix.so
>>
>> # session
>> #session        optional        pam_ssh.so
>> session         sufficient      pam_ldap.so
>> session         required        pam_permit.so
>>
>> # password
>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>> password        required        pam_ldap.so
>> #password       required        pam_unix.so             no_warn try_first_pass
>>
>>
>> And if I'm reading the logs correctly LDAP is searching for and
>> finding the account information when I am making the login attempt:
>>
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
>> base="dc=summitnjhome,dc=com" scope=2 deref=0
>> filter="(&(objectClass=posixAccount)(uidNumber=1001
>> ))"
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
>> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
>> description objectCla
>> ss
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
>> first=106 last=137
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
>> first=106 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=106 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=1 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
>> tag=101 err=0 nentries=0 text=
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
>> error=-2 id=34715, closing.
>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
>> conn=34715 sd=212 for close
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>
>>
>> But logins fail every time. Could someone offer an opinion as to what
>> may be going on to prevent logging in via pam/sshd and LDAP?
>>
>> Thanks in advance!
>> Tim
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>



these are my files and they are taken from a working setup

# cat /usr/local/etc/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=XXX,dc=net
URI     ldap://XXX.net

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

ssl start_tls
tls_cacert /usr/local/etc/openldap/ssl/cert.crt

pam_login_attribute uid

sudoers_base   ou=sudoers,ou=services,dc=XXX,dc=net
bind_timelimit 1
timelimit 1
bind_policy soft

nss_initgroups_ignoreusers root,slapd,krad


# ls -l /usr/local/etc/nss_ldap.conf
lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31
/usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf

# nsswitch.conf


group: cache files ldap [notfound=return]
passwd: cache files ldap [notfound=return]

these packages are installed

nss_ldap-1.265_4    RFC 2307 NSS module
openldap-client-2.4.23 Open source LDAP client implementation
openldap-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.6      A pam module for authenticating with LDAP


