Date: Sun, 27 Feb 2011 11:10:06 +0000
From: krad <kraduk@gmail.com>
To: Tim Dunphy <bluethundr@gmail.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: pam ssh authentication via ldap
Message-ID: <AANLkTimhm0LkqeD3s_ZoCsk=M3j4gPQAtex1Afh4ZLtE@mail.gmail.com>
In-Reply-To: <AANLkTi=qR1HhTmiEYO16_qFgqdER2h4sUqKjmPT65Zs+@mail.gmail.com>
References: <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com>
 <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV+6XOtmonDA5@mail.gmail.com>
 <AANLkTi=qR1HhTmiEYO16_qFgqdER2h4sUqKjmPT65Zs+@mail.gmail.com>
On 27 February 2011 11:05, krad <kraduk@gmail.com> wrote:
> On 26 February 2011 20:01, Tim Dunphy <bluethundr@gmail.com> wrote:
>> Hey list,
>>
>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>> nsswitch file because I thought they might be helpful in dispensing
>> advice as to what is going on:
>>
>> uri ldap://LBSD2.summitnjhome.com
>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>> bindpw secret
>> scope sub
>> pam_password exop
>> nss_base_passwd dc=summitnjhome,dc=com
>> nss_base_shadow dc=summitnjhome,dc=com
>> nss_base_group  dc=summitnjhome,dc=com
>> nss_base_sudo   dc=summitnjhome,dc=com
>>
>>
>> # nsswitch.conf(5) - name service switch configuration file
>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
>> #
>> passwd: files ldap
>> passwd_compat: files ldap
>> group: files ldap
>> group_compat: nis
>> sudoers: ldap
>> hosts: files dns
>> networks: files
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>>
>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
>>> Hello List!!
>>>
>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>
>>> But at the moment I am attempting to setup pam authentication for ssh
>>> via LDAP and having some difficulty.
>>>
>>> My /etc/pam.d/sshd file seems to be setup logically and correctly:
>>>
>>> # PAM configuration for the "sshd" service
>>> #
>>>
>>> # auth
>>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>>> auth            required        pam_ldap.so
>>> #auth           required        pam_unix.so             no_warn try_first_pass
>>>
>>> # account
>>> account         required        pam_nologin.so
>>> #account        required        pam_krb5.so
>>> account         required        pam_login_access.so
>>> account         required        pam_ldap.so
>>> #account        required        pam_unix.so
>>>
>>> # session
>>> #session        optional        pam_ssh.so
>>> session         sufficient      pam_ldap.so
>>> session         required        pam_permit.so
>>>
>>> # password
>>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>>> password        required        pam_ldap.so
>>> #password       required        pam_unix.so             no_warn try_first_pass
>>>
>>>
>>> And if I'm reading the logs correctly LDAP is searching for and
>>> finding the account information when I am making the login attempt:
>>>
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>
>>>
>>> But logins fail every time. Could someone offer an opinion as to what
>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>
>>> Thanks in advance!
>>> Tim
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>
>>
>>
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>
>
>
> These are my files and are from a working setup.
>
> # cat /usr/local/etc/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE    dc=XXX,dc=net
> URI     ldap://XXX.net
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
>
> ssl start_tls
> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>
> pam_login_attribute uid
>
> sudoers_base   ou=sudoers,ou=services,dc=XXX,dc=net
> bind_timelimit 1
> timelimit 1
> bind_policy soft
>
> nss_initgroups_ignoreusers root,slapd,krad
>
>
> # ls -l /usr/local/etc/nss_ldap.conf
> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>
> # nsswitch.conf
>
>
> group: cache files ldap [notfound=return]
> passwd: cache files ldap [notfound=return]
>
> These packages are installed:
>
> nss_ldap-1.265_4       RFC 2307 NSS module
> openldap-client-2.4.23 Open source LDAP client implementation
> openldap-server-2.4.23 Open source LDAP server implementation
> pam_ldap-1.8.6         A pam module for authenticating with LDAP
>

And my slapd.conf:

security ssf=128
TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
#include /usr/local/etc/openldap/schema/ldapns.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/sudo.schema

logfile /var/log/slapd.log
loglevel stats
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/local/libexec/openldap
moduleload back_bdb

database bdb
directory /var/db/openldap-data

#index uid pres,eq
index cn,sn,uid pres,eq,sub
index objectClass eq
#index sudoUser

suffix "dc=XXX,dc=net"
rootdn "cn=krad,dc=XXX,dc=net"
rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa

access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=krad,dc=XXX,dc=net" write
    by * none

access to *
    by self write
    by dn.base="cn=krad,dc=XXX,dc=net" write
    by * read
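A check worth running on the slapd "stats" output quoted above, as an added example that is not part of this thread or of the OpenLDAP, nss_ldap or pam_ldap projects: each request logged as "conn=N op=M SRCH ..." or "BIND ..." is closed by a "SEARCH RESULT"/"RESULT" line with the same conn/op pair, and that closing line is where the outcome lives. err=0 nentries=0 on a SEARCH RESULT means the directory accepted the query and matched nothing; err=49 on a bind RESULT is invalidCredentials. The script below correlates the two lines per (conn, op) and reports empty or failed searches and rejected binds. The log lines embedded in it are constructed: conn/op numbers, base and filter are copied from the thread, while the BIND lines and the second search are invented so every branch is exercised; each record is on one line, since the mail client re-wrapped the posted copy.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the "loglevel stats" lines posted in the
# thread. The uidNumber search and its empty result are copied from it; the
# BIND lines and the uid=tim search are invented to exercise every branch.
SAMPLE_LOG = """\
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22121 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22121 RESULT tag=97 err=0 text=
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:53:10 LBSD2 slapd[54891]: conn=21358 op=22123 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=tim))"
Feb 26 19:53:10 LBSD2 slapd[54891]: conn=21358 op=22123 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 26 19:53:11 LBSD2 slapd[54891]: conn=21359 op=0 BIND dn="uid=tim,ou=People,dc=summitnjhome,dc=com" method=128
Feb 26 19:53:11 LBSD2 slapd[54891]: conn=21359 op=0 RESULT tag=97 err=49 text=
"""

OP_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$")
SRCH_RE = re.compile(r'^SRCH base="([^"]*)" scope=(\d) deref=\d+ filter="(.*)"$')
SEARCH_RESULT_RE = re.compile(r"^SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")
BIND_RE = re.compile(r'^BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"^RESULT tag=\d+ err=(\d+)")

Op = Dict[str, object]


def parse_ops(log: str) -> Dict[Tuple[int, int], Op]:
    """Group stats lines by (conn, op) so a request meets its RESULT line."""
    ops: Dict[Tuple[int, int], Op] = {}
    for line in log.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # "daemon:" and "bdb_*" debug lines carry no conn/op prefix
        key = (int(m.group(1)), int(m.group(2)))
        rest = m.group(3)
        op = ops.setdefault(key, {})
        s = SRCH_RE.match(rest)
        if s:
            op.update(kind="SRCH", base=s.group(1), scope=int(s.group(2)), filter=s.group(3))
            continue
        r = SEARCH_RESULT_RE.match(rest)
        if r:
            op.update(err=int(r.group(1)), nentries=int(r.group(2)))
            continue
        b = BIND_RE.match(rest)
        if b:
            op.update(kind="BIND", dn=b.group(1), method=int(b.group(2)))
            continue
        r = RESULT_RE.match(rest)
        if r:
            op["err"] = int(r.group(1))
        # "SRCH attr=..." (requested attribute list) needs no handling here
    return ops


def findings(log: str) -> List[str]:
    """Report searches that matched nothing or failed, and rejected binds."""
    out: List[str] = []
    for (conn, opnum), op in sorted(parse_ops(log).items()):
        where = f"conn={conn} op={opnum}"
        kind = op.get("kind")
        err = op.get("err")
        if kind == "SRCH":
            if err is None:
                out.append(f"{where}: search has no SEARCH RESULT line (connection dropped?)")
            elif err != 0:
                out.append(f"{where}: search failed err={err} filter={op['filter']}")
            elif op.get("nentries") == 0:
                out.append(f"{where}: search matched no entry under {op['base']} filter={op['filter']}")
        elif kind == "BIND":
            if err == 49:
                out.append(f"{where}: bind as {op['dn']} rejected (err=49 invalidCredentials)")
            elif err not in (None, 0):
                out.append(f"{where}: bind as {op['dn']} failed err={err}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Feed it a real /var/log/slapd.log written with "loglevel stats" (the level krad's slapd.conf uses); the "bdb_*" and "daemon:" lines that appear under higher log levels are ignored. A search with nentries=0 for a filter nss_ldap or pam_ldap generated is the first place to look when logins fail with no error on the server side, because the client got a clean but empty answer.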
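The two ldap.conf files in this thread differ in a way that matters beyond getting logins to work: the first one carries "bindpw secret" and talks plain ldap://, the second has "ssl start_tls" with a tls_cacert and no bind password at all. As krad's own comment says, nss_ldap needs the file to be world readable, because it runs inside every process that resolves a user or group, so a bindpw placed there is readable by every local user. The linter below, an added example that is not code from this thread or from the pam_ldap/nss_ldap projects, applies those checks to both configurations. The configuration strings are constructed from the thread (trimmed to the directives examined); the 0o644 default for the file mode is an assumption standing in for the world-readable file nss_ldap requires.

```python
import stat
from typing import Dict, List

# Constructed from the two ldap.conf files posted in the thread, trimmed to
# the directives the checks below look at.
CONF_WITHOUT_TLS = """\
uri ldap://LBSD2.summitnjhome.com
base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd dc=summitnjhome,dc=com
"""

CONF_WITH_TLS = """\
# This file should be world readable but not world writable.
BASE    dc=XXX,dc=net
URI     ldap://XXX.net
ssl start_tls
tls_cacert /usr/local/etc/openldap/ssl/cert.crt
pam_login_attribute uid
bind_policy soft
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """One 'keyword value' per line, '#' comments, keywords case-insensitive."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text: str, mode: int = 0o644) -> List[str]:
    """Return the weaknesses found; an empty list means none of them applies.

    mode: permission bits of the file (assumed 0644, the world-readable file
    nss_ldap needs, unless the caller passes the real st_mode bits).
    """
    c = parse_ldap_conf(text)
    issues: List[str] = []
    uri = c.get("uri", "").lower()
    local_socket = uri.startswith("ldapi://")        # unix socket, no network
    tls = uri.startswith("ldaps://") or c.get("ssl", "").lower() in ("start_tls", "on")
    if not tls and not local_socket:
        issues.append("no TLS: simple binds and 'pam_password exop' send passwords "
                      "in clear; set 'ssl start_tls' or use an ldaps:// URI")
    # both spellings of the CA directive are seen in ldap.conf files
    if tls and not local_socket and not ({"tls_cacert", "tls_cacertfile"} & c.keys()):
        issues.append("TLS without tls_cacert: no trust anchor to verify the "
                      "server certificate against")
    if "bindpw" in c and mode & stat.S_IROTH:
        issues.append("bindpw in a world-readable file: every local user can read "
                      "the service account password; use rootbinddn with the "
                      "mode-0600 ldap.secret file instead")
    return issues


if __name__ == "__main__":
    for name, conf in (("without TLS", CONF_WITHOUT_TLS), ("with TLS", CONF_WITH_TLS)):
        print(name, "->", audit_ldap_conf(conf) or "clean")
```

To audit a live file, pass its text and `os.stat(path).st_mode` as mode. The rootbinddn mechanism keeps the password in a separate secret file readable only by root (its path depends on how pam_ldap/nss_ldap were built), so lookups by unprivileged processes bind anonymously and the ACL on the server, like krad's "by anonymous auth ... by * none" on userPassword, decides what they may see.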
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTimhm0LkqeD3s_ZoCsk=M3j4gPQAtex1Afh4ZLtE>