Date:      Sun, 27 Feb 2011 11:10:06 +0000
From:      krad <kraduk@gmail.com>
To:        Tim Dunphy <bluethundr@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: pam ssh authentication via ldap
Message-ID:  <AANLkTimhm0LkqeD3s_ZoCsk=M3j4gPQAtex1Afh4ZLtE@mail.gmail.com>
In-Reply-To: <AANLkTi=qR1HhTmiEYO16_qFgqdER2h4sUqKjmPT65Zs+@mail.gmail.com>
References:  <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com> <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV+6XOtmonDA5@mail.gmail.com> <AANLkTi=qR1HhTmiEYO16_qFgqdER2h4sUqKjmPT65Zs+@mail.gmail.com>

On 27 February 2011 11:05, krad <kraduk@gmail.com> wrote:
> On 26 February 2011 20:01, Tim Dunphy <bluethundr@gmail.com> wrote:
>> Hey list,
>>
>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>> nsswitch file because I thought they might be helpful in dispensing
>> advice as to what is going on:
>>
>> uri ldap://LBSD2.summitnjhome.com
>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>> bindpw secret
>> scope sub
>> pam_password exop
>> nss_base_passwd dc=summitnjhome,dc=com
>> nss_base_shadow dc=summitnjhome,dc=com
>> nss_base_group  dc=summitnjhome,dc=com
>> nss_base_sudo   dc=summitnjhome,dc=com
>>
>>
>> # nsswitch.conf(5) - name service switch configuration file
>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
>> #
>> passwd: files ldap
>> passwd_compat: files ldap
>> group: files ldap
>> group_compat: nis
>> sudoers: ldap
>> hosts: files dns
>> networks: files
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>>
>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
>>> Hello List!!
>>>
>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>
>>> But at the moment I am attempting to set up pam authentication for ssh
>>> via LDAP and having some difficulty.
>>>
>>> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>>
>>> # PAM configuration for the "sshd" service
>>> #
>>>
>>> # auth
>>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>>> auth            required        pam_ldap.so
>>> #auth           required        pam_unix.so             no_warn try_first_pass
>>>
>>> # account
>>> account         required        pam_nologin.so
>>> #account        required        pam_krb5.so
>>> account         required        pam_login_access.so
>>> account         required        pam_ldap.so
>>> #account        required        pam_unix.so
>>>
>>> # session
>>> #session        optional        pam_ssh.so
>>> session         sufficient      pam_ldap.so
>>> session         required        pam_permit.so
>>>
>>> # password
>>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>>> password        required        pam_ldap.so
>>> #password       required        pam_unix.so             no_warn try_first_pass
>>>
>>>
>>> And if I'm reading the logs correctly LDAP is searching for and
>>> finding the account information when I am making the login attempt:
>>>
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>
>>>
>>> But logins fail every time. Could someone offer an opinion as to what
>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>
>>> Thanks in advance!
>>> Tim
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>
>>
>>
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>
>
>
> these are my files and are from a working setup
>
> # cat /usr/local/etc/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE    dc=XXX,dc=net
> URI     ldap://XXX.net
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
>
> ssl start_tls
> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>
> pam_login_attribute uid
>
> sudoers_base   ou=sudoers,ou=services,dc=XXX,dc=net
> bind_timelimit 1
> timelimit 1
> bind_policy soft
>
> nss_initgroups_ignoreusers root,slapd,krad
>
>
> # ls -l /usr/local/etc/nss_ldap.conf
> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>
> # nsswitch.conf
>
>
> group: cache files ldap [notfound=return]
> passwd: cache files ldap [notfound=return]
>
> these packages are installed
>
> nss_ldap-1.265_4    RFC 2307 NSS module
> openldap-client-2.4.23 Open source LDAP client implementation
> openldap-server-2.4.23 Open source LDAP server implementation
> pam_ldap-1.8.6      A pam module for authenticating with LDAP
>

and my slapd.conf

security ssf=128

TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
#include         /usr/local/etc/openldap/schema/ldapns.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/sudo.schema
logfile /var/log/slapd.log
loglevel stats
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb
database        bdb
directory       /var/db/openldap-data
#index uid pres,eq
index cn,sn,uid pres,eq,sub
index objectClass eq
#index sudoUser
suffix  "dc=XXX,dc=net"
rootdn  "cn=krad,dc=XXX,dc=net"
rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
access to attrs=userPassword
            by self write
            by anonymous auth
            by dn.base="cn=krad,dc=XXX,dc=net" write
            by * none
access to *
            by self write
            by dn.base="cn=krad,dc=XXX,dc=net" write
            by * read

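To make the control-flag semantics of the /etc/pam.d/sshd auth section quoted above concrete, here is an added example (not code from the thread, from FreeBSD or from pam_ldap) that walks such a chain under the rules of pam.conf(5) as OpenPAM applies them, with each module's result supplied by hand. SSHD_AUTH_CHAIN is the posted auth section with its commented-out lines dropped; FALLBACK_AUTH_CHAIN is a hypothetical variant that keeps pam_unix as a local fallback, included only for comparison, since the thread does not say what resolved the original problem.

```python
"""Walk a PAM 'auth' chain under the control-flag rules of pam.conf(5) as
implemented by OpenPAM on FreeBSD, with module results supplied by the
caller.  Added example, not from the thread: it loads no real modules and
simplifies 'optional' to 'result ignored'."""

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"

# The thread's /etc/pam.d/sshd auth section, active lines only.
SSHD_AUTH_CHAIN = [
    ("sufficient", "pam_opie.so"),
    ("requisite",  "pam_opieaccess.so"),
    ("required",   "pam_ldap.so"),
]

# Hypothetical variant (not from the thread): LDAP tried first, the local
# password database kept as a fallback.
FALLBACK_AUTH_CHAIN = [
    ("sufficient", "pam_opie.so"),
    ("requisite",  "pam_opieaccess.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_unix.so"),
]


def run_auth_chain(chain, outcomes):
    """Return PAM_SUCCESS or PAM_AUTH_ERR for `chain`.

    `outcomes` maps a module name to True (the module would return
    PAM_SUCCESS) or False (any failure); modules absent from the dict are
    treated as failing, which is what an unreachable LDAP server or a
    missing local account looks like.  Rules modelled:
      required   - failure remembered, chain continues, result is failure
      requisite  - failure ends the chain at once
      sufficient - success ends the chain with PAM_SUCCESS unless a
                   required/requisite module already failed; failure ignored
      optional   - ignored
    """
    first_failure = None
    for flag, module in chain:
        ok = outcomes.get(module, False)
        if ok:
            if flag == "sufficient" and first_failure is None:
                return SUCCESS
        elif flag == "requisite":
            return AUTH_ERR
        elif flag == "required" and first_failure is None:
            first_failure = AUTH_ERR
    return first_failure or SUCCESS


def compare_ldap_down(user_in_local_db):
    """Outcome of both chains when pam_ldap fails (server down, or no entry
    for the user) and OPIE is not in use for the account."""
    outcomes = {"pam_opieaccess.so": True, "pam_ldap.so": False,
                "pam_unix.so": user_in_local_db}
    return (run_auth_chain(SSHD_AUTH_CHAIN, outcomes),
            run_auth_chain(FALLBACK_AUTH_CHAIN, outcomes))


if __name__ == "__main__":
    print("LDAP up:   ", run_auth_chain(
        SSHD_AUTH_CHAIN, {"pam_opieaccess.so": True, "pam_ldap.so": True}))
    print("LDAP down: ", compare_ldap_down(user_in_local_db=True))
```

With pam_unix commented out, the posted chain has no path to PAM_SUCCESS that does not go through pam_ldap (or an OPIE login), so an LDAP outage locks every ssh password login out, root included; the hypothetical fallback chain shows what changes when a local required module is kept after a sufficient LDAP module.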

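The slapd log quoted above records the NSS lookup and its outcome on separate lines joined only by the conn= and op= numbers, and its SEARCH RESULT line reports nentries=0. The following added example (not code from the thread or from OpenLDAP) pairs those lines programmatically and flags searches that succeeded but matched nothing, which is the first thing to confirm with ldapsearch before touching the PAM stack. The first four sample lines are taken from the posted log, re-joined where the mail client wrapped them; the last two are constructed for contrast and did not appear in the thread.

```python
"""Pair slapd 'stats' SRCH lines with their SEARCH RESULT lines and flag
searches that came back empty.  Added example, not code from the thread."""

import re

SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) deref=\d+ filter="(?P<filter>.*)"\s*$')
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT tag=\d+ '
    r'err=(?P<err>\d+) nentries=(?P<nentries>\d+)')

SAMPLE_LOG = [
    # lines posted in the thread, re-joined onto one line each
    'Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH '
    'base="dc=summitnjhome,dc=com" scope=2 deref=0 '
    'filter="(&(objectClass=posixAccount)(uidNumber=1001))"',
    'Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid '
    'userPassword uidNumber gidNumber cn homeDirectory loginShell gecos '
    'description objectClass',
    'Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT '
    'tag=101 err=0 nentries=0 text=',
    'Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input '
    'error=-2 id=34715, closing.',
    # constructed for contrast: a lookup by uid that finds one entry
    'Feb 26 19:53:10 LBSD2 slapd[54891]: conn=21359 op=1 SRCH '
    'base="dc=summitnjhome,dc=com" scope=2 deref=0 '
    'filter="(&(objectClass=posixAccount)(uid=tim))"',
    'Feb 26 19:53:10 LBSD2 slapd[54891]: conn=21359 op=1 SEARCH RESULT '
    'tag=101 err=0 nentries=1 text=',
]


def pair_searches(lines):
    """Join each SRCH line with its SEARCH RESULT on the (conn, op) key.

    slapd logs the request and the result as separate lines, possibly with
    many other lines in between, so the request is parked in `pending`
    until its result arrives.  Returns a list of dicts in result order.
    """
    pending = {}
    paired = []
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group("conn"), m.group("op"))] = {
                "conn": m.group("conn"),
                "op": m.group("op"),
                "base": m.group("base"),
                "scope": int(m.group("scope")),
                "filter": m.group("filter"),
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            rec = pending.pop((m.group("conn"), m.group("op")), None)
            if rec is None:
                continue  # result for a request logged before our window
            rec["err"] = int(m.group("err"))
            rec["nentries"] = int(m.group("nentries"))
            paired.append(rec)
    return paired


def find_empty_searches(lines):
    """Searches that succeeded (err=0) but matched nothing (nentries=0).

    For an NSS/PAM lookup this means the directory holds no entry matching
    that filter under that base, whatever the PAM stack does afterwards.
    """
    return [r for r in pair_searches(lines)
            if r["err"] == 0 and r["nentries"] == 0]


if __name__ == "__main__":
    for r in find_empty_searches(SAMPLE_LOG):
        print("conn=%s op=%s base=%s filter=%s -> 0 entries"
              % (r["conn"], r["op"], r["base"], r["filter"]))
```

Run against a real slapd log at loglevel stats, the same pairing reports every empty lookup together with the exact base and filter the client sent, so a wrong nss_base_passwd or a missing posixAccount objectClass shows up without having to read the raw conn/op interleaving by eye.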

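The two ldap.conf files in this thread differ in transport: the first talks plain ldap:// and carries a bindpw in the file, while the working one adds ssl start_tls with a tls_cacert, and its slapd enforces security ssf=128. As an added example (not code from the thread, from pam_ldap or from OpenLDAP), here is a small audit of exactly those settings, checked optionally against the server's ssf floor. The embedded configs are trimmed copies of the posted ones; the case-insensitive keyword matching is an assumption of this example (pam_ldap keywords are lower-case, libldap's upper-case, and the working file mixes both).

```python
"""Audit a pam_ldap/nss_ldap-style ldap.conf for transport and credential
hygiene, optionally against the 'security ssf=' floor from slapd.conf.
Added example, not from the thread."""

# Trimmed copies of the two ldap.conf files posted in the thread.
OP_LDAP_CONF = """\
uri ldap://LBSD2.summitnjhome.com
base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd dc=summitnjhome,dc=com
"""

WORKING_LDAP_CONF = """\
# This file should be world readable but not world writable.
BASE    dc=XXX,dc=net
URI     ldap://XXX.net
ssl start_tls
tls_cacert /usr/local/etc/openldap/ssl/cert.crt
pam_login_attribute uid
bind_policy soft
"""

# Trimmed copy of the working slapd.conf's transport lines.
WORKING_SLAPD_CONF = """\
security ssf=128
TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
"""


def parse_kv(text):
    """{lowercased keyword: value} for 'keyword value' lines; '#' comments
    and blank lines are skipped; a repeated keyword keeps the last value.
    Case-insensitive matching is an assumption of this example."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def slapd_min_ssf(slapd_text):
    """Minimum security strength factor slapd enforces ('security ssf=N'),
    or 0 when no floor is configured."""
    for token in parse_kv(slapd_text).get("security", "").split():
        if token.startswith("ssf="):
            return int(token[4:])
    return 0


def audit_ldap_conf(client_text, slapd_text=""):
    """Return a list of findings; an empty list means nothing to report."""
    conf = parse_kv(client_text)
    findings = []
    uri = conf.get("uri", "")
    encrypted = (conf.get("ssl", "").lower() == "start_tls"
                 or uri.lower().startswith("ldaps://"))
    if uri and not encrypted:
        findings.append("cleartext transport: %s without 'ssl start_tls' "
                        "or ldaps://, so the bind password and every user "
                        "password cross the network unencrypted" % uri)
        floor = slapd_min_ssf(slapd_text)
        if floor > 0:
            findings.append("server enforces security ssf=%d; operations "
                            "over this cleartext connection will be "
                            "refused" % floor)
    if encrypted and "tls_cacert" not in conf:
        findings.append("no tls_cacert: the server certificate is not "
                        "verified, so TLS does not stop an active MITM")
    if "bindpw" in conf:
        findings.append("bindpw stored in the file: keep it out of a "
                        "world-readable ldap.conf and give the binddn "
                        "read-only rights")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", OP_LDAP_CONF), ("working", WORKING_LDAP_CONF)):
        print(name, audit_ldap_conf(text, WORKING_SLAPD_CONF) or ["ok"])
```

The working setup needs no binddn at all because its slapd ACL grants `by anonymous auth` on userPassword and `by * read` elsewhere, so nss_ldap reads account data anonymously and pam_ldap verifies the user's password by binding as the user over the TLS session that ssf=128 demands.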