Date:      Sun, 27 Feb 2011 20:06:19 -0500
From:      Tim Dunphy <bluethundr@gmail.com>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: pam ssh authentication via ldap
Message-ID:  <AANLkTinWsw=4nyEFUTspiE_yGhHc7DdyTNYL8KGXrapC@mail.gmail.com>
In-Reply-To: <AANLkTimhm0LkqeD3s_ZoCsk=M3j4gPQAtex1Afh4ZLtE@mail.gmail.com>
References:  <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com> <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV+6XOtmonDA5@mail.gmail.com> <AANLkTi=qR1HhTmiEYO16_qFgqdER2h4sUqKjmPT65Zs+@mail.gmail.com> <AANLkTimhm0LkqeD3s_ZoCsk=M3j4gPQAtex1Afh4ZLtE@mail.gmail.com>

Hello Krad and thank you for your reply!


Well it seems that I am still unable to login to this machine using an
LDAP account. I have tried applying the configurations you have
provided and the result doesn't seem to have changed just yet.

 Here is my /usr/local/etc/ldap.conf file


uri ldap://LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
ssl start tls
tls_cacert /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
pam_login_attribute uid
bind_timelimit 1
timelimit 1
bind_policy soft
pam_password exop
nss_base_passwd dc=summitnjhome,dc=com
nss_base_shadow dc=summitnjhome,dc=com
nss_base_group  dc=summitnjhome,dc=com
nss_base_sudo   dc=summitnjhome,dc=com
nss_initgroups_ignoreusers root,slapd



 #ls -l /usr/local/etc/nss_ldap.conf
lrwxr-xr-x  1 root  wheel  24 Feb 28 00:10
/usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf


#cat /usr/local/etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
kensmith Exp $
#
passwd: cache files ldap [notfound=return]
passwd_compat: files ldap
group: cache files ldap [notfound = return]
group_compat: nis
sudoers: ldap
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Here is my slapd.conf file:


#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/sudo.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

loglevel        296
pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile  /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.key
TLSCACertificateFile /usr/local/etc/openldap/certs/gd_bundle.crt

# Load dynamic backend modules:
modulepath	/usr/local/libexec/openldap
moduleload	back_bdb
# moduleload	back_hdb
# moduleload	back_ldap

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
access to *
	  by read

access to attrs=userPassword by self write
          by anonymous auth

access to * by self write
            by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com"
write
            by users read
            by anonymous auth

access to * by self write
            by users read
            by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database	bdb
suffix		"dc=summitnjhome,dc=com"
rootdn		"cn=Manager,dc=summitnjhome,dc=com"
rootpw          {SSHA}secret

# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/var/db/summitnjhome.com
# Indices to maintain
index	objectClass,uid,uidNumber	eq
index   sudoUser        eq


these are the packages I have installed


nss_ldap-1.265_4    RFC 2307 NSS module
openldap-sasl-client-2.4.23 Open source LDAP client implementation
with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.5      A pam module for authenticating with LDAP


And this is what happens in the ldap logs after making those changes:


Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH
base="dc=summitnjhome,dc=com" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: 	AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: 	OR
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: 	EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: 	AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: 	EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
first=106 last=137
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: 	EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on:
Feb 26 19:58:43 LBSD2 slapd[54891]:  425r
Feb 26 19:58:43 LBSD2 slapd[54891]:
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: read activity on 425
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: AND
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0

This is what's going on in the secure logs:

Feb 27 19:02:05 LCENT01 su: pam_unix(su-l:session): session opened for
user root by bluethundr(uid=10001)

And this is my /etc/pam.d/sshd file:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.4.1 2010/06/14 02:09:06
kensmith Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth            required        pam_ldap.so
#auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account 	required	pam_krb5.so
account		required	pam_login_access.so
account         required        pam_ldap.so
#account	required	pam_unix.so

# session
#session 	optional	pam_ssh.so
session         sufficient      pam_ldap.so
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password        required        pam_ldap.so
#password	required	pam_unix.so		no_warn try_first_pass


I really appreciate your input Krad and I appreciate any advice anyone may have

thanks
tim


On Sun, Feb 27, 2011 at 6:10 AM, krad <kraduk@gmail.com> wrote:
> On 27 February 2011 11:05, krad <kraduk@gmail.com> wrote:
>> On 26 February 2011 20:01, Tim Dunphy <bluethundr@gmail.com> wrote:
>>> Hey list,
>>>
>>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>>> nsswitch file because I thought they might be helpful in dispensing
>>> advice as to what is going on:
>>>
>>> uri ldap://LBSD2.summitnjhome.com
>>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>>> bindpw secret
>>> scope sub
>>> pam_password exop
>>> nss_base_passwd dc=summitnjhome,dc=com
>>> nss_base_shadow dc=summitnjhome,dc=com
>>> nss_base_group  dc=summitnjhome,dc=com
>>> nss_base_sudo   dc=summitnjhome,dc=com
>>>
>>>
>>> # nsswitch.conf(5) - name service switch configuration file
>>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
>>> kensmith Exp $
>>> #
>>> passwd: files ldap
>>> passwd_compat: files ldap
>>> group: files ldap
>>> group_compat: nis
>>> sudoers: ldap
>>> hosts: files dns
>>> networks: files
>>> shells: files
>>> services: compat
>>> services_compat: nis
>>> protocols: files
>>> rpc: files
>>>
>>>
>>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
>>>> Hello List!!
>>>>
>>>>  I have an OpenLDAP 2.4 server functioning very nicely that
>>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>>
>>>>  But at the moment I am attempting to setup pam authentication for ssh
>>>> via LDAP and having some difficulty.
>>>>
>>>>  My /etc/pam.d/sshd file seems to be setup logically and correctly:
>>>>
>>>> # PAM configuration for the "sshd" service
>>>> #
>>>>
>>>> # auth
>>>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>>>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>>>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>>>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>>>> auth            required        pam_ldap.so
>>>> #auth           required        pam_unix.so             no_warn try_first_pass
>>>>
>>>> # account
>>>> account         required        pam_nologin.so
>>>> #account        required        pam_krb5.so
>>>> account         required        pam_login_access.so
>>>> account         required        pam_ldap.so
>>>> #account        required        pam_unix.so
>>>>
>>>> # session
>>>> #session        optional        pam_ssh.so
>>>> session         sufficient      pam_ldap.so
>>>> session         required        pam_permit.so
>>>>
>>>> # password
>>>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>>>> password        required        pam_ldap.so
>>>> #password       required        pam_unix.so             no_warn try_first_pass
>>>>
>>>>
>>>> And if I'm reading the logs correctly LDAP is searching for and
>>>> finding the account information when I am making the login attempt:
>>>>
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
>>>> base="dc=summitnjhome,dc=com" scope=2 deref=0
>>>> filter="(&(objectClass=posixAccount)(uidNumber=1001
>>>> ))"
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
>>>> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
>>>> description objectCla
>>>> ss
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
>>>> first=106 last=137
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
>>>> first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>> first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
>>>> tag=101 err=0 nentries=0 text=
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
>>>> error=-2 id=34715, closing.
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
>>>> conn=34715 sd=212 for close
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>> active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>>
>>>>
>>>> But logins fail every time. Could someone offer an opinion as to what
>>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>>
>>>> Thanks in advance!
>>>> Tim
>>>>
>>>> --
>>>> GPG me!!
>>>>
>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>
>>>
>>>
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>
>>
>>
>>
>> these are my files and are from a working setup
>>
>> # cat /usr/local/etc/ldap.conf
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> BASE    dc=XXX,dc=net
>> URI     ldap://XXX.net
>>
>> #SIZELIMIT      12
>> #TIMELIMIT      15
>> #DEREF          never
>>
>> ssl start_tls
>> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>>
>> pam_login_attribute uid
>>
>> sudoers_base   ou=sudoers,ou=services,dc=XXX,dc=net
>> bind_timelimit 1
>> timelimit 1
>> bind_policy soft
>>
>> nss_initgroups_ignoreusers root,slapd,krad
>>
>>
>> # ls -l /usr/local/etc/nss_ldap.conf
>> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31
>> /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>>
>> # nsswitch.conf
>>
>>
>> group: cache files ldap [notfound=return]
>> passwd: cache files ldap [notfound=return]
>>
>> these packages are installs
>>
>> nss_ldap-1.265_4    RFC 2307 NSS module
>> openldap-client-2.4.23 Open source LDAP client implementation
>> openldap-server-2.4.23 Open source LDAP server implementation
>> pam_ldap-1.8.6      A pam module for authenticating with LDAP
>>
>
> and my slapd.conf
>
> security ssf=128
>
> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> #include         /usr/local/etc/openldap/schema/ldapns.schema
> include         /usr/local/etc/openldap/schema/samba.schema
> include         /usr/local/etc/openldap/schema/sudo.schema
> logfile /var/log/slapd.log
> loglevel stats
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> modulepath      /usr/local/libexec/openldap
> moduleload      back_bdb
> database        bdb
> directory       /var/db/openldap-data
> #index uid pres,eq
> index cn,sn,uid pres,eq,sub
> index objectClass eq
> #index sudoUser
> suffix  "dc=XXX,dc=net"
> rootdn  "cn=krad,dc=XXX,dc=net"
> rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
> access to attrs=userPassword
>             by self write
>             by anonymous auth
>             by dn.base="cn=krad,dc=XXX,dc=net" write
>             by * none
> access to *
>             by self write
>             by dn.base="cn=krad,dc=XXX,dc=net" write
>             by * read
>



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


