Date: Sun, 27 Feb 2011 20:06:19 -0500
From: Tim Dunphy <bluethundr@gmail.com>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: pam ssh authentication via ldap
Message-ID: <AANLkTinWsw=4nyEFUTspiE_yGhHc7DdyTNYL8KGXrapC@mail.gmail.com>
In-Reply-To: <AANLkTimhm0LkqeD3s_ZoCsk=M3j4gPQAtex1Afh4ZLtE@mail.gmail.com>
References: <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com>
 <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV+6XOtmonDA5@mail.gmail.com>
 <AANLkTi=qR1HhTmiEYO16_qFgqdER2h4sUqKjmPT65Zs+@mail.gmail.com>
 <AANLkTimhm0LkqeD3s_ZoCsk=M3j4gPQAtex1Afh4ZLtE@mail.gmail.com>
Hello Krad and thank you for your reply!

Well it seems that I am still unable to log in to this machine using an LDAP account. I have tried applying the configurations you have provided and the result doesn't seem to have changed just yet.

Here is my /usr/local/etc/ldap.conf file:

uri ldap://LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
ssl start tls
tls_cacert /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
pam_login_attribute uid
bind_timelimit 1
timelimit 1
bind_policy soft
pam_password exop
nss_base_passwd dc=summitnjhome,dc=com
nss_base_shadow dc=summitnjhome,dc=com
nss_base_group dc=summitnjhome,dc=com
nss_base_sudo dc=summitnjhome,dc=com
nss_initgroups_ignoreusers root,slapd

#ls -l /usr/local/etc/nss_ldap.conf
lrwxr-xr-x  1 root  wheel  24 Feb 28 00:10 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf

#cat /usr/local/etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
passwd: cache files ldap [notfound=return]
passwd_compat: files ldap
group: cache files ldap [notfound = return]
group_compat: nis
sudoers: ldap
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Here is my slapd.conf file:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

loglevel 296
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.key
TLSCACertificateFile /usr/local/etc/openldap/certs/gd_bundle.crt

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_hdb
# moduleload back_ldap

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
access to * by read
access to attrs=userPassword
	by self write
	by anonymous auth
access to *
	by self write
	by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" write
	by users read
	by anonymous auth
access to *
	by self write
	by users read
	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=summitnjhome,dc=com"
rootdn "cn=Manager,dc=summitnjhome,dc=com"
rootpw {SSHA}secret
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/summitnjhome.com
# Indices to maintain
index objectClass,uid,uidNumber eq
index sudoUser eq

These are the packages I have installed:

nss_ldap-1.265_4            RFC 2307 NSS module
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.5              A pam module for authenticating with LDAP

And this is what happens in the ldap logs after making those changes:

Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     OR
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on:
Feb 26 19:58:43 LBSD2 slapd[54891]:  425r
Feb 26 19:58:43 LBSD2 slapd[54891]:
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: read activity on 425
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]:     AND
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0

This is what's going on in the secure logs:

Feb 27 19:02:05 LCENT01 su: pam_unix(su-l:session): session opened for user root by bluethundr(uid=10001)

And this is my /etc/pam.d/sshd file:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_ldap.so
#auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_ldap.so
#account	required	pam_unix.so

# session
#session	optional	pam_ssh.so
session		sufficient	pam_ldap.so
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_ldap.so
#password	required	pam_unix.so		no_warn try_first_pass

I really appreciate your input Krad and I appreciate any advice anyone may have.

thanks
tim

On Sun, Feb 27, 2011 at 6:10 AM, krad <kraduk@gmail.com> wrote:
> On 27 February 2011 11:05, krad <kraduk@gmail.com> wrote:
>> On 26 February 2011 20:01, Tim Dunphy <bluethundr@gmail.com> wrote:
>>> Hey list,
>>>
>>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>>> nsswitch file because I thought they might be helpful in dispensing
>>> advice as to what is going on:
>>>
>>> uri ldap://LBSD2.summitnjhome.com
>>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>>> bindpw secret
>>> scope sub
>>> pam_password exop
>>> nss_base_passwd dc=summitnjhome,dc=com
>>> nss_base_shadow dc=summitnjhome,dc=com
>>> nss_base_group  dc=summitnjhome,dc=com
>>> nss_base_sudo   dc=summitnjhome,dc=com
>>>
>>>
>>> # nsswitch.conf(5) - name service switch configuration file
>>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
>>> #
>>> passwd: files ldap
>>> passwd_compat: files ldap
>>> group: files ldap
>>> group_compat: nis
>>> sudoers: ldap
>>> hosts: files dns
>>> networks: files
>>> shells: files
>>> services: compat
>>> services_compat: nis
>>> protocols: files
>>> rpc: files
>>>
>>>
>>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
>>>> Hello List!!
>>>>
>>>>  I have an OpenLDAP 2.4 server functioning very nicely that
>>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>>
>>>>  But at the moment I am attempting to setup pam authentication for ssh
>>>> via LDAP and having some difficulty.
>>>>
>>>>  My /etc/pam.d/sshd file seems to be setup logically and correctly:
>>>>
>>>> # PAM configuration for the "sshd" service
>>>> #
>>>>
>>>> # auth
>>>> auth		sufficient	pam_opie.so		no_warn no_fake_prompts
>>>> auth		requisite	pam_opieaccess.so	no_warn allow_local
>>>> #auth		sufficient	pam_krb5.so		no_warn try_first_pass
>>>> #auth		sufficient	pam_ssh.so		no_warn try_first_pass
>>>> auth		required	pam_ldap.so
>>>> #auth		required	pam_unix.so		no_warn try_first_pass
>>>>
>>>> # account
>>>> account		required	pam_nologin.so
>>>> #account	required	pam_krb5.so
>>>> account		required	pam_login_access.so
>>>> account		required	pam_ldap.so
>>>> #account	required	pam_unix.so
>>>>
>>>> # session
>>>> #session	optional	pam_ssh.so
>>>> session		sufficient	pam_ldap.so
>>>> session		required	pam_permit.so
>>>>
>>>> # password
>>>> #password	sufficient	pam_krb5.so		no_warn try_first_pass
>>>> password	required	pam_ldap.so
>>>> #password	required	pam_unix.so		no_warn try_first_pass
>>>>
>>>>
>>>> And if I'm reading the logs correctly LDAP is searching for and
>>>> finding the account information when I am making the login attempt:
>>>>
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>>
>>>>
>>>> But logins fail every time. Could someone offer an opinion as to what
>>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>>
>>>> Thanks in advance!
>>>> Tim
>>>>
>>>> --
>>>> GPG me!!
>>>>
>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>
>>>
>>>
>>>
>>> --
>>> GPG me!!
>>>
>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>
>>
>>
>>
>> these are my files and are from a working setup
>>
>> # cat /usr/local/etc/ldap.conf
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> BASE    dc=XXX,dc=net
>> URI     ldap://XXX.net
>>
>> #SIZELIMIT      12
>> #TIMELIMIT      15
>> #DEREF          never
>>
>> ssl start_tls
>> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>>
>> pam_login_attribute uid
>>
>> sudoers_base   ou=sudoers,ou=services,dc=XXX,dc=net
>> bind_timelimit 1
>> timelimit 1
>> bind_policy soft
>>
>> nss_initgroups_ignoreusers root,slapd,krad
>>
>>
>> # ls -l /usr/local/etc/nss_ldap.conf
>> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>>
>> # nsswitch.conf
>>
>>
>> group: cache files ldap [notfound=return]
>> passwd: cache files ldap [notfound=return]
>>
>> these packages are installed
>>
>> nss_ldap-1.265_4       RFC 2307 NSS module
>> openldap-client-2.4.23 Open source LDAP client implementation
>> openldap-server-2.4.23 Open source LDAP server implementation
>> pam_ldap-1.8.6         A pam module for authenticating with LDAP
>>
>
> and my slapd.conf
>
> security ssf=128
>
> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> #include        /usr/local/etc/openldap/schema/ldapns.schema
> include         /usr/local/etc/openldap/schema/samba.schema
> include         /usr/local/etc/openldap/schema/sudo.schema
> logfile /var/log/slapd.log
> loglevel stats
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> modulepath      /usr/local/libexec/openldap
> moduleload      back_bdb
> database        bdb
> directory       /var/db/openldap-data
> #index uid pres,eq
> index cn,sn,uid pres,eq,sub
> index objectClass eq
> #index sudoUser
> suffix  "dc=XXX,dc=net"
> rootdn  "cn=krad,dc=XXX,dc=net"
> rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
> access to attrs=userPassword
>            by self write
>            by anonymous auth
>            by dn.base="cn=krad,dc=XXX,dc=net" write
>            by * none
> access to *
>            by self write
>            by dn.base="cn=krad,dc=XXX,dc=net" write
>            by * read
>

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
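Worked example of the ACL ordering that krad's slapd.conf relies on. This is an added illustration, not code from the thread: a small Python model of how slapd.access(5) arrives at an access level (the first `access to` clause whose target matches the entry or attribute wins, then the first `by` clause whose who-part matches the requester; an unmatched `by` list or an unmatched target means none). It is loaded with krad's two clauses exactly as posted, and with the same two clauses in reversed order, to show that a catch-all `access to * ... by * read` placed ahead of the `attrs=userPassword` clause shadows it and lets any bind, anonymous included, read password hashes. The entries uid=alice and uid=bob are constructed for the example and do not appear in the thread; rootdn bypass, `security ssf=`, `filter=` targets and the set/regex who-forms are deliberately not modelled.

```python
"""Simplified model of slapd.access(5): added example, not code from the thread.
First 'access to' clause whose <what> matches wins; within it the first 'by' whose
<who> matches the requester fixes the level.  Only the forms used in the posted
slapd.conf files are modelled; rootdn bypass, ssf= and filter= are not."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access levels in increasing order of privilege; a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def allows(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class Rule:
    target: str                    # "*", "attrs=a,b", 'dn.base="..."', 'dn.children="..."'
    by: List[Tuple[str, str]]      # ordered (<who>, <level>) pairs


def norm_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lower-case, no blanks around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def is_child(dn: str, base: str) -> bool:
    dn, base = norm_dn(dn), norm_dn(base)
    return dn != base and dn.endswith("," + base)


def target_matches(target: str, entry_dn: str, attr: Optional[str]) -> bool:
    if target == "*":
        return True
    if target.startswith("attrs="):
        wanted = [a.strip().lower() for a in target[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in wanted
    if target.startswith("dn.base="):
        return norm_dn(entry_dn) == norm_dn(target[len("dn.base="):].strip('"'))
    if target.startswith("dn.children="):
        return is_child(entry_dn, target[len("dn.children="):].strip('"'))
    raise ValueError("unsupported <what>: " + target)


def who_matches(who: str, requester_dn: Optional[str], entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if requester_dn is None:       # every remaining <who> needs a bound identity
        return False
    if who == "users":
        return True
    if who == "self":
        return norm_dn(requester_dn) == norm_dn(entry_dn)
    if who.startswith("dn.base="):
        return norm_dn(requester_dn) == norm_dn(who[len("dn.base="):].strip('"'))
    if who.startswith("dn.children="):
        return is_child(requester_dn, who[len("dn.children="):].strip('"'))
    raise ValueError("unsupported <who>: " + who)


def evaluate(rules: List[Rule], requester_dn: Optional[str], entry_dn: str,
             attr: Optional[str] = None) -> Tuple[str, int, str]:
    """Return (level, rule_index, who) for the requester's access to attr of entry_dn
    (attr=None is the entry itself); rule_index is -1 if no <what> matched."""
    for i, rule in enumerate(rules):
        if target_matches(rule.target, entry_dn, attr):
            for who, level in rule.by:
                if who_matches(who, requester_dn, entry_dn):
                    return level, i, who
            return "none", i, "(implicit 'by * none')"
    return "none", -1, "(no access directive matched)"   # ACLs present, none matched


def access(rules, requester_dn, entry_dn, attr=None) -> str:
    return evaluate(rules, requester_dn, entry_dn, attr)[0]


def can_bind(rules, entry_dn) -> bool:
    """A simple bind is checked as the anonymous requester and needs 'auth' on userPassword."""
    return allows(access(rules, None, entry_dn, "userPassword"), "auth")


# krad's two ACL clauses as posted above (rootdn cn=krad,dc=XXX,dc=net).
KRAD_DN = "cn=krad,dc=XXX,dc=net"
KRAD_ACL = [
    Rule("attrs=userPassword", [("self", "write"), ("anonymous", "auth"),
                                ('dn.base="%s"' % KRAD_DN, "write"), ("*", "none")]),
    Rule("*", [("self", "write"), ('dn.base="%s"' % KRAD_DN, "write"), ("*", "read")]),
]
# The same two clauses reversed: the catch-all now shadows the userPassword clause.
SWAPPED_ACL = [KRAD_ACL[1], KRAD_ACL[0]]

# Constructed test entries; these DNs do not appear in the thread.
ALICE = "uid=alice,ou=people,dc=XXX,dc=net"
BOB = "uid=bob,ou=people,dc=XXX,dc=net"

if __name__ == "__main__":
    for label, acl in (("as posted", KRAD_ACL), ("reversed", SWAPPED_ACL)):
        print(label, "anonymous->userPassword:", access(acl, None, ALICE, "userPassword"),
              "| bob->alice userPassword:", access(acl, BOB, ALICE, "userPassword"),
              "| anonymous->uidNumber:", access(acl, None, ALICE, "uidNumber"))
```

Two points worth keeping in mind when reading the slapd logs in this thread against a model like this: an entry the bind identity is not allowed to read is silently left out of the result set, so `SEARCH RESULT tag=101 err=0 nentries=0` looks the same whether the posixAccount entry is absent or merely invisible to that identity; and running `ldapsearch -x -ZZ -D <binddn> -W -b <base> '(uid=<user>)'` with the same bind DN that ldap.conf uses (`cn=pam_ldap,ou=Services,...` in Tim's file, anonymous in krad's) reproduces exactly what nss_ldap and pam_ldap see, which is the quickest way to separate an ACL problem from a missing entry.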
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTinWsw=4nyEFUTspiE_yGhHc7DdyTNYL8KGXrapC>