Date: Mon, 8 Jan 2024 13:49:59 +0100
From: Rocky Hotas <rockyhotas@post.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: auth.log error with nss-pam-ldapd in LDAP client
Message-ID: <trinity-81261d30-7268-4bec-9268-ce19c331a1ae-1704718198974@3c-app-mailcom-lxa03>
Hello!

I am trying to configure the package nss-pam-ldapd in FreeBSD 14.0-RELEASE to have an LDAP client and LDAP authentication on a host examplehost. The same host is also the LDAP server and it is running openldap26-server-2.6.6.

I followed all the steps related to FreeBSD in the package author's documentation:

  <https://arthurdejong.org/nss-pam-ldapd/setup>

(or at least I hope so!).

If I run:

  $ ldapsearch -x -b 'dc=examplehost,dc=domain' '(objectclass=*)'

I obtain some of the items stored in the LDAP database (even if not all of them: is this normal?). So, the client somehow seems to work. But there are two oddities.

1) In the output of `getent passwd' the LDAP users are listed, but this is a local user entry:

  localuser:*:1001:1001:Local User:/home/localuser:/bin/csh

while this is an LDAP user entry:

  ldapuser:x:10001:10001:LDAP User:/home/ldapuser/:/usr/bin/csh

The second field is a `*' in the first case, while it is `x' in the second case. Is this relevant?

Users are stored in the LDAP database as

  objectClass: posixAccount
  objectClass: shadowAccount

and their passwords are stored in the user entry as

  userPassword: {SSHA}<some_string>

2) I tried to configure /etc/pam.d/sshd for LDAP authentication as follows:

  auth      sufficient  /usr/local/lib/pam_ldap.so  minimum_uid=10000 use_first_pass
  auth      required    pam_unix.so                 no_warn try_first_pass
  account   required    pam_nologin.so
  account   required    pam_login_access.so
  account   sufficient  /usr/local/lib/pam_ldap.so  minimum_uid=10000
  account   required    pam_unix.so
  session   required    /usr/local/lib/pam_mkhomedir.so
  session   required    pam_permit.so
  password  required    pam_unix.so                 no_warn try_first_pass

Despite this, if I try to log into the system remotely as an LDAP user,

  $ ssh ldapuser@examplehost
  (ldapuser@examplehost) Password for ldapuser@examplehost:

even before typing the password, in /var/log/auth.log of examplehost this line appears:

  Jan 8 13:30:45 examplehost sshd[34445]: failed to get password: Authentication error

How is it possible? What is wrong with this configuration? With openldap24-client this /etc/pam.d/sshd worked.

Bye!
Rocky
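As an added example (not code from the poster, from FreeBSD or from nss-pam-ldapd), here is a small Python linter that parses a pam.d policy and flags an `auth` module that is given `use_first_pass` when no earlier `auth` module could have obtained a password. By the documented meaning of the option, `use_first_pass` tells a module to reuse the password a previous module stored in PAM_AUTHTOK and to fail without prompting if none is there, whereas `try_first_pass` falls back to prompting. The /etc/pam.d/sshd stack quoted in the message is embedded as the sample input; FIXED_PAM_CONFIG is a constructed variant (an assumption, not a confirmed resolution of the problem above) used only to show what a clean run looks like.

```python
"""Lint an /etc/pam.d service policy for password hand-off problems between modules.

Added example for the thread above; not code from nss-pam-ldapd or the poster.
"""
from dataclasses import dataclass, field
from typing import List

# The /etc/pam.d/sshd policy quoted in the post, embedded as sample input.
SSHD_PAM_CONFIG = """\
auth     sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000 use_first_pass
auth     required   pam_unix.so no_warn try_first_pass
account  required   pam_nologin.so
account  required   pam_login_access.so
account  sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000
account  required   pam_unix.so
session  required   /usr/local/lib/pam_mkhomedir.so
session  required   pam_permit.so
password required   pam_unix.so no_warn try_first_pass
"""

# Constructed variant (assumption, not from the post): the first auth module may
# prompt, so no module depends on a password that was never collected.
FIXED_PAM_CONFIG = SSHD_PAM_CONFIG.replace(
    "minimum_uid=10000 use_first_pass", "minimum_uid=10000 try_first_pass"
)


@dataclass
class PamEntry:
    facility: str                 # auth / account / session / password
    control: str                  # required / requisite / sufficient / optional / binding
    module: str                   # module name or path
    args: List[str] = field(default_factory=list)


def parse_pam(text: str) -> List[PamEntry]:
    """Parse pam.d-style lines: facility control module [args...]; '#' starts a comment."""
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        facility, control, module, *args = fields
        entries.append(PamEntry(facility.lower(), control.lower(), module, args))
    return entries


def lint_auth_chain(entries: List[PamEntry]) -> List[str]:
    """Report auth modules told to reuse a password no earlier module could have set.

    use_first_pass: take PAM_AUTHTOK as left by a previous module and fail, without
    prompting, if it is unset.  try_first_pass: reuse it if present, else prompt.
    So use_first_pass is only meaningful after a module that was allowed to prompt.
    """
    findings: List[str] = []
    token_may_be_set = False
    for entry in [e for e in entries if e.facility == "auth"]:
        if "use_first_pass" in entry.args and not token_may_be_set:
            findings.append(
                f"{entry.module}: use_first_pass but no earlier auth module could have "
                f"collected a password; this module fails without prompting"
            )
        # A module not restricted to use_first_pass may prompt and set PAM_AUTHTOK.
        if "use_first_pass" not in entry.args:
            token_may_be_set = True
    return findings


def lint(text: str) -> List[str]:
    """Parse a pam.d policy text and return the auth-chain findings."""
    return lint_auth_chain(parse_pam(text))


if __name__ == "__main__":
    for name, cfg in (("posted", SSHD_PAM_CONFIG), ("constructed fix", FIXED_PAM_CONFIG)):
        print(f"{name}: {lint(cfg) or ['no findings']}")
```

Run it against a real policy with `lint(open("/etc/pam.d/sshd").read())`; the check only reads the text and changes nothing on the host.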