From: Rocky Hotas
To: FreeBSD Questions
Subject: auth.log error with nss-pam-ldapd in LDAP client
Date: Mon, 8 Jan 2024 13:49:59 +0100
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Hello!

I am trying to configure the package nss-pam-ldapd in FreeBSD 14.0-RELEASE to have an LDAP client and LDAP authentication on a host examplehost. The same host is also the LDAP server and it is running openldap26-server-2.6.6.

I followed all the steps related to FreeBSD in the package author's documentation: (or at least I hope so!).

If I run:

  $ ldapsearch -x -b 'dc=examplehost,dc=domain' '(objectclass=*)'

I obtain some of the items stored in the LDAP database (even if not all of them: is this normal?). So, the client somehow seems to work. But there are two oddities.

1) In the output of `getent passwd' the LDAP users are listed, but this is a local user entry:

  localuser:*:1001:1001:Local User:/home/localuser:/bin/csh

while this is an LDAP user entry:

  ldapuser:x:10001:10001:LDAP User:/home/ldapuser/:/usr/bin/csh

The second field is a `*' in the first case, while it is `x' in the second case. Is this relevant?

Users are stored in the LDAP database as

  objectClass: posixAccount
  objectClass: shadowAccount

and their passwords are stored in the user entry as

  userPassword: {SSHA}

2) I tried to configure /etc/pam.d/sshd for LDAP authentication as follows:

  auth      sufficient  /usr/local/lib/pam_ldap.so  minimum_uid=10000 use_first_pass
  auth      required    pam_unix.so                 no_warn try_first_pass
  account   required    pam_nologin.so
  account   required    pam_login_access.so
  account   sufficient  /usr/local/lib/pam_ldap.so  minimum_uid=10000
  account   required    pam_unix.so
  session   required    /usr/local/lib/pam_mkhomedir.so
  session   required    pam_permit.so
  password  required    pam_unix.so                 no_warn try_first_pass

Despite this, if I try to log into the system remotely as an LDAP user,

  $ ssh ldapuser@examplehost
  (ldapuser@examplehost) Password for ldapuser@examplehost:

even before typing the password, in /var/log/auth.log of examplehost this line appears:

  Jan 8 13:30:45 examplehost sshd[34445]: failed to get password: Authentication error

How is it possible? What is wrong with this configuration? With openldap24-client this /etc/pam.d/sshd worked.

Bye!
Rocky
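Added example, not part of Rocky's post or of nss-pam-ldapd: a small linter for pam.d stacks that flags a use_first_pass option on the first module of a facility, which under OpenPAM's pam.conf(5) semantics has no password stored by an earlier module to reuse and so fails without prompting (try_first_pass prompts instead). Run over a constructed copy of the sshd stack quoted above, it flags the pam_ldap auth line; the parser and its assumptions are mine.

```python
# Added example (not from the post): lint a pam.d stack for use_first_pass
# ordering. Assumes OpenPAM pam.conf(5) semantics: use_first_pass reuses a
# password stored by an EARLIER module in the same facility and fails without
# prompting when none exists, while try_first_pass prompts instead.
from dataclasses import dataclass, field
@dataclass
class PamLine:
    facility: str                # auth, account, session, password
    control: str                 # required, sufficient, ...
    module: str                  # module name or path
    options: list = field(default_factory=list)

def parse_pam(text: str) -> list:
    """Parse pam.d-style lines; blank lines and # comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam line: {line!r}")
        entries.append(PamLine(parts[0], parts[1], parts[2], parts[3:]))
    return entries

def lint_first_pass(entries: list) -> list:
    """Flag use_first_pass on the first module of a facility's stack: no earlier
    module in that facility can have stored a password, so there is nothing to
    reuse and the module returns an error before the user is ever prompted."""
    warnings = []
    position = {}  # facility -> modules already seen in that stack
    for e in entries:
        seen = position.get(e.facility, 0)
        if "use_first_pass" in e.options and seen == 0:
            warnings.append(f"{e.facility}: {e.module} is first in the stack but "
                            "has use_first_pass; use try_first_pass or move it")
        position[e.facility] = seen + 1
    return warnings
# Constructed copy of the sshd stack quoted in the post.
SSHD_PAM = """\
auth     sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000 use_first_pass
auth     required   pam_unix.so no_warn try_first_pass
account  required   pam_nologin.so
account  required   pam_login_access.so
account  sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000
account  required   pam_unix.so
session  required   /usr/local/lib/pam_mkhomedir.so
session  required   pam_permit.so
password required   pam_unix.so no_warn try_first_pass
"""
```

Calling lint_first_pass(parse_pam(SSHD_PAM)) returns one warning for the auth pam_ldap line; the account stack's pam_ldap line carries no use_first_pass and is not flagged.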