Date: Fri, 8 Oct 2010 03:38:59 +1030
From: Indexer <indexer@internode.on.net>
To: Kevin Mai <kma@mrecic.gov.ar>
Cc: Jason <jhelfman@e-e.com>, Dan Nelson <dnelson@allantgroup.com>, freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: LDAP Authentication from console
Message-ID: <81962BF4-22B6-40A1-9610-908EFE981484@internode.on.net>
In-Reply-To: <2142474853.75664.1286469563186.JavaMail.root@mrelmx10.mrec.ar>
References: <2142474853.75664.1286469563186.JavaMail.root@mrelmx10.mrec.ar>
On 08/10/2010, at 3:09 AM, Kevin Mai wrote:

> Didn't receive all the emails, thank god this maillist is indexed! ;)

Very handy isn't it :)

Now, about your problem. Remove the lines "auth sufficient /usr/local/lib/pam_ldap.so no_warn" and "account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user" from the login file. The login file includes system, so you only need to modify that. In system, make your file look like this:

• #
• # $FreeBSD: src/etc/pam.d/system,v 1.1.30.1 2009/04/15 03:14:26 kensmith Exp $
• #
• # System-wide defaults
• #
•
•
• # auth
• auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
• auth        requisite   pam_opieaccess.so           no_warn allow_local
• #auth       sufficient  pam_krb5.so                 no_warn try_first_pass
• #auth       sufficient  pam_ssh.so                  no_warn try_first_pass
  auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn
• auth        required    pam_unix.so                 no_warn try_first_pass nullok
•
• # account
• #account    required    pam_krb5.so
• account     required    pam_login_access.so
  account     required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
• account     required    pam_unix.so
•
• # session
• #session    optional    pam_ssh.so
  session     required    pam_permit.so
• session     required    pam_lastlog.so              no_fail
•
• # password
• #password   sufficient  pam_krb5.so                 no_warn try_first_pass
• password    required    pam_unix.so                 no_warn try_first_pass

I have added 3 lines; they do not have a • preceding them.

Now, after that, copy the system file to sshd. THEY SHOULD BE THE EXACT SAME. As it currently stands, your ldap user can ssh into your server, but module order in pam is VERY important.

BACKUP YOUR PAM.D DIRECTORY BEFORE YOU DO ANYTHING. pam is very touchy, and at the slightest mistake it will just panic, and throw up its hands in defeat.
Remember when doing this that you should hold a root terminal open to edit these files. Open a second terminal and test the following:

1) You can ssh in as a user in the unix files (root for example if your ssh is setup for this, else an account you have created)
2) That your ldap user can login
3) That your file user can sudo correctly
4) That your ldap user can sudo correctly.
5) That your user in files can login at a console
6) That your ldap user can login at a console.

Now, have a rescue CD handy, or remember how to single user mode freebsd if worst comes to worst (hint: press 4 at the boot loader menu, then hit enter, and mount -a the disks to gain access to /usr etc. From there fix your pam and reboot).

If any of these do not work, especially the sshd logins, then reset your pam.d files. You DO run the risk of locking yourself out of your own server, and I have done this to myself many times.

Hopefully this helps you get under way, and your users authenticating properly.

Sincerely
William Brown
pgp.mit.edu
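A small checker for the two points the message stresses, pam_ldap ordering relative to pam_unix and the ignore_* options on the account line, plus a comparison that system and sshd carry the same rules. This is an added example, not code from the thread; the sample policies are constructed copies of the file shown above, and the counter-example deliberately reverses the order and drops the options.

```python
# Constructed sample: the /etc/pam.d/system rules from the message, bullets and comments dropped.
SYSTEM_GOOD = """\
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth        required    pam_unix.so         no_warn try_first_pass nullok
account     required    pam_login_access.so
account     required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
account     required    pam_unix.so
session     required    pam_permit.so
session     required    pam_lastlog.so      no_fail
password    required    pam_unix.so         no_warn try_first_pass
"""
# Constructed counter-example: pam_ldap moved below pam_unix and stripped of the ignore_* options.
SYSTEM_BAD = (SYSTEM_GOOD.replace("auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn\n", "")
              .replace("nullok\n", "nullok\nauth  sufficient  /usr/local/lib/pam_ldap.so  no_warn\n")
              .replace(" ignore_authinfo_unavail ignore_unknown_user", ""))

def parse_pam(text):
    """Return (facility, control, module basename, options) per rule; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        rules.append((fields[0], fields[1], fields[2].rsplit("/", 1)[-1], frozenset(fields[3:])))
    return rules

def lint_ldap_policy(text):
    """Return findings (empty list = safe shape) for the pam_ldap rules in one pam.d file."""
    rules = parse_pam(text)
    findings = []
    auth = [r[2] for r in rules if r[0] == "auth"]
    if "pam_ldap.so" not in auth:
        findings.append("auth: pam_ldap.so missing")
    elif "pam_unix.so" in auth and auth.index("pam_ldap.so") > auth.index("pam_unix.so"):
        # A failing 'required' pam_unix ahead of 'sufficient' pam_ldap fails the chain for LDAP-only users.
        findings.append("auth: pam_ldap.so must precede required pam_unix.so")
    account = [r for r in rules if r[0] == "account" and r[2] == "pam_ldap.so"]
    if not account:
        findings.append("account: pam_ldap.so missing")
    else:
        # Without these, an LDAP outage or a local-only user fails this 'required' check and locks file users out.
        for opt in ("ignore_authinfo_unavail", "ignore_unknown_user"):
            if opt not in account[0][3]:
                findings.append(f"account: pam_ldap.so lacks {opt}")
    return findings

def same_policy(a, b):
    """True when two pam.d files (system and sshd, per the message) carry the same effective rules."""
    return parse_pam(a) == parse_pam(b)
```

Run it against the real files with `lint_ldap_policy(open("/etc/pam.d/system").read())` and `same_policy(...)` on system and sshd before closing the root terminal the message tells you to keep open.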