From owner-freebsd-questions@FreeBSD.ORG Wed May 24 14:16:26 2006
From: Jason Lixfeld
Date: Wed, 24 May 2006 10:16:15 -0400
To: Atom Powers
Cc: FreeBSD Questions Mailing List
Subject: Re: Trouble with nss|pam|openldap
Message-Id: <71C11F58-32D9-4EBF-B35E-F1730184B706@lixfeld.ca>
References: <7DAD87F3-C2BD-4776-A98A-6EFDAD335594@lixfeld.ca>

On 23-May-06, at 8:48 PM, Atom Powers wrote:

> On 5/23/06, Jason Lixfeld questions@lixfeld.ca> wrote:
>> I'm using openssh-portable and the latest versions of openldap,
>> pam_ldap and nss_ldap. It appears as though the system is using
> ...
>
> I'm not using ssh-portable, but I have it working with the built-in
> ssh.

Built-in works? Interesting. The reason I'm using -portable was because I read that the built-in ssh didn't support PAM. I will try the built-in and see what happens.

> ...
>> user password, even after I enter it in. I tried putting the
>> pam_ldap lib in the password section of the /etc/pam.d/sshd file, but
>> that was useless too. Local users can ssh in fine.
>
> The pam.d config would be my first guess. What gets logged to all.log?

I have no all.log currently. The only thing showing up in messages, though, is:

May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP server - Server is unavailable

That error seems to creep up only when I restart slapd, though.

>>
>> I searched through the bugs and it seems there is a bug in nss_ldap
>> with regards to getpwuid, but that seems to be more of an indicator
>> about why finger doesn't work, not why ssh doesn't work.
>>
>> # id testuser seems to work, finger doesn't. Curious. Anyway, it
>> still appears as though at least some portions of the system are
>> using LDAP, which is good.
>> $ id testuser
>> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
>> $ finger testuser
>> finger: testuser: no such user
>> $
>
> id works because it's using the name service to look up the user (you
> added ldap to your nsswitch.conf, right?)
>
> finger doesn't work because you don't have a /etc/pam.d/finger file.
> Either create one or add pam_ldap to your /etc/pam.d/system file. (I
> always create a new conf file for my ldap enabled apps)

Interesting. Finger *did* work during some of my first attempts at getting this working. I changed something (I don't recall what) and then finger stopped working.

> Here is my /etc/pam.d/sshd file, I use the exact same file for all my
> ldap enabled apps:
> (if somebody sees a bug in there, or can suggest any improvement, by
> all means let me know.)
> --
>
> # auth
> auth sufficient /usr/local/lib/pam_ldap.so
> auth required pam_nologin.so no_warn
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account sufficient /usr/local/lib/pam_ldap.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_unix.so
>
> # session
> #session optional pam_ssh.so
> session required pam_permit.so
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_unix.so no_warn try_first_pass

This seems to all work now with built-in ssh. How strange.

Now, I seem to have hit another snag and a bug (both of which I remember reading about in my travels):

$ id testuser
id: testuser: no such user
# sudo su
Password:
# id testuser
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
# cd ~testuser
# pwd
/usr/home/testuser
# ssh testuser@localhost
% id testuser
id: testuser: no such user
% pwd
/usr/home/testuser
% ls -al
Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] != NULL), function do_init, file ldap-nss.c, line 1193.
Abort (core dumped)
%

> --
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--
>
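The transcript above shows a lookup that succeeds as root and fails as an unprivileged user, followed by nss_ldap aborting because it has no URI loaded at all. The script below is an added example, not code from this thread or from the nss_ldap or pam_ldap projects; it bundles the three checks the discussion points at: that passwd and group in nsswitch.conf consult ldap, that the service's pam.d file loads pam_ldap on uncommented auth and account lines, and that the nss_ldap client configuration is readable by the users who need it. The file paths are assumptions (the FreeBSD port locations as I recall them) and are parameters so the checks can be pointed at copies of the files. Permission is judged from the mode bits rather than with `[ -r ]`, because root can read anything and would hide exactly the symptom shown in the transcript.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for an nss_ldap/pam_ldap
# client that works for root but not for ordinary users.
# Defaults are assumed FreeBSD port paths; override them via the environment.

NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
NSS_LDAP_CONF=${NSS_LDAP_CONF:-/usr/local/etc/nss_ldap.conf}
PAMD=${PAMD:-/etc/pam.d}

# nsswitch_uses_ldap FILE DB: succeeds if the "DB:" line lists ldap as a source.
nsswitch_uses_ldap() {
    grep -E "^[[:space:]]*$2:.*([[:space:]]|:)ldap([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# pam_type_uses_ldap FILE TYPE: succeeds if an uncommented TYPE line
# (auth, account, session or password) loads pam_ldap.so.
pam_type_uses_ldap() {
    grep -E "^[[:space:]]*$2[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]*pam_ldap\.so" \
        "$1" >/dev/null 2>&1
}

# world_readable FILE: succeeds if "other" has the read bit set. Checked from
# the mode bits, not with [ -r ], because root can read anything and the
# whole point is what an unprivileged process can load.
world_readable() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c8) in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# audit SERVICE: runs every check for one PAM service name, prints each
# finding, and returns the number of failed checks.
audit() {
    fails=0
    for db in passwd group; do
        if nsswitch_uses_ldap "$NSSWITCH" "$db"; then
            echo "ok   $NSSWITCH: $db consults ldap"
        else
            echo "FAIL $NSSWITCH: $db does not consult ldap"
            fails=$((fails + 1))
        fi
    done
    for type in auth account; do
        if pam_type_uses_ldap "$PAMD/$1" "$type"; then
            echo "ok   $PAMD/$1: $type loads pam_ldap"
        else
            echo "FAIL $PAMD/$1: no uncommented $type line loads pam_ldap"
            fails=$((fails + 1))
        fi
    done
    if world_readable "$NSS_LDAP_CONF"; then
        echo "ok   $NSS_LDAP_CONF is readable by unprivileged users"
    else
        echo "FAIL $NSS_LDAP_CONF is not world-readable: lookups will only work as root"
        echo "     (a bind password belongs in a root-only secret file via rootbinddn, not here)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Invoke as "sh ldap_client_check.sh --run [service]" to audit the live files.
if [ "${1:-}" = --run ]; then
    audit "${2:-sshd}"
    exit $?
fi
```

A zero exit status means all checks passed; otherwise the status is the number of failures, so the script can sit in a configuration test run. Making the client configuration world-readable is only safe if it carries no credentials, which is why the failure message points at nss_ldap's separate root-only secret file for a bind password.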