From: Jason Morgan
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Thu, 17 Jul 2008 12:43:56 -0400
Subject: Re: /etc/pam.d/ldap file question
Message-ID: <20080717164355.GA15482@sentinelchicken.net>
In-Reply-To: <1761.204.184.27.217.1216307358.squirrel@mail.bloomfield.k12.mo.us>

On 2008.07.17 10:09:18, sgmayo@mail.bloomfield.k12.mo.us wrote:
> I am wanting to make sure that I have this correct. Using Pam/NSS/LDAP
> and Samba, I need to make the following file:
>
> /etc/pam.d/ldap
>
> which should contain:
>
> login auth sufficient /usr/local/lib/pam_ldap.so
>
> Is that all I have to add to the file? I will also need to uncomment the
> sshd line in the '/etc/pam.d/other' or else put that line in a new file
> that is named 'sshd', if I want to use ssh.
>
> I am still trying to get a hold of all of this and want to make sure that
> I am doing things correctly.

I had this exact question/problem when setting up LDAP authentication for the first time last week. The man pages don't seem all that clear, to me at least, and the PAM documentation is vague, when you can find it. Anyway, below are the settings I used to get SSH authentication working. The settings work, but I don't claim they are "correct".
$ cat /etc/nsswitch.conf
group: files ldap
group_compat: nis
hosts: files dns
passwd: files ldap
passwd_compat: nis
services: compat
services_compat: nis
shells: files ldap

$ cat /etc/pam.d/sshd
# auth
#auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

I believe, if I read the documentation correctly, you want to add

    auth sufficient /usr/local/lib/pam_ldap.so

to /etc/pam.d/login. That should instruct PAM to check LDAP at login.

Hopefully, people who really know what they are doing will respond.

HTH a bit,

~Jason Morgan
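The reason the order "sufficient pam_ldap, then required pam_unix" works, and why reversing it would not, is the control-flag logic PAM applies when it walks the auth chain. The following is an added example, not code from the post above or from OpenPAM: a small parser for /etc/pam.d/<service> lines plus an evaluator that follows the control-flag rules as pam.conf(5) describes them (required, requisite, sufficient, binding, optional). The two account tables, the user names and passwords, and the "unix first" variant of the chain are constructed test data for illustration only.

```python
"""Model of how a PAM auth chain such as the /etc/pam.d/sshd above is walked.

Added example, not code from the mailing-list post or from OpenPAM. The
control-flag rules follow the descriptions in pam.conf(5); the account data
and the misordered variant chain below are constructed for illustration.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# Constructed copy of the auth section of the posted /etc/pam.d/sshd.
SSHD_AUTH = """\
# auth
#auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
"""

# Constructed misordering: the required pam_unix placed before pam_ldap.
SSHD_AUTH_UNIX_FIRST = """\
auth required pam_unix.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
"""

# Constructed account data: which users each module can authenticate.
LOCAL_USERS = {"root": "local-root-pw", "sgmayo": "old-local-pw"}
LDAP_USERS = {"jmorgan": "ldap-pw", "sgmayo": "ldap-pw"}


def parse_pam_chain(text, facility="auth"):
    """Parse /etc/pam.d/<service> lines into (control, module, options) tuples.

    Comment lines and lines for other facilities (account, session, ...) are
    skipped; the module path is reduced to its basename.
    """
    chain = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        control, module, *options = fields[1:]
        chain.append((control.lower(), module.rsplit("/", 1)[-1], options))
    return chain


def run_module(module, user, password):
    """Stand-in for a module's pam_sm_authenticate() against its own backend."""
    db = {"pam_unix.so": LOCAL_USERS, "pam_ldap.so": LDAP_USERS}.get(module)
    if db is None:
        return PAM_AUTH_ERR            # modules not modelled here always fail
    if user not in db:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if db[user] == password else PAM_AUTH_ERR


def evaluate_chain(chain, user, password):
    """Walk the chain; return (result, trace of the modules actually run)."""
    if not chain:
        raise ValueError("empty auth chain")
    required_err = None   # first failure of a required/binding module; sticky
    first_err = None
    any_success = False
    trace = []
    for control, module, _options in chain:
        r = run_module(module, user, password)
        trace.append((module, r))
        if r == PAM_SUCCESS:
            any_success = True
            # a sufficient/binding success ends the chain with success,
            # unless a required module already failed earlier in the chain
            if control in ("sufficient", "binding") and required_err is None:
                return PAM_SUCCESS, trace
            continue
        first_err = first_err or r
        if control in ("required", "binding") and required_err is None:
            required_err = r
        if control == "requisite":
            return r, trace            # requisite failure stops the chain
    if required_err is not None:
        return required_err, trace
    return (PAM_SUCCESS if any_success else first_err), trace


def authenticate(config_text, user, password):
    return evaluate_chain(parse_pam_chain(config_text), user, password)


if __name__ == "__main__":
    for name, cfg in (("posted sshd", SSHD_AUTH), ("unix first", SSHD_AUTH_UNIX_FIRST)):
        for user, pw in (("jmorgan", "ldap-pw"), ("sgmayo", "ldap-pw"),
                         ("sgmayo", "old-local-pw"), ("nobody-here", "x")):
            result, trace = authenticate(cfg, user, pw)
            print(f"{name:12} {user:12} -> {result:17} via {trace}")
```

Two things the run shows. With the posted order, an LDAP-only user passes at pam_ldap and pam_unix is never consulted, while a user whose LDAP password fails falls through to pam_unix, so a stale local account password still logs that user in; the "required" pam_unix at the end is also what denies a name neither backend knows. With pam_unix "required" placed first, its failure is sticky, so the later "sufficient" pam_ldap success no longer ends the chain with success and LDAP-only users are locked out.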