From owner-freebsd-questions@FreeBSD.ORG Mon Feb 28 10:31:57 2011
From: krad
To: Tim Dunphy
Cc: freebsd-questions
Date: Mon, 28 Feb 2011 10:31:54 +0000
Subject: Re: pam ssh authentication via ldap
On 28 February 2011 01:06, Tim Dunphy wrote:
> Hello Krad and thank you for your reply!
>
> Well it seems that I am still unable to login to this machine using an
> LDAP account. I have tried applying the configurations you have
> provided and the result doesn't seem to have changed just yet.
>
> Here is my /usr/local/etc/ldap.conf file
>
> uri ldap://LBSD2.summitnjhome.com
> base dc=summitnjhome,dc=com
> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw secret
> scope sub
> ssl start tls
> tls_cacert /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
> pam_login_attribute uid
> bind_timelimit 1
> timelimit 1
> bind_policy soft
> pam_password exop
> nss_base_passwd dc=summitnjhome,dc=com
> nss_base_shadow dc=summitnjhome,dc=com
> nss_base_group  dc=summitnjhome,dc=com
> nss_base_sudo   dc=summitnjhome,dc=com
> nss_initgroups_ignoreusers root,slapd
>
> #ls -l /usr/local/etc/nss_ldap.conf
> lrwxr-xr-x  1 root  wheel  24 Feb 28 00:10 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>
> #cat /usr/local/etc/nsswitch.conf
> #
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
> #
> passwd: cache files ldap [notfound=return]
> passwd_compat: files ldap
> group: cache files ldap [notfound = return]
> group_compat: nis
> sudoers: ldap
> hosts: files dns
> networks: files
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> Here is my slapd.conf file:
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/openldap.schema
> include         /usr/local/etc/openldap/schema/sudo.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> include         /usr/local/etc/openldap/schema/misc.schema
> include         /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
>
> loglevel        296
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
>
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile  /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.key
> TLSCACertificateFile /usr/local/etc/openldap/certs/gd_bundle.crt
>
> # Load dynamic backend modules:
> modulepath      /usr/local/libexec/openldap
> moduleload      back_bdb
> # moduleload    back_hdb
> # moduleload    back_ldap
>
> # Sample security restrictions
> #       Require integrity protection (prevent hijacking)
> #       Require 112-bit (3DES or better) encryption for updates
> #       Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> #       Root DSE: allow anyone to read it
> #       Subschema (sub)entry DSE: allow anyone to read it
> #       Other DSEs:
> #               Allow self write access
> #               Allow authenticated users read access
> #               Allow anonymous users to authenticate
> #       Directives needed to implement policy:
> # access to dn.base="" by * read
> access to *
>           by read
>
> access to attrs=userPassword by self write
>           by anonymous auth
>
> access to * by self write
>             by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" write
>             by users read
>             by anonymous auth
>
> access to * by self write
>             by users read
>             by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn.  (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # BDB database definitions
> #######################################################################
>
> database        bdb
> suffix          "dc=summitnjhome,dc=com"
> rootdn          "cn=Manager,dc=summitnjhome,dc=com"
> rootpw          {SSHA}secret
>
> # Cleartext passwords, especially for the rootdn, should
> # be avoid.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory       /var/db/summitnjhome.com
> # Indices to maintain
> index   objectClass,uid,uidNumber       eq
> index   sudoUser        eq
>
> these are the packages I have installed
>
> nss_ldap-1.265_4    RFC 2307 NSS module
> openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
> openldap-sasl-server-2.4.23 Open source LDAP server implementation
> pam_ldap-1.8.5      A pam module for authenticating with LDAP
>
> And this is what happens in the ldap logs after making those changes:
>
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     OR
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on:
> Feb 26 19:58:43 LBSD2 slapd[54891]:  425r
> Feb 26 19:58:43 LBSD2 slapd[54891]:
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: read activity on 425
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter_list
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter_list
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
>
> This is what's going on in the secure logs:
>
> Feb 27 19:02:05 LCENT01 su: pam_unix(su-l:session): session opened for user root by bluethundr(uid=10001)
>
> And this is my /etc/pam.d/sshd file:
>
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
> auth            required        pam_ldap.so
> #auth           required        pam_unix.so             no_warn try_first_pass
>
> # account
> account         required        pam_nologin.so
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_ldap.so
> #account        required        pam_unix.so
>
> # session
> #session        optional        pam_ssh.so
> session         sufficient      pam_ldap.so
> session         required        pam_permit.so
>
> # password
> #password       sufficient      pam_krb5.so             no_warn try_first_pass
> password        required        pam_ldap.so
> #password       required        pam_unix.so             no_warn try_first_pass
>
> I really appreciate your input Krad and I appreciate any advice anyone may have
>
> thanks
> tim
>
> On Sun, Feb 27, 2011 at 6:10 AM, krad wrote:
>> On 27 February 2011 11:05, krad wrote:
>>> On 26 February 2011 20:01, Tim Dunphy wrote:
>>>> Hey list,
>>>>
>>>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>>>> nsswitch file because I thought they might be helpful in dispensing
>>>> advice as to what is going on:
>>>>
>>>> uri ldap://LBSD2.summitnjhome.com
>>>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>>>> bindpw secret
>>>> scope sub
>>>> pam_password exop
>>>> nss_base_passwd dc=summitnjhome,dc=com
>>>> nss_base_shadow dc=summitnjhome,dc=com
>>>> nss_base_group  dc=summitnjhome,dc=com
>>>> nss_base_sudo   dc=summitnjhome,dc=com
>>>>
>>>> # nsswitch.conf(5) - name service switch configuration file
>>>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
>>>> #
>>>> passwd: files ldap
>>>> passwd_compat: files ldap
>>>> group: files ldap
>>>> group_compat: nis
>>>> sudoers: ldap
>>>> hosts: files dns
>>>> networks: files
>>>> shells: files
>>>> services: compat
>>>> services_compat: nis
>>>> protocols: files
>>>> rpc: files
>>>>
>>>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy wrote:
>>>>> Hello List!!
>>>>>
>>>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>>>
>>>>> But at the moment I am attempting to setup pam authentication for ssh
>>>>> via LDAP and having some difficulty.
>>>>>
>>>>> My /etc/pam.d/sshd file seems to be setup logically and correctly:
>>>>>
>>>>> # PAM configuration for the "sshd" service
>>>>> #
>>>>>
>>>>> # auth
>>>>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>>>>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>>>>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>>>>> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
>>>>> auth            required        pam_ldap.so
>>>>> #auth           required        pam_unix.so             no_warn try_first_pass
>>>>>
>>>>> # account
>>>>> account         required        pam_nologin.so
>>>>> #account        required        pam_krb5.so
>>>>> account         required        pam_login_access.so
>>>>> account         required        pam_ldap.so
>>>>> #account        required        pam_unix.so
>>>>>
>>>>> # session
>>>>> #session        optional        pam_ssh.so
>>>>> session         sufficient      pam_ldap.so
>>>>> session         required        pam_permit.so
>>>>>
>>>>> # password
>>>>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>>>>> password        required        pam_ldap.so
>>>>> #password       required        pam_unix.so             no_warn try_first_pass
>>>>>
>>>>> And if I'm reading the logs correctly LDAP is searching for and
>>>>> finding the account information when I am making the login attempt:
>>>>>
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>>>
>>>>>
>>>>> But logins fail every time.
>>>>> Could someone offer an opinion as to what
>>>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>>>
>>>>> Thanks in advance!
>>>>> Tim
>>>>>
>>>>> --
>>>>> GPG me!!
>>>>>
>>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>>
>>>> _______________________________________________
>>>> freebsd-questions@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>>
>>>
>>> these are my files and are from a working setup
>>>
>>> # cat /usr/local/etc/ldap.conf
>>> #
>>> # LDAP Defaults
>>> #
>>>
>>> # See ldap.conf(5) for details
>>> # This file should be world readable but not world writable.
>>>
>>> BASE    dc=XXX,dc=net
>>> URI     ldap://XXX.net
>>>
>>> #SIZELIMIT      12
>>> #TIMELIMIT      15
>>> #DEREF          never
>>>
>>> ssl start_tls
>>> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>>>
>>> pam_login_attribute uid
>>>
>>> sudoers_base   ou=sudoers,ou=services,dc=XXX,dc=net
>>> bind_timelimit 1
>>> timelimit 1
>>> bind_policy soft
>>>
>>> nss_initgroups_ignoreusers root,slapd,krad
>>>
>>> # ls -l /usr/local/etc/nss_ldap.conf
>>> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>>>
>>> # nsswitch.conf
>>>
>>> group: cache files ldap [notfound=return]
>>> passwd: cache files ldap [notfound=return]
>>>
>>> these packages are installs
>>>
>>> nss_ldap-1.265_4    RFC 2307 NSS module
>>> openldap-client-2.4.23 Open source LDAP client implementation
>>> openldap-server-2.4.23 Open source LDAP server implementation
>>> pam_ldap-1.8.6      A pam module for authenticating with LDAP
>>>
>>
>> and my slapd.conf
>>
>> security ssf=128
>>
>> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
>> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
>> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
>> include         /usr/local/etc/openldap/schema/core.schema
>> include         /usr/local/etc/openldap/schema/cosine.schema
>> include         /usr/local/etc/openldap/schema/inetorgperson.schema
>> include         /usr/local/etc/openldap/schema/nis.schema
>> #include        /usr/local/etc/openldap/schema/ldapns.schema
>> include         /usr/local/etc/openldap/schema/samba.schema
>> include         /usr/local/etc/openldap/schema/sudo.schema
>> logfile /var/log/slapd.log
>> loglevel stats
>> pidfile         /var/run/openldap/slapd.pid
>> argsfile        /var/run/openldap/slapd.args
>> modulepath      /usr/local/libexec/openldap
>> moduleload      back_bdb
>> database        bdb
>> directory       /var/db/openldap-data
>> #index uid pres,eq
>> index cn,sn,uid pres,eq,sub
>> index objectClass eq
>> #index sudoUser
>> suffix  "dc=XXX,dc=net"
>> rootdn  "cn=krad,dc=XXX,dc=net"
>> rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
>> access to attrs=userPassword
>>             by self write
>>             by anonymous auth
>>             by dn.base="cn=krad,dc=XXX,dc=net" write
>>             by * none
>> access to *
>>             by self write
>>             by dn.base="cn=krad,dc=XXX,dc=net" write
>>             by * read
>>
>

haha sorry, I completely forgot about the pam files, here is mine. You definitely need to be explicit with the path of the ldap module.

[root@carrera /home/krad]# cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1 2009/08/03 08:13:06 kensmith Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass ignore_authinfo_unavail
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
#auth           sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass ignore_authinfo_unavail

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so
account         required        /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so
session         required        /usr/local/lib/pam_mkhomedir.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
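An added example (not code from the thread or from either poster) that models the control-flag rules of pam.conf(5) as OpenPAM applies them, and runs the auth chain Tim posted and the one from krad's working setup through two constructed scenarios. Assumed: a module that cannot be loaded counts as a failure, pam_opie fails for a user with no OPIE record, pam_opieaccess with allow_local succeeds for such a user, and pam_ldap with ignore_authinfo_unavail returns PAM_IGNORE when the server is unreachable.

```python
# Added example (not from the thread): a model of OpenPAM's control-flag
# rules from pam.conf(5), run over the two /etc/pam.d/sshd auth chains
# quoted above. Module results are inputs to the model, not real PAM calls.

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# Tim's auth chain (uncommented lines only): pam_ldap is the only module
# that can really decide the outcome, and it is "required".
TIM_AUTH = [
    ("sufficient", "pam_opie.so"),
    ("requisite", "pam_opieaccess.so"),
    ("required", "pam_ldap.so"),
]

# krad's auth chain: pam_ldap (full path) is "sufficient" with
# ignore_authinfo_unavail, and pam_unix stays "required" as the fallback.
KRAD_AUTH = [
    ("sufficient", "/usr/local/lib/pam_ldap.so"),
    ("sufficient", "pam_opie.so"),
    ("requisite", "pam_opieaccess.so"),
    ("required", "pam_unix.so"),
]


def run_chain(chain, outcomes):
    """Evaluate (control, module) pairs in file order; return (result, consulted).

    outcomes maps module name -> SUCCESS / FAIL / IGNORE (PAM_IGNORE).
    required:   failure is remembered, chain keeps running
    requisite:  failure ends the chain at once with failure
    sufficient: success ends the chain with success unless a required
                module already failed; its failure is ignored
    optional:   never decides the chain on its own
    Assumption: a module absent from outcomes (e.g. not loadable) fails.
    """
    consulted, required_failed, successes = [], False, 0
    for control, module in chain:
        result = outcomes.get(module, FAIL)
        consulted.append(module)
        if result == IGNORE:
            continue                       # module declined to vote
        if result == SUCCESS:
            successes += 1
            if control == "sufficient" and not required_failed:
                return SUCCESS, consulted  # short-circuit success
            continue
        if control == "requisite":
            return FAIL, consulted         # short-circuit failure
        if control == "required":
            required_failed = True         # keep going, but we will fail
        # a failing sufficient/optional module is simply skipped
    if required_failed or successes == 0:
        return FAIL, consulted  # no module voted success: deny (conservative)
    return SUCCESS, consulted


def compare(outcomes):
    """Run both posted chains against the same set of module outcomes."""
    return {"tim": run_chain(TIM_AUTH, outcomes)[0],
            "krad": run_chain(KRAD_AUTH, outcomes)[0]}


# Scenario 1 (constructed): LDAP reachable, LDAP-only user, right password.
# Assumed: pam_opie fails for a user with no OPIE record, pam_opieaccess
# (allow_local) succeeds for that user, pam_unix fails (no local entry).
LDAP_USER_LDAP_UP = {
    "pam_opie.so": FAIL, "pam_opieaccess.so": SUCCESS, "pam_unix.so": FAIL,
    "pam_ldap.so": SUCCESS, "/usr/local/lib/pam_ldap.so": SUCCESS,
}

# Scenario 2 (constructed): LDAP server unreachable, local admin logging in.
# Without ignore_authinfo_unavail pam_ldap fails; with it pam_ldap returns
# PAM_IGNORE and pam_unix decides.
LOCAL_USER_LDAP_DOWN = {
    "pam_opie.so": FAIL, "pam_opieaccess.so": SUCCESS, "pam_unix.so": SUCCESS,
    "pam_ldap.so": FAIL, "/usr/local/lib/pam_ldap.so": IGNORE,
}
```

Scenario 2 is the one to watch: with a "required" pam_ldap and pam_unix commented out, a directory that cannot answer denies every login, local accounts included, while krad's ordering falls through to pam_unix.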