From owner-freebsd-net@FreeBSD.ORG Thu Nov 6 21:15:34 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5257116A4CE for ; Thu, 6 Nov 2003 21:15:34 -0800 (PST)
Received: from xmxpita.excite.com (nn2.excitenetwork.com [207.159.120.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id A1ECC43FFD for ; Thu, 6 Nov 2003 21:15:33 -0800 (PST) (envelope-from skb_bhat@excite.com)
Received: by xmxpita.excite.com (Postfix, from userid 110) id D2BABBF78; Fri, 7 Nov 2003 00:15:27 -0500 (EST)
Received: from [203.200.177.199] by xprdmailfe13.nwk.excite.com via HTTP; Fri, 07 Nov 2003 00:15:27 EST
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: ID = 5c3e0474b596237c52a34490e08e6c6e
From: "skb"
To: freebsd-net@freebsd.org
Reply-To: skb_bhat@excite.com
X-Sender: skb_bhat@excite.com
X-Mailer: PHP
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <20031107051527.D2BABBF78@xmxpita.excite.com>
Date: Fri, 7 Nov 2003 00:15:27 -0500 (EST)
Subject: login with ldap and sasl/gssapi
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 07 Nov 2003 05:15:34 -0000

Hi,

Can someone please tell me how to configure login on the FreeBSD-5.1-RELEASE box to use ldap authentication (using SASL/GSSAPI), pam_krb5, pam_ldap and nss_ldap modules respectively. I have successfully configured openldap21-2.1.20_1 with heimdal-0.5.1. I can execute ldapsearch, ldapadd etc. using the SASL/GSSAPI mechanism without any problems at all on the local box.
On /usr/local/etc/openldap/slapd.conf I've added the following extra stuff:

    require SASL
    sasl-realm MYDOMAIN.COM
    sasl-host test.mydomain.com
    sasl-secprop noplain,noanonymous,minssf=56
    # slapd.conf(5) in OpenLDAP 2.1 spells this directive sasl-regexp; an
    # unknown directive name is ignored, and the GSSAPI identity is then
    # never mapped onto the ou=People entry.
    sasl-regexp uid=(.*),cn=MYDOMAIN.COM,cn=gssapi,cn=auth uid=$1,ou=People,dc=mydomain,dc=com

The pam_krb5, nss_ldap, pam_ldap modules are working fine since login is working fine with anonymous LDAP bind. But everything stops when I disable anonymous bind.

My /etc/pam.d/login file is as follows:

    # auth
    auth      required    pam_nologin.so              no_warn
    auth      sufficient  pam_self.so                 no_warn
    auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth      requisite   pam_opieaccess.so           no_warn allow_local
    auth      sufficient  pam_krb5.so                 no_warn try_first_pass
    auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth      required    pam_unix.so                 no_warn try_first_pass nullok

    # account
    account   required    pam_krb5.so
    account   sufficient  /usr/local/lib/pam_ldap.so
    account   required    pam_login_access.so
    account   required    pam_securetty.so
    account   required    pam_unix.so

    # session
    #session  optional    pam_ssh.so
    session   required    pam_lastlog.so              no_fail

    # password
    password  sufficient  pam_krb5.so                 no_warn try_first_pass
    password  sufficient  /usr/local/lib/pam_ldap.so
    password  required    pam_unix.so                 no_warn try_first_pass

Any help will be greatly appreciated.

Thanks in advance,
skb

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!
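The stack above only behaves as intended if the control flags resolve the way the poster expects (pam_krb5 or pam_ldap alone is enough, pam_opieaccess can veto, pam_unix is the fallback). The following is an added example, not code from the original post or from FreeBSD: a small parser for pam.d(5) lines and an evaluator that follows OpenPAM's rules for required, requisite, sufficient and optional, run over the posted /etc/pam.d/login with constructed per-module results (no module is actually called; the scenario names and the `Entry` type are this example's own).

```python
"""Evaluate a FreeBSD-style PAM chain the way OpenPAM's dispatcher does.

Added illustration, not code from the mailing-list post. Modelled control
flags: required, requisite, sufficient, optional (OpenPAM's 'binding' is not
used in the posted file). The module results handed to evaluate_stack() are
constructed scenarios standing in for what the real modules would return.
"""
from dataclasses import dataclass

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# The auth/account/session/password stack exactly as posted above.
LOGIN_PAM_CONF = """\
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account required pam_krb5.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_login_access.so
account required pam_securetty.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so
password required pam_unix.so no_warn try_first_pass
"""


@dataclass
class Entry:
    facility: str   # auth / account / session / password
    control: str    # required / requisite / sufficient / optional
    module: str     # module path or basename as written in the file
    args: str = ""  # module options, kept verbatim


def parse_pam_stack(text, facility="auth"):
    """Parse pam.d(5)-style lines and return the entries of one facility."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError(f"malformed pam line: {raw!r}")
        fac, ctl, mod = parts[:3]
        if ctl not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported control flag in: {raw!r}")
        if fac == facility:
            entries.append(Entry(fac, ctl, mod, parts[3] if len(parts) == 4 else ""))
    return entries


def evaluate_stack(entries, results):
    """Return SUCCESS or FAIL for one chain given each module's result.

    results maps a module basename (e.g. 'pam_ldap.so') to SUCCESS, FAIL or
    IGNORE; a module missing from the mapping counts as FAIL.
    """
    required_failed = False
    succeeded = False
    for e in entries:
        r = results.get(e.module.rsplit("/", 1)[-1], FAIL)
        if r == IGNORE:
            continue                           # as if the line were absent
        if e.control == "requisite" and r == FAIL:
            return FAIL                        # abort the chain at once
        if e.control == "required" and r == FAIL:
            required_failed = True             # keep going, chain is lost
        if e.control == "sufficient" and r == SUCCESS and not required_failed:
            return SUCCESS                     # short-circuit, rest skipped
        if r == SUCCESS:
            succeeded = True                   # optional/required success
    if required_failed:
        return FAIL
    return SUCCESS if succeeded else FAIL


def login_scenarios():
    """Constructed outcomes for the posted 'auth' chain (not real calls)."""
    auth = parse_pam_stack(LOGIN_PAM_CONF, "auth")
    base = {"pam_nologin.so": SUCCESS, "pam_self.so": FAIL,
            "pam_opie.so": FAIL, "pam_opieaccess.so": SUCCESS}
    return {
        "krb5 ok": evaluate_stack(auth, {**base, "pam_krb5.so": SUCCESS}),
        "krb5 down, ldap ok": evaluate_stack(
            auth, {**base, "pam_krb5.so": FAIL, "pam_ldap.so": SUCCESS}),
        "all backends fail": evaluate_stack(
            auth, {**base, "pam_krb5.so": FAIL, "pam_ldap.so": FAIL,
                   "pam_unix.so": FAIL}),
        "opieaccess denies": evaluate_stack(
            auth, {**base, "pam_opieaccess.so": FAIL, "pam_krb5.so": SUCCESS}),
    }


if __name__ == "__main__":
    for name, outcome in login_scenarios().items():
        print(f"{name:22s} -> {outcome}")
```

Two things the simulation makes visible: the `requisite` pam_opieaccess line can deny a login that pam_krb5 would otherwise have accepted, and a failing pam_ldap is harmless as long as pam_krb5 or pam_unix succeeds. What it cannot show is the step before PAM: login(1) first has to resolve the account through nsswitch, and nss_ldap binds anonymously unless ldap.conf gives it a binddn/bindpw, so a directory that refuses anonymous binds makes the user unknown before any auth module runs, which is consistent with "everything stops" rather than a single module failing.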