From: "Per olof Ljungmark"
To: freebsd-questions@freebsd.org
Date: Sat, 19 Jul 2008 01:29:33 +0200
Subject: Re: "Invalid credentials" errors using pam_ldap on FreeBSD

Quoting "Stephen Allen":

> Hello,
>
> I'm pretty sure I've done all the necessary steps to be able to ssh
> to my FreeBSD box using pam_ldap, but I'm getting "Invalid
> credentials" errors whenever I try (I can successfully perform an
> ldapsearch operation though).
>
> Here are snippets from my config:
>
> [/etc/nsswitch.conf]
> passwd: files ldap
>
> [/etc/pam.d/sshd]
> auth sufficient /usr/local/lib/pam_ldap.so
> auth required pam_unix.so
>
> [/usr/local/etc/ldap.conf]
> base o=brookes
> uri ldap://ldap.brookes.ac.uk:389/
> scope one
>
> And here is the error:
>
> Jul 18 19:19:41 vh1a9f58 sshd[19601]: pam_ldap: error trying to bind as user "uid=p0036343,o=Brookes" (Invalid credentials)
>
> Incidentally, the following ldapsearch query _IS_ successful, and
> returns me some details about user 'jsmith'
>
> ldapsearch -H ldap://ldap.brookes.ac.uk -b 'o=brookes' -x -W -D 'uid=me,o=Brookes' uid=jsmith

Try to increase the log level in nss_ldap.conf, debug = , and
check /var/log/debug.log. man nss_ldap(5).

--per
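
Added example, not part of the original message or of pam_ldap itself: a small sh script that pulls the failing bind DN out of pam_ldap log lines like the one quoted above and replays the same simple bind with OpenLDAP's ldapwhoami, which separates a wrong password for that DN from a PAM configuration problem. The function names, the `DN|error` output format and the two-argument invocation are assumptions made for this sketch; the sample data is constructed from the snippets in the thread.

```shell
#!/bin/sh
# Added example: replay the simple bind that pam_ldap logged as failing.

# Constructed sample input, taken from the log line and config quoted in the thread.
SAMPLE_LOG='Jul 18 19:19:41 vh1a9f58 sshd[19601]: pam_ldap: error trying to bind as user "uid=p0036343,o=Brookes" (Invalid credentials)'
SAMPLE_CONF='base o=brookes
uri ldap://ldap.brookes.ac.uk:389/
scope one'

# Print "DN|error" for each pam_ldap bind failure read on stdin;
# lines that are not pam_ldap bind errors produce no output.
failed_binds() {
    sed -n 's/.*pam_ldap: error trying to bind as user "\([^"]*\)" (\(.*\))$/\1|\2/p'
}

# Print the value of one key (uri, base, scope, ...) from ldap.conf text on stdin.
conf_value() {
    awk -v key="$1" 'tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Attempt a simple bind as the given DN against the given URI.
# Prompts for the password; prints the authorization identity on success
# or the LDAP error (for example "Invalid credentials (49)") on failure.
replay_bind() {   # usage: replay_bind URI DN
    ldapwhoami -x -H "$1" -D "$2" -W
}

# Hypothetical invocation: script.sh /var/log/auth.log /usr/local/etc/ldap.conf
# Replays each distinct failing DN once, using the uri from ldap.conf.
if [ "$#" -eq 2 ]; then
    uri=$(conf_value uri < "$2")
    failed_binds < "$1" | cut -d'|' -f1 | sort -u | while IFS= read -r dn; do
        echo "== simple bind as: $dn"
        replay_bind "$uri" "$dn" < /dev/tty
    done
fi
```

If the replayed bind fails with the same error, the directory itself is rejecting that DN and password, and the PAM stack is not the place to look.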