From: Paul Schmehl <pauls@utdallas.edu>
To: Frank Bonnet, bseklecki@collaborativefusion.com
Cc: freebsd-questions@freebsd.org
Date: Wed, 26 Mar 2008 16:28:43 -0500
Subject: Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

Please don't top post. It disrupts the flow of the conversation. (See below for my response.)
--On Wednesday, March 26, 2008 4:01 PM +0100 Frank Bonnet wrote:

> Hello
>
> After having spent several hours on it I can't have a working
> ssh access that use PAM_LDAP on a freebsd 6/7 machine !
>
> I have no problem on a Linux Debian etch box ...
>
> Where are we going if Linux works better than BSD ? :-)
>

Setting up pam ldap ssh access on a FreeBSD box takes less than five minutes *after* installing the correct ports.

1) net/openldap-client
2) security/pam_ldap

Then configure ldap.conf (in /usr/local/etc/) which is quite simple:

host {your ldap server(s), either hostname(s) or ip(s), in a space-separated list}
dc (your dn)

Then configure /etc/pam.d/sshd thus:

auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass

That's all that is needed. If it doesn't work, fire up wireshark (port) or tcpdump (base) and see what the problem is.

You needn't even bother creating local passwords for accounts. Just create the account without one, and with pam/ssh/ldap, they can login and use their assigned shell/do whatever you've authorized them to do.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
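The pam_ldap line in Paul's reply does its job because of where it sits in the `auth` stack: it is `sufficient`, so a successful LDAP bind ends the stack, and a failure falls through to the stock `auth required pam_unix.so` line that FreeBSD ships, which keeps local accounts (root included) working when the LDAP server is unreachable. The script below is an added example, not code from Paul's mail or from the pam_ldap port. It reads an sshd PAM file on stdin and checks that pam_ldap is `sufficient`, that a `required` pam_unix line still follows it, and that the fallback carries `try_first_pass` so a user whose LDAP bind fails is not prompted a second time. The two embedded stacks are constructed: the first is modelled on a FreeBSD 6/7 `/etc/pam.d/sshd` with Paul's line added (module path as in the mail), the second is a deliberately wrong variant.

```shell
#!/bin/sh
# Added example (not from the original mail): sanity-check the 'auth' stack of
# a FreeBSD /etc/pam.d/sshd that adds pam_ldap. Reads the PAM file on stdin.

# Constructed sample: FreeBSD 6/7-style sshd stack plus the pam_ldap line from
# the mail. The module path /usr/local/lib/pam_ldap.so is the one Paul names.
GOOD_SSHD='# auth
auth     sufficient  pam_opie.so                 no_warn no_fake_prompts
auth     requisite   pam_opieaccess.so           no_warn allow_local
auth     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth     required    pam_unix.so                 no_warn try_first_pass
# account
account  required    pam_nologin.so
account  required    pam_login_access.so
account  required    pam_unix.so
# session
session  required    pam_permit.so
# password
password required    pam_unix.so                 no_warn try_first_pass'

# Constructed counter-example: pam_ldap marked "required" and placed after
# pam_unix. An LDAP outage then fails every login, local accounts included.
BAD_SSHD='auth     required    pam_unix.so                 no_warn
auth     required    /usr/local/lib/pam_ldap.so  no_warn'

# check_auth_stack: reads a pam.d file on stdin, prints findings on stdout,
# returns 0 when the auth stack is sane and 1 otherwise.
check_auth_stack() {
    # Keep only uncommented "auth" lines, numbered: "<pos> <control> <module> [options]"
    stack=$(awk '$1 == "auth" { n++; $1 = n; print }')
    ldap=$(printf '%s\n' "$stack" | awk '$3 ~ /pam_ldap\.so$/ { print; exit }')
    rc=0
    if [ -z "$ldap" ]; then
        echo "FAIL: no pam_ldap.so line in the auth stack"
        return 1
    fi
    set -- $ldap
    ldap_pos=$1 ldap_ctl=$2
    if [ "$ldap_ctl" != sufficient ]; then
        # required/requisite: a failed LDAP bind fails the whole stack, so an
        # unreachable LDAP server also locks out local (and root) logins
        echo "FAIL: pam_ldap is '$ldap_ctl', should be 'sufficient'"
        rc=1
    fi
    # Local fallback: a 'required' pam_unix line positioned after pam_ldap
    unix=$(printf '%s\n' "$stack" | awk -v p="$ldap_pos" \
        '$3 ~ /pam_unix\.so$/ && $1 > p && $2 == "required" { print; exit }')
    if [ -z "$unix" ]; then
        echo "FAIL: no 'auth required pam_unix.so' after pam_ldap (local accounts)"
        rc=1
    else
        case " $unix " in
            *" try_first_pass "*) ;;
            *) echo "WARN: pam_unix fallback lacks try_first_pass (users get a second prompt)" ;;
        esac
    fi
    [ "$rc" -eq 0 ] && echo "OK: pam_ldap sufficient at auth line $ldap_pos, pam_unix fallback present"
    return "$rc"
}

# Run against the constructed good stack. Against a live system use:
#   check_auth_stack < /etc/pam.d/sshd
printf '%s\n' "$GOOD_SSHD" | check_auth_stack
```

The check only covers the `auth` stack; the `account` lines (pam_nologin, pam_login_access, pam_unix) are left as FreeBSD ships them, which is consistent with Paul's point that the single added line is all that is needed for login. Run it on the copy of `/etc/pam.d/sshd` you intend to install before restarting sshd, and keep an existing session open while you test, since a mistake here is the classic way to lock yourself out of a remote box.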