Date: Thu, 2 Sep 2004 21:37:23 +0200 (CEST)
From: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To: Curtis Vaughan <curtis@npc-usa.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Setting up pam_ldap & nss_ldap
Message-ID: <20040902210253.F50481@hades.admin.frm2>
In-Reply-To: <2F524A40-FD11-11D8-AE08-000393934006@npc-usa.com>
References: <2F524A40-FD11-11D8-AE08-000393934006@npc-usa.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 2 Sep 2004, Curtis Vaughan wrote:

> On 5.3-Beta I have installed pam_ldap and nss_ldap.
>
> Then I edited the following files:
>
> /usr/local/etc/ldap.conf
> /etc/nsswitch.conf
> files within /etc/pam.d
> particularly /etc/pam.d/ldap and ./sshd and ./su
> /usr/local/etc/nss_ldap.conf
>
> I think that's it. I can provide each of those files if necessary.
> Nonetheless authentication for users not local to this system is not
> occurring (which would normally occur for me under Linux). I have tried
> authenticating the following ways: 1) through ssh; 2) through su. I have
> noticed, however, that the way I do this under Linux is not the same as for
> FreeBSD. So, it's quite possible that I have left something out. Anyhow, I
> would appreciate any input into what needs to be configured to get this to
> work.

I have a FreeBSD-5.2.1 system that provides ssh logins based on LDAP
accounts via nss_ldap and pam_ldap. It works perfectly.

/etc/nsswitch.conf
---
passwd: files [NOTFOUND=continue] ldap
group: files [NOTFOUND=continue] ldap
shells: files
hosts: files dns
---

/etc/pam.d/sshd
---
# auth
auth		required	pam_nologin.so		no_warn
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass debug
auth		required	pam_unix.so		no_warn try_first_pass

# account
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		sufficient	/usr/local/lib/pam_ldap.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	sufficient	/usr/local/lib/pam_ldap.so	use_authtok
password	required	pam_unix.so		no_warn try_first_pass
---

/usr/local/etc/nss_ldap.conf (without TLS stuff)
---
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
ldap_version 3
port 389
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password clear
pam_password exop
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
# debug testing
#logdir /var/log
#debug 9
---

I use the same configuration for pam_ldap and nss_ldap, so create a
symlink to /usr/local/etc/nss_ldap.conf for /usr/local/etc/ldap.conf or
make an exact copy. All other entries in nss_ldap are commented out for
me. Don't forget to change "dc=example,dc=com" and "ldap1.example.com
ldap2.example.com" to your values.

There is no need for a .secret file for pam_ldap or nss_ldap. To be
clear, if you set a rootbinddn or binddn which has the right to read the
userPassword attribute, a getpwent(3) call would return all password
hashes, which is surely not what you want. The better way is to let
nss_ldap only return the account information without the password and let
pam_ldap try to bind as the user's DN with the submitted password.

Another point is that the whole pam_ldap stuff can be skipped if you use
a binddn or rootbinddn with nss_ldap and this DN is allowed to read the
userPassword attribute, as the password is available to pam_unix and
makes authentication possible. But remember the risk that someone is able
to use getpwent(3) to get all password hashes that are stored in LDAP.

If it's still not working for you, uncomment the "logdir" and "debug"
lines in nss_ldap.conf and, if not symlinked, in ldap.conf too. After
trying a new login you will find a file "ldap.<PID>" in the directory
specified as "logdir". The whole LDAP lookup and LDAP bind phase is
written to this file, so one can analyze what's working or not.

Feel free to ask again if you still have problems.

Regards
Joerg

--
The beginning is the most important part of the work.
-Plato

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBN3Z1SPOsGF+KA+MRAiqCAKDBJnLfyxzvDznyFqK0y5Nc7zreaQCgo2Tq
EA/iC/hSxEjtrBwnaBoIXAU=
=GlqU
-----END PGP SIGNATURE-----
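The risk Joerg describes above (a binddn or rootbinddn that may read userPassword turns every getpwent(3) caller into a hash dumper) is easy to test for from the client side. The script below is an added example, not part of Joerg's message or of the nss_ldap/pam_ldap projects: it reads passwd(5)-format entries, such as the output of `getent passwd` on a host that has getent(1), and prints the login name of every entry whose password field is something other than a placeholder. The placeholder set ("*", "x", "!" and empty) and the sample entries are assumptions constructed for the example; the hash strings in them are made up.

```shell
#!/bin/sh
# Added example (not from the original message): find password hashes that
# leak through the passwd NSS map. If nss_ldap binds with a DN allowed to
# read userPassword, every getpwent(3) caller sees the hash in field 2 of
# each passwd(5) entry. With hashes hidden, as when only pam_ldap binds as
# the user's own DN, field 2 is a placeholder. The placeholder set below
# ("*", "x", "!" and empty) is an assumption; extend it for your NSS source.

# leaking_users: read passwd(5)-format lines on stdin and print the login
# name of every entry whose password field is not a placeholder.
leaking_users() {
    awk -F: 'NF == 7 && $2 != "" && $2 != "*" && $2 != "x" && $2 != "!" { print $1 }'
}

# count_leaks: number of leaking entries in the passwd-format text in $1.
count_leaks() {
    printf '%s\n' "$1" | leaking_users | wc -l | tr -d ' '
}

# Constructed sample entries (not from any real system). bob and carol
# carry what a crypt(3) hash and a directory-style {SSHA} value look like
# when nss_ldap hands userPassword through unchanged.
SAMPLE='root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$abcdefgh$0123456789abcdefghijk:1002:1002:Bob:/home/bob:/bin/sh
carol:{SSHA}b3JkZXJseWZha2VoYXNo:1003:1003:Carol:/home/carol:/bin/sh'

# Stand-alone run: report on the constructed sample.
# On a live host, run instead:   getent passwd | leaking_users
printf 'hashes exposed for %s account(s):\n' "$(count_leaks "$SAMPLE")"
printf '%s\n' "$SAMPLE" | leaking_users
```

If the live run lists any LDAP users, the DN nss_ldap binds with can read userPassword; either drop the binddn/rootbinddn as Joerg suggests or restrict that DN's read access to userPassword in the directory's ACLs and let pam_ldap authenticate by binding as the user.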