From: Dick Davies
To: FreeBSD Questions
Date: Fri, 1 Oct 2004 15:02:26 +0100
Subject: Re: Pam_ldap
Message-ID: <20041001140225.GE29161@lb.tenfour>

Right, basically this is doing what I thought - just checking passwords in AD
without looking up user info, so the accounts need to exist on the bsd server
(that may become a real pain in the arse, by the way).

Couple of quick checks:

1) the ldap.conf referred to should be /usr/local/etc/ldap.conf *NOT*
   /etc/openldap/ldap.conf

2) can you log onto the console as these users? If you're sshing you may
   need to edit /etc/pam.d/sshd, and not login.

3) what's in your logs? If you have the 'debug' flag on, something will be
   getting written to - check /var/log/secure and /var/log/messages

* Bret Walker [1043 13:43]:
> It is here: http://www.netsys.com/pamldap/2002/04/msg00074.html
>
> Thanks,
> Bret
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Dick Davies
> Sent: Friday, October 01, 2004 4:31 AM
> To: Bret Walker
> Cc: FreeBSD Questions
> Subject: Re: Pam_ldap
>
> * Bret Walker [1028 00:28]:
> > I've been trying all day to get pam_ldap to authenticate an ssh
> > session against Active Directory. I thought that I had found the
> > perfect HOWTO (read: one that didn't require nss_ldap), but its
> > instructions didn't seem to get it working on my system.
> >
> > I've read that you can authenticate to AD with pam_ldap alone, and I've
> > read that you can't, as well. Does anyone have any experience doing
> > this w/o nss_ldap? I'm running 4.10, and I don't think it has support
> > for nss_ldap.
> >
> > If anyone has any advice, I'd love to hear it.
>
> You're not going to need nss_ldap if you just want to validate a password.
> But it sounds a bit odd to have existing users in /etc/passwd and only
> have the password itself from AD - and if the users don't exist in
> /etc/passwd the system won't be able to log them in.
>
> What was the howto you used?

-- 
Yeah, life is hilariously cruel. - Bender
Rasputin :: Jack of All Trades - Master of Nuns
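The three checks above, plus the "account must exist locally" point from the earlier reply, as an added shell example. This is my code, not anything posted in the thread or shipped with pam_ldap. It assumes pam_ldap installed from ports (module at /usr/local/lib/pam_ldap.so, config read from /usr/local/etc/ldap.conf), the per-service PAM file layout Dick names, and the constructed host, DN and bind-account values in the sample config; the log lines in the test are constructed too.

```shell
#!/bin/sh
# Added example (not from the thread or from pam_ldap): reference config for
# "pam_ldap validates the password against AD, the account lives in
# /etc/passwd", plus checks for the points raised above.
# Assumptions: module /usr/local/lib/pam_ldap.so, config at
# /usr/local/etc/ldap.conf, per-service PAM files, placeholder names below.

# Reference /usr/local/etc/ldap.conf for an AD bind (constructed values).
example_ldap_conf() {
    cat <<'EOF'
host dc1.example.internal
base dc=example,dc=internal
ldap_version 3
# AD refuses the anonymous search pam_ldap uses to find the user's DN, so a
# low-privilege bind account is needed; keep this file mode 0600 because of it.
binddn cn=pam-bind,cn=Users,dc=example,dc=internal
bindpw ChangeMe
scope sub
# AD logins are sAMAccountName, not uid
pam_login_attribute sAMAccountName
pam_filter objectClass=user
debug 1
EOF
}

# Reference auth stack for the sshd service.  pam_ldap goes first and is
# "sufficient": a "required" pam_unix before it would fail the whole stack
# for an account that has no local password.
example_pam_sshd() {
    cat <<'EOF'
auth    sufficient  /usr/local/lib/pam_ldap.so    no_warn
auth    required    pam_unix.so                   no_warn try_first_pass
account required    pam_unix.so
session required    pam_permit.so
EOF
}

# 1) pam_ldap from ports reads /usr/local/etc/ldap.conf, not the OpenLDAP
#    client's /etc/openldap/ldap.conf.  Confirm the file is there and carries
#    what an AD bind needs.  Prints each problem, returns 1 if any.
check_ldap_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }
    rc=0
    grep -Eq '^[[:space:]]*(host|uri)[[:space:]]' "$conf" \
        || { echo "$conf: no host/uri line"; rc=1; }
    for key in base binddn bindpw; do
        grep -Eq "^[[:space:]]*$key[[:space:]]" "$conf" \
            || { echo "$conf: no '$key' line"; rc=1; }
    done
    grep -Eq '^[[:space:]]*pam_login_attribute[[:space:]]+sAMAccountName' "$conf" \
        || { echo "$conf: pam_login_attribute should be sAMAccountName for AD"; rc=1; }
    return $rc
}

# 2) ssh logins use the sshd service file, console logins use "login".
#    Check that the given service's auth stack calls pam_ldap, and that it
#    comes before pam_unix.
check_pam_service() {
    svc="$1"
    [ -f "$svc" ] || { echo "missing: $svc"; return 1; }
    ldap_line=$(grep -nE '^auth[[:space:]].*pam_ldap' "$svc" | head -n 1 | cut -d: -f1)
    unix_line=$(grep -nE '^auth[[:space:]].*pam_unix' "$svc" | head -n 1 | cut -d: -f1)
    [ -n "$ldap_line" ] || { echo "$svc: no 'auth ... pam_ldap' line"; return 1; }
    [ -z "$unix_line" ] || [ "$ldap_line" -lt "$unix_line" ] \
        || { echo "$svc: pam_ldap must precede pam_unix"; return 1; }
    return 0
}

# Without nss_ldap the account has to exist in /etc/passwd; id(1) is enough
# to tell (on FreeBSD "pw usershow NAME" works as well).
check_local_account() {
    id "$1" >/dev/null 2>&1
}

# 3) With "debug 1" pam_ldap logs through syslog; count its lines in the
#    given files (/var/log/secure and /var/log/messages on FreeBSD).
#    Prints the count; missing files count as empty.
count_pam_ldap_log_lines() {
    cat "$@" 2>/dev/null | grep -c 'pam_ldap' || true
}

# Run against the live system: sh thisfile run [username]
if [ "${1:-}" = "run" ]; then
    check_ldap_conf /usr/local/etc/ldap.conf
    check_pam_service /etc/pam.d/sshd
    check_local_account "${2:-$(id -un)}" || echo "no local account: ${2:-$(id -un)}"
    echo "pam_ldap log lines: $(count_pam_ldap_log_lines /var/log/secure /var/log/messages)"
fi
```

The ordering check matters more than it looks: with pam_ldap `sufficient` first, a good AD password ends the auth stack, while a `required` pam_unix placed first records a failure for any account whose local password field is unusable, and that failure survives a later pam_ldap success.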