Date: Fri, 1 Oct 2004 09:59:22 -0500
From: "Bret Walker" <bret-walker@northwestern.edu>
To: "'Dick Davies'" <rasputnik@hellooperator.net>
Cc: 'FreeBSD Questions' <freebsd-questions@freebsd.org>
Subject: RE: Pam_ldap
Message-ID: <00fd01c4a7c7$3f5a27a0$b1336981@medill.northwestern.edu>
In-Reply-To: <20041001144031.GF29161@lb.tenfour>

The query you gave me worked. I was able to see real name, home dir, etc.
I'm assuming since I can get that info, that I should be able to verify a
password too.

In my /usr/local/etc/ldap.conf file, I had binddb not binddn. Upon changing
this, I now get a different pam error. It says:
"error: PAM: Authentication failure"

One step closer..

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Dick Davies
Sent: Friday, October 01, 2004 9:41 AM
To: Bret Walker
Cc: FreeBSD Questions
Subject: Re: Pam_ldap

* Bret Walker <bret-walker@northwestern.edu> [1023 15:23]:

> I have ldap.conf in /etc/ and in /usr/local/etc/ldap.conf

The one in /etc isn't doing anything, so get rid of it.
The /usr/local/etc/ldap.conf should be holding the ad stuff
(what user to bind as, etc).

> I am able to log into the console as these users using the local
> password, but not using the ldap password. All of my pam info is in
> /etc/pam.conf, I don't have /etc/pam.d.

Then you're on 4.X right? Shouldn't stop this working.

>
> sshd auth sufficient pam_skey.so
> sshd auth sufficient pam_opie.so no_fake_prompts
> sshd auth sufficient pam_unix.so try_first_pass
> sshd auth sufficient /usr/local/lib/pam_ldap.so try_first_pass debug
> sshd account required pam_unix.so
> sshd password required pam_permit.so
> sshd session required pam_permit.co
>
>
> All I see in the logs are messages saying:
> "error: PAM: User not known to the underlying authentication module"

Right, so sshd is using pam. That's something.
The error could mean several things, one of which is that the user doesn't exist.

If you look through your ldap.conf, you should have enough info to pretend to be PAM.

use ldapsearch and try

ldapsearch -H "ldap://<host from ldap.conf>" -D "<binddn from ldap.conf>" -W \
    <pam_login_attribute from ldap.conf>=username

and enter the bindpw from ldap.conf

If you don't get the AD account back, then your ldap.conf is screwed.

> I'm pretty sure the ldap.conf files are correct, because I've followed
> the instructions from several places to the T.

"The nice thing about definitive LDAP howtos is there are so many to choose from" :)

--
You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your coat.
- Bender
Rasputin :: Jack of All Trades - Master of Nuns
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
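
Added example (not part of the original messages): a Python check for the failure reported in this thread, where a misspelled directive (binddb) left ldap.conf without a usable binddn. It reports missing directives with any look-alike key found in the file, then builds the ldapsearch command suggested in the reply; the sample file contents, host name, function names and the filter-value escaping step are assumptions made for illustration.

```python
import difflib

# Directives the ldapsearch test in this thread relies on.
REQUIRED = ("host", "binddn", "bindpw", "pam_login_attribute")

def parse_ldap_conf(text):
    """Return {directive: value} from 'key value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def missing_directives(conf):
    """Map each missing required directive to a look-alike key in the file."""
    extras = [k for k in conf if k not in REQUIRED]
    return {name: difflib.get_close_matches(name, extras, n=1, cutoff=0.8)
            for name in REQUIRED if name not in conf}

def escape_filter_value(value):
    """Escape RFC 4515 special characters (backslash first) in a filter value."""
    for ch in ("\\", "*", "(", ")", "\0"):
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value

def ldapsearch_argv(conf, username):
    """Build the command from the thread; -W prompts for the bindpw."""
    problems = missing_directives(conf)
    if problems:
        raise ValueError(f"ldap.conf is missing directives: {problems}")
    return ["ldapsearch", "-H", f"ldap://{conf['host']}",
            "-D", conf["binddn"], "-W",
            f"{conf['pam_login_attribute']}={escape_filter_value(username)}"]

# Constructed sample reproducing the misspelling reported in this thread.
SAMPLE = """\
host ad.example.edu
base dc=example,dc=edu
binddb cn=pamuser,cn=Users,dc=example,dc=edu
bindpw placeholder-secret
pam_login_attribute sAMAccountName
"""

if __name__ == "__main__":
    print(missing_directives(parse_ldap_conf(SAMPLE)))
    print(ldapsearch_argv(parse_ldap_conf(SAMPLE.replace("binddb", "binddn")), "jdoe"))
```

Passing the command as an argument list and prompting with -W keeps the bind password out of the process list and shell history.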