From: Dmitriy Kirhlarov <dimma@higis.ru>
To: freebsd-stable@freebsd.org
Date: Tue, 18 Mar 2008 12:44:48 +0300
Subject: Re: Problems combining nss_ldap/pam_ldap with pam_mkhomedir in FreeBSD 7.0
Message-ID: <47DF8F10.8080200@higis.ru>
In-Reply-To: <47DE9638.6080609@danielbond.org>

Hi!

Daniel Bond wrote:
> # auth ...
This pam.d/ssh config is working fine for me:

# auth
auth        required    pam_nologin.so                  no_warn
auth        sufficient  pam_opie.so                     no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so               no_warn allow_local
#auth       sufficient  pam_krb5.so                     no_warn try_first_pass
#auth       sufficient  pam_ssh.so                      no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth        required    pam_unix.so                     no_warn try_first_pass

# account
account     required    pam_nologin.so
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    /usr/local/lib/pam_ldap.so      ignore_authinfo_unavail ignore_unknown_user
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    /usr/local/lib/pam_mkhomedir.so debug umask=0077 skel=/usr/local/share/skel
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so                     no_warn try_first_pass
password    required    pam_unix.so                     no_warn try_first_pass

> I'm pretty sure my ldap.conf and nsswitch.conf are OK, but here they are
> anyway:
>
> /usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
> /usr/local/etc/ldap.conf -> openldap/ldap.conf

I'm not sure it is correct. etc/ldap.conf and etc/openldap/ldap.conf are
different files for different purposes. etc/nss_ldap.conf -> etc/ldap.conf
is correct.

> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> base dc=nsn, dc=no
> HOST 1.slave.1881.int.nsn.no master.1881.int.nsn.no
>
> port 389
> ldap_version 3
> bind_policy soft
  ^^^^^^^^^^^^^^^^

Try replacing it with

bind_policy hard

Developers don't like "soft". I don't know why, but it periodically breaks in
new versions of nss_ldap (2 times in the last 3 years, AFAIR). I'm not sure
about the current status. It must be tested.

Also try

echo "debug 9" >> /usr/local/etc/ldap.conf

For details see slapd.conf(5) about loglevel.

WBR.
Dmitriy
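A small sanity check of the kind the stack above invites, added here as an example and not part of the original thread: it parses a pam.d service file and flags a missing pam_mkhomedir, a pam_mkhomedir umask that leaves new home directories readable by others, and a pam_ldap account entry with ignore_authinfo_unavail that no required module follows. SAMPLE is a constructed, abridged copy of the account and session stacks from the message; parse_pam and audit are hypothetical helpers written for this example.

```python
# Constructed, abridged copy of the account/session stack from the post.
SAMPLE = """\
# account
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
# session
session required /usr/local/lib/pam_mkhomedir.so debug umask=0077 skel=/usr/local/share/skel
session required pam_permit.so
"""


def parse_pam(text):
    """Return (type, control, module, args) tuples for each non-comment line."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed pam.d line: %r" % line)
        ptype, control, module = fields[:3]
        module = module.rsplit("/", 1)[-1]  # drop the /usr/local/lib/ prefix
        stack.append((ptype, control, module, fields[3:]))
    return stack


def audit(stack):
    """Return a list of findings; an empty list means the stack looks sane."""
    findings = []
    mk = [e for e in stack if e[0] == "session" and e[2] == "pam_mkhomedir.so"]
    if not mk:
        findings.append("no pam_mkhomedir in session: LDAP-only users get no home directory")
    for _, _, _, args in mk:
        umask = dict(a.split("=", 1) for a in args if "=" in a).get("umask")
        # umask decides the mode of the created home directory; every
        # group/other bit must be masked for it to stay private.
        if umask is None or int(umask, 8) & 0o077 != 0o077:
            findings.append("pam_mkhomedir umask=%s leaves new home dirs open to others" % umask)
    account = [e for e in stack if e[0] == "account"]
    for i, (_, _, module, args) in enumerate(account):
        if module == "pam_ldap.so" and "ignore_authinfo_unavail" in args:
            # With this flag pam_ldap returns PAM_IGNORE while LDAP is down,
            # so the account decision rests on the modules listed after it.
            later = [c for _, c, _, _ in account[i + 1:]]
            if not any(c in ("required", "requisite") for c in later):
                findings.append("pam_ldap account ignores LDAP outages and no required module follows")
    return findings
```

Run it against a real /etc/pam.d/sshd by passing the file's contents to parse_pam; the stack from the post produces no findings.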