Date:      Tue, 18 Mar 2008 12:44:48 +0300
From:      Dmitriy Kirhlarov <dimma@higis.ru>
To:        freebsd-stable@freebsd.org
Subject:   Re: Problems combining nss_ldap/pam_ldap with pam_mkhomedir in FreeBSD 7.0
Message-ID:  <47DF8F10.8080200@higis.ru>
In-Reply-To: <47DE9638.6080609@danielbond.org>
References:  <47DE9638.6080609@danielbond.org>

Hi!

Daniel Bond wrote:
> # auth
...

This pam.d/ssh config is working fine for me:

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so  debug umask=0077 skel=/usr/local/share/skel
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

> I'm pretty sure my ldap.conf and nsswitch.conf are OK, but here they are
> anyway:
> 
> 
> /usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
> /usr/local/etc/ldap.conf -> openldap/ldap.conf

I'm not sure it is correct.
etc/ldap.conf and etc/openldap/ldap.conf are different files for
different purposes.
etc/nss_ldap.conf -> etc/ldap.conf -- that is correct.

> # LDAP Defaults
> #
> 
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> 
> base    dc=nsn, dc=no
> HOST    1.slave.1881.int.nsn.no master.1881.int.nsn.no
> 
> port 389
> ldap_version 3
> bind_policy soft
^^^^^^^^^^^^^^^^^^

Try replacing it with
bind_policy hard

Developers don't like "soft". I don't know why, but it periodically
breaks in new versions of nss_ldap (2 times in the last 3 years AFAIR).
I'm not sure about the current status. It must be tested.

Also try

echo "debug 9" >> /usr/local/etc/ldap.conf

For details see
slapd.conf(5) about loglevel

WBR.
Dmitriy
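Added example, not part of this message and not code from the nss_ldap or pam_ldap projects: a small Python linter that parses a pam.d service file (joining backslash continuations, as pam.conf(5) allows) and an nss_ldap-style ldap.conf, and reports the settings discussed in the thread: bind_policy soft, a debug level left enabled after troubleshooting, pam_ldap placed after pam_unix in the auth stack, a required pam_ldap account entry without ignore_unknown_user, and pam_mkhomedir without a umask. The sample inputs are constructed; the hostnames and base DN are placeholders, not the poster's.

```python
"""Lint a FreeBSD pam.d service file plus a pam_ldap/nss_ldap ldap.conf.

Added example (not from the mailing-list post). Sample inputs below are
constructed; hostnames and base DN are placeholders.
"""

# Constructed sample: the sshd stack from the post, one entry per line.
# A trailing backslash continues an entry, as pam.conf(5) permits.
SAMPLE_PAM = """\
# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn \\
                                try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
# account
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so
# session
session         required        /usr/local/lib/pam_mkhomedir.so debug umask=0077 skel=/usr/local/share/skel
session         required        pam_permit.so
"""

# Constructed sample ldap.conf with the two settings the thread talks about.
SAMPLE_LDAP_CONF = """\
# placeholders, not real servers
base    dc=example,dc=org
HOST    ldap1.example.org ldap2.example.org
port 389
ldap_version 3
bind_policy soft
debug 9
"""


def parse_pam(text):
    """Return a list of (type, control, module, args) tuples.

    '#' starts a comment; a line ending in a backslash is continued on
    the next line and the pieces are joined into one logical entry.
    """
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        fields = " ".join(pending).split()
        pending = []
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def parse_ldap_conf(text):
    """Map lowercased keyword -> value; whole-line '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint(pam_entries, ldap_conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    stacks = {}
    for ptype, control, module, args in pam_entries:
        # Compare on the module basename so /usr/local/lib/pam_ldap.so matches.
        stacks.setdefault(ptype, []).append((control, module.rsplit("/", 1)[-1], args))

    if ldap_conf.get("bind_policy", "hard").lower() == "soft":
        findings.append("ldap.conf: bind_policy soft; the thread recommends bind_policy hard")
    if "debug" in ldap_conf:
        findings.append("ldap.conf: debug %s left enabled after troubleshooting" % ldap_conf["debug"])

    auth = [m for _, m, _ in stacks.get("auth", [])]
    if "pam_ldap.so" in auth and "pam_unix.so" in auth and auth.index("pam_ldap.so") > auth.index("pam_unix.so"):
        findings.append("auth: pam_ldap.so listed after pam_unix.so; a required pam_unix failure "
                        "is not undone by a later sufficient pam_ldap success")

    for control, module, args in stacks.get("account", []):
        if module == "pam_ldap.so" and control == "required" and "ignore_unknown_user" not in args:
            findings.append("account: required pam_ldap.so without ignore_unknown_user; "
                            "local-only accounts may be rejected")

    mkhome = [args for _, m, args in stacks.get("session", []) if m == "pam_mkhomedir.so"]
    if not mkhome:
        findings.append("session: pam_mkhomedir.so missing; LDAP users get no home directory")
    elif not any(a.startswith("umask=") for a in mkhome[0]):
        findings.append("session: pam_mkhomedir.so without umask=; homes are created with the module default")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_pam(SAMPLE_PAM), parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print(finding)
```

Run against the constructed samples it reports the bind_policy and debug findings and nothing about the PAM stack; point it at /etc/pam.d/sshd and /usr/local/etc/ldap.conf by reading those files into the two parse functions.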
