Date: Tue, 18 Mar 2008 12:44:48 +0300
From: Dmitriy Kirhlarov <dimma@higis.ru>
To: freebsd-stable@freebsd.org
Subject: Re: Problems combining nss_ldap/pam_ldap with pam_mkhomedir in FreeBSD 7.0
Message-ID: <47DF8F10.8080200@higis.ru>
In-Reply-To: <47DE9638.6080609@danielbond.org>
References: <47DE9638.6080609@danielbond.org>
Hi!

Daniel Bond wrote:
> # auth
> ...

This pam.d/ssh config is working fine for me:

# auth
auth        required    pam_nologin.so                  no_warn
auth        sufficient  pam_opie.so                     no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so               no_warn allow_local
#auth       sufficient  pam_krb5.so                     no_warn try_first_pass
#auth       sufficient  pam_ssh.so                      no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth        required    pam_unix.so                     no_warn try_first_pass

# account
account     required    pam_nologin.so
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    /usr/local/lib/pam_ldap.so      ignore_authinfo_unavail ignore_unknown_user
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    /usr/local/lib/pam_mkhomedir.so debug umask=0077 skel=/usr/local/share/skel
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so                     no_warn try_first_pass
password    required    pam_unix.so                     no_warn try_first_pass

> I'm pretty sure my ldap.conf and nsswitch.conf are OK, but here they are
> anyway:
>
>
> /usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
> /usr/local/etc/ldap.conf -> openldap/ldap.conf

I'm not sure this is correct. etc/ldap.conf and etc/openldap/ldap.conf are
different files for different purposes. etc/nss_ldap.conf -> etc/ldap.conf
is correct.

> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> base dc=nsn, dc=no
> HOST 1.slave.1881.int.nsn.no master.1881.int.nsn.no
>
> port 389
> ldap_version 3
> bind_policy soft
  ^^^^^^^^^^^^^^^^

Try replacing it with

bind_policy hard

The developers don't like "soft". I don't know why, but it periodically
breaks in new versions of nss_ldap (2 times in the last 3 years AFAIR). I'm
not sure about the current status. It must be tested.

Also try

echo "debug 9" >> /usr/local/etc/ldap.conf

For details see slapd.conf(5) about loglevel.

WBR.
Dmitriy
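As an added example, not part of the thread: a small audit of a pam.d stack like the one above, checking the points the reply relies on, that the account-phase pam_ldap.so line carries ignore_authinfo_unavail and ignore_unknown_user (otherwise a "required" LDAP lookup fails the whole stack when the directory is unreachable or the user is local-only) and that pam_mkhomedir.so is present with an umask that keeps new home directories private. The sample stack is embedded inline as constructed input; the function names are my own.

```python
# Constructed sample: the pam.d/ssh stack from the reply, embedded inline.
SAMPLE_PAM_SSH = """\
auth      required    pam_nologin.so     no_warn
auth      sufficient  pam_opie.so        no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so  no_warn allow_local
auth      sufficient  /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth      required    pam_unix.so        no_warn try_first_pass
account   required    pam_nologin.so
account   required    pam_login_access.so
account   required    /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account   required    pam_unix.so
session   required    /usr/local/lib/pam_mkhomedir.so debug umask=0077 skel=/usr/local/share/skel
session   required    pam_permit.so
password  required    pam_unix.so        no_warn try_first_pass
"""

def parse_pam(text):
    """Return (facility, control, module basename, [options]) per non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        facility, control, module, *opts = line.split()
        entries.append((facility, control, module.rsplit("/", 1)[-1], opts))
    return entries

def audit_pam(text):
    """Return a list of findings; an empty list means the stack passes these checks."""
    findings = []
    entries = parse_pam(text)
    for facility, control, module, opts in entries:
        if module == "pam_ldap.so" and facility == "account" and control in ("required", "requisite"):
            # Without these, an unreachable server or a local-only user (e.g. root)
            # makes pam_ldap fail and, being required, fails the whole account stack.
            for needed in ("ignore_authinfo_unavail", "ignore_unknown_user"):
                if needed not in opts:
                    findings.append(f"account pam_ldap.so is {control} without {needed}")
        if module == "pam_mkhomedir.so":
            umask = next((o.split("=", 1)[1] for o in opts if o.startswith("umask=")), None)
            # umask must clear all group/other bits so the new home is owner-only.
            if umask is None or int(umask, 8) & 0o077 != 0o077:
                findings.append(f"pam_mkhomedir.so umask={umask}: home dir not private")
    if "pam_mkhomedir.so" not in [m for f, _, m, _ in entries if f == "session"]:
        findings.append("no pam_mkhomedir.so session line: LDAP users without a home fail to log in")
    return findings
```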