Date:      Thu, 23 Apr 2015 21:24:14 -0600
From:      markham breitbach <markhamb@corp.ssimicro.com>
To:        Jaime Kikpole <jkikpole@cairodurham.org>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: LDAP bind to Open Directory
Message-ID:  <5539B75E.4040901@corp.ssimicro.com>
In-Reply-To: <CA%2Bsg5RROOHaVm71T3BJucK%2BKn3-WdStN0dezZzXkdeSYA5MOkw@mail.gmail.com>
References:  <CA%2Bsg5RROOHaVm71T3BJucK%2BKn3-WdStN0dezZzXkdeSYA5MOkw@mail.gmail.com>

Hi,

It looks like you are using a different auth method on the new server:

>> CRAM-MD5 authentication failed.

The old Mac server appears to be using DIGEST-MD5.

I'm not sure how that gets configured though.  I have always used
LDAP-TLS to ensure that my passwords are protected in transit.

-M


On 2015-04-23 3:25 PM, Jaime Kikpole wrote:
> I *think* I have a FreeBSD system set up as an LDAP client.  I could
> be wrong about that, but it looks like I've got everything but
> password checks.  I was hoping someone here could help.
>
> I made a new VM with FreeBSD 10.1.  I have pam_ldap and nss_ldap
> installed and (as far as I can tell) configured.  I added a line to
> /etc/pam.d/sshd to enable LDAP accounts to login over SSH.  I figured
> this was a place to test.  I can still SSH as a local user, but LDAP
> users aren't authenticating.  When the LDAP user "testdoc6" tries to
> SSH in, /var/log/messages shows this:
>
> Apr 23 16:27:51 fstest1 sshd[819]: pam_ldap: error trying to bind as
> user "uid=testdoc6,cn=users,dc=dir,dc=cairodurham,dc=org" (Invalid
> credentials)
> credentials)
> Apr 23 16:27:51 fstest1 sshd[815]: error: PAM: authentication error
> for illegal user testdoc6 from 10.1.20.24
>
> On the LDAP server, I see messages like this:
>
> Apr 23 2015 16:27:51 520401us    AUTH2:
> {0x2eef29585ec611e495c7406c8f39f47e, testdoc6} CRAM-MD5 authentication
> failed, SASL error -13 (password incorrect).
>
> By contrast, when I successfully login to an old Mac file server with
> testdoc6, the directory server shows this:
>
> Apr 23 2015 16:20:23 783104us    AUTH2:
> {0x2eef29585ec611e495c7406c8f39f47e, testdoc6} DIGEST-MD5
> authentication succeeded.
>
> The directory server's messages appear in what Apple named "Password
> Service Server Log".
>
> Can anyone help me figure out what I did wrong?
>
>
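The mechanism mismatch Markham points to above (CRAM-MD5 failing for the new FreeBSD client, DIGEST-MD5 succeeding for the old Mac server) is easy to miss when the only client-side symptom is "Invalid credentials". The following is an added example, not code from either poster: it correlates pam_ldap bind failures from /var/log/messages with the AUTH2 records of the Password Service Server Log and reports, per user, which SASL mechanisms the directory rejects and which it accepts for the same account. The sample log text is constructed from the lines quoted in this thread; the regular expressions assume exactly those two formats, and `decode_mail_residue` exists only because the client lines were pasted through mail and carry quoted-printable residue (`=3D`, a soft line break).

```python
"""Correlate pam_ldap bind failures on a FreeBSD client with the
authentication mechanism recorded by the directory server."""
import quopri
import re
from collections import defaultdict

# Constructed sample input, modelled on the lines quoted in the thread.
# The client log is given as it appears in the mail archive, with
# quoted-printable residue ("=3D" and a soft line break "=\n").
CLIENT_LOG_QP = (
    'Apr 23 16:27:51 fstest1 sshd[819]: pam_ldap: error trying to bind as '
    'user "uid=3Dtestdoc6,cn=3Dusers,dc=3Ddir,dc=3Dcairodurham,dc=3Dorg" (In=\n'
    'valid credentials)\n'
    'Apr 23 16:27:51 fstest1 sshd[815]: error: PAM: authentication error '
    'for illegal user testdoc6 from 10.1.20.24\n'
)

# Constructed from the two Password Service Server Log lines in the thread.
SERVER_LOG = (
    'Apr 23 2015 16:27:51 520401us    AUTH2: '
    '{0x2eef29585ec611e495c7406c8f39f47e, testdoc6} CRAM-MD5 authentication '
    'failed, SASL error -13 (password incorrect).\n'
    'Apr 23 2015 16:20:23 783104us    AUTH2: '
    '{0x2eef29585ec611e495c7406c8f39f47e, testdoc6} DIGEST-MD5 '
    'authentication succeeded.\n'
)

CLIENT_RE = re.compile(
    r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)')
SERVER_RE = re.compile(
    r'AUTH2:\s*\{(?P<slot>0x[0-9a-f]+),\s*(?P<user>[^}]+)\}\s+'
    r'(?P<mech>\S+)\s+authentication\s+(?P<result>succeeded|failed)')
UID_RE = re.compile(r'(?:^|,)uid=([^,]+)', re.IGNORECASE)


def decode_mail_residue(text):
    """Undo quoted-printable encoding picked up when a log was mailed.
    Apply it only to text that is still QP-encoded: decoding an already
    decoded line would turn a sequence like 'dc=ca...' into a raw byte."""
    return quopri.decodestring(text.encode('ascii')).decode('utf-8')


def parse_client_log(text):
    """Bind failures logged by pam_ldap on the FreeBSD client."""
    events = []
    for m in CLIENT_RE.finditer(text):
        uid = UID_RE.search(m.group('dn'))
        events.append({'user': uid.group(1) if uid else None,
                       'dn': m.group('dn'), 'reason': m.group('reason')})
    return events


def parse_server_log(text):
    """AUTH2 records from the Password Service Server Log."""
    return [m.groupdict() for m in SERVER_RE.finditer(text)]


def mechanism_summary(server_events):
    """user -> mechanism -> {'succeeded': n, 'failed': n}"""
    summary = defaultdict(
        lambda: defaultdict(lambda: {'succeeded': 0, 'failed': 0}))
    for ev in server_events:
        summary[ev['user']][ev['mech']][ev['result']] += 1
    return summary


def diagnose(client_events, server_events):
    """Explain each client-side bind failure using the server's view."""
    summary = mechanism_summary(server_events)
    findings = []
    for ev in client_events:
        user = ev['user']
        mechs = summary.get(user, {})
        failing = sorted(m for m, c in mechs.items()
                         if c['failed'] and not c['succeeded'])
        working = sorted(m for m, c in mechs.items() if c['succeeded'])
        if failing and working:
            # Same account, one mechanism rejected and another accepted:
            # the client is negotiating the wrong mechanism, the password is fine.
            findings.append(
                f"{user}: client bind rejected ({ev['reason']}); server rejects "
                f"{', '.join(failing)} but accepts {', '.join(working)} for the "
                f"same account: mechanism mismatch, not a wrong password")
        elif failing:
            findings.append(f"{user}: {', '.join(failing)} failed on the server; "
                            f"no successful mechanism seen")
        else:
            findings.append(f"{user}: no matching server-side record for this "
                            f"bind failure")
    return findings


if __name__ == '__main__':
    client = parse_client_log(decode_mail_residue(CLIENT_LOG_QP))
    server = parse_server_log(SERVER_LOG)
    for line in diagnose(client, server):
        print(line)
```

Run it directly to print the finding for testdoc6. The decisive signal is one failed mechanism and one successful mechanism for the same account within the same log, which points at the client's configuration rather than at the password, and is the reason to compare the two logs side by side instead of reading "Invalid credentials" at face value.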