From: markham breitbach
To: Jaime Kikpole, freebsd-questions@freebsd.org
Subject: Re: LDAP bind to Open Directory
Date: Thu, 23 Apr 2015 21:24:14 -0600

Hi,

It looks like you are using a different auth method on the new server:

>> CRAM-MD5 authentication failed.

The old Mac server appears to be using DIGEST-MD5. I'm not sure how that gets configured though. I have always used LDAP-TLS to ensure that my passwords are protected in transit.
-M

On 2015-04-23 3:25 PM, Jaime Kikpole wrote:
> I *think* I have a FreeBSD system set up as an LDAP client. I could
> be wrong about that, but it looks like I've got everything but
> password checks. I was hoping someone here could help.
>
> I made a new VM with FreeBSD 10.1. I have pam_ldap and nss_ldap
> installed and (as far as I can tell) configured. I added a line to
> /etc/pam.d/sshd to enable LDAP accounts to login over SSH. I figured
> this was a place to test. I can still SSH as a local user, but LDAP
> users aren't authenticating. When the LDAP user "testdoc6" tries to
> SSH in, /var/log/messages shows this:
>
> Apr 23 16:27:51 fstest1 sshd[819]: pam_ldap: error trying to bind as
> user "uid=testdoc6,cn=users,dc=dir,dc=cairodurham,dc=org" (Invalid
> credentials)
> Apr 23 16:27:51 fstest1 sshd[815]: error: PAM: authentication error
> for illegal user testdoc6 from 10.1.20.24
>
> On the LDAP server, I see messages like this:
>
> Apr 23 2015 16:27:51 520401us AUTH2:
> {0x2eef29585ec611e495c7406c8f39f47e, testdoc6} CRAM-MD5 authentication
> failed, SASL error -13 (password incorrect).
>
> By contrast, when I successfully login to an old Mac file server with
> testdoc6, the directory server shows this:
>
> Apr 23 2015 16:20:23 783104us AUTH2:
> {0x2eef29585ec611e495c7406c8f39f47e, testdoc6} DIGEST-MD5
> authentication succeeded.
>
> The directory server's messages appear in what Apple named "Password
> Service Server Log".
>
> Can anyone help me figure out what I did wrong?
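As an added triage helper (not from either poster in this thread), the script below parses the two log formats quoted above and reports, per user, a mechanism the Password Server rejected while it has accepted another for the same account, which is the comparison the reply draws. The sample lines are constructed from the quoted excerpts with the quoted-printable escapes decoded.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the thread's excerpts (pam_ldap in /var/log/messages; Apple Password Service log).
SAMPLE_MESSAGES = """\
Apr 23 16:27:51 fstest1 sshd[819]: pam_ldap: error trying to bind as user "uid=testdoc6,cn=users,dc=dir,dc=cairodurham,dc=org" (Invalid credentials)
Apr 23 16:27:51 fstest1 sshd[815]: error: PAM: authentication error for illegal user testdoc6 from 10.1.20.24
"""
SAMPLE_PWSERVER = """\
Apr 23 2015 16:20:23 783104us AUTH2: {0x2eef29585ec611e495c7406c8f39f47e, testdoc6} DIGEST-MD5 authentication succeeded.
Apr 23 2015 16:27:51 520401us AUTH2: {0x2eef29585ec611e495c7406c8f39f47e, testdoc6} CRAM-MD5 authentication failed, SASL error -13 (password incorrect).
"""

PAM_LDAP_RE = re.compile(r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)')
AUTH2_RE = re.compile(r'AUTH2: \{(?P<slot>0x[0-9a-f]+), (?P<user>[^}]+)\} (?P<mech>\S+) '
                      r'authentication (?P<result>succeeded|failed)')

def parse_pam_ldap(text):
    """(uid, bind DN, reason) per pam_ldap bind failure; uid is the value of the DN's first RDN."""
    out = []
    for m in PAM_LDAP_RE.finditer(text):
        dn = m.group("dn")
        uid = dn.split(",", 1)[0].split("=", 1)[1]
        out.append((uid, dn, m.group("reason")))
    return out

def parse_pwserver(text):
    """(user, SASL mechanism, result) per AUTH2 line of the Password Service log."""
    return [(m.group("user"), m.group("mech"), m.group("result"))
            for m in AUTH2_RE.finditer(text)]

def mechanism_mismatches(events):
    """Per user: mechanisms that only failed, beside mechanisms that succeeded (a client-side difference, not a bad password)."""
    by_user = defaultdict(lambda: {"succeeded": set(), "failed": set()})
    for user, mech, result in events:
        by_user[user][result].add(mech)
    return {u: (sorted(v["failed"] - v["succeeded"]), sorted(v["succeeded"]))
            for u, v in by_user.items() if v["failed"] - v["succeeded"] and v["succeeded"]}

def triage(messages, pwserver):
    """Join each client-side bind failure with the server-side mechanism picture for that uid."""
    mism = mechanism_mismatches(parse_pwserver(pwserver))
    findings = []
    for uid, dn, reason in parse_pam_ldap(messages):
        failed, ok = mism.get(uid, ([], []))
        hint = (f"server rejected {', '.join(failed)} but accepts {', '.join(ok)}; compare the client's bind mechanism and TLS settings first"
                if failed else "no mechanism mismatch on the server side")
        findings.append(f"{uid}: bind as {dn} failed ({reason}); {hint}")
    return findings
```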