Date: Sun, 21 Nov 2004 17:36:14 -0500 From: Jon Adams <jkadams@computer.org> To: Jon Adams <jkadams@computer.org> Cc: freebsd-questions@freebsd.org Subject: Alsmost have NSS/PAM/LDAP... neew a lil help ( was Re: Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x) Message-ID: <41A1185E.9070506@computer.org> In-Reply-To: <41A0952B.4010107@computer.org> References: <41A0952B.4010107@computer.org>
next in thread | previous in thread | raw e-mail | index | archive | help
After much banging my head against the desk, I have it kinda working...
I can su - to a user (from root) and get home directory... but... and I
have tried PLAIN, CRYPT, and SSHA passwords...
I cannot login, su - (when prompted for password), ssh in...
here is a some of the conf files
east# more /usr/local/etc/pam_ldap/ssh.conf
host 127.0.0.1
port 389
base dc=all,dc=net
ldap_version 3
ssl off
tls_ciphers HIGH:MEDIUM:+SSLv2:RSA
tls_checkpeer no
pam_login_attribute uid
east# cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient /usr/local/lib/pam_ldap.so no_warn
try_first_pass config=/usr/local/etc/pam_ldap/ssh.conf
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn
no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn
try_first_pass
#auth sufficient pam_ssh.so no_warn
try_first_pass
auth required pam_unix.so no_warn
try_first_pass
# account
#account required pam_krb5.so
account sufficient /usr/local/lib/pam_ldap.so
config=/usr/local/etc/pam_ldap/ssh.conf
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session sufficient /usr/local/lib/pam_ldap.so
config=/usr/local/etc/pam_ldap/ssh.conf
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn
try_first_pass
password sufficient /usr/local/lib/pam_ldap.so
config=/usr/local/etc/pam_ldap/ssh.conf
password required pam_unix.so no_warn
try_first_pass
east# more /usr/local/etc/ldap.conf
rootbinddb cn=Manager,dc=all,dc=net
uri ldaps://69.17.104.19:636/
binddn cn=Manager,dc=all,dc=net
ssl yes
bindpw ________
port 636
nss_base_passwd ou=People,dc=all,dc=net?one
nss_base_group ou=Groups,dc=all,dc=net?one
pam_password SSHA
> uname -a
FreeBSD east 5.1-RELEASE FreeBSD 5.1-RELEASE #3: Tue Nov 9 22:43:42 GMT
2004 jka@nitro:/usr/src/sys/i386/compile/ORACLE i386
(I put in the oracle required changes and some TCP/IP related stuff)
> ./slapd -VV
@(#) $OpenLDAP: slapd 2.2.18 (Nov 21 2004 02:33:07) $
jka@east:/usr/ports/net/openldap22-sasl-server/work/openldap-2.2.18/servers/slapd
> sshd -v
sshd version OpenSSH_3.6.1p1 FreeBSD-20030423
strings on slappasswd show the following are compiled in::
{SSHA}
{CRYPT}
{SHA}
{MD5}
{LANMAN}
{SASL}
{UNIX}
{CLEARTEXT}
Jon Adams wrote:
> I tried this one:
> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
>
>
> and it emphatically does not work, and I followed it to the letter....
> I think it has something to do with NSS only using SSL/port 636.
>
> so then I tried it with that added.... still no dice
>
>
> Help!
>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41A1185E.9070506>