Date: Thu, 26 May 2011 13:49:05 +0200
From: Aleksander Steffensen <post@stmm.no>
To: freebsd-questions@freebsd.org
Subject: Trouble with LDAP-authentication to Apple Open Directory
Message-ID: <C9F6A2BB-C4D2-4BFF-9864-B015920F4C22@gmail.com>
Hello!

Yesterday I finally managed to get my FreeBSD 8.2-STABLE box to actually authenticate to the Xserve, running Open Directory on Mac OS X 10.5 Server. I was able to log in to the FreeBSD box (egil.kreativsone.no) as a directory user via SSH and also via netatalk.

Unfortunately, after a while, it stopped working. I can't remember doing anything at all... As far as I know, I made no changes in the configuration, neither on the Xserve nor on the FreeBSD box. This is what happens when I try to log in via SSH.

> mp-aleks:~ aleksander$ ssh alekstef@egil.kreativsone.no
> Password:
> alekstef@egil.kreativsone.no's password:
> Connection closed by 192.168.3.6

Notice that I enter the password once, and then it asks for the password once more, but it won't accept the password. Here is the auth.log on egil.kreativsone.no:

> May 26 13:18:24 egil sshd[5347]: error: PAM: user account has expired for alekstef from 192.168.3.16
> May 26 13:18:28 egil sshd[5347]: Failed password for alekstef from 192.168.3.16 port 62114 ssh2

I know for a fact that the user account is not expired in Open Directory. I have also checked the logs on the Xserve, but can't find anything relevant to the problem, so I assume the problem is on the FreeBSD box. Here's the part of my nss_ldap.conf file on egil.kreativsone.no that is not commented out. Everything else is the default:

> host jangunnar.kreativsone.no
> base dc=jangunnar,dc=kreativsone,dc=no
>
> ldap_version 3
> port 389
> scope one
> bind_policy soft
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
>
> pam_groupdn cn=lagring,cn=groups,dc=jangunnar,dc=kreativsone,dc=no
> pam_member_attribute memberUid
>
> pam_password crypt
> nss_base_passwd cn=users,dc=jangunnar,dc=kreativsone,dc=no?one
> nss_base_shadow cn=users,dc=jangunnar,dc=kreativsone,dc=no?one
> nss_base_group cn=groups,dc=jangunnar,dc=kreativsone,dc=no?one
> ssl off

I tried commenting out the pam_groupdn and pam_member_attribute lines with no success. I was hoping to restrict login to the group "lagring", but it didn't seem to work.

/etc/pam.d/sshd:

> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth sufficient /usr/local/lib/pam_ldap.so no_warn
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> account required pam_login_access.so
> account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
> account required pam_unix.so
>
> # session
> session required pam_permit.so
>
> # password
> password required pam_unix.so no_warn try_first_pass

/etc/pam.d/netatalk:

> auth sufficient /usr/local/lib/pam_ldap.so no_warn
> auth include system
> account include system
> password include system
> session include system
> account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user

I really need to get this working again. Any help is highly appreciated. Please ask if you need more information.

Thanks!

Best regards,
Aleksander Steffensen
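An added example, not from the post or from nss_ldap/pam_ldap, reproducing offline the shadow(5) account-expiry rules that a PAM account module applies to a posixAccount: it parses a constructed LDIF entry and shows how an unexpected shadowExpire value (here 0, i.e. 1970-01-01) makes a directory user look expired to the client even when the directory itself reports the account as active. The entry, the attribute values and the expiry rules are assumptions modelled on shadow(5), not pam_ldap's own source.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (no line folding)."""
    entry = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def shadow_int(entry, attr):
    """Integer shadow attribute; None when absent, empty or negative (shadow(5):
    'no limit'). 0 is a real value (1970-01-01), not 'unset'."""
    values = entry.get(attr)
    if not values or values[0] == "":
        return None
    n = int(values[0])
    return None if n < 0 else n

def account_status(entry, iso_today):
    """shadow(5) rules: 'expired' once shadowExpire has passed or the password
    has been expired longer than shadowInactive allows, 'password_expired'
    once shadowLastChange + shadowMax has passed, otherwise 'ok'."""
    days = (date.fromisoformat(iso_today) - EPOCH).days
    expire = shadow_int(entry, "shadowExpire")
    if expire is not None and days > expire:
        return "expired"
    last = shadow_int(entry, "shadowLastChange")
    max_age = shadow_int(entry, "shadowMax")
    if last is not None and max_age is not None:
        inactive = shadow_int(entry, "shadowInactive") or 0
        if days > last + max_age + inactive:
            return "expired"
        if days > last + max_age:
            return "password_expired"
    return "ok"

# Constructed entry (not real directory data) shaped like the post's cn=users
# container; shadowExpire 0 is 1970-01-01, so the account reads as expired.
SAMPLE = """
dn: uid=testuser,cn=users,dc=jangunnar,dc=kreativsone,dc=no
objectClass: posixAccount
uid: testuser
shadowLastChange: 15000
shadowMax: 99999
shadowExpire: 0
"""
```

Calling `account_status(parse_ldif(SAMPLE), "2011-05-26")` returns "expired"; with shadowExpire absent or -1 the same entry returns "ok".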