From owner-freebsd-questions@FreeBSD.ORG Tue Jul 26 11:33:49 2005
From: Andrey Simonenko
To: Valerio daelli
Cc: freebsd-questions@freebsd.org
Subject: Re: PAM debug
Date: Tue, 26 Jul 2005 14:31:39 +0300 (EEST)
Message-Id: <20050726113139.2EACD108@pm514-9.comsys.ntu-kpi.kiev.ua>
In-Reply-To: <1122373423.00339461.1122362401@10.7.7.3>
X-Newsgroups: lucky.freebsd.questions

On Tue, 26 Jul 2005 09:19:42 +0200 in lucky.freebsd.questions, Valerio daelli wrote:
> Hello
> we are having problems with PAM authenticating users on LDAP.
> We have FreeBSD 5.3.
> We would like to switch debugging.
> If we put this line in /etc/pam.d/login
>
> auth sufficient pam_ldap.so debug try_first_pass
>
> nothing happens.

According to the pam_ldap/nss manual page, debug does not work with pam_ldap/nss.

When I debugged my pam_ldap/nss installation, I used the log file from the OpenLDAP server and tcpdump. At first my connections were not TLS encrypted, so it was easy to read the content of the packets.

In my environment I don't use bindpw, and the OpenLDAP server does not send passwords in any form to clients. Instead, everyone is able to read all fields from a user's dn except his/her password; when a user tries to log in, pam_ldap sends the password over a TLS encrypted channel to the OpenLDAP server.

Do commands like "id bill" work on a system with ldap_nss? Have you tried to use ldapsearch to query your LDAP server from a client machine? Create a syslog log file for the LDAP server (slapd in the case of OpenLDAP) and check it.

By the way, how are you going to share user home directories? One way is to use NFS with quota on a server (or on several servers). I'm not very happy with this solution, because NFS will export all filesystems to clients; if somebody breaks root, then he/she can gain access to any user home directory. There is pam_mount; with some modifications it can be built on FreeBSD 5.x. Has somebody tried it with Samba? What are the alternatives to NFS + quota for systems which use pam_ldap?

PS: sorry for possible double posting.
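The question turns on what the `auth sufficient pam_ldap.so debug try_first_pass` line actually does in the PAM stack, and the reply's point is that the `debug` argument is not where the answer lies. The following is an added example, not code from either poster: a small parser for the `/etc/pam.d/<service>` line format (facility, control flag, module, arguments, with `\` continuations and `#` comments) plus a lint pass over the `auth` facility. The sample configuration is constructed for this example, the `lint_auth_stack` rules are my own assumptions about what a reviewer would want flagged, and the only claim taken from the thread is that pam_ldap ignores `debug`.

```python
"""Parse a FreeBSD-style /etc/pam.d/<service> file and lint its auth stack.

Added example for this thread, not code from the original post. The sample
configuration below is constructed and contains the pam_ldap line from the
question; the lint rules are assumptions about what is worth flagging.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the /etc/pam.d/<service> format (no service column).
SAMPLE_LOGIN = """\
# constructed sample for a FreeBSD 5.x style /etc/pam.d/login
auth\t\tsufficient\tpam_ldap.so\tdebug try_first_pass
auth\t\trequired\tpam_unix.so\tno_warn try_first_pass
account\t\trequired\tpam_unix.so
session\t\trequired\tpam_permit.so
"""

# Control flag, module path and argument tokens; control may be bracketed.
_LINE_RE = re.compile(r"\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


@dataclass
class PamEntry:
    line_no: int
    facility: str  # auth, account, session, password
    control: str   # required, requisite, sufficient, optional, binding, include, [...]
    module: str    # e.g. pam_ldap.so
    args: list = field(default_factory=list)


def parse_pam_service(text):
    """Return the PamEntry list for one pam.d service file (comments stripped)."""
    entries, pending, start = [], "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):          # logical line continues on the next one
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        line_no, start = start, None
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {line_no}: cannot parse {raw!r}")
        facility, control, module, rest = m.groups()
        entries.append(PamEntry(line_no, facility, control, module, rest.split()))
    return entries


def lint_auth_stack(entries):
    """Return human-readable findings about the 'auth' facility (assumed rules)."""
    findings = []
    auth = [e for e in entries if e.facility == "auth"]
    for e in auth:
        # The thread reports that pam_ldap does not honour 'debug'; the useful
        # trace is on the server side (slapd log) or on the wire.
        if e.module == "pam_ldap.so" and "debug" in e.args:
            findings.append(f"line {e.line_no}: 'debug' passed to pam_ldap.so is "
                            "ignored by the module; check the slapd log instead")
    for i, e in enumerate(auth):
        if e.control != "sufficient":
            continue
        later = auth[i + 1:]
        if not any(x.control in ("required", "requisite") for x in later):
            # Nothing after the sufficient module can authenticate the user,
            # so an unreachable LDAP server locks everyone out.
            findings.append(f"line {e.line_no}: 'sufficient' {e.module} has no "
                            "required/requisite fallback after it")
        else:
            # PAM semantics: success of a sufficient module (with no earlier
            # required failure) ends the stack; later modules are skipped.
            findings.append(f"line {e.line_no}: success of {e.module} ends the auth "
                            "stack; later modules are skipped for that user")
    return findings


if __name__ == "__main__":
    for finding in lint_auth_stack(parse_pam_service(SAMPLE_LOGIN)):
        print(finding)
```

Run against a real file with `parse_pam_service(open("/etc/pam.d/login").read())`; `include` lines (as in FreeBSD's stock `auth include system`) parse as an entry but are not expanded, so lint the included service separately.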