From owner-freebsd-questions@FreeBSD.ORG Fri Mar 18 16:03:02 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 324331065670 for ; Fri, 18 Mar 2011 16:03:02 +0000 (UTC) (envelope-from dan@dan.emsphone.com) Received: from email2.allantgroup.com (email2.emsphone.com [199.67.51.116]) by mx1.freebsd.org (Postfix) with ESMTP id D4B2C8FC17 for ; Fri, 18 Mar 2011 16:03:01 +0000 (UTC) Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by email2.allantgroup.com (8.14.4/8.14.4) with ESMTP id p2IG2wKg057230 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 18 Mar 2011 11:02:58 -0500 (CDT) (envelope-from dan@dan.emsphone.com) Received: from dan.emsphone.com (smmsp@localhost [127.0.0.1]) by dan.emsphone.com (8.14.4/8.14.4) with ESMTP id p2IG2wBU039264 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 18 Mar 2011 11:02:58 -0500 (CDT) (envelope-from dan@dan.emsphone.com) Received: (from dan@localhost) by dan.emsphone.com (8.14.4/8.14.4/Submit) id p2IG2v4M039238; Fri, 18 Mar 2011 11:02:57 -0500 (CDT) (envelope-from dan) Date: Fri, 18 Mar 2011 11:02:57 -0500 From: Dan Nelson To: "O. Hartmann" Message-ID: <20110318160257.GD44561@dan.emsphone.com> References: <4D833D3C.7080804@zedat.fu-berlin.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4D833D3C.7080804@zedat.fu-berlin.de> X-OS: FreeBSD 8.2-PRERELEASE User-Agent: Mutt/1.5.21 (2010-09-15) X-Virus-Scanned: clamav-milter 0.97 at email2.allantgroup.com X-Virus-Status: Clean X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.6 (email2.allantgroup.com [199.67.51.78]); Fri, 18 Mar 2011 11:02:58 -0500 (CDT) X-Scanned-By: MIMEDefang 2.68 on 199.67.51.78 Cc: freebsd-questions@freebsd.org Subject: Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Mar 2011 16:03:02 -0000 In the last episode (Mar 18), O. Hartmann said: > I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent > OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an > UBUNTU 10.10 server (using openldap 2.4.23). > > Most of the installation on the Ubuntu server has been successfully done > (I'm not familiar with Linux, but it seems that things like pam and ldap > are quite similar to FreeBSD's installation). > > From the Linux/Ubuntu server, I'm able to get all users and groups via > 'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up > user is successfully. > > But when it comes to a login via sshd, login fails with this error > (loged on Linux Ubuntu in /var/log/auth.log): > > Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2 > Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required) "Confidentiality required" means that the server is refusing to authenticate over a non-encrypted connection. Try switching pam_ldap to ldaps (in your pam ldap.conf, either change your "uri" lines to ldaps:// or add the line "ssl on") and see if that works. -- Dan Nelson dnelson@allantgroup.com