From: "Brian A. Seklecki"
Reply-To: bseklecki@collaborativefusion.com
Organization: Collaborative Fusion, Inc.
To: Frank Bonnet
Cc: freebsd-questions@freebsd.org
Date: Tue, 25 Mar 2008 10:41:43 -0400
Subject: Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

The problem is that the PAM libraries provide shit-fuck-ass-worthless
debug mechanisms. This is only eclipsed by the terribly organized
information on LDAP+NSS+PAM for FreeBSD on the web.

The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.

Please put this on the OpenLDAP / PADL Wiki somewhere:

seklecki@fucksake:/home/seklecki$ more /etc/pam.d/sshd
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
#auth           required        pam_nologin.so          no_warn
#auth           sufficient      pam_opie.so             no_warn no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so
session         sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
#password       required        /usr/local/lib/pam_ldap.so no_warn try_first_pass

Also try:

$ grep -i debug /usr/local/etc/ldap.conf
#debug 1
$ grep -i debug /usr/local/etc/nss_ldap.conf
#debug 1

Higher levels for fun.

~BAS

On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
> Hello
>
> I can't get a working sshd access using pam_ldap and nss_ldap
>
> /etc/nsswitch.conf is OK
>
> but I'm having difficulties configuring pam_ldap for ssh access
> on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
> the /etc/pam.d/sshd file but haven't had any success (sigh!)
>
> Could anyone help ?
>
> Thanks a lot !

-- 
Brian A. Seklecki
Collaborative Fusion, Inc.
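
Added example, not part of the original message and not FreeBSD or PADL code: a small Python model that parses the active auth and session lines of the file posted above and walks each chain, showing why both an LDAP account and a local account are let through by "sufficient pam_ldap" followed by "required pam_unix". The control-flag handling is a simplified assumption for illustration, and parse_stack and evaluate are hypothetical helper names.

```python
# Constructed sample: the auth and session lines from the posted /etc/pam.d/sshd.
SSHD_PAM = """\
# auth
#auth     required    pam_nologin.so  no_warn
auth      sufficient  /usr/local/lib/pam_ldap.so
auth      required    pam_unix.so     no_warn try_first_pass
# session
session   required    pam_permit.so
session   sufficient  /usr/local/lib/pam_ldap.so no_warn try_first_pass
"""


def parse_stack(text, facility):
    """Return [(control, module, options)] for one facility, skipping comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        module = fields[2].rsplit("/", 1)[-1]  # basename, e.g. pam_ldap.so
        rules.append((fields[1], module, fields[3:]))
    return rules


def evaluate(rules, results):
    """Walk a chain with a simplified control-flag model (an assumption).

    results maps module basename -> True (success) or False (failure).
    Returns (allowed, trace); trace lists only the modules actually consulted.
    """
    required_failed = False
    any_success = False
    trace = []
    for control, module, _options in rules:
        ok = results[module]
        trace.append((module, control, ok))
        if ok:
            any_success = True
            if control == "sufficient" and not required_failed:
                return True, trace       # chain stops: later modules never run
        elif control == "requisite":
            return False, trace          # chain stops with a hard failure
        elif control == "required":
            required_failed = True       # chain continues, result is failure
        # a failed "sufficient" or "optional" module does not decide the result
    return (any_success and not required_failed), trace


if __name__ == "__main__":
    auth = parse_stack(SSHD_PAM, "auth")
    for ldap_ok, unix_ok in [(True, False), (False, True), (False, False)]:
        print(evaluate(auth, {"pam_ldap.so": ldap_ok, "pam_unix.so": unix_ok}))
```
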