Date: Thu, 7 Oct 2010 10:11:04 +1030
From: Indexer <indexer@internode.on.net>
To: Michel Talon <talon@lpthe.jussieu.fr>
Cc: freebsd-questions@freebsd.org
Subject: Re: LDAP Authentication from console
Message-ID: <FA7CC805-70FC-4B2F-BCA9-2DB613C195A7@internode.on.net>
In-Reply-To: <20101006233551.GA25366@lpthe.jussieu.fr>
References: <20101006233551.GA25366@lpthe.jussieu.fr>
On 07/10/2010, at 10:05 AM, Michel Talon wrote:
>
> Kevin Mai wrote:
>> Logins over ssh and sudo work great with ldap, but when I try to log in
>> from console, it prompts me twice for the password.
>>
>> If I put a wrong password it prints out that it cannot bind to the ldap
>> server, which means that I'm able to bind to ldap, but cannot login
>> for some reason.
>
>

Can you send a copy of your /etc/pam.d/sshd and /etc/pam.d/system? What I think you have done is this:

    auth    sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth    requisite   pam_opieaccess.so           no_warn allow_local
    auth    sufficient  pam_krb5.so                 no_warn try_first_pass
    auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth    required    pam_unix.so                 no_warn use_first_pass

Notice the try_first_pass options on krb5 and ldap? This will prompt for the krb5 password, then prompt again for the ldap password, and then fall back to unix. It looks like this when you enter the wrong password:

    Password:
    LDAP Password:
    Password:
    LDAP Password:

etc ....

In your case, you likely have something else, and not krb5, but editing your file to appear like this will be of great help:

    auth    sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth    requisite   pam_opieaccess.so           no_warn allow_local
    auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth    required    pam_unix.so                 no_warn use_first_pass

You need to set ldap to try_first_pass, and unix to use_first_pass. This will stop the "double prompting".

Also of note is that /etc/pam.d/login is an include of system. Thus likely you have your system file set up wrong. Mine is a carbon copy of my sshd file.
Here it is:

    auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so           no_warn allow_local
    auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth        required    pam_unix.so                 no_warn use_first_pass
    #auth       required    pam_deny.so                 use_first_pass

    account     required    pam_nologin.so
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     optional    pam_unix.so
    account     required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user

    # session
    #session    optional    pam_ssh.so
    session     required    pam_permit.so
    #account    optional    pam_krb5.so
    #session    required    pam_mkhomedir.so            skel=/etc/skel/ umask=0022

    password    sufficient  pam_unix.so                 no_warn use_first_pass

A few other hints:

Make sure your certificates have the correct CN, that matches your host's FQDN. You can specify them with the option tls_cacertfile, and these DO NOT need converting into any weird formats; just the standard output from openssl will work.

@Michael

If you plan to use LDAP groups to control access to be able to login to a server, you need to change your ldap account line, as at this time it will allow anyone through into the system. Regardless, what I have also means that ldap is not checked for non ldap users.

Changing ldap passwords IS NOT POSSIBLE from the passwd binary. I cannot remember why, but it is not.
You must use the ldappasswd utility.

A lot of basic help can be found here: http://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html

Sincerely,

William Brown
pgp.mit.edu
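An added check, not part of William Brown's message or of any FreeBSD or pam_ldap code: a small Python linter that reads a pam.d stack and counts how many times the auth facility will ask for a password, so the "double prompting" can be spotted before touching the console. It assumes the standard meaning of the options (a password module with no *_first_pass option always prompts; try_first_pass prompts only when no earlier module stored a token; use_first_pass never prompts and fails if nothing was stored), models only pam_krb5, pam_ldap and pam_unix as prompters (the PASSWORD_MODULES set is this example's own simplification), and uses constructed sample stacks: a "before" stack where ldap and unix both lack the option, the corrected auth stack from the message, and the message's account lines. The second function reports whether the pam_ldap account line still applies to users unknown to LDAP, which is the ignore_unknown_user behaviour the message points out.

```python
"""Lint a FreeBSD pam.d stack for double password prompts (added example).

Assumed option semantics (standard PAM meaning, not taken from the
message above): a password module with no *_first_pass option always
prompts; try_first_pass prompts only when no earlier module stored a
token; use_first_pass never prompts and fails if nothing was stored.
"""
from typing import Dict, List, Tuple

# Assumption of this example: only these modules are modelled as password
# prompters. pam_opie (with no_fake_prompts), pam_opieaccess, pam_permit
# and friends are treated as asking nothing.
PASSWORD_MODULES = {"pam_krb5.so", "pam_ldap.so", "pam_unix.so"}

# Constructed "before" stack: ldap and unix both lack a *_first_pass option.
DOUBLE_PROMPT_STACK = """\
auth    sufficient  pam_opie.so                 no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so           no_warn allow_local
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth    required    pam_unix.so                 no_warn
"""

# The corrected auth stack as given in the message.
SINGLE_PROMPT_STACK = """\
auth    sufficient  pam_opie.so                 no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so           no_warn allow_local
auth    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth    required    pam_unix.so                 no_warn use_first_pass
"""

# Account section copied from the message's own file (constructed input).
ACCOUNT_STACK = """\
account required    pam_nologin.so
account required    pam_login_access.so
account optional    pam_unix.so
account required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
"""


def parse_pam(text: str) -> List[Dict[str, object]]:
    """Split pam.d lines into facility / control / module / options."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        fields = line.split()
        if len(fields) < 3:
            continue
        entries.append({
            "facility": fields[0],
            "control": fields[1],
            "module": fields[2].rsplit("/", 1)[-1],  # strip /usr/local/lib/
            "options": set(fields[3:]),
        })
    return entries


def password_prompts(entries) -> Tuple[int, List[str]]:
    """Walk the auth facility, count prompts and report option mismatches."""
    prompts = 0
    token_stored = False
    findings: List[str] = []
    for e in entries:
        if e["facility"] != "auth" or e["module"] not in PASSWORD_MODULES:
            continue
        opts = e["options"]
        if "use_first_pass" in opts:
            if not token_stored:
                findings.append(f"{e['module']}: use_first_pass with no earlier prompt; will fail")
        elif "try_first_pass" in opts:
            if not token_stored:       # nothing stored yet, so this one prompts
                prompts += 1
                token_stored = True
        else:
            if token_stored:           # a prompt already happened: this is the double prompt
                findings.append(f"{e['module']}: missing *_first_pass after a prompt; will re-prompt")
            prompts += 1
            token_stored = True
    return prompts, findings


def ldap_account_checks_unknown_users(entries) -> bool:
    """True if the pam_ldap account line still applies to users LDAP does not
    know; False when ignore_unknown_user lets them bypass it (or no line exists)."""
    for e in entries:
        if e["facility"] == "account" and e["module"] == "pam_ldap.so":
            return "ignore_unknown_user" not in e["options"]
    return False


if __name__ == "__main__":
    for name, stack in (("before", DOUBLE_PROMPT_STACK), ("after", SINGLE_PROMPT_STACK)):
        n, notes = password_prompts(parse_pam(stack))
        print(f"{name}: {n} password prompt(s)")
        for note in notes:
            print("   ", note)
    print("ldap account line checks non-LDAP users:",
          ldap_account_checks_unknown_users(parse_pam(ACCOUNT_STACK)))
```

Point it at a real file with `password_prompts(parse_pam(open("/etc/pam.d/system").read()))`; a count above 1, or any finding, is the stack to fix. Keep in mind the simplification: modules outside PASSWORD_MODULES are assumed silent, so a stack that relies on pam_opie prompting (no no_fake_prompts) will be undercounted.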