From owner-freebsd-questions@FreeBSD.ORG Wed Oct 6 23:41:12 2010
From: Indexer
To: Michel Talon
Cc: freebsd-questions@freebsd.org
Date: Thu, 7 Oct 2010 10:11:04 +1030
Subject: Re: LDAP Authentication from console
In-Reply-To: <20101006233551.GA25366@lpthe.jussieu.fr>

On 07/10/2010, at 10:05 AM, Michel Talon wrote:
>
> Kevin Mai wrote:
>> Logins over ssh and sudo work great with ldap, but when I try to log in
>> from console, it prompts me twice for the password.
>>
>> If I put a wrong password it prints out that it cannot bind to the ldap
>> server, which means that I'm able to bind to ldap, but cannot log in
>> for some reason.
>
>

Can you send a copy of your /etc/pam.d/sshd and /etc/pam.d/system?

What I think you have done is this:

    auth    sufficient    pam_opie.so                  no_warn no_fake_prompts
    auth    requisite     pam_opieaccess.so            no_warn allow_local
    auth    sufficient    pam_krb5.so                  no_warn try_first_pass
    auth    sufficient    /usr/local/lib/pam_ldap.so   no_warn try_first_pass
    auth    required      pam_unix.so                  no_warn use_first_pass

Notice the try_first_pass options on krb5 and ldap? This will prompt for
the krb5 password, then prompt again for the ldap password, and then fall
back to unix. It looks like this when you enter the wrong password:

    Password:
    LDAP Password:
    Password:
    LDAP Password:
    etc ....

In your case, you likely have something else, and not krb5, but editing
your file to appear like this will be of great help:

    auth    sufficient    pam_opie.so                  no_warn no_fake_prompts
    auth    requisite     pam_opieaccess.so            no_warn allow_local
    auth    sufficient    /usr/local/lib/pam_ldap.so   no_warn try_first_pass
    auth    required      pam_unix.so                  no_warn use_first_pass

You need to set ldap to try_first_pass, and unix to use_first_pass. This
will stop the "double prompting".

Also of note is that /etc/pam.d/login is an include of system. Thus
likely you have your system file set up wrong. Mine is a carbon copy of
my sshd file. Here it is:

    auth    sufficient    pam_opie.so                  no_warn no_fake_prompts
    auth    requisite     pam_opieaccess.so            no_warn allow_local
    auth    sufficient    /usr/local/lib/pam_ldap.so   no_warn try_first_pass
    auth    required      pam_unix.so                  no_warn use_first_pass
    #auth   required      pam_deny.so                  use_first_pass

    account required      pam_nologin.so
    #account required     pam_krb5.so
    account required      pam_login_access.so
    account optional      pam_unix.so
    account required      /usr/local/lib/pam_ldap.so   ignore_authinfo_unavail ignore_unknown_user

    # session
    #session optional     pam_ssh.so
    session required      pam_permit.so
    #account optional     pam_krb5.so
    #session required     pam_mkhomedir.so             skel=/etc/skel/ umask=0022

    password sufficient   pam_unix.so                  no_warn use_first_pass

A few other hints:

Make sure your certificates have the correct CN, that matches your host's
FQDN. You can specify them with the option tls_cacertfile and these DO
NOT need converting into any weird formats, just the standard output
from openssl will work.

@Michael

If you plan to use LDAP groups to control access to be able to log in to
a server, you need to change your ldap account line, as at this time it
will allow anyone through into the system. Regardless, what I have also
means that ldap is not checked for non ldap users.

Changing ldap passwords IS NOT POSSIBLE from the passwd binary. I cannot
remember why but it is not. You must use the ldappasswd utility.

A lot of basic help can be found here:
http://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html

Sincerely,

William Brown
pgp.mit.edu
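An added example (not code from the post, the list, or FreeBSD) that models the prompt-counting rule the message explains: it parses an /etc/pam.d auth stack, reports how many password prompts one wrong-password attempt produces, and flags prompting modules after the first that lack use_first_pass. The module set PROMPTING and the sample stacks are assumptions constructed from the stacks quoted in the message.

```python
# Lint a FreeBSD /etc/pam.d auth stack for the double password prompt the
# thread discusses. Added example, not code from the post; sample stacks
# below are constructed from the ones quoted in it.
PROMPTING = {"pam_krb5.so", "pam_ldap.so", "pam_unix.so"}  # ask for a password

def auth_lines(text):
    """Yield (control, module basename, options) for uncommented auth lines."""
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "auth":
            yield f[1], f[2].rsplit("/", 1)[-1], set(f[3:])

def wrong_password_prompts(text):
    """Prompts one login attempt shows when the password is wrong: try_first_pass
    re-asks once the stored password fails, use_first_pass never asks again."""
    prompts, stored = 0, False
    for control, module, opts in auth_lines(text):
        if module not in PROMPTING:
            continue
        if not stored:                      # nothing typed yet
            if "use_first_pass" in opts:    # fails without asking
                continue
            prompts, stored = prompts + 1, True
        elif "use_first_pass" not in opts:  # no flag, or try_first_pass
            prompts += 1
        if control == "requisite":          # a failure here ends the stack
            break
    return prompts

def lint(text):
    """Findings following the post's advice: after the first prompting
    module, every later one should carry use_first_pass."""
    out, seen = [], False
    for _control, module, opts in auth_lines(text):
        if module not in PROMPTING:
            continue
        if seen and "use_first_pass" not in opts:
            out.append(f"{module}: add use_first_pass (currently re-prompts)")
        seen = True
    return out

# Constructed stacks: the krb5+ldap one the post says double-prompts, and
# the corrected one it recommends (same stack without the krb5 line).
DOUBLE_PROMPT = """auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn use_first_pass
"""
CORRECTED = DOUBLE_PROMPT.replace("auth sufficient pam_krb5.so no_warn try_first_pass\n", "")
```

Run `lint()` over /etc/pam.d/login (or system, which login includes) to see which module causes the second prompt on your own host.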