From owner-freebsd-questions@FreeBSD.ORG Wed May 24 00:48:49 2006
From: "Atom Powers" <atom.powers@gmail.com>
To: "Jason Lixfeld"
Cc: FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Date: Tue, 23 May 2006 17:48:47 -0700
Subject: Re: Trouble with nss|pam|openldap
In-Reply-To: <7DAD87F3-C2BD-4776-A98A-6EFDAD335594@lixfeld.ca>

On 5/23/06, Jason Lixfeld wrote:
> I'm using openssh-portable and the latest versions of openldap,
> pam_ldap and nss_ldap. It appears as though the system is using ...

I'm not using ssh-portable, but I have it working with the built-in ssh.

...
> user password, even after I enter it in. I tried putting the
> pam_ldap lib in the password section of the /etc/pam.d/sshd file, but
> that was useless too. Local users can ssh in fine.

The pam.d config would be my first guess. What gets logged to all.log?

> I searched through the bugs and it seems there is a bug in nss_ldap
> with regards to getpwuid, but that seems to be more of an indicator
> about why finger doesn't work, not why ssh doesn't work
>
> # id testuser seems to work, finger doesn't. Curious. Anyway, it
> still appears as though at least some portions of the system are
> using LDAP, which is good.
> $ id testuser
> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> $ finger testuser
> finger: testuser: no such user
> $

id works because it's using the name service to look up the user (you
added ldap to your nsswitch.conf, right?)

finger doesn't work because you don't have a /etc/pam.d/finger file.
Either create one or add pam_ldap to your /etc/pam.d/system file. (I
always create a new conf file for my ldap-enabled apps.)

Here is my /etc/pam.d/sshd file; I use the exact same file for all my
ldap-enabled apps. (If somebody sees a bug in there, or can suggest any
improvement, by all means let me know.)
--
# auth
auth      sufficient  /usr/local/lib/pam_ldap.so
auth      required    pam_nologin.so      no_warn
auth      sufficient  pam_opie.so         no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so   no_warn allow_local
#auth     sufficient  pam_krb5.so         no_warn try_first_pass
#auth     sufficient  pam_ssh.so          no_warn try_first_pass
auth      required    pam_unix.so         no_warn try_first_pass
# account
account   sufficient  /usr/local/lib/pam_ldap.so
#account  required    pam_krb5.so
account   required    pam_login_access.so
account   required    pam_unix.so
# session
#session  optional    pam_ssh.so
session   required    pam_permit.so
# password
#password sufficient  pam_krb5.so         no_warn try_first_pass
password  required    pam_unix.so         no_warn try_first_pass
--

-- 
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
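As an added example, not part of the thread: a small POSIX sh audit of a pam.d service file laid out like the sshd file above, reporting for each PAM group whether pam_ldap is consulted and whether pam_unix still provides a local fallback behind it. The sample file is a constructed copy of that sshd config (commented lines dropped); the function names audit_pam_file and write_sample_pam are my own.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a FreeBSD /etc/pam.d
# service file for the layout used above (pam_ldap "sufficient" ahead of
# a "required" pam_unix fallback) and report one line per PAM group.

# Print "<group> ldap=<yes|no> unix=<yes|no> order=<ok|ldap-after-unix|n/a>"
# for each of auth, account, session and password.
audit_pam_file() {
    # $1 = path to the pam.d service file
    for group in auth account session password; do
        awk -v g="$group" '
            $1 ~ /^#/ || NF < 3 { next }     # comments, blank/short lines
            $1 == g {
                n++                          # position within this group
                if ($3 ~ /pam_ldap\.so$/) ldap_pos = n
                if ($3 ~ /pam_unix\.so$/) unix_pos = n
            }
            END {
                order = "n/a"
                if (ldap_pos && unix_pos)
                    order = (ldap_pos < unix_pos) ? "ok" : "ldap-after-unix"
                printf "%s ldap=%s unix=%s order=%s\n", g,
                    (ldap_pos ? "yes" : "no"), (unix_pos ? "yes" : "no"), order
            }' "$1"
    done
}
# Constructed sample: the sshd file from the message, commented lines removed.
write_sample_pam() {
    cat > "$1" <<'EOF'
# auth
auth      sufficient  /usr/local/lib/pam_ldap.so
auth      required    pam_nologin.so      no_warn
auth      sufficient  pam_opie.so         no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so   no_warn allow_local
auth      required    pam_unix.so         no_warn try_first_pass
# account
account   sufficient  /usr/local/lib/pam_ldap.so
account   required    pam_login_access.so
account   required    pam_unix.so
# session
session   required    pam_permit.so
# password
password  required    pam_unix.so         no_warn try_first_pass
EOF
}

sample="${TMPDIR:-/tmp}/pam_sshd_sample.$$"
write_sample_pam "$sample"
audit_pam_file "$sample"   # note: the password group has no pam_ldap entry
rm -f "$sample"
```

On a real host, run audit_pam_file /etc/pam.d/sshd (or any other service file). Only the auth and account groups decide whether an LDAP user can log in; the password group is consulted by passwd(1) for password changes, so adding pam_ldap there does not change ssh login behaviour.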