Date: Fri, 1 Oct 2004 09:59:22 -0500
From: "Bret Walker" <bret-walker@northwestern.edu>
To: "'Dick Davies'" <rasputnik@hellooperator.net>
Cc: 'FreeBSD Questions' <freebsd-questions@freebsd.org>
Subject: RE: Pam_ldap
Message-ID: <00fd01c4a7c7$3f5a27a0$b1336981@medill.northwestern.edu>
In-Reply-To: <20041001144031.GF29161@lb.tenfour>
The query you gave me worked. I was able to see real name, home dir, etc. I'm assuming since I can get that info, that I should be able to verify a password too.

In my /usr/local/etc/ldap.conf file, I had binddb, not binddn. Upon changing this, I now get a different pam error. It says:

"error: PAM: Authentication failure"

One step closer..

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Dick Davies
Sent: Friday, October 01, 2004 9:41 AM
To: Bret Walker
Cc: FreeBSD Questions
Subject: Re: Pam_ldap

* Bret Walker <bret-walker@northwestern.edu> [1023 15:23]:
> I have ldap.conf in /etc/ and in /usr/local/etc/ldap.conf

The one in /etc isn't doing anything, so get rid of it.
The /usr/local/etc/ldap.conf should be holding the AD stuff (what user to bind as, etc).

> I am able to log into the console as these users using the local
> password, but not using the ldap password. All of my pam info is in
> /etc/pam.conf, I don't have /etc/pam.d.

Then you're on 4.X, right? Shouldn't stop this working.

> sshd auth sufficient pam_skey.so
> sshd auth sufficient pam_opie.so no_fake_prompts
> sshd auth sufficient pam_unix.so try_first_pass
> sshd auth sufficient /usr/local/lib/pam_ldap.so try_first_pass debug
> sshd account required pam_unix.so
> sshd password required pam_permit.so
> sshd session required pam_permit.so
>
> All I see in the logs are messages saying:
> "error: PAM: User not known to the underlying authentication module"

Right, so sshd is using pam. That's something.
The error could mean several things, one of which is that the user doesn't exist.

If you look through your ldap.conf, you should have enough info to pretend to be PAM.
Use ldapsearch and try

ldapsearch -H "ldap://<host from ldap.conf>" -D "<binddn from ldap.conf>" -W \
    <pam_login_attribute from ldap.conf>=username

and enter the bindpw from ldap.conf.

If you don't get the AD account back, then your ldap.conf is screwed.

> I'm pretty sure the ldap.conf files are correct, because I've followed
> the instructions from several places to the T.

"The nice thing about definitive LDAP howtos is there are so many to choose from" :)

--
You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your coat. - Bender
Rasputin :: Jack of All Trades - Master of Nuns
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
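The "pretend to be PAM" check above, carried through both steps pam_ldap actually performs, as an added example that is not part of the thread and not pam_ldap's own code. It reads the same keys from ldap.conf (host/uri, base, binddn, bindpw, pam_login_attribute), first searches as binddn for the login name (no entry back is the "User not known to the underlying authentication module" case), then binds as the DN that came back with the user's own password (a rejected bind is the "Authentication failure" case). The sample ldap.conf, the domain and the proxy account in it are constructed for the demo; the assumption that keys are matched case-insensitively and that "host" may list several servers is mine, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pam_ldap project.
# Reproduces what pam_ldap does when sshd hands it a username and password,
# using only the OpenLDAP command-line tools, so the two PAM errors seen in
# the thread can be told apart:
#   1. bind as binddn/bindpw and search for <pam_login_attribute>=<user>;
#      no entry back -> "User not known to the underlying authentication module"
#   2. bind as the DN that came back, with the user's own password;
#      rejected bind -> "Authentication failure"
# Assumptions (hypothetical): ldap.conf holds one "key value" pair per line,
# '#' starts a comment, keys match case-insensitively; the sample file below
# is constructed and names a made-up AD domain and proxy account.

# Print the value of one key from an ldap.conf-style file (empty if absent).
ldapconf_get() {   # $1 = file, $2 = key
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# Server URI: "uri" wins; otherwise the first name listed under "host".
search_uri() {     # $1 = file
    uri=$(ldapconf_get "$1" uri)
    if [ -z "$uri" ]; then
        host=$(ldapconf_get "$1" host)
        uri="ldap://${host%% *}"
    fi
    printf '%s\n' "${uri%% *}"
}

# The search filter pam_ldap builds from pam_login_attribute (default: uid).
login_filter() {   # $1 = file, $2 = login name
    attr=$(ldapconf_get "$1" pam_login_attribute)
    printf '(%s=%s)\n' "${attr:-uid}" "$2"
}

# The ldapsearch line from the thread, filled in from ldap.conf.
# -W prompts for bindpw so it stays out of shell history and ps output.
show_search_cmd() {   # $1 = file, $2 = login name
    printf 'ldapsearch -x -LLL -H %s -D "%s" -W -b "%s" "%s" dn\n' \
        "$(search_uri "$1")" "$(ldapconf_get "$1" binddn)" \
        "$(ldapconf_get "$1" base)" "$(login_filter "$1" "$2")"
}

# bindpw sits in ldap.conf in clear text, so the file must not be group- or
# world-readable. Returns 0 when only the owner can read it, 1 otherwise.
conf_is_private() {   # $1 = file
    [ -z "$(ls -ld "$1" | cut -c5-10 | tr -d -)" ]
}

# Live check against the directory (needs network and ldapsearch/ldapwhoami).
# Exit status: 0 password accepted, 1 bind rejected, 2 user not found.
# Only the first "dn: " line is used; a base64 "dn::" line (non-ASCII DN)
# is not handled here.
pam_ldap_probe() {   # $1 = file, $2 = login name, $3 = password
    uri=$(search_uri "$1")
    dn=$(ldapsearch -x -LLL -H "$uri" -D "$(ldapconf_get "$1" binddn)" \
            -w "$(ldapconf_get "$1" bindpw)" -b "$(ldapconf_get "$1" base)" \
            "$(login_filter "$1" "$2")" dn 2>/dev/null \
         | sed -n 's/^dn: //p' | head -n 1)
    if [ -z "$dn" ]; then
        echo "no entry for $(login_filter "$1" "$2"): PAM would say 'User not known'"
        return 2
    fi
    if ldapwhoami -x -H "$uri" -D "$dn" -w "$3" >/dev/null 2>&1; then
        echo "bind as $dn accepted: password is good"
        return 0
    fi
    echo "bind as $dn rejected: PAM would say 'Authentication failure'"
    return 1
}

# Constructed sample ldap.conf (made-up domain, proxy account and password).
SAMPLE_CONF=$(mktemp) || exit 1
chmod 600 "$SAMPLE_CONF"
cat >"$SAMPLE_CONF" <<'EOF'
# constructed /usr/local/etc/ldap.conf for the demo
host dc1.example.edu dc2.example.edu
base dc=example,dc=edu
binddn cn=pamproxy,cn=Users,dc=example,dc=edu
bindpw not-a-real-password
pam_login_attribute sAMAccountName
EOF

# Dry run: show the query that would be sent and whether the file is private.
show_search_cmd "$SAMPLE_CONF" bret
conf_is_private "$SAMPLE_CONF" && echo "ldap.conf permissions OK" \
    || echo "WARNING: ldap.conf is readable by group/others"
# Against a real directory: pam_ldap_probe /usr/local/etc/ldap.conf bret 'password'
```

The two-step split matters for reading the log messages: a search that returns nothing (wrong base, wrong pam_login_attribute, or a binddn that cannot read the user's entry) shows up as "User not known", while a found entry whose bind is refused shows up as "Authentication failure", which is exactly the transition reported at the top of this message once binddn was spelled correctly. Because bindpw has to be stored in clear text for step 1 to work, the permissions check is not optional; pam_ldap is run by sshd as root, so the file can be mode 600.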
