Date: Fri, 13 May 2005 02:45:00 +0100
From: Lewis Thompson <lewiz@compsoc.man.ac.uk>
To: Benjamin J Doherty <bjd@pobox.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: baffled by pam_ldap
Message-ID: <20050513014500.GA70297@noisy.compsoc.man.ac.uk>
In-Reply-To: <4641B75A-1B28-4319-89FB-F92BFFB57E9A@pobox.com>
References: <4641B75A-1B28-4319-89FB-F92BFFB57E9A@pobox.com>
On Thu, May 12, 2005 at 05:11:03PM -0500, Benjamin J Doherty wrote:
> I've been struggling with pam_ldap for three days now and cannot see
> what I am doing wrong. I'm trying to use OpenLDAP for
> authentication, though I threw nss_ldap in for good measure. What's
> so baffling to me is that I can add a new user to the directory and
> verify its existence using "id" but SSH refuses to bind.

I couldn't spot any references to pam.d/sshd anywhere else in your post. To allow sshd to authenticate via pam_ldap you need to have the lines:

  auth      sufficient  pam_ldap.so  no_warn try_first_pass
  account   sufficient  pam_ldap.so
  password  sufficient  pam_ldap.so  no_warn try_first_pass

I think just the auth line will do but the rest seem helpful too.

To go a little further than that, I have my pam.d/passwd file configured:

  password  sufficient  pam_unix.so  no_warn try_first_pass nullok
  password  sufficient  pam_ldap.so  no_warn use_first_pass

pam.d/system:

  auth      sufficient  pam_ldap.so  no_warn try_first_pass
  auth      required    pam_unix.so  no_warn try_first_pass nullok
  password  sufficient  pam_ldap.so  no_warn try_first_pass
  password  required    pam_unix.so  no_warn try_first_pass

You can apply the following patch to /usr/src/usr.bin/passwd/passwd.c to allow passwd to be used to change passwords via pam_ldap (it also works for pam_unix) (see http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/71290):

***BEGIN --- passwd.c.orig Wed Mar 9 03:20:02 2005 +++ passwd.c Wed Mar 9 03:20:29 2005
@@ -120,9 +120,8 @@ pwd->pw_name); break; default: - /* XXX: Green men ought to be supported via PAM. */ - errx(1, - "Sorry, `passwd' can only change passwords for local or NIS users."); + fprintf(stderr, "Changing LDAP password for %s\n", + pwd->pw_name); } #define pam_check(func) do { \ ***END

To use passwd you will also need to configure your /usr/local/etc/ldap.conf file by setting:

  pam_password exop

and on the server side set:

  password-hash

to whatever you want (SMD5 is good!) in /usr/local/etc/openldap/slapd.conf.

It took me a good deal of time and effort to bring all those things together and I have them sat in a non-publicly available wiki. You can find a very good tutorial which should cover most of this (I think) at http://books.blurgle.ca/read/book/1 -- unlike other tutorials this one is dedicated to FreeBSD (and I even got my name in the credits ;).

chsh doesn't work so I came up with this very simple shell script (it's probably not great and no doubt could be greatly improved):

*** BEGIN
#!/bin/sh

# is shell specified?
if test -z "$1"; then
	echo "Usage: $0 newshell"
	exit 1
fi

# is shell listed in /etc/shells? (exact whole-line match, no regex)
if ! grep -qxF -- "$1" /etc/shells; then
	echo "That shell is not listed in /etc/shells."
	exit 1
fi

# attempt modify: bind as the user's own entry (-W prompts for the
# user's LDAP password) and replace loginShell on that entry
user=`whoami`
ldapmodify -D "uid=$user,ou=People,dc=domain,dc=com" -x -W > /dev/null <<EOT
dn: uid=$user,ou=People,dc=domain,dc=com
changetype: modify
replace: loginShell
loginShell: $1
EOT
if test $? -eq 0; then
	echo "Shell changed successfully."
else
	echo "A problem occurred changing your shell. Please contact admin@domain.com for assistance."
fi
*** END

To use that just place it over /usr/bin/chsh (WARNING! THIS COULD BE BAD! :)

I hope that's some help. Good luck!

-Lewis Thompson.

-- 
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
-| msn:lewiz@fajita.org | jabber:lewiz@jabber.org | url:www.lewiz.org |-
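Review bot: The new default: branch in the passwd.c hunk above hardcodes "Changing LDAP password for %s" even though this case now catches every user who is neither local nor NIS, and the covering text says the same path works with pam_unix; a source-neutral message such as `fprintf(stderr, "Changing password for %s via PAM\n", pwd->pw_name);` would not mislead when another PAM module ends up handling the change. Dropping the errx() also means passwd no longer exits here, so the pam_check() calls that follow must be relied on to return a useful error for a user no module can serve; a one-line comment in place of the removed "XXX" one would record that this fall-through is intended.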
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050513014500.GA70297>
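An added check, not from Lewis's mail or from the pam_ldap project, that reads a pam.d service file and reports whether the auth, account and password pam_ldap.so lines listed in the reply are present with the recommended sufficient control; the two sample files are constructed inline, and on a real host the function would be pointed at /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example: lint a pam.d service file for the pam_ldap lines the reply
# lists for sshd.  The sample files below are constructed for this demo;
# on a real host point pam_ldap_check at /etc/pam.d/sshd.

# pam_ldap_check FILE
# Returns 0 when auth, account and password each carry a pam_ldap.so line
# whose control is "sufficient"; returns 1 (reporting on stderr) otherwise.
# "required" is flagged because it makes every login fail, local accounts
# included, whenever the LDAP bind fails or the user is not in the directory.
pam_ldap_check() {
    file=$1
    rc=0
    for facility in auth account password; do
        # Skip comment lines; print the control column of the first line
        # whose facility column matches and whose module is pam_ldap.so.
        control=$(grep -v '^[[:space:]]*#' "$file" |
            awk -v f="$facility" '$1 == f && $3 == "pam_ldap.so" { print $2; exit }')
        if [ -z "$control" ]; then
            echo "$file: no $facility line for pam_ldap.so" >&2
            rc=1
        elif [ "$control" != sufficient ]; then
            echo "$file: $facility pam_ldap.so is '$control', expected sufficient" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files: one matching the reply, one broken.
good=$(mktemp) ; bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
# sshd: the lines the reply says pam_ldap needs
auth      sufficient  pam_ldap.so  no_warn try_first_pass
auth      required    pam_unix.so  no_warn try_first_pass
account   sufficient  pam_ldap.so
password  sufficient  pam_ldap.so  no_warn try_first_pass
EOF
cat > "$bad" <<'EOF'
auth      required    pam_ldap.so  no_warn try_first_pass
password  sufficient  pam_ldap.so  no_warn try_first_pass
EOF

pam_ldap_check "$good" && echo "$good: ok"
pam_ldap_check "$bad" || echo "$bad: needs fixing"
```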