Date: Sun, 27 Feb 2011 11:05:36 +0000
From: krad <kraduk@gmail.com>
To: Tim Dunphy <bluethundr@gmail.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: pam ssh authentication via ldap
Message-ID: <AANLkTi=qR1HhTmiEYO16_qFgqdER2h4sUqKjmPT65Zs%2B@mail.gmail.com>
In-Reply-To: <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV%2B6XOtmonDA5@mail.gmail.com>
References: <AANLkTi=1fA6_6AnyFt2KoMjW=7-THzkkY3rq=QJf8RQ0@mail.gmail.com> <AANLkTimLBHNKXxBK==Ffno7_5Q8fKyuPV%2B6XOtmonDA5@mail.gmail.com>
On 26 February 2011 20:01, Tim Dunphy <bluethundr@gmail.com> wrote:
> Hey list,
>
> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
> nsswitch file because I thought they might be helpful in dispensing
> advice as to what is going on:
>
> uri ldap://LBSD2.summitnjhome.com
> base ou=staff,ou=Group,dc=summitnjhome,dc=com
> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw secret
> scope sub
> pam_password exop
> nss_base_passwd dc=summitnjhome,dc=com
> nss_base_shadow dc=summitnjhome,dc=com
> nss_base_group dc=summitnjhome,dc=com
> nss_base_sudo dc=summitnjhome,dc=com
>
>
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
> kensmith Exp $
> #
> passwd: files ldap
> passwd_compat: files ldap
> group: files ldap
> group_compat: nis
> sudoers: ldap
> hosts: files dns
> networks: files
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
>
> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
>> Hello List!!
>>
>> I have an OpenLDAP 2.4 server functioning very nicely that
>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>
>> But at the moment I am attempting to set up pam authentication for ssh
>> via LDAP and having some difficulty.
>>
>> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>
>> # PAM configuration for the "sshd" service
>> #
>>
>> # auth
>> auth sufficient pam_opie.so no_warn no_fake_prompts
>> auth requisite pam_opieaccess.so no_warn allow_local
>> #auth sufficient pam_krb5.so no_warn try_first_pass
>> #auth sufficient pam_ssh.so no_warn try_first_pass
>> auth required pam_ldap.so
>> #auth required pam_unix.so no_warn try_first_pass
>>
>> # account
>> account required pam_nologin.so
>> #account required pam_krb5.so
>> account required pam_login_access.so
>> account required pam_ldap.so
>> #account required pam_unix.so
>>
>> # session
>> #session optional pam_ssh.so
>> session sufficient pam_ldap.so
>> session required pam_permit.so
>>
>> # password
>> #password sufficient pam_krb5.so no_warn try_first_pass
>> password required pam_ldap.so
>> #password required pam_unix.so no_warn try_first_pass
>>
>>
>> And if I'm reading the logs correctly LDAP is searching for and
>> finding the account information when I am making the login attempt:
>>
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
>> base="dc=summitnjhome,dc=com" scope=2 deref=0
>> filter="(&(objectClass=posixAccount)(uidNumber=1001
>> ))"
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
>> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
>> description objectCla
>> ss
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: OR
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
>> first=106 last=137
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
>> first=106 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=106 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=1 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
>> tag=101 err=0 nentries=0 text=
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
>> error=-2 id=34715, closing.
>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
>> conn=34715 sd=212 for close
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>
>>
>> But logins fail every time. Could someone offer an opinion as to what
>> may be going on to prevent logging in via pam/sshd and LDAP?
>>
>> Thanks in advance!
>> Tim
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

these are my files and are from a working setup

# cat /usr/local/etc/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=XXX,dc=net
URI ldap://XXX.net

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
ssl start_tls
tls_cacert /usr/local/etc/openldap/ssl/cert.crt
pam_login_attribute uid
sudoers_base ou=sudoers,ou=services,dc=XXX,dc=net
bind_timelimit 1
timelimit 1
bind_policy soft
nss_initgroups_ignoreusers root,slapd,krad

# ls -l /usr/local/etc/nss_ldap.conf
lrwxr-xr-x 1 root wheel 24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf

# nsswitch.conf
group: cache files ldap [notfound=return]
passwd: cache files ldap [notfound=return]

these packages are installed
nss_ldap-1.265_4 RFC 2307 NSS module
openldap-client-2.4.23 Open source LDAP client implementation
openldap-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.6 A pam module for authenticating with LDAP
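As an added example, not from the thread or from any of its participants, here is a small Python checker that pairs slapd SRCH lines with their SEARCH RESULT by conn/op and flags lookups that completed with nentries=0, which is what the uidNumber=1001 search in the quoted log shows. The sample log is constructed from those quoted lines with the mail-client wraps rejoined, plus a second uid=tim op (assumed, for contrast).

```python
import re

# Constructed sample modelled on the slapd lines quoted in the thread, with the
# mail-client line wraps rejoined; the second op (uid=tim) is added for contrast.
SAMPLE_LOG = """\
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:52:55 LBSD2 slapd[54891]: conn=21358 op=22123 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=tim))"
Feb 26 19:52:55 LBSD2 slapd[54891]: conn=21358 op=22123 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# A SRCH line with base/filter; the 'SRCH attr=' line and the bdb_* candidate
# lines do not match and are skipped.
SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d+ filter="(.*)"$')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def parse_slapd_searches(log_text):
    """Pair every SRCH request with its SEARCH RESULT, keyed by (conn, op)."""
    ops = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            ops[(conn, op)] = {"base": base, "scope": int(scope), "filter": filt}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, n = m.groups()
            ops.setdefault((conn, op), {}).update(err=int(err), nentries=int(n))
    return ops


def empty_lookups(ops):
    """Searches that succeeded (err=0) yet matched no entry: the directory
    returned nothing, so pam_ldap/nss_ldap had no account to work with."""
    return [(k, o) for k, o in sorted(ops.items())
            if "filter" in o and o.get("err") == 0 and o.get("nentries") == 0]


if __name__ == "__main__":
    for (conn, op), o in empty_lookups(parse_slapd_searches(SAMPLE_LOG)):
        print("conn=%s op=%s: nothing under %s matches %s"
              % (conn, op, o["base"], o["filter"]))
```

Run it against a real slapd log (with debug logging on, as in the quoted output) to see which base/filter combination the NSS or PAM client actually sent and whether the directory answered with any entries at all.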
