Date: Wed, 24 May 2006 10:16:15 -0400
From: Jason Lixfeld <jason+lists.freebsd-questions@lixfeld.ca>
To: Atom Powers <atom.powers@gmail.com>
Cc: FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Trouble with nss|pam|openldap
Message-ID: <71C11F58-32D9-4EBF-B35E-F1730184B706@lixfeld.ca>
In-Reply-To: <df9ac37c0605231748n4e3abbb4he8829f2edfe264dc@mail.gmail.com>
References: <7DAD87F3-C2BD-4776-A98A-6EFDAD335594@lixfeld.ca> <df9ac37c0605231748n4e3abbb4he8829f2edfe264dc@mail.gmail.com>
On 23-May-06, at 8:48 PM, Atom Powers wrote:

> On 5/23/06, Jason Lixfeld <jason+lists.freebsd-questions@lixfeld.ca> wrote:
>> I'm using openssh-portable and the latest versions of openldap,
>> pam_ldap and nss_ldap. It appears as though the system is using
> ...
>
> I'm not using ssh-portable, but I have it working with the built-in
> ssh.

built-in works? Interesting. Reason I'm using -portable was because I
read that the built-in ssh didn't support PAM. I will try the built-in
and see what happens.

> ...
>> user password, even after I enter it in. I tried putting the
>> pam_ldap lib in the password section of the /etc/pam.d/sshd file, but
>> that was useless too. Local users can ssh in fine.
>
> The pam.d config would be my first guess. What gets logged to all.log?

I have no all.log currently. The only thing showing up in messages
though is:

May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP server - Server is unavailable

That error seems to creep up only when I restart slapd though.

>>
>> I searched through the bugs and it seems there is a bug in nss_ldap
>> with regards to getpwuid, but that seems to be more of an indicator
>> about why finger doesn't work, not why ssh doesn't work
>>
>> # id testuser seems to work, finger doesn't. Curious. Anyway, it
>> still appears as though at least some portions of the system are
>> using LDAP, which is good.
>> $ id testuser
>> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
>> $ finger testuser
>> finger: testuser: no such user
>> $
>
> id works because it's using the name service to look up the user (you
> added ldap to your nsswitch.conf, right?)
>
> finger doesn't work because you don't have a /etc/pam.d/finger file.
> Either create one or add pam_ldap to your /etc/pam.d/system file. (I
> always create a new conf file for my ldap enabled apps)

Interesting. Finger *did* work during some of my first attempts at
getting this working. I changed something (I don't recall what) and
then finger stopped working.

> Here is my /etc/pam.d/sshd file, I use the exact same file for all my
> ldap enabled apps.:
> (if somebody sees a bug in there, or can suggest any improvement, by
> all means let me know.)
> --
>
> # auth
> auth sufficient /usr/local/lib/pam_ldap.so
> auth required pam_nologin.so no_warn
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account sufficient /usr/local/lib/pam_ldap.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_unix.so
>
> # session
> #session optional pam_ssh.so
> session required pam_permit.so
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_unix.so no_warn try_first_pass

This seems to all work now with built-in ssh. How strange.

Now, I seem to have hit another snag and a bug (Both of which I
remember reading about this in my travels:)

$ id testuser
id: testuser: no such user
# sudo su
Password:
# id testuser
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
# cd ~testuser
# pwd
/usr/home/testuser
# ssh testuser@localhost
% id testuser
id: testuser: no such user
% pwd
/usr/home/testuser
% ls -al
Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] != NULL), function do_init, file ldap-nss.c, line 1193.
Abort (core dumped)
%

> --
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--
>
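The thread turns on which PAM management groups (auth, account, session, password) of a service file actually reference pam_ldap, and on services such as finger that have no pam.d file at all. The script below is an added example, not code from either poster: a small POSIX sh/awk lint that takes a FreeBSD pam.d service file and reports which groups have an active (uncommented) pam_ldap.so line and which do not. The sample input is the /etc/pam.d/sshd file Atom posted, written to a temporary file; the function names are my own.

```shell
#!/bin/sh
# Added example: lint a FreeBSD /etc/pam.d service file for pam_ldap coverage.
# Constructed input: the pam.d/sshd file quoted in the thread, written to a temp file.

SAMPLE_PAM=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_PAM"' EXIT
cat > "$SAMPLE_PAM" <<'EOF'
# auth
auth      sufficient  /usr/local/lib/pam_ldap.so
auth      required    pam_nologin.so     no_warn
auth      sufficient  pam_opie.so        no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so  no_warn allow_local
#auth     sufficient  pam_krb5.so        no_warn try_first_pass
#auth     sufficient  pam_ssh.so         no_warn try_first_pass
auth      required    pam_unix.so        no_warn try_first_pass

# account
account   sufficient  /usr/local/lib/pam_ldap.so
#account  required    pam_krb5.so
account   required    pam_login_access.so
account   required    pam_unix.so

# session
#session  optional    pam_ssh.so
session   required    pam_permit.so

# password
#password sufficient  pam_krb5.so        no_warn try_first_pass
password  required    pam_unix.so        no_warn try_first_pass
EOF

# Print, one per line and sorted, the management groups whose active
# (uncommented) lines name pam_ldap.so. Field layout is "type control module args";
# the module may be a bare name or a full path, so match on the basename.
pam_ldap_phases() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $3 ~ /pam_ldap\.so$/ { seen[$1] = 1 }
        END { for (p in seen) print p }
    ' "$1" | sort
}

# Print the management groups that have no active pam_ldap.so line.
# For the sample above this is "session" and "password": an LDAP user can log in,
# but passwd(1) through this service would only ever reach pam_unix.
pam_ldap_missing() {
    for phase in auth account session password; do
        pam_ldap_phases "$1" | grep -qx "$phase" || echo "$phase"
    done
}

# Print the active "control module" pairs of one group in file order, so the
# control-flag sequence (e.g. "sufficient" before "required") can be eyeballed.
pam_group_chain() {
    awk -v grp="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == grp { print $2, $3 }
    ' "$1"
}

echo "groups with pam_ldap:";    pam_ldap_phases  "$SAMPLE_PAM"
echo "groups without pam_ldap:"; pam_ldap_missing "$SAMPLE_PAM"
echo "password chain:";          pam_group_chain  "$SAMPLE_PAM" password
```

Run it against any file under /etc/pam.d (or /usr/local/etc/pam.d) by pointing the functions at that path instead of the sample. Note that it only answers the PAM side of the thread; the later `id: testuser: no such user` for the unprivileged user and the assertion in ldap-nss.c come from nss_ldap, which is consulted through nsswitch.conf, not through any pam.d file.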