Date: Wed, 6 Oct 2010 23:35:51 +0000
From: Michel Talon <talon@lpthe.jussieu.fr>
To: freebsd-questions@freebsd.org
Subject: Re: LDAP Authentication from console
Message-ID: <20101006233551.GA25366@lpthe.jussieu.fr>
Kevin Mai wrote:
> Logins over ssh and sudo work great with ldap, but when I try to log in
> from console, it prompts me twice for the password.
>
> If I put a wrong password it prints out that it cannot bind to the ldap
> server, which means that I'm being able to bind to ldap, but cannot login
> for some reason.

I went through that recently so I can share what I have done:

. First, don't forget to configure /usr/local/etc/nss_ldap.conf. This was not mentioned in the doc I had found on the web; I had to run truss to discover why authentication was not working.

. Second, for some strange reason the certificates in cacertdir have to be named in a specific way. I have found this hint on the web, and it worked for me:

    ln -s someCA.pem `openssl x509 -in someCA.pem -noout -hash`.0

(of course I have tls_cacertdir /usr/local/etc/openldap/certs in the 3 ldap config files)

When ldapsearch finally worked OK, I had to play with the pam files. The file "login" in /etc/pam.d in fact includes "system", which needs to be tuned. Now the following works but I don't pretend it is optimal or secure; I am not a pam expert. But it allows me to enter the console either as a local user or an ldap user and stops unauthenticated users. But something is not polished enough since changing passwords is not managed, apparently (the password section below). The order of the stuff is important, choosing between sufficient and required is important, the try_first_pass is important (it gets the password from the previous ldap query for ldap users), etc. It is a big mess. For sshd I used what I have found in the web documentation; it works but seems quite complicated.
niobe% cat system
#
# $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
# System-wide defaults
#

# auth
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth        sufficient  pam_unix.so                 no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     sufficient  /usr/local/lib/pam_ldap.so  no_warn
account     sufficient  pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_lastlog.so              no_fail

# password
#password   sufficient  pam_krb5.so                 no_warn try_first_pass
password    sufficient  /usr/local/lib/pam_ldap.so  no_warn
password    sufficient  pam_unix.so                 no_warn try_first_pass

-- 
Michel TALON
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20101006233551.GA25366>
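The "certificates in cacertdir have to be named in a specific way" step from the e-mail above is not magic: the LDAP client libraries hand `tls_cacertdir` to OpenSSL as a CApath, and OpenSSL only looks for files named `<subject-hash>.<n>`, trying `.0`, `.1`, ... until a name is missing. The following is an added example (it is not from Michel Talon's message, nor from the nss_ldap/pam_ldap projects) that populates such a directory for every CA in it, handles two CAs that share a subject (they must get `.0` and `.1`, not clobber each other), is safe to re-run, and checks the result with the same lookup the LDAP libraries will do. It assumes `openssl` is on PATH and that the directory passed in is whatever `tls_cacertdir` points at; the function names `rehash_cacertdir`, `link_for` and `verify_with_capath` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original e-mail): build the <hash>.<n> symlinks
# that OpenSSL's CApath lookup needs in a tls_cacertdir directory.
# Assumption: `openssl` is on PATH; DIR is the operator's tls_cacertdir.
set -eu

# rehash_cacertdir DIR
# For every *.pem in DIR that is a certificate, create <hash>.<n> -> <file>,
# where <hash> is `openssl x509 -hash` (subject-name hash) and <n> is the
# lowest free index. Re-running is a no-op for files already linked.
rehash_cacertdir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        # Skip things that are not certificates (a key file left in DIR, say).
        hash=$(openssl x509 -in "$pem" -noout -hash 2>/dev/null) || continue
        base=$(basename "$pem")
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            if [ "$(readlink "$dir/$hash.$n")" = "$base" ]; then
                n=-1          # already linked: nothing to do for this file
                break
            fi
            n=$((n + 1))      # same subject hash, different CA: next index
        done
        [ "$n" -ge 0 ] || continue
        ln -s "$base" "$dir/$hash.$n"
    done
}

# link_for DIR CERT
# Print the <hash>.<n> name that resolves to CERT, or fail if none does.
link_for() {
    dir=$1
    pem=$2
    hash=$(openssl x509 -in "$pem" -noout -hash)
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$pem")" ]; then
            echo "$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# verify_with_capath DIR CERT
# Succeeds iff CERT chains to a CA that OpenSSL can find in DIR by hash name,
# which is exactly the lookup nss_ldap/pam_ldap/ldapsearch perform for
# tls_cacertdir. A CA file with no <hash>.<n> link will fail here even though
# it sits in the directory.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

On a box with a recent OpenSSL, `c_rehash DIR` or `openssl rehash DIR` does the same linking; the script above is useful where those are absent and as a readable statement of what the hash-named symlink in the e-mail actually satisfies. Run `verify_with_capath /usr/local/etc/openldap/certs someCA.pem` after linking: if it fails, ldapsearch with TLS will fail for the same reason, before any PAM tuning is worth attempting.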