Date: Tue, 23 May 2006 19:37:53 -0400
From: Jason Lixfeld <jason+lists.freebsd-questions@lixfeld.ca>
To: FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: Trouble with nss|pam|openldap
Message-ID: <7DAD87F3-C2BD-4776-A98A-6EFDAD335594@lixfeld.ca>
I'm using openssh-portable and the latest versions of openldap, pam_ldap and nss_ldap. It appears as though the system is using ldap, but I can't seem to ssh in as an LDAP user. I get a permission denied. ssh debugs don't show anything useful and openldap debugs don't seem to show any activity when I enter the password, but they do show activity when I initially perform the ssh connection. That seems strange to me because I don't see a query in the debugs for the user password, even after I enter it in. I tried putting the pam_ldap lib in the password section of the /etc/pam.d/sshd file, but that was useless too. Local users can ssh in fine.

I searched through the bugs and it seems there is a bug in nss_ldap with regards to getpwuid, but that seems to be more of an indicator about why finger doesn't work, not why ssh doesn't work (http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/91806).

Anyone see anything that strikes them as why this may not work?

$ pkg_info
nss_ldap-1.249              RFC 2307 NSS module
openldap-client-2.3.23      Open source LDAP client implementation
openldap-server-2.3.23      Open source LDAP server implementation
pam_ldap-1.8.0              A pam module for authenticating with LDAP
php5-ldap-5.1.4             The ldap shared extension for php
phpldapadmin-1.0.1,1        A set of PHP-scripts to administer LDAP over the web
openssh-portable-4.3.p2_1,1 The portable version of OpenBSD's OpenSSH

$ uname -srm
FreeBSD 6.1-RELEASE amd64

# /usr/local/etc/nss_ldap|ldap.conf:
base dc=example,dc=com
uri ldap://127.0.0.1/
binddn cn=Manager,dc=example,dc=com
bindpw sillypassword
bind_timelimit 10
bind_policy soft
nss_connect_policy oneshot
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_password ssha
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group ou=groups,dc=example,dc=com?one

# id testuser seems to work, finger doesn't. Curious.
Anyway, it still appears as though at least some portions of the system are using LDAP, which is good.

$ id testuser
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
$ finger testuser
finger: testuser: no such user
$

# /etc/pam.d/sshd
auth        required    pam_nologin.so                  no_warn
auth        sufficient  pam_opie.so                     no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so               no_warn allow_local
auth        sufficient  /usr/local/lib/pam_ldap.so      debug
auth        required    pam_unix.so                     no_warn try_first_pass
account     required    pam_login_access.so
account     required    pam_unix.so
session     required    /usr/local/lib/pam_mkhomedir.so
session     required    pam_permit.so
password    required    pam_unix.so                     no_warn try_first_pass

# user/group data:
dn: cn=Test User,ou=people,dc=example,dc=com
cn: Test User
sn: Dummy
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
uidNumber: 2000
gidNumber: 2000
gecos: TestUser
loginShell: /bin/csh
userPassword:: e01ENX1YWnhveHNVTzA5QXFMODlVOWptVHRnPT0=
homeDirectory: /home/testuser

dn: cn=testuser,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 2000
memberUid: testuser
cn: testuser

# ssh attempt:
$ ssh testuser@192.168.100.200
testuser@192.168.100.200's password:
Permission denied, please try again.
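The LDIF in the post carries userPassword in the base64 `::` form, and when pam_ldap authenticates it binds to slapd as the user, so slapd's comparison of the candidate against that stored value is the step to check. As an added example (not code from the post or from the pam_ldap/OpenLDAP projects), the following Python decodes such an entry, reports the hash scheme and whether it is salted, and repeats the comparison slapd performs for the {SSHA}, {SHA}, {SMD5} and {MD5} schemes; the function names and the test passwords are constructed here.

```python
import base64
import hashlib
import os

# userPassword schemes slapd checks on a simple bind: (digest, salted?).
# Unsalted schemes are weak: equal passwords give equal stored values.
SCHEMES = {"SSHA": ("sha1", True), "SHA": ("sha1", False),
           "SMD5": ("md5", True), "MD5": ("md5", False)}

POST_ENTRY = (  # the userPassword line exactly as in the post's LDIF
    "dn: cn=Test User,ou=people,dc=example,dc=com\n"
    "uid: testuser\n"
    "userPassword:: e01ENX1YWnhveHNVTzA5QXFMODlVOWptVHRnPT0=\n")

def ldif_attr(ldif, attr):
    """Return one attribute from an LDIF entry. 'attr::' (two colons)
    marks a base64-encoded value, which is how userPassword is emitted."""
    for line in ldif.splitlines():
        if line.startswith(attr + ":: "):
            return base64.b64decode(line.split(":: ", 1)[1]).decode()
        if line.startswith(attr + ": "):
            return line.split(": ", 1)[1]
    return None

def split_scheme(value):
    """Split '{SCHEME}base64(digest+salt)' into (scheme, digest, salt)."""
    if not (value.startswith("{") and "}" in value):
        return "CLEARTEXT", value.encode(), b""
    scheme, blob = value[1:].split("}", 1)
    algo, salted = SCHEMES[scheme.upper()]
    raw = base64.b64decode(blob)
    n = hashlib.new(algo).digest_size
    return scheme.upper(), raw[:n], (raw[n:] if salted else b"")

def verify_password(value, password):
    """Repeat the check slapd does when pam_ldap binds as the user:
    hash candidate+salt with the stored scheme and compare digests."""
    scheme, digest, salt = split_scheme(value)
    if scheme == "CLEARTEXT":
        return digest == password.encode()
    algo = SCHEMES[scheme][0]
    return hashlib.new(algo, password.encode() + salt).digest() == digest

def make_userpassword(scheme, password, salt=None):
    """Build a userPassword value the way 'slappasswd -h {SCHEME}' does."""
    algo, salted = SCHEMES[scheme]
    salt = (os.urandom(4) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def audit_entry(ldif):
    """Report which scheme an entry's password uses and whether it is salted."""
    scheme, _, salt = split_scheme(ldif_attr(ldif, "userPassword"))
    return {"scheme": scheme, "salted": bool(salt)}
```

Run against the post's own userPassword line, audit_entry reports an unsalted {MD5} value, whereas the ldap.conf shown sets pam_password ssha for passwords changed through pam_ldap.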