On Thu, May 12, 2005 at 05:11:03PM -0500, Benjamin J Doherty wrote:
> I've been struggling with pam_ldap for three days now and cannot see
> what I am doing wrong.  I'm trying to use OpenLDAP for
> authentication, though I threw nss_ldap in for good measure.  What's
> so baffling to me is that I can add a new user to the directory and
> verify its existence using "id" but SSH refuses to bind.
I couldn't spot any references to pam.d/sshd anywhere else in your post.
To allow sshd to authenticate via pam_ldap you need to have the lines:

  auth      sufficient  pam_ldap.so  no_warn try_first_pass
  account   sufficient  pam_ldap.so
  password  sufficient  pam_ldap.so  no_warn try_first_pass

I think just the auth line will do but the rest seem helpful too.

To go a little further than that, I have my pam.d/passwd file configured:

  password  sufficient  pam_unix.so  no_warn try_first_pass nullok
  password  sufficient  pam_ldap.so  no_warn use_first_pass

pam.d/system:

  auth      sufficient  pam_ldap.so  no_warn try_first_pass
  auth      required    pam_unix.so  no_warn try_first_pass nullok
  password  sufficient  pam_ldap.so  no_warn try_first_pass
  password  required    pam_unix.so  no_warn try_first_pass

You can apply the following patch to /usr/src/usr.bin/passwd/passwd.c to
allow passwd to be used to change passwords via pam_ldap (it also works for
pam_unix) (see http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/71290):

***BEGIN
--- passwd.c.orig	Wed Mar 9 03:20:02 2005
+++ passwd.c	Wed Mar 9 03:20:29 2005
@@ -120,9 +120,8 @@
 			    pwd->pw_name);
 			break;
 		default:
-			/* XXX: Green men ought to be supported via PAM. */
-			errx(1,
-			    "Sorry, `passwd' can only change passwords for local or NIS users.");
+			fprintf(stderr, "Changing LDAP password for %s\n",
+			    pwd->pw_name);
 		}
 
 #define pam_check(func) do { \
***END

To use passwd you will also need to configure your /usr/local/etc/ldap.conf
file by setting:

  pam_password exop

and at the server-side set:

  password-hash

to whatever you want (SMD5 is good!) in /usr/local/etc/openldap/slapd.conf.

It took me a good deal of time and effort to bring all those things together
and I have them sat in a non-publicly available wiki.  You can find a very
good tutorial which should cover most of this (I think) at
http://books.blurgle.ca/read/book/1 -- unlike other tutorials this one is
dedicated to FreeBSD (and I even got my name in the credits ;).

chsh doesn't work so I came up with this very simple shell script (it's
probably not great and no doubt could be greatly improved):

*** BEGIN
#!/bin/sh
# Replace the loginShell attribute of the invoking user's LDAP entry.

# is shell specified?
if [ -z "$1" ]; then
	echo "Usage: $0 newshell"
	exit 1
fi

# is shell listed in /etc/shells?  (-x: whole line, -F: no regex, -q: quiet)
if ! grep -qxF -- "$1" /etc/shells; then
	echo "That shell is not listed in /etc/shells."
	exit 1
fi

# attempt modify; -W prompts for the user's own LDAP password
user=`whoami`
ldapmodify -D "uid=$user,ou=People,dc=domain,dc=com" -x -W >/dev/null <<EOT
dn: uid=$user,ou=People,dc=domain,dc=com
changetype: modify
replace: loginShell
loginShell: $1
EOT
if [ $? -eq 0 ]; then
	echo "Shell changed successfully."
else
	echo "A problem occurred changing your shell.  Please contact [EMAIL PROTECTED] for assistance."
fi
*** END

To use that just place it over /usr/bin/chsh (WARNING!  THIS COULD BE BAD! :)

I hope that's some help.  Good luck!

-Lewis Thompson.

-- 
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
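Review bot: the default case in this hunk now continues into the PAM calls that follow `#define pam_check(func)` for every password source the earlier cases did not match, yet the replacement message hard-codes "LDAP"; since the PAM stack in pam.d/passwd, not this branch, decides which module actually handles the change, a neutral message such as `"Changing password for %s via PAM\n"` would not mislead when pam_unix or another module ends up doing the work. The removed `errx()` was also the only thing refusing non-local, non-NIS users, so the patch description (and the PR) should state that refusing unsupported cases is now left to the PAM policy.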
-| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |-
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
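As an added example (not part of Lewis's mail, pam_ldap or FreeBSD's own tooling), the following Python parser and linter reads pam.d policy files in the format quoted above and reports the points an admin would want to review after wiring in pam_ldap: a chain made only of "sufficient" lines, pam_unix.so with nullok, and use_first_pass on the first module of a chain. The three sample policies are constructed from the lines in the mail; the check names, the sample file names and the line-continuation handling are this example's own assumptions.

```python
"""Parse pam.d policy files and flag settings worth a second look.

Added example; the sample policies below are constructed from the
pam.d/sshd, pam.d/passwd and pam.d/system lines quoted in the e-mail.
"""
import re
from collections import defaultdict

# Control flags accepted by FreeBSD's pam.conf(5) policy syntax.
CONTROLS = {"required", "requisite", "sufficient", "optional", "binding"}

# Constructed samples copied from the e-mail's configuration lines.
SSHD_POLICY = """\
# pam.d/sshd as suggested in the mail: three 'sufficient' lines
auth      sufficient  pam_ldap.so  no_warn try_first_pass
account   sufficient  pam_ldap.so
password  sufficient  pam_ldap.so  no_warn try_first_pass
"""

PASSWD_POLICY = """\
password  sufficient  pam_unix.so  no_warn try_first_pass nullok
password  sufficient  pam_ldap.so  no_warn use_first_pass
"""

# The second auth line is split with a trailing backslash to exercise
# continuation handling; the content is the same as in the mail.
SYSTEM_POLICY = """\
auth      sufficient  pam_ldap.so  no_warn try_first_pass
auth      required    pam_unix.so  no_warn try_first_pass \\
                                   nullok
password  sufficient  pam_ldap.so  no_warn try_first_pass
password  required    pam_unix.so  no_warn try_first_pass
"""


def parse_pam_policy(text):
    """Return {facility: [(control, module, options)]} in file order.

    Each line is 'facility control module [options...]'; '#' starts a
    comment and a trailing backslash continues the line.  Line numbers in
    errors count after continuation lines have been joined.
    """
    stacks = defaultdict(list)
    joined = re.sub(r"\\\n", " ", text)
    for lineno, raw in enumerate(joined.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'facility control module'")
        facility, control, module, *options = fields
        if control not in CONTROLS:
            raise ValueError(f"line {lineno}: unknown control flag {control!r}")
        stacks[facility].append((control, module, options))
    return dict(stacks)


def lint_policy(stacks):
    """Return a list of findings (empty when nothing stands out)."""
    findings = []
    if "auth" in stacks and not any(m == "pam_ldap.so" for _, m, _ in stacks["auth"]):
        findings.append("auth: pam_ldap.so is not in the auth chain")
    for facility, chain in stacks.items():
        # A 'sufficient' module's failure is ignored, so a chain built only
        # from such lines has no module whose failure is meant to reject.
        if all(c == "sufficient" for c, _, _ in chain):
            findings.append(f"{facility}: every module is 'sufficient', "
                            "no required/requisite line")
        for pos, (control, module, options) in enumerate(chain):
            if module == "pam_unix.so" and "nullok" in options:
                findings.append(f"{facility}: pam_unix.so accepts empty "
                                "passwords (nullok)")
            # use_first_pass reuses the password collected by an earlier
            # module; on the first module there is nothing to reuse.
            if pos == 0 and "use_first_pass" in options:
                findings.append(f"{facility}: {module} is first in the chain "
                                "but set to use_first_pass")
    return findings


if __name__ == "__main__":
    for name, text in (("sshd", SSHD_POLICY), ("passwd", PASSWD_POLICY),
                       ("system", SYSTEM_POLICY)):
        print(f"== pam.d/{name}")
        for finding in lint_policy(parse_pam_policy(text)) or ["(nothing to report)"]:
            print(" ", finding)
```

Running the script prints the findings for each sample: the suggested pam.d/sshd stack is reported three times for having only "sufficient" lines, pam.d/passwd for the same plus nullok, and pam.d/system only for nullok on its required pam_unix.so line. To lint a real file, pass the contents of /etc/pam.d/<service> to parse_pam_policy().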