Hey list, I just wanted to follow up with my /usr/local/etc/ldap.conf file and nsswitch file because I thought they might be helpful in dispensing advice as to what is going on:
uri ldap://LBSD2.summitnjhome.com
base ou=staff,ou=Group,dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
pam_password exop
nss_base_passwd dc=summitnjhome,dc=com
nss_base_shadow dc=summitnjhome,dc=com
nss_base_group dc=summitnjhome,dc=com
nss_base_sudo dc=summitnjhome,dc=com

# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
passwd: files ldap
passwd_compat: files ldap
group: files ldap
group_compat: nis
sudoers: ldap
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
> Hello List!!
>
> I have an OpenLDAP 2.4 server functioning very nicely that
> authenticates a network of (mostly virtual) CentOS 5.5 machines.
>
> But at the moment I am attempting to set up pam authentication for ssh
> via LDAP and having some difficulty.
>
> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_ldap.so
> #auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_ldap.so
> #account required pam_unix.so
>
> # session
> #session optional pam_ssh.so
> session sufficient pam_ldap.so
> session required pam_permit.so
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_ldap.so
> #password required pam_unix.so no_warn try_first_pass
>
>
> And if I'm reading the logs correctly LDAP is searching for and
> finding the account information when I am making the login attempt:
>
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]: OR
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
> Feb 26 19:52:54 LBSD2 slapd[54891]:
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>
>
> But logins fail every time. Could someone offer an opinion as to what
> may be going on to prevent logging in via pam/sshd and LDAP?
>
> Thanks in advance!
> Tim
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
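An added helper, not from the thread or any of its participants, that does the check a reader would want on slapd logs like the one quoted above: it pairs each SRCH with its SEARCH RESULT by conn/op and lists the lookups that completed without error (err=0) but matched no entry (nentries=0), which is what a pam_ldap/nss_ldap base or filter that does not cover the user's entry looks like from the server side. The first two sample lines are modelled on the quoted log; the uid=bob and err=32 lines are constructed.

```python
import re

# Constructed sample, modelled on the slapd "loglevel 256"-style lines quoted
# in the thread; the conn=21359 lines are invented for contrast.
SAMPLE_LOG = """\
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:53:10 LBSD2 slapd[54891]: conn=21359 op=1 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=bob))"
Feb 26 19:53:10 LBSD2 slapd[54891]: conn=21359 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 26 19:53:12 LBSD2 slapd[54891]: conn=21359 op=2 SRCH base="ou=Nowhere,dc=summitnjhome,dc=com" scope=2 deref=0 filter="(cn=pam_ldap)"
Feb 26 19:53:12 LBSD2 slapd[54891]: conn=21359 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

# The "SRCH attr=..." line has no base=, so it does not match SRCH_RE.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="(.*)"$')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def correlate_searches(log_text):
    """Pair every SRCH with its SEARCH RESULT via the (conn, op) key.

    Returns one dict per completed search, in the order results appeared.
    bdb_*_candidates and daemon: lines carry no conn/op and are ignored."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            pending[(conn, op)] = {"conn": conn, "op": op, "base": base,
                                   "scope": int(scope), "filter": filt}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            rec = pending.pop((conn, op), {"conn": conn, "op": op,
                                           "base": None, "scope": None, "filter": None})
            rec.update(err=int(err), nentries=int(nentries))
            done.append(rec)
    return done


def empty_searches(log_text):
    """Searches the server answered successfully (err=0) yet found nothing.

    err=32 (noSuchObject, a bad base DN) is reported separately by the
    caller; err=0 with nentries=0 means the base exists but no entry under
    it matches the filter, e.g. no posixAccount with that uidNumber."""
    return [r for r in correlate_searches(log_text)
            if r["err"] == 0 and r["nentries"] == 0]
```

Run against a real slapd log (or `tail -f` output piped through it), the err=0/nentries=0 list is the set of NSS or PAM lookups the directory could not satisfy, which is the place to start comparing nss_base_passwd and the filter against the entries actually stored.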