On 26 February 2011 20:01, Tim Dunphy <[email protected]> wrote: > Hey list, > > I just wanted to follow up with my /usr/local/etc/ldap.conf file and > nsswitch file because I thought they might be helpful in dispensing > advice as to what is going on: > > uri ldap://LBSD2.summitnjhome.com > base ou=staff,ou=Group,dc=summitnjhome,dc=com > sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com > binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com > bindpw secret > scope sub > pam_password exop > nss_base_passwd dc=summitnjhome,dc=com > nss_base_shadow dc=summitnjhome,dc=com > nss_base_group dc=summitnjhome,dc=com > nss_base_sudo dc=summitnjhome,dc=com > > > # nsswitch.conf(5) - name service switch configuration file > # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 > kensmith Exp $ > # > passwd: files ldap > passwd_compat: files ldap > group: files ldap > group_compat: nis > sudoers: ldap > hosts: files dns > networks: files > shells: files > services: compat > services_compat: nis > protocols: files > rpc: files > > > On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <[email protected]> wrote: >> Hello List!! >> >> I have an OpenLDAP 2.4 server functioning very nicely that >> authenticates a network of (mostly virtual) centos 5.5 machines. >> >> But at the moment I am attempting to setup pam authentication for ssh >> via LDAP and having some difficulty. >> >> My /etc/pam.d/sshd file seems to be setup logically and correctly: >> >> # PAM configuration for the "sshd" service >> # >> >> # auth >> auth sufficient pam_opie.so no_warn >> no_fake_prompts >> auth requisite pam_opieaccess.so no_warn allow_local >> #auth sufficient pam_krb5.so no_warn >> try_first_pass >> #auth sufficient pam_ssh.so no_warn >> try_first_pass >> auth required pam_ldap.so >> #auth required pam_unix.so no_warn >> try_first_pass >> >> # account >> account required pam_nologin.so >> #account required pam_krb5.so >> account required pam_login_access.so >> account required pam_ldap.so >> #account required pam_unix.so >> >> # session >> #session optional pam_ssh.so >> session sufficient pam_ldap.so >> session required pam_permit.so >> >> # password >> #password sufficient pam_krb5.so no_warn >> try_first_pass >> password required pam_ldap.so >> #password required pam_unix.so no_warn >> try_first_pass >> >> >> And if I'm reading the logs correctly LDAP is searching for and >> finding the account information when I am making the login attempt: >> >> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH >> base="dc=summitnjhome,dc=com" scope=2 deref=0 >> filter="(&(objectClass=posixAccount)(uidNumber=1001 >> ))" >> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid >> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos >> description objectCla >> ss >> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates >> Feb 26 19:52:54 LBSD2 slapd[54891]: AND >> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0 >> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates >> Feb 26 19:52:54 LBSD2 slapd[54891]: OR >> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1 >> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates >> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY >> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 >> first=0 last=0 >> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates >> Feb 26 19:52:54 LBSD2 slapd[54891]: AND >> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0 >> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates >> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY >> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 >> first=106 last=137 >> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates >> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY >> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 >> first=0 last=0 >> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 >> first=106 last=0 >> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 >> first=106 last=0 >> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 >> last=0 >> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 >> first=0 last=0 >> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 >> last=0 >> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 >> first=1 last=0 >> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT >> tag=101 err=0 nentries=0 text= >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 >> active_threads=0 tvp=NULL >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 >> active_threads=0 tvp=NULL >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on: >> Feb 26 19:52:54 LBSD2 slapd[54891]: >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212 >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 >> active_threads=0 tvp=NULL >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 >> active_threads=0 tvp=NULL >> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input >> error=-2 id=34715, closing. >> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying >> conn=34715 sd=212 for close >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 >> active_threads=0 tvp=NULL >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 >> active_threads=0 tvp=NULL >> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212 >> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection >> lost) >> >> >> But logins fail every time. Could someone offer an opinion as to what >> may be going on to prevent logging in via pam/sshd and LDAP? >> >> Thanks in advance! >> Tim >> >> -- >> GPG me!! >> >> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B >> > > > > -- > GPG me!! > > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B > _______________________________________________ > [email protected] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "[email protected]" >
these are my files and are from a working setup # cat /usr/local/etc/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=XXX,dc=net URI ldap://XXX.net #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never ssl start_tls tls_cacert /usr/local/etc/openldap/ssl/cert.crt pam_login_attribute uid sudoers_base ou=sudoers,ou=services,dc=XXX,dc=net bind_timelimit 1 timelimit 1 bind_policy soft nss_initgroups_ignoreusers root,slapd,krad # ls -l /usr/local/etc/nss_ldap.conf lrwxr-xr-x 1 root wheel 24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf # nsswitch.conf group: cache files ldap [notfound=return] passwd: cache files ldap [notfound=return] these packages are installs nss_ldap-1.265_4 RFC 2307 NSS module openldap-client-2.4.23 Open source LDAP client implementation openldap-server-2.4.23 Open source LDAP server implementation pam_ldap-1.8.6 A pam module for authenticating with LDAP _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[email protected]"
