Hello Krad and thank you for your reply!
Well, it seems that I am still unable to log in to this machine using an LDAP account. I have tried applying the configurations you have provided and the result doesn't seem to have changed just yet.

Here is my /usr/local/etc/ldap.conf file:

uri ldap://LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
scope sub
ssl start tls
tls_cacert /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
pam_login_attribute uid
bind_timelimit 1
timelimit 1
bind_policy soft
pam_password exop
nss_base_passwd dc=summitnjhome,dc=com
nss_base_shadow dc=summitnjhome,dc=com
nss_base_group dc=summitnjhome,dc=com
nss_base_sudo dc=summitnjhome,dc=com
nss_initgroups_ignoreusers root,slapd

# ls -l /usr/local/etc/nss_ldap.conf
lrwxr-xr-x  1 root  wheel  24 Feb 28 00:10 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf

# cat /usr/local/etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
passwd: cache files ldap [notfound=return]
passwd_compat: files ldap
group: cache files ldap [notfound = return]
group_compat: nis
sudoers: ldap
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Here is my slapd.conf file:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

loglevel 296

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.key
TLSCACertificateFile /usr/local/etc/openldap/certs/gd_bundle.crt

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_hdb
# moduleload back_ldap

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
access to * by read
access to attrs=userPassword
    by self write
    by anonymous auth
access to *
    by self write
    by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" write
    by users read
    by anonymous auth
access to *
    by self write
    by users read
    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################

database    bdb
suffix      "dc=summitnjhome,dc=com"
rootdn      "cn=Manager,dc=summitnjhome,dc=com"
rootpw      {SSHA}secret
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/db/summitnjhome.com
# Indices to maintain
index   objectClass,uid,uidNumber   eq
index   sudoUser                    eq

These are the packages I have installed:

nss_ldap-1.265_4             RFC 2307 NSS module
openldap-sasl-client-2.4.23  Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23  Open source LDAP server implementation
pam_ldap-1.8.5               A pam module for authenticating with LDAP

And this is what happens in the ldap logs after making those changes:

Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: OR
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: AND
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on:
Feb 26 19:58:43 LBSD2 slapd[54891]:  425r
Feb 26 19:58:43 LBSD2 slapd[54891]:
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: read activity on 425
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: AND
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter_list
Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0

This is what's going on in the secure logs:

Feb 27 19:02:05 LCENT01 su: pam_unix(su-l:session): session opened for user root by bluethundr(uid=10001)

And this is my /etc/pam.d/sshd file:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
#auth       sufficient  pam_ssh.so          no_warn try_first_pass
auth        required    pam_ldap.so
#auth       required    pam_unix.so         no_warn try_first_pass

# account
account     required    pam_nologin.so
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_ldap.so
#account    required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     sufficient  pam_ldap.so
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_ldap.so
#password   required    pam_unix.so         no_warn try_first_pass

I really appreciate your input, Krad, and I appreciate any advice anyone may have.

Thanks,
Tim

On Sun, Feb 27, 2011 at 6:10 AM, krad <[email protected]> wrote:
> On 27 February 2011 11:05, krad <[email protected]> wrote:
>> On 26 February 2011 20:01, Tim Dunphy <[email protected]> wrote:
>>> Hey list,
>>>
>>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>>> nsswitch file because I thought they might be helpful in dispensing
>>> advice as to what is going on:
>>>
>>> uri ldap://LBSD2.summitnjhome.com
>>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>>> bindpw secret
>>> scope sub
>>> pam_password exop
>>> nss_base_passwd dc=summitnjhome,dc=com
>>> nss_base_shadow dc=summitnjhome,dc=com
>>> nss_base_group dc=summitnjhome,dc=com
>>> nss_base_sudo dc=summitnjhome,dc=com
>>>
>>>
>>> # nsswitch.conf(5) - name service switch configuration file
>>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
>>> #
>>> passwd: files ldap
>>> passwd_compat: files ldap
>>> group: files ldap
>>> group_compat: nis
>>> sudoers: ldap
>>> hosts: files dns
>>> networks: files
>>> shells: files
>>> services: compat
>>> services_compat: nis
>>> protocols: files
>>> rpc: files
>>>
>>>
>>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <[email protected]> wrote:
>>>> Hello List!!
>>>>
>>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>>
>>>> But at the moment I am attempting to set up pam authentication for ssh
>>>> via LDAP and having some difficulty.
>>>>
>>>> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>>>
>>>> # PAM configuration for the "sshd" service
>>>> #
>>>>
>>>> # auth
>>>> auth        sufficient  pam_opie.so         no_warn no_fake_prompts
>>>> auth        requisite   pam_opieaccess.so   no_warn allow_local
>>>> #auth       sufficient  pam_krb5.so         no_warn try_first_pass
>>>> #auth       sufficient  pam_ssh.so          no_warn try_first_pass
>>>> auth        required    pam_ldap.so
>>>> #auth       required    pam_unix.so         no_warn try_first_pass
>>>>
>>>> # account
>>>> account     required    pam_nologin.so
>>>> #account    required    pam_krb5.so
>>>> account     required    pam_login_access.so
>>>> account     required    pam_ldap.so
>>>> #account    required    pam_unix.so
>>>>
>>>> # session
>>>> #session    optional    pam_ssh.so
>>>> session     sufficient  pam_ldap.so
>>>> session     required    pam_permit.so
>>>>
>>>> # password
>>>> #password   sufficient  pam_krb5.so         no_warn try_first_pass
>>>> password    required    pam_ldap.so
>>>> #password   required    pam_unix.so         no_warn try_first_pass
>>>>
>>>>
>>>> And if I'm reading the logs correctly LDAP is searching for and
>>>> finding the account information when I am making the login attempt:
>>>>
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: OR
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26 first=106 last=137
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=106 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=0 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0 first=1 last=0
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input error=-2 id=34715, closing.
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying conn=34715 sd=212 for close
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7 active_threads=0 tvp=NULL
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>>
>>>>
>>>> But logins fail every time. Could someone offer an opinion as to what
>>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>>
>>>> Thanks in advance!
>>>> Tim
>>>>
>>>> --
>>>> GPG me!!
>>>>
>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>
>>>
>>> _______________________________________________
>>> [email protected] mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "[email protected]"
>>>
>>
>> These are my files and they are from a working setup.
>>
>> # cat /usr/local/etc/ldap.conf
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> BASE dc=XXX,dc=net
>> URI ldap://XXX.net
>>
>> #SIZELIMIT 12
>> #TIMELIMIT 15
>> #DEREF never
>>
>> ssl start_tls
>> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>>
>> pam_login_attribute uid
>>
>> sudoers_base ou=sudoers,ou=services,dc=XXX,dc=net
>> bind_timelimit 1
>> timelimit 1
>> bind_policy soft
>>
>> nss_initgroups_ignoreusers root,slapd,krad
>>
>>
>> # ls -l /usr/local/etc/nss_ldap.conf
>> lrwxr-xr-x  1 root  wheel  24 Jan 16 22:31 /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>>
>> # nsswitch.conf
>>
>> group: cache files ldap [notfound=return]
>> passwd: cache files ldap [notfound=return]
>>
>> These packages are installed:
>>
>> nss_ldap-1.265_4        RFC 2307 NSS module
>> openldap-client-2.4.23  Open source LDAP client implementation
>> openldap-server-2.4.23  Open source LDAP server implementation
>> pam_ldap-1.8.6          A pam module for authenticating with LDAP
>>
>
> And my slapd.conf:
>
> security ssf=128
>
> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> #include /usr/local/etc/openldap/schema/ldapns.schema
> include /usr/local/etc/openldap/schema/samba.schema
> include /usr/local/etc/openldap/schema/sudo.schema
> logfile /var/log/slapd.log
> loglevel stats
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb
> database bdb
> directory /var/db/openldap-data
> #index uid pres,eq
> index cn,sn,uid pres,eq,sub
> index objectClass eq
> #index sudoUser
> suffix "dc=XXX,dc=net"
> rootdn "cn=krad,dc=XXX,dc=net"
> rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
> access to attrs=userPassword
>     by self write
>     by anonymous auth
>     by dn.base="cn=krad,dc=XXX,dc=net" write
>     by * none
> access to *
>     by self write
>     by dn.base="cn=krad,dc=XXX,dc=net" write
>     by * read
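An added example, not code from the thread or from either poster: a small Python parser over slapd log lines in the format quoted above. It pairs each SRCH with its SEARCH RESULT by (conn, op) so that posixAccount lookups which returned nentries=0 (the case in the logs above) or an LDAP error can be picked out of a busy log. The first pair of sample lines copies the shape of the real lookup; the uid=bluethundr hit and the err=32 (noSuchObject) result against the earlier ou=staff,ou=Group base are constructed.

```python
import re

# Constructed sample, modelled on the slapd lines quoted in the thread.
# Pair 1: the real lookup shape (uidNumber=1001 under the suffix, nentries=0).
# Pair 2: constructed hit. Pair 3: constructed err=32 (noSuchObject), which is
# what a search returns when the configured base DN does not exist.
SAMPLE_LOG = """\
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 26 19:58:44 LBSD2 slapd[54891]: conn=34935 op=1 SRCH base="dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=bluethundr))"
Feb 26 19:58:44 LBSD2 slapd[54891]: conn=34935 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 26 19:58:45 LBSD2 slapd[54891]: conn=34936 op=1 SRCH base="ou=staff,ou=Group,dc=summitnjhome,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Feb 26 19:58:45 LBSD2 slapd[54891]: conn=34936 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

# The "SRCH attr=..." line deliberately does not match: it carries no base= field.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def parse_searches(log_text):
    """Pair every SRCH line with its SEARCH RESULT line, keyed by (conn, op)."""
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            searches[(int(conn), int(op))] = {"base": base, "scope": int(scope),
                                              "filter": filt, "err": None, "nentries": None}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, n = m.groups()
            rec = searches.setdefault((int(conn), int(op)),
                                      {"base": None, "scope": None, "filter": None})
            rec["err"], rec["nentries"] = int(err), int(n)
    return searches


def lookup_key(filt):
    """Return the attribute NSS/pam_ldap searched on, e.g. ('uidNumber', '1001')."""
    m = re.search(r'\((uid|uidNumber|gidNumber|cn|memberUid)=([^)]*)\)', filt or "")
    return (m.group(1), m.group(2)) if m else None


def failed_account_lookups(searches):
    """posixAccount searches that errored or matched nothing: NSS gets no entry for these."""
    return [(key, rec) for key, rec in sorted(searches.items())
            if rec["filter"] and "posixAccount" in rec["filter"]
            and (rec["err"] != 0 or rec["nentries"] == 0)]


if __name__ == "__main__":
    for (conn, op), rec in failed_account_lookups(parse_searches(SAMPLE_LOG)):
        print(f"conn={conn} op={op} base={rec['base']} key={lookup_key(rec['filter'])} "
              f"err={rec['err']} nentries={rec['nentries']}")
```

Run it against a real slapd log at loglevel stats (or the 296 used above) and the offending (conn, op) pairs show which base and filter the client sent; an entry under the wrong base or with a different uidNumber shows up as nentries=0 with err=0, exactly as in the thread.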
