On 28 February 2011 01:06, Tim Dunphy <bluethu...@gmail.com> wrote:
> Hello Krad and thank you for your reply!
>
>
> Well it seems that I am still unable to log in to this machine using an
> LDAP account. I have tried applying the configurations you have
> provided and the result doesn't seem to have changed just yet.
>
> Here is my /usr/local/etc/ldap.conf file
>
>
> uri ldap://LBSD2.summitnjhome.com
> base dc=summitnjhome,dc=com
> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw secret
> scope sub
> ssl start tls
> tls_cacert /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
> pam_login_attribute uid
> bind_timelimit 1
> timelimit 1
> bind_policy soft
> pam_password exop
> nss_base_passwd dc=summitnjhome,dc=com
> nss_base_shadow dc=summitnjhome,dc=com
> nss_base_group dc=summitnjhome,dc=com
> nss_base_sudo dc=summitnjhome,dc=com
> nss_initgroups_ignoreusers root,slapd
>
>
>
> #ls -l /usr/local/etc/nss_ldap.conf
> lrwxr-xr-x 1 root wheel 24 Feb 28 00:10
> /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>
>
> #cat /usr/local/etc/nsswitch.conf
> #
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
> kensmith Exp $
> #
> passwd: cache files ldap [notfound=return]
> passwd_compat: files ldap
> group: cache files ldap [notfound = return]
> group_compat: nis
> sudoers: ldap
> hosts: files dns
> networks: files
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> Here is my slapd.conf file:
>
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/openldap.schema
> include /usr/local/etc/openldap/schema/sudo.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> loglevel 296
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.key
> TLSCACertificateFile /usr/local/etc/openldap/certs/gd_bundle.crt
>
> # Load dynamic backend modules:
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb
> # moduleload back_hdb
> # moduleload back_ldap
>
> # Sample security restrictions
> # Require integrity protection (prevent hijacking)
> # Require 112-bit (3DES or better) encryption for updates
> # Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> # Root DSE: allow anyone to read it
> # Subschema (sub)entry DSE: allow anyone to read it
> # Other DSEs:
> # Allow self write access
> # Allow authenticated users read access
> # Allow anonymous users to authenticate
> # Directives needed to implement policy:
> # access to dn.base="" by * read
> access to *
> by read
>
> access to attrs=userPassword by self write
> by anonymous auth
>
> access to * by self write
> by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com"
> write
> by users read
> by anonymous auth
>
> access to * by self write
> by users read
> by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn. (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # BDB database definitions
> #######################################################################
>
> database bdb
> suffix "dc=summitnjhome,dc=com"
> rootdn "cn=Manager,dc=summitnjhome,dc=com"
> rootpw {SSHA}secret
>
> # Cleartext passwords, especially for the rootdn, should
> # be avoid. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /var/db/summitnjhome.com
> # Indices to maintain
> index objectClass,uid,uidNumber eq
> index sudoUser eq
>
>
> These are the packages I have installed:
>
>
> nss_ldap-1.265_4 RFC 2307 NSS module
> openldap-sasl-client-2.4.23 Open source LDAP client implementation
> with SASL2 support
> openldap-sasl-server-2.4.23 Open source LDAP server implementation
> pam_ldap-1.8.5 A pam module for authenticating with LDAP
>
>
> And this is what happens in the ldap logs after making those changes:
>
>
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH
> base="dc=summitnjhome,dc=com" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uidNumber=1001))"
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
> description objectClass
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: OR
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
> first=106 last=137
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
> first=106 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=106 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0
> last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1
> last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=1 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT
> tag=101 err=0 nentries=0 text=
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on:
> Feb 26 19:58:43 LBSD2 slapd[54891]: 425r
> Feb 26 19:58:43 LBSD2 slapd[54891]:
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: read activity on 425
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter_list
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter_list
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
>
> This is what's going on in the secure logs:
>
> Feb 27 19:02:05 LCENT01 su: pam_unix(su-l:session): session opened for
> user root by bluethundr(uid=10001)
>
> And this is my /etc/pam.d/sshd file:
>
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.4.1 2010/06/14 02:09:06
> kensmith Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth sufficient pam_opie.so no_warn
> no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_ldap.so
> #auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_ldap.so
> #account required pam_unix.so
>
> # session
> #session optional pam_ssh.so
> session sufficient pam_ldap.so
> session required pam_permit.so
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_ldap.so
> #password required pam_unix.so no_warn try_first_pass
>
>
> I really appreciate your input, Krad, and I appreciate any advice anyone may
> have.
>
> thanks
> tim
>
>
> On Sun, Feb 27, 2011 at 6:10 AM, krad <kra...@gmail.com> wrote:
>> On 27 February 2011 11:05, krad <kra...@gmail.com> wrote:
>>> On 26 February 2011 20:01, Tim Dunphy <bluethu...@gmail.com> wrote:
>>>> Hey list,
>>>>
>>>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>>>> nsswitch file because I thought they might be helpful in dispensing
>>>> advice as to what is going on:
>>>>
>>>> uri ldap://LBSD2.summitnjhome.com
>>>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>>>> bindpw secret
>>>> scope sub
>>>> pam_password exop
>>>> nss_base_passwd dc=summitnjhome,dc=com
>>>> nss_base_shadow dc=summitnjhome,dc=com
>>>> nss_base_group dc=summitnjhome,dc=com
>>>> nss_base_sudo dc=summitnjhome,dc=com
>>>>
>>>>
>>>> # nsswitch.conf(5) - name service switch configuration file
>>>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
>>>> kensmith Exp $
>>>> #
>>>> passwd: files ldap
>>>> passwd_compat: files ldap
>>>> group: files ldap
>>>> group_compat: nis
>>>> sudoers: ldap
>>>> hosts: files dns
>>>> networks: files
>>>> shells: files
>>>> services: compat
>>>> services_compat: nis
>>>> protocols: files
>>>> rpc: files
>>>>
>>>>
>>>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethu...@gmail.com> wrote:
>>>>> Hello List!!
>>>>>
>>>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>>>
>>>>> But at the moment I am attempting to set up pam authentication for ssh
>>>>> via LDAP and having some difficulty.
>>>>>
>>>>> My /etc/pam.d/sshd file seems to be set up logically and correctly:
>>>>>
>>>>> # PAM configuration for the "sshd" service
>>>>> #
>>>>>
>>>>> # auth
>>>>> auth sufficient pam_opie.so no_warn
>>>>> no_fake_prompts
>>>>> auth requisite pam_opieaccess.so no_warn
>>>>> allow_local
>>>>> #auth sufficient pam_krb5.so no_warn
>>>>> try_first_pass
>>>>> #auth sufficient pam_ssh.so no_warn
>>>>> try_first_pass
>>>>> auth required pam_ldap.so
>>>>> #auth required pam_unix.so no_warn
>>>>> try_first_pass
>>>>>
>>>>> # account
>>>>> account required pam_nologin.so
>>>>> #account required pam_krb5.so
>>>>> account required pam_login_access.so
>>>>> account required pam_ldap.so
>>>>> #account required pam_unix.so
>>>>>
>>>>> # session
>>>>> #session optional pam_ssh.so
>>>>> session sufficient pam_ldap.so
>>>>> session required pam_permit.so
>>>>>
>>>>> # password
>>>>> #password sufficient pam_krb5.so no_warn
>>>>> try_first_pass
>>>>> password required pam_ldap.so
>>>>> #password required pam_unix.so no_warn
>>>>> try_first_pass
>>>>>
>>>>>
>>>>> And if I'm reading the logs correctly LDAP is searching for and
>>>>> finding the account information when I am making the login attempt:
>>>>>
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
>>>>> base="dc=summitnjhome,dc=com" scope=2 deref=0
>>>>> filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
>>>>> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
>>>>> description objectClass
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: OR
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
>>>>> first=106 last=137
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
>>>>> first=106 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=106 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0
>>>>> last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1
>>>>> last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=1 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
>>>>> tag=101 err=0 nentries=0 text=
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
>>>>> error=-2 id=34715, closing.
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
>>>>> conn=34715 sd=212 for close
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection
>>>>> lost)
>>>>>
>>>>>
>>>>> But logins fail every time. Could someone offer an opinion as to what
>>>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>>>
>>>>> Thanks in advance!
>>>>> Tim
>>>>>
>>>>> --
>>>>> GPG me!!
>>>>>
>>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> GPG me!!
>>>>
>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>> _______________________________________________
>>>> freebsd-questions@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to
>>>> "freebsd-questions-unsubscr...@freebsd.org"
>>>>
>>>
>>>
>>>
>>> These are my files, and they are from a working setup:
>>>
>>> # cat /usr/local/etc/ldap.conf
>>> #
>>> # LDAP Defaults
>>> #
>>>
>>> # See ldap.conf(5) for details
>>> # This file should be world readable but not world writable.
>>>
>>> BASE dc=XXX,dc=net
>>> URI ldap://XXX.net
>>>
>>> #SIZELIMIT 12
>>> #TIMELIMIT 15
>>> #DEREF never
>>>
>>> ssl start_tls
>>> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>>>
>>> pam_login_attribute uid
>>>
>>> sudoers_base ou=sudoers,ou=services,dc=XXX,dc=net
>>> bind_timelimit 1
>>> timelimit 1
>>> bind_policy soft
>>>
>>> nss_initgroups_ignoreusers root,slapd,krad
>>>
>>>
>>> # ls -l /usr/local/etc/nss_ldap.conf
>>> lrwxr-xr-x 1 root wheel 24 Jan 16 22:31
>>> /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>>>
>>> # nsswitch.conf
>>>
>>>
>>> group: cache files ldap [notfound=return]
>>> passwd: cache files ldap [notfound=return]
>>>
>>> These packages are installed:
>>>
>>> nss_ldap-1.265_4 RFC 2307 NSS module
>>> openldap-client-2.4.23 Open source LDAP client implementation
>>> openldap-server-2.4.23 Open source LDAP server implementation
>>> pam_ldap-1.8.6 A pam module for authenticating with LDAP
>>>
>>
>> and my slapd.conf
>>
>> security ssf=128
>>
>> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
>> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
>> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
>> include /usr/local/etc/openldap/schema/core.schema
>> include /usr/local/etc/openldap/schema/cosine.schema
>> include /usr/local/etc/openldap/schema/inetorgperson.schema
>> include /usr/local/etc/openldap/schema/nis.schema
>> #include /usr/local/etc/openldap/schema/ldapns.schema
>> include /usr/local/etc/openldap/schema/samba.schema
>> include /usr/local/etc/openldap/schema/sudo.schema
>> logfile /var/log/slapd.log
>> loglevel stats
>> pidfile /var/run/openldap/slapd.pid
>> argsfile /var/run/openldap/slapd.args
>> modulepath /usr/local/libexec/openldap
>> moduleload back_bdb
>> database bdb
>> directory /var/db/openldap-data
>> #index uid pres,eq
>> index cn,sn,uid pres,eq,sub
>> index objectClass eq
>> #index sudoUser
>> suffix "dc=XXX,dc=net"
>> rootdn "cn=krad,dc=XXX,dc=net"
>> rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
>> access to attrs=userPassword
>> by self write
>> by anonymous auth
>> by dn.base="cn=krad,dc=XXX,dc=net" write
>> by * none
>> access to *
>> by self write
>> by dn.base="cn=krad,dc=XXX,dc=net" write
>> by * read
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
Haha, sorry, I completely forgot about the pam files; here is mine. You
definitely need to be explicit with the path of the ldap module.

[root@carrera /home/krad]# cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1 2009/08/03 08:13:06 kensmith Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
#auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user

# session
#session optional pam_ssh.so
session required pam_permit.so
session required /usr/local/lib/pam_mkhomedir.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
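The two `auth` sections in this thread differ in three ways that decide whether an LDAP user gets in: the module path (bare `pam_ldap.so` versus `/usr/local/lib/pam_ldap.so`), the control flag on the LDAP entry (`required` versus `sufficient` followed by a `required pam_unix.so`), and the `ignore_authinfo_unavail` option. The following is an added example written for this page, not code from FreeBSD, OpenPAM, pam_ldap or either poster: a small simulator of how a PAM `auth` chain is evaluated under the `required`/`requisite`/`sufficient`/`optional` rules, run over the two stacks quoted above. The module search directory (`/usr/lib`), the inventory of installed modules and every per-module verdict are constructed assumptions; treating an unloadable module as a failed login is also an assumption, stated in the code.

```python
"""Simulate an OpenPAM-style "auth" chain (added example, not project code).

ASSUMPTIONS: a module given without a leading "/" is searched for only in
MODULE_DIRS; INSTALLED and every verdict below are constructed; a module the
loader cannot find is modelled as a failed login.
"""
from dataclasses import dataclass

MODULE_DIRS = ("/usr/lib",)   # ASSUMPTION: base-system module directory only
INSTALLED = {                 # CONSTRUCTED inventory of the example host
    "/usr/lib/pam_opie.so", "/usr/lib/pam_opieaccess.so", "/usr/lib/pam_unix.so",
    "/usr/local/lib/pam_ldap.so", "/usr/local/lib/pam_mkhomedir.so",
}


@dataclass(frozen=True)
class Entry:
    facility: str
    control: str
    module: str
    args: tuple


def parse_pam(text):
    """Parse pam.conf(5)-style lines: <facility> <control> <module> [args...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return entries


def resolve_module(name, installed=INSTALLED, dirs=MODULE_DIRS):
    """Path the loader would open, or None when the module cannot be found."""
    candidates = [name] if name.startswith("/") else [f"{d}/{name}" for d in dirs]
    return next((c for c in candidates if c in installed), None)


def run_auth(entries, verdicts):
    """Evaluate the 'auth' chain; verdicts maps module basename to
    'success', 'fail' or 'unavail' (backend unreachable). Returns (result, reason)."""
    failed_required = False
    for e in (x for x in entries if x.facility == "auth"):
        path = resolve_module(e.module)
        if path is None:   # ASSUMPTION: unloadable module => login denied
            return "fail", f"module {e.module} not found in {MODULE_DIRS}"
        r = verdicts.get(path.rsplit("/", 1)[1], "fail")
        # pam_ldap's ignore_authinfo_unavail makes "server unreachable" a
        # PAM_IGNORE, so the entry is skipped instead of counting as a failure.
        if r == "unavail" and "ignore_authinfo_unavail" in e.args:
            continue
        ok = r == "success"
        if e.control == "requisite" and not ok:
            return "fail", f"requisite {e.module} failed"
        if e.control in ("sufficient", "binding") and ok and not failed_required:
            return "success", f"{e.control} {e.module} succeeded"
        if e.control in ("required", "binding") and not ok:
            failed_required = True      # remembered, but the chain keeps running
        # optional results and sufficient failures are ignored
    if failed_required:
        return "fail", "a required module failed"
    return "success", "end of chain with no required failure"


# auth sections as quoted in the thread (commented lines omitted)
POSTER_AUTH = """
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_ldap.so
"""
POSTER_AUTH_FIXED = POSTER_AUTH.replace("pam_ldap.so", "/usr/local/lib/pam_ldap.so")
WORKING_AUTH = """
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
"""

# CONSTRUCTED scenarios: the verdict each module would give for one login
LDAP_USER_OK = {"pam_opie.so": "fail", "pam_opieaccess.so": "success",
                "pam_ldap.so": "success", "pam_unix.so": "fail"}
LDAP_USER_DOWN = {**LDAP_USER_OK, "pam_ldap.so": "unavail"}
LOCAL_ROOT_DOWN = {**LDAP_USER_DOWN, "pam_unix.so": "success"}


def evaluate(stack_text, scenario):
    return run_auth(parse_pam(stack_text), scenario)[0]


if __name__ == "__main__":
    for name, stack in (("poster", POSTER_AUTH), ("poster+path", POSTER_AUTH_FIXED),
                        ("working", WORKING_AUTH)):
        for label, sc in (("ldap user, server up", LDAP_USER_OK),
                          ("ldap user, server down", LDAP_USER_DOWN),
                          ("local root, server down", LOCAL_ROOT_DOWN)):
            print(f"{name:12} {label:24} -> {run_auth(parse_pam(stack), sc)}")
```

Under these assumptions the poster's stack is denied before any password is checked because `pam_ldap.so` is not under `/usr/lib`; with the explicit path it admits the LDAP user but also locks out local root whenever the directory is unreachable, since `required` turns "server unavailable" into a failure. The reply's ordering (`sufficient` LDAP with `ignore_authinfo_unavail`, then `required pam_unix.so`) keeps local accounts usable during an LDAP outage while still refusing an LDAP-only user whose password cannot be verified.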