Almost have NSS/PAM/LDAP... need a lil help ( was Re: Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x)

Jon Adams jkadams at computer.org
Sun Nov 21 14:34:33 PST 2004


After much banging my head against the desk, I have it kinda working...

I can su - to a user (from root) and get home directory... but... and I 
have tried PLAIN, CRYPT, and SSHA passwords...
I cannot login,  su - (when prompted for password), ssh in...

here are some of the conf files

east# more /usr/local/etc/pam_ldap/ssh.conf
host 127.0.0.1
port 389
base dc=all,dc=net
ldap_version 3
ssl off
tls_ciphers HIGH:MEDIUM:+SSLv2:RSA
tls_checkpeer no
pam_login_attribute uid

east# cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass config=/usr/local/etc/pam_ldap/ssh.conf
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
#account        required        pam_krb5.so
account         sufficient      /usr/local/lib/pam_ldap.so config=/usr/local/etc/pam_ldap/ssh.conf
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         sufficient      /usr/local/lib/pam_ldap.so config=/usr/local/etc/pam_ldap/ssh.conf
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_ldap.so config=/usr/local/etc/pam_ldap/ssh.conf
password        required        pam_unix.so             no_warn try_first_pass

east# more /usr/local/etc/ldap.conf
rootbinddb cn=Manager,dc=all,dc=net
uri ldaps://69.17.104.19:636/
binddn cn=Manager,dc=all,dc=net
ssl yes
bindpw ________
port 636
nss_base_passwd ou=People,dc=all,dc=net?one
nss_base_group  ou=Groups,dc=all,dc=net?one
pam_password SSHA

 > uname -a
FreeBSD east 5.1-RELEASE FreeBSD 5.1-RELEASE #3: Tue Nov  9 22:43:42 GMT 2004     jka at nitro:/usr/src/sys/i386/compile/ORACLE  i386
(I put in the oracle required changes and some TCP/IP related stuff)

 > ./slapd -VV
@(#) $OpenLDAP: slapd 2.2.18 (Nov 21 2004 02:33:07) $
        
jka at east:/usr/ports/net/openldap22-sasl-server/work/openldap-2.2.18/servers/slapd

 > sshd -v
sshd version OpenSSH_3.6.1p1 FreeBSD-20030423

strings on slappasswd show the following are compiled in:

{SSHA}
{CRYPT}
{SHA}
{MD5}
{LANMAN}
{SASL}
{UNIX}
{CLEARTEXT}

Jon Adams wrote:

> I tried this one:
> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html 
>
>
> and it emphatically does not work, and I followed it to the letter.... 
> I think it has something to do with NSS only using SSL/port 636.
>
> so then I tried it with that added.... still no dice
>
>
> Help!
>
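The post lists the password schemes compiled into slappasswd ({SSHA}, {SHA}, {CRYPT}, ...) and sets pam_password SSHA, but does not show how to check that a stored userPassword value actually matches the password being typed. The following is an added example, not code from the poster or from OpenLDAP: it generates and verifies {SSHA} and {SHA} userPassword values exactly as slappasswd formats them (SHA-1 over password+salt, base64 of digest+salt for SSHA; base64 of the bare SHA-1 digest for SHA; no prefix means cleartext). Running it against a value copied out of the directory tells you whether the hash itself is wrong before you dig further into pam_ldap. The sample password and the fixed salt are constructed for the example; {CRYPT} is deliberately not handled here because it depends on the platform crypt(3).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_DIGEST_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value.

    Format: "{SSHA}" + base64(sha1(password + salt) + salt).
    A random 4-byte salt is used when none is supplied (same size slappasswd uses).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Build an unsalted {SHA} userPassword value: "{SHA}" + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a candidate password against a userPassword attribute value.

    Handles {SSHA}, {SHA} and prefix-less cleartext values. Comparisons use
    hmac.compare_digest so the check does not leak timing information.
    Raises ValueError for schemes this example does not implement ({CRYPT}, {MD5}, ...).
    """
    if not stored.startswith("{"):
        # OpenLDAP treats a value without a scheme prefix as cleartext.
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))

    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    pw = password.encode("utf-8")

    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
        if len(digest) != SHA1_DIGEST_LEN:
            return False  # truncated or corrupted value, never a match
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)

    if scheme == "SHA":
        digest = base64.b64decode(payload)
        return hmac.compare_digest(hashlib.sha1(pw).digest(), digest)

    raise ValueError("unsupported userPassword scheme: {%s}" % scheme)


# Constructed sample values (not from the post); "secret" under {SHA} is the
# classic OpenLDAP documentation example and is reproduced here for checking.
SAMPLE_PASSWORD = "secret"
SAMPLE_SALT = b"\x01\x02\x03\x04"
KNOWN_SHA_VALUE = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="


def self_check() -> dict:
    """Exercise every path once and return the results for inspection."""
    ssha = ssha_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    return {
        "ssha_value": ssha,
        "ssha_ok": verify_userpassword(SAMPLE_PASSWORD, ssha),
        "ssha_wrong": verify_userpassword("not-secret", ssha),
        "sha_matches_known": sha_hash(SAMPLE_PASSWORD) == KNOWN_SHA_VALUE,
        "sha_ok": verify_userpassword(SAMPLE_PASSWORD, KNOWN_SHA_VALUE),
        "cleartext_ok": verify_userpassword(SAMPLE_PASSWORD, SAMPLE_PASSWORD),
    }


if __name__ == "__main__":
    for name, value in self_check().items():
        print("%-18s %s" % (name, value))
```

To use it against a real entry, copy the userPassword value from an ldapsearch of the account (as the rootdn, since userPassword is normally not readable anonymously) into verify_userpassword together with the password you are typing at the login prompt; a False result means the stored hash, not the PAM stack, is what is rejecting you, and a ValueError means the entry uses a scheme pam_ldap may not be able to compare locally.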

