PAM debug

Andrey Simonenko simon at
Tue Jul 26 11:33:49 GMT 2005

On Tue, 26 Jul 2005 09:19:42 +0200 in lucky.freebsd.questions, Valerio daelli wrote:
> Hello
> we are having problems with PAM authenticating users on LDAP.
> We have FreeBSD 5.3.
> We would like to switch debugging.
> If we put this line in /etc/pam.d/login
> auth            sufficient        debug try_first_pass
> nothing happens.

According to the pam_ldap/nss manual page, debug does not work with
pam_ldap/nss.  When I debugged my pam_ldap/nss installation I used the
log file from the OpenLDAP server and tcpdump.  At first my
connections were not TLS encrypted, so it was easy to read the content
of the packets.

In my environment I don't use bindpw, and the OpenLDAP server does not
send passwords in any form to clients.  Instead everyone is able
to read all fields from the user dn, except his/her password; when
a user tries to log in, pam_ldap sends the password over a TLS-encrypted
channel to the OpenLDAP server.

Do commands like "id bill" work on a system with ldap_nss?
Have you tried to use ldapsearch to query your LDAP server from
a client machine?  Create a syslog log file for the LDAP server (slapd
in the case of OpenLDAP) and check it.

By the way, how are you going to share user home directories?
One way is to use NFS with quota on a server (or on several servers).
I'm not very happy with this solution, because NFS will export
all file systems to clients; if somebody breaks root, then he/she can
gain access to any user home directory.

There is pam_mount; with some modifications it can be built on
FreeBSD 5.x.  Has somebody tried it with Samba?  What are the alternatives
to NFS + quota for systems which use pam_ldap?

PS: sorry for the possible double posting.
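As an added illustration of the "check the slapd log" advice above (this is example code, not part of the thread or of OpenLDAP itself): with `loglevel 256` (stats) slapd logs one `BIND dn=...` line and one `RESULT tag=97 err=N` line per bind, plus a `TLS established` line for sessions that negotiated TLS. The script below pairs those lines per connection and flags binds that were sent without TLS, i.e. with the password in the clear, which is exactly the situation described for the first debugging attempts. The log lines, hostnames, connection numbers and DNs are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise simple BINDs from an OpenLDAP "stats" log
# (loglevel 256) and flag the ones that arrived on a non-TLS connection.
# The sample log below is constructed; names and DNs are invented.

SAMPLE_LOG=$(cat <<'EOF'
Jul 26 11:30:01 ldap slapd[712]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:49152 (IP=0.0.0.0:389)
Jul 26 11:30:01 ldap slapd[712]: conn=1000 op=0 STARTTLS
Jul 26 11:30:01 ldap slapd[712]: conn=1000 op=0 RESULT oid= err=0 text=
Jul 26 11:30:01 ldap slapd[712]: conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
Jul 26 11:30:01 ldap slapd[712]: conn=1000 op=1 BIND dn="uid=bill,ou=people,dc=example,dc=com" method=128
Jul 26 11:30:01 ldap slapd[712]: conn=1000 op=1 RESULT tag=97 err=0 text=
Jul 26 11:30:05 ldap slapd[712]: conn=1001 fd=13 ACCEPT from IP=192.0.2.11:49153 (IP=0.0.0.0:389)
Jul 26 11:30:05 ldap slapd[712]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Jul 26 11:30:05 ldap slapd[712]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jul 26 11:30:09 ldap slapd[712]: conn=1002 fd=14 ACCEPT from IP=192.0.2.12:49154 (IP=0.0.0.0:389)
Jul 26 11:30:09 ldap slapd[712]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Jul 26 11:30:09 ldap slapd[712]: conn=1002 op=0 RESULT tag=97 err=0 text=
EOF
)

# bind_report: read slapd stats lines on stdin, print one line per
# completed simple BIND:  conn=<id> dn=<dn> tls=yes|NO err=<ldap result>
# err=0 is success, err=49 is invalidCredentials (wrong password / no such DN).
bind_report() {
    awk '
    {
        # every stats line carries conn=<id>; op=<n> is present on operations
        conn = ""; op = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^conn=/) conn = substr($i, 6)
            if ($i ~ /^op=/)   op = substr($i, 4)
        }
    }
    /TLS established/ { tls[conn] = 1; next }
    / BIND dn=/ {
        # remember which DN is binding on this conn/op until its RESULT shows up
        match($0, /dn="[^"]*"/)
        dn = substr($0, RSTART + 4, RLENGTH - 5)
        binddn[conn "," op] = dn
        next
    }
    / RESULT tag=97 / {
        # tag=97 is bindResponse; pair it with the BIND recorded above
        key = conn "," op
        if (key in binddn) {
            err = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^err=/) err = substr($i, 5)
            printf "conn=%s dn=%s tls=%s err=%s\n", conn, binddn[key], (conn in tls) ? "yes" : "NO", err
            delete binddn[key]
        }
    }'
}

# cleartext_binds: only the binds whose connection never negotiated TLS,
# i.e. the password crossed the wire in the clear.
cleartext_binds() {
    bind_report | awk '$3 == "tls=NO"'
}

printf '%s\n' "$SAMPLE_LOG" | bind_report
echo "--- binds without TLS ---"
printf '%s\n' "$SAMPLE_LOG" | cleartext_binds
```

On a live server, feed it the slapd syslog file instead of the sample (`bind_report < /var/log/slapd.log`); slapd logs through syslog facility local4 by default, so that file has to be created with a matching syslog.conf line first. The `TLS established` line is written for both STARTTLS and ldaps:// sessions, so a bind reported as `tls=NO` really did travel in cleartext, which is what the tcpdump approach above would also reveal.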
