Issues while authenticating a user over openLDAP using PAM_ldap

Noah admin2 at enabled.com
Thu Aug 9 12:24:40 PDT 2007


running FreeBSD 6.2 Stable

we have openLDAP installed on a server called access1.  Users on access1
appear to not be able to ssh to access1.  The ssh authentication method
uses PAM ldap.  PAM_ldap reports "Invalid credentials" in /var/log/messages

We have another server called access2 that authenticates to the ldap
server running on access1.  Those users log in via ssh without issue on
access2.

I am trying to track down what is broken.  I am not even sure how to
receive verbose logging from PAM and/or PAM_ldap.  Any assistance is
much appreciated.




Aug  9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)

related rc.conf lines on access1:
slapd_enable="YES"
slapd_flags='-h "ldapi:///var/run/openldap/ldapi/ ldap://0.0.0.0/" -f /usr/local/etc/openldap/slapd.conf'
slapd_sockets="/var/run/openldap/ldapi"
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"


access1# cat /etc/pam.d/ldap
# debug
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $ debug
# debug
# PAM configuration for the "sshd" service debug
# debug

# auth debug

auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass debug
auth            required        pam_nologin.so          no_warn debug
auth            sufficient      pam_opie.so             no_warn no_fake_prompts debug
auth            requisite       pam_opieaccess.so       no_warn allow_local debug
#auth           sufficient      pam_krb5.so             no_warn try_first_pass debug
#auth           sufficient      pam_ssh.so              no_warn try_first_pass debug
auth            required        pam_unix.so             no_warn try_first_pass debug

# account debug
#account        required        pam_krb5.so debug
account         required        pam_login_access.so debug
account         required        pam_unix.so debug

# session debug
#session        optional        pam_ssh.so debug
session         required        /usr/local/lib/pam_mkhomedir.so
#session         required        /usr/local/lib/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug
session         required        pam_permit.so debug

# password debug
#password       sufficient      pam_krb5.so             no_warn try_first_pass debug
password        required        pam_unix.so             no_warn try_first_pass debug


access1
[noah at access1 ~]$ pkg_info | grep pam
checkpassword-pam-0.99 Implementation of checkpassword authentication program
nagios-spamd-plugin-1.4 Nagios plugin for checking SpamAssassins spamd
p5-Mail-SpamAssassin-3.2.1_1 A highly efficient mail filter for identifying spam
pam_ldap-1.8.2      A pam module for authenticating with LDAP
pam_mkhomedir-0.1   Create HOME with a PAM module on demand
pamtester-0.1.2     A command line pam authentication tester
razor-agents-2.84   A distributed, collaborative, spam detection and filtering
[noah at access1 ~]$ pkg_info | grep ldap
ldapsh-2.00_2,1     Interactive shell used to administer ldap directories
nss_ldap-1.255      RFC 2307 NSS module
openldap-client-2.3.37 Open source LDAP client implementation
openldap-server-2.3.37 Open source LDAP server implementation
p5-perl-ldap-0.34   A Client interface to LDAP servers
pam_ldap-1.8.2      A pam module for authenticating with LDAP
php5-ldap-5.2.3_1   The ldap shared extension for php
[noah at access1 ~]$ pkg_info | grep nss
nss-3.11.7          Libraries to support development of security-enabled applic
nss_ldap-1.255      RFC 2307 NSS module
openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
openssl-0.9.8e_1    SSL and crypto library
php5-openssl-5.2.3_1 The openssl shared extension for php
py25-openssl-0.6    Python interface to the OpenSSL library
[noah at access1 ~]$


access2 files
[noah at access2 ~]$ pkg_info | grep pam
pam_ldap-1.8.2      A pam module for authenticating with LDAP
pam_mkhomedir-0.1   Create HOME with a PAM module on demand
pamtester-0.1.2     A command line pam authentication tester
[noah at access2 ~]$ pkg_info | grep ldap
nss_ldap-1.255      RFC 2307 NSS module
openldap-client-2.3.37 Open source LDAP client implementation
openldap-server-2.3.37 Open source LDAP server implementation
pam_ldap-1.8.2      A pam module for authenticating with LDAP
[noah at access2 ~]$ pkg_info | grep nss
nss_ldap-1.255      RFC 2307 NSS module
openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
[noah at access2 ~]$
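As an added example, not part of Noah's message and not code from the pam_ldap or OpenLDAP projects: a small POSIX sh script that does the two checks an admin usually wants when pam_ldap logs "error trying to bind as user ... (Invalid credentials)". The first function summarises those syslog lines by failure reason and bind DN, so one can see at a glance whether every user fails or only one, and whether the reason is a credential problem or a connectivity one. The second function repeats the simple bind that pam_ldap performs, using the OpenLDAP client tool ldapwhoami against a chosen URI (for instance each of the ldapi:// and ldap:// URIs from the slapd_flags above), so a failure at the LDAP layer can be separated from a problem in the PAM stack. The sample log lines are constructed for the demo, modelled on the single line quoted in the post; the second DN, the PIDs and the "Server is unavailable" reason are made up. The bind check assumes the openldap-client tools are installed.

```shell
#!/bin/sh
# Added example: summarise pam_ldap bind failures from syslog-style lines and
# re-run the same LDAP simple bind outside PAM. Not from the original post.

# Constructed sample log lines (not real data), modelled on the line in the post.
SAMPLE_LOG='Aug  9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)
Aug  9 10:18:03 access1 sshd[91880]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)
Aug  9 10:19:11 access1 sshd[91885]: pam_ldap: error trying to bind as user "cn=Other User,cn=people,dc=blah,dc=blah,dc=com" (Server is unavailable)
Aug  9 10:20:00 access1 sshd[91890]: Accepted publickey for noah from 192.0.2.10 port 50000 ssh2'

# pam_ldap_bind_failures FILE
#   Reads syslog lines from FILE ("-" for stdin) and prints one line per
#   distinct (reason, DN) pair as "<count><TAB><reason><TAB><DN>",
#   most frequent first. Lines that are not pam_ldap bind errors are ignored.
pam_ldap_bind_failures() {
    awk '
        /pam_ldap: error trying to bind as user "/ {
            s = $0
            sub(/.*bind as user "/, "", s)      # drop everything before the DN
            dn = s; sub(/".*/, "", dn)          # DN runs up to the closing quote
            reason = s
            sub(/^[^"]*" \(/, "", reason)       # skip the DN and the opening paren
            sub(/\).*$/, "", reason)            # reason runs up to the closing paren
            count[reason "\t" dn]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$1" | sort -rn
}

# invalid_credentials_total FILE
#   Number of pam_ldap binds that failed specifically with "Invalid credentials",
#   as opposed to transport or server errors.
invalid_credentials_total() {
    tab=$(printf '\t')
    pam_ldap_bind_failures "$1" \
        | awk -F "$tab" '$2 == "Invalid credentials" { n += $1 } END { print n + 0 }'
}

# ldap_bind_check URI DN
#   Performs the same simple bind pam_ldap does, but directly with ldapwhoami
#   (openldap-client), so an LDAP-level "Invalid credentials" can be told apart
#   from a PAM stack problem. Prompts for the password (-W) instead of taking it
#   on the command line, where it would be visible in ps. Returns ldapwhoami's
#   exit status; run it once per URI listed in slapd_flags to compare them.
ldap_bind_check() {
    ldapwhoami -x -H "$1" -D "$2" -W
}

# Demo on the constructed sample: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | pam_ldap_bind_failures -
    printf 'invalid-credentials failures: %s\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | invalid_credentials_total -)"
fi
```

On a live host the first function would be fed /var/log/messages instead of the sample, and the bind check would be run with the DN taken from the logged line, for example `ldap_bind_check ldap://access1/ "cn=Test User,cn=people,dc=blah,dc=blah,dc=com"` and again with the ldapi:// URI, to see whether the directory itself rejects the credentials on one transport, both, or neither.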




