LDAP Authentication from console

Michel Talon talon at lpthe.jussieu.fr
Wed Oct 6 21:34:11 UTC 2010

Kevin Mai wrote:
> Logins over ssh and sudo work great with ldap, but when I try to log in
> from console, it prompts me twice for the password.
> If I put a wrong password it prints out that it cannot bind to the ldap
> server, what means that I'm being able to bind to ldap, but cannot login
> for some reason.

I went through that recently so i can share what i have done:

. First don't forget to configure /usr/local/etc/nss_ldap.conf
This was not mentioned in the doc i had found on the web, i had to run
truss to discover why authentification was not working.

. Second for some strange reason the certificates in cacertir have to be
named in specific way. I have found this hint on the web, and it worked
for me:
ln -s someCA.pem `openssl x509 -in someCA.pem -noout -hash`.0 
(of course i have
tls_cacertdir  /usr/local/etc/openldap/certs
in the 3 ldap config files)

When ldapsearch finally worked OK, i had to play with the pam files.
The file "login" in /etc/pam.d in fact includes "system" which needs to
be tuned.

Now the following works but i don't pretend it is optimal or secure, i
am not a pam expert. But it allows me to enter the console either as a
local user or a ldap user and stops unauthenticated users. But something
is not polished enough since changing passwds is not managed, apparently
(the passwd section below). The order of the stuff is important,
choosing between sufficient and required is important, the
try_first_pass is important (it gets passwd from the previous ldap
query for ldap users), etc. it is a big mess. For sshd i used what i
have found in the web documentation, it works but seems quite

niobe% cat system
# $FreeBSD: src/etc/pam.d/system,v 2010/06/14 02:09:06
# kensmith
# Exp $
# System-wide defaults

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn 
auth            sufficient      pam_unix.so             no_warn try_first_pass nullok 

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so      no_warn 
account         sufficient      pam_unix.so                      

# session
#session        optional        pam_ssh.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_ldap.so      no_warn 
password        sufficient      pam_unix.so             no_warn try_first_pass 


Michel TALON

More information about the freebsd-questions mailing list