pam ssh authentication via ldap

Tim Dunphy bluethundr at gmail.com
Sat Feb 26 20:01:24 UTC 2011


Hey list,

I just wanted to follow up with my /usr/local/etc/ldap.conf file and
nsswitch file because I thought they might be helpful in dispensing
advice as to what is going on:

# /usr/local/etc/ldap.conf - read by nss_ldap (every process doing NSS lookups)
# and pam_ldap (sshd, su, ...). Comments start with "#" on their own line.
#
# Plain "ldap://" with no "ssl start_tls" / ldaps URI in this listing means the
# bind password below and user passwords handed to pam_ldap cross the network in
# cleartext unless TLS is configured elsewhere - TODO confirm.
uri ldap://LBSD2.summitnjhome.com
# Default search base. Note it is narrower than the nss_base_* bases below;
# the slapd log quoted later shows the uidNumber lookup running under
# dc=summitnjhome,dc=com with nentries=0, so check where the posixAccount
# entries actually live - verify.
base ou=staff,ou=Group,dc=summitnjhome,dc=com
# Presumably the sudoRole entries are under this ou=Group container; verify,
# as sudo will silently find no rules if they are elsewhere.
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
# Service account used for the anonymous-equivalent NSS/PAM searches.
# This file must be readable by every process that resolves names, so the
# password sits in cleartext for all local users: give this DN read access
# only to the attributes the lookups need, and keep any privileged bind in
# rootbinddn with its password in the mode-0600 ldap.secret file instead.
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
# Subtree search (the slapd log shows scope=2).
scope sub
# Password changes use the LDAP Password Modify extended operation (RFC 3062),
# sent over the same (here unencrypted) connection as the rest.
pam_password exop
# Per-map search bases; these, not "base" above, govern user/group lookups.
nss_base_passwd dc=summitnjhome,dc=com
nss_base_shadow dc=summitnjhome,dc=com
nss_base_group  dc=summitnjhome,dc=com
nss_base_sudo   dc=summitnjhome,dc=com


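# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# Sources are tried left to right. Keeping "files" first means local
# accounts (root included) still resolve when the LDAP server is unreachable.
passwd: files ldap
# The *_compat entries are only consulted when the matching database uses
# the "compat" source; with "passwd: files ldap" above this line appears to
# be inert - confirm against nsswitch.conf(5).
passwd_compat: files ldap
group: files ldap
group_compat: nis
# sudo(8) (when built with LDAP support) takes its rules from LDAP only;
# there is no "files" fallback to a local sudoers here.
sudoers: ldap
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files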


On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
> Hello List!!
>
>  I have an OpenLDAP 2.4 server functioning very nicely that
> authenticates a network of (mostly virtual) centos 5.5 machines.
>
>  But at the moment I am attempting to set up pam authentication for ssh
> via LDAP and having some difficulty.
>
>  My /etc/pam.d/sshd file seems to be set up logically and correctly:
>
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
> #auth           sufficient      pam_ssh.so              no_warn try_first_pass
> auth            required        pam_ldap.so
> #auth           required        pam_unix.so             no_warn try_first_pass
>
> # account
> account         required        pam_nologin.so
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_ldap.so
> #account        required        pam_unix.so
>
> # session
> #session        optional        pam_ssh.so
> session         sufficient      pam_ldap.so
> session         required        pam_permit.so
>
> # password
> #password       sufficient      pam_krb5.so             no_warn try_first_pass
> password        required        pam_ldap.so
> #password       required        pam_unix.so             no_warn try_first_pass
>
>
> And if I'm reading the logs correctly LDAP is searching for and
> finding the account information when I am making the login attempt:
>
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
> base="dc=summitnjhome,dc=com" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uidNumber=1001
> ))"
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
> description objectCla
> ss
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     OR
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     AND
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
> first=106 last=137
> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:52:54 LBSD2 slapd[54891]:     EQUALITY
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
> first=106 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=106 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=1 last=0
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
> tag=101 err=0 nentries=0 text=
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
> Feb 26 19:52:54 LBSD2 slapd[54891]:
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
> error=-2 id=34715, closing.
> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
> conn=34715 sd=212 for close
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>
>
> But logins fail every time. Could someone offer an opinion as to what
> may be going on to prevent logging in via pam/sshd and LDAP?
>
> Thanks in advance!
> Tim
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

