Almost have NSS/PAM/LDAP... need a lil help (was Re: Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x)
Jon Adams
jkadams at computer.org
Sun Nov 21 14:34:33 PST 2004
After much banging my head against the desk, I have it kinda working...
I can su - to a user (from root) and get home directory... but... and I
have tried PLAIN, CRYPT, and SSHA passwords...
I cannot login, su - (when prompted for password), ssh in...
here are some of the conf files
east# more /usr/local/etc/pam_ldap/ssh.conf
host 127.0.0.1
port 389
base dc=all,dc=net
ldap_version 3
ssl off
tls_ciphers HIGH:MEDIUM:+SSLv2:RSA
tls_checkpeer no
pam_login_attribute uid
east# cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass config=/usr/local/etc/pam_ldap/ssh.conf
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account sufficient /usr/local/lib/pam_ldap.so config=/usr/local/etc/pam_ldap/ssh.conf
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session sufficient /usr/local/lib/pam_ldap.so config=/usr/local/etc/pam_ldap/ssh.conf
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so config=/usr/local/etc/pam_ldap/ssh.conf
password required pam_unix.so no_warn try_first_pass
east# more /usr/local/etc/ldap.conf
rootbinddb cn=Manager,dc=all,dc=net
uri ldaps://69.17.104.19:636/
binddn cn=Manager,dc=all,dc=net
ssl yes
bindpw ________
port 636
nss_base_passwd ou=People,dc=all,dc=net?one
nss_base_group ou=Groups,dc=all,dc=net?one
pam_password SSHA
> uname -a
FreeBSD east 5.1-RELEASE FreeBSD 5.1-RELEASE #3: Tue Nov 9 22:43:42 GMT 2004 jka at nitro:/usr/src/sys/i386/compile/ORACLE i386
(I put in the oracle required changes and some TCP/IP related stuff)
> ./slapd -VV
@(#) $OpenLDAP: slapd 2.2.18 (Nov 21 2004 02:33:07) $
jka at east:/usr/ports/net/openldap22-sasl-server/work/openldap-2.2.18/servers/slapd
> sshd -v
sshd version OpenSSH_3.6.1p1 FreeBSD-20030423
strings on slappasswd shows the following are compiled in:
{SSHA}
{CRYPT}
{SHA}
{MD5}
{LANMAN}
{SASL}
{UNIX}
{CLEARTEXT}
Jon Adams wrote:
> I tried this one:
> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
>
>
> and it emphatically does not work, and I followed it to the letter....
> I think it has something to do with NSS only using SSL/port 636.
>
> so then I tried it with that added.... still no dice
>
>
> Help!
>
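One thing worth ruling out when PLAIN, CRYPT and SSHA all fail is the stored hash itself. The following is an added check, not from the original post, that verifies a candidate password against an OpenLDAP userPassword value in {SSHA}, {SHA} or {CLEARTEXT} form; the {SSHA} layout (base64 of the SHA-1 digest followed by the salt, as slappasswd -h {SSHA} emits) is assumed from the RFC 2307 convention OpenLDAP follows.

```python
"""Offline check of OpenLDAP userPassword values (added example, not from the post).
Assumed layout: {SSHA} = base64(sha1(password + salt) + salt), salt of any length;
{SHA} = base64(sha1(password)); {CLEARTEXT} or no prefix = plain text."""
import base64
import hashlib
import hmac
import os


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build a {SSHA} value like slappasswd does (4 random salt bytes unless given)."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored: str, candidate: str) -> bool:
    """Return True if candidate matches the stored userPassword value.
    Supports {SSHA}, {SHA} and {CLEARTEXT}; other schemes raise ValueError."""
    if not stored.startswith("{"):
        # No scheme prefix: slapd compares the value as plain text.
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, data = stored[1:].partition("}")
    scheme = scheme.upper()
    pw = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(data.encode("utf-8"), pw)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(data), hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("unsupported scheme {%s}" % scheme)


if __name__ == "__main__":
    # Constructed sample: hash a password, then confirm only the right one verifies.
    value = make_ssha("secret")
    print(value, check_password(value, "secret"), check_password(value, "Secret"))
```

Paste the userPassword value as returned by ldapsearch (base64-decode it first if the LDIF shows "userPassword::") and compare it with the password that is failing at the prompt; a False here means the directory entry, not PAM, is the problem.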
More information about the freebsd-questions mailing list