Dick Davies rasputnik at
Fri Oct 1 07:41:33 PDT 2004

* Bret Walker <bret-walker at> [1023 15:23]:
> I have ldap.conf in /etc/ and in /usr/local/etc/ldap.conf

The one in /etc isn't doing anything, so get rid of it.

The /usr/local/etc/ldap.conf should be holding the AD stuff
(what user to bind as, etc).

> I am able to log into the console as these users using the local password,
> but not using the ldap password.  All of my pam info is in /etc/pam.conf,
> I don't have /etc/pam.d.

Then you're on 4.X, right? Shouldn't stop this working.

> sshd	auth	sufficient
> sshd	auth	sufficient		no_fake_prompts
> sshd	auth	sufficient		try_first_pass
> sshd	auth	sufficient	/usr/local/lib/
> try_first_pass debug
> sshd	account	required
> sshd	password	required
> sshd	session	required
> All I see in the logs are messages saying:
> "error: PAM: User not known to the underlying authentication module"

Right, so sshd is using pam. That's something.

The error could mean several things, one of which is that the user doesn't exist.

If you look through your ldap.conf, you should have enough info to pretend to be

use ldapsearch and try 

ldapsearch -x -H "ldap://<host from ldap.conf>" -b "<base from ldap.conf>" \
  -D "<binddn from ldap.conf>" -W "<pam_login_attribute from ldap.conf>=username"

and enter the bindpw from ldap.conf

If you don't get the AD account back, then your ldap.conf is screwed.

> I'm pretty sure the ldap.conf files are correct, because I've followed the
> instructions from several places to the T.

"The nice thing about definitive LDAP howtos is there are so many to choose from" :) 

You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your coat. - Bender
Rasputin :: Jack of All Trades - Master of Nuns
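An added example, not part of the original thread, that turns the ldapsearch check above into a script: it reads host/uri, base, binddn and pam_login_attribute from a pam_ldap ldap.conf and prints the ldapsearch command that issues the same query pam_ldap would, so a miss here explains the "User not known" message. The sample ldap.conf, hostnames and domain are constructed; the key names are pam_ldap's own.

```shell
#!/bin/sh
# Added example: derive the ldapsearch check from a pam_ldap ldap.conf.
# The sample config below is constructed; on the FreeBSD box the real
# file is /usr/local/etc/ldap.conf.

# pam_ldap config format: "key<whitespace>value", '#' starts a comment.
# Prints the value of key $2 from file $1 (first match, empty if absent).
conf_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == k { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Prints the ldapsearch line that mirrors what pam_ldap does at login:
# bind as binddn (-W prompts for bindpw), search under base for
# pam_login_attribute=<user>. No hit is what sshd reports as
# "User not known to the underlying authentication module".
build_ldapsearch() {   # $1 = ldap.conf path, $2 = login name
    uri=$(conf_get "$1" uri)
    [ -n "$uri" ] || uri="ldap://$(conf_get "$1" host)"   # 'host' form
    base=$(conf_get "$1" base)
    binddn=$(conf_get "$1" binddn)
    attr=$(conf_get "$1" pam_login_attribute)
    [ -n "$attr" ] || attr=uid                   # pam_ldap default
    if [ -z "$base" ] || [ "$uri" = "ldap://" ]; then
        echo "ldap.conf is missing host/uri or base" >&2
        return 1
    fi
    printf 'ldapsearch -x -H "%s" -b "%s" -D "%s" -W "(%s=%s)"\n' \
        "$uri" "$base" "$binddn" "$attr" "$2"
}

# Constructed sample config (not a real domain), written to file $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# pam_ldap settings for an AD domain (constructed sample)
host        dc1.example.test
base        dc=example,dc=test
binddn      cn=ldapreader,cn=Users,dc=example,dc=test
bindpw      secret
pam_login_attribute   sAMAccountName
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
build_ldapsearch "$tmp" bret
rm -f "$tmp"
```

Run it against the real /usr/local/etc/ldap.conf and a real login name, then paste the printed command into a shell and enter the bindpw when prompted.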

More information about the freebsd-questions mailing list