baffled by pam_ldap
Lewis Thompson
lewiz at compsoc.man.ac.uk
Thu May 12 18:45:07 PDT 2005
On Thu, May 12, 2005 at 05:11:03PM -0500, Benjamin J Doherty wrote:
> I've been struggling with pam_ldap for three days now and cannot see
> what I am doing wrong. I'm trying to use OpenLDAP for
> authentication, though I threw nss_ldap in for good measure. What's
> so baffling to me is that I can add a new user to the directory and
> verify its existence using "id" but SSH refuses to bind.
I couldn't spot any references to pam.d/sshd anywhere else in your post. To
allow sshd to authenticate via pam_ldap you need to have the lines:
auth sufficient pam_ldap.so no_warn try_first_pass
account sufficient pam_ldap.so
password sufficient pam_ldap.so no_warn try_first_pass
I think just the auth line will do but the rest seem helpful too.
To go a little further than that, I have my pam.d/passwd file configured:
password sufficient pam_unix.so no_warn try_first_pass nullok
password sufficient pam_ldap.so no_warn use_first_pass
pam.d/system:
auth sufficient pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
password sufficient pam_ldap.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
You can apply the following patch to /usr/src/usr.bin/passwd/passwd.c to allow
passwd to be used to change passwords via pam_ldap (it also works for pam_unix)
(see http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/71290):
***BEGIN
--- passwd.c.orig Wed Mar 9 03:20:02 2005
+++ passwd.c Wed Mar 9 03:20:29 2005
@@ -120,9 +120,8 @@
pwd->pw_name);
break;
default:
- /* XXX: Green men ought to be supported via PAM. */
- errx(1,
- "Sorry, `passwd' can only change passwords for local or NIS users.");
+ fprintf(stderr, "Changing LDAP password for %s\n",
+ pwd->pw_name);
}
#define pam_check(func) do { \
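Review bot: the new default branch hardcodes "Changing LDAP password for %s", but nothing in this hunk establishes that the entry came from LDAP; the branch is reached for any user who is neither local nor NIS (the deleted "XXX: Green men ought to be supported via PAM" comment shows it was meant as a catch-all for PAM-backed sources). A backend-neutral message such as `fprintf(stderr, "Changing password for %s\n", pwd->pw_name);` would be accurate for whatever the PAM stack handles. It is also worth a sentence in the change description that the old `errx(1, ...)` fatal path is gone, so these users now fall through to the pam_check() calls that follow.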
***END
To use passwd you will also need to configure your /usr/local/etc/ldap.conf
file by setting:
pam_password exop
and on the server side set:
password-hash to whatever you want (SMD5 is good!)
in /usr/local/etc/openldap/slapd.conf.
It took me a good deal of time and effort to bring all those things together
and I have them sat in a non-publicly available wiki. You can find a very good
tutorial which should cover most of this (I think) at
http://books.blurgle.ca/read/book/1 -- unlike other tutorials this one is
dedicated to FreeBSD (and I even got my name in the credits ;).
chsh doesn't work so I came up with this very simple shell script (it's
probably not great and no doubt could be greatly improved):
*** BEGIN
#!/bin/sh
# chsh replacement: change the invoking user's loginShell attribute in LDAP.
# is a shell specified?
if [ -z "$1" ]; then
    echo "Usage: $0 newshell" >&2
    exit 1
fi
# is the shell listed in /etc/shells? (-x: whole-line match, so /bin/sh does not
# accept /bin/shell; -F: fixed string; this also keeps LDIF metacharacters out of $1)
if ! grep -qxF "$1" /etc/shells; then
    echo "That shell is not listed in /etc/shells." >&2
    exit 1
fi
# attempt the modify, binding as the user's own entry (-W prompts for the LDAP password)
user=`whoami`
ldapmodify -x -W -D "uid=$user,ou=People,dc=domain,dc=com" > /dev/null <<EOT
dn: uid=$user,ou=People,dc=domain,dc=com
changetype: modify
replace: loginShell
loginShell: $1
EOT
# $? here is the exit status of ldapmodify
if [ $? -eq 0 ]; then
    echo "Shell changed successfully."
else
    echo "A problem occurred changing your shell. Please contact admin at domain.com for assistance." >&2
    exit 1
fi
*** END
To use that just place it over /usr/bin/chsh (WARNING! THIS COULD BE BAD! :)
I hope that's some help. Good luck!
-Lewis Thompson.
--
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
-| msn:lewiz at fajita.org | jabber:lewiz at jabber.org | url:www.lewiz.org |-
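With `pam_password exop` on the client and `password-hash` in slapd.conf, the new password travels to slapd inside an RFC 3062 Password Modify extended operation and slapd itself hashes it, storing an RFC 2307-style `{SCHEME}base64(digest||salt)` value in userPassword. The block below is an added example in Python; it is not from the post above nor from OpenLDAP. It generates and verifies such values for the {SMD5} scheme recommended in the post and its {SSHA}, {MD5} and {SHA} siblings, so an admin can confirm offline that what landed in the directory is a salted hash rather than cleartext and that it matches a known password. The 4-byte salt length, the sample password and the function names are assumptions (the salt length matches slapd's default; slapd accepts other salt lengths on verification, as does this code).

```python
import base64
import hashlib
import hmac
import os

# RFC 2307 userPassword schemes slapd can generate: prefix -> (digest constructor, salted?)
SCHEMES = {
    "{MD5}": (hashlib.md5, False),
    "{SMD5}": (hashlib.md5, True),
    "{SHA}": (hashlib.sha1, False),
    "{SSHA}": (hashlib.sha1, True),
}

SALT_LEN = 4  # assumption: slapd's default salt length for {SMD5}/{SSHA}


def hash_userpassword(password, scheme="{SSHA}", salt=None):
    """Return "{SCHEME}" + base64(digest(password || salt) || salt), the layout slapd stores."""
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    ctor, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        if salt is None:
            salt = os.urandom(SALT_LEN)
        blob = ctor(pw + salt).digest() + salt  # the salt is appended after the digest
    else:
        blob = ctor(pw).digest()
    return scheme + base64.b64encode(blob).decode("ascii")


def parse_userpassword(stored):
    """Split a stored value into (scheme, digest, salt); None if it is not a known hashed form."""
    if not stored.startswith("{"):
        return None  # cleartext or unknown layout: never compare against it
    end = stored.find("}")
    if end < 0:
        return None
    scheme = stored[: end + 1].upper()
    if scheme not in SCHEMES:
        return None  # e.g. {CRYPT} or a scheme this example does not handle
    try:
        blob = base64.b64decode(stored[end + 1:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    ctor, salted = SCHEMES[scheme]
    dlen = ctor().digest_size
    if len(blob) < dlen or (not salted and len(blob) != dlen):
        return None
    return scheme, blob[:dlen], blob[dlen:]


def verify_userpassword(stored, password):
    """Constant-time check of a candidate password against a stored userPassword value."""
    parsed = parse_userpassword(stored)
    if parsed is None:
        return False
    scheme, digest, salt = parsed
    ctor, _ = SCHEMES[scheme]
    # for unsalted schemes salt is b"" and this reduces to digest(password)
    expected = ctor(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # constructed sample: what slapd writes after passwd sends the exop with password-hash {SMD5}
    stored = hash_userpassword("hunter2", "{SMD5}")
    print(stored)
    print(verify_userpassword(stored, "hunter2"))  # True
    print(verify_userpassword(stored, "Hunter2"))  # False
    print(verify_userpassword("hunter2", "hunter2"))  # False: a cleartext value is never accepted
```

To check a live entry, read the attribute with `ldapsearch -x -D <admin dn> -W -b "uid=<user>,ou=People,..." userPassword` (it comes back base64-encoded in LDIF if it contains non-ASCII; decode once before passing it to `verify_userpassword`). A value that does not start with a `{SCHEME}` prefix means the password was written with a plain `replace: userPassword` instead of through the extended operation, which is exactly the case `pam_password exop` is meant to avoid.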