Trouble with nss|pam|openldap
Atom Powers
atom.powers at gmail.com
Tue May 23 17:48:50 PDT 2006
On 5/23/06, Jason Lixfeld <jason+lists.freebsd-questions at lixfeld.ca> wrote:
> I'm using openssh-portable and the latest versions of openldap,
> pam_ldap and nss_ldap. It appears as though the system is using
...
I'm not using ssh-portable, but I have it working with the built-in ssh.
...
> user password, even after I enter it in. I tried putting the
> pam_ldap lib in the password section of the /etc/pam.d/sshd file, but
> that was useless too. Local users can ssh in fine.
The pam.d config would be my first guess. What gets logged to all.log?
>
> I searched through the bugs and it seems there is a bug in nss_ldap
> with regards to getpwuid, but that seems to be more of an indicator
> about why finger doesn't work, not why ssh doesn't work
>
> # id testuser seems to work, finger doesn't. Curious. Anyway, it
> still appears as though at least some portions of the system are
> using LDAP, which is good.
> $ id testuser
> uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
> $ finger testuser
> finger: testuser: no such user
> $
id works because it's using the name service to look up the user (you
added ldap to your nsswitch.conf, right?)
finger doesn't work because you don't have a /etc/pam.d/finger file.
Either create one or add pam_ldap to your /etc/pam.d/system file. (I
always create a new conf file for my ldap enabled apps)
Here is my /etc/pam.d/sshd file, I use the exact same file for all my
ldap enabled apps:
(if somebody sees a bug in there, or can suggest any improvement, by
all means let me know.)
--
# auth
auth sufficient /usr/local/lib/pam_ldap.so
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account sufficient /usr/local/lib/pam_ldap.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
--
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
More information about the freebsd-questions mailing list
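To see which modules a stack like the one in the reply actually consults, here is an added Python simulation of the required/requisite/sufficient/optional control-flag semantics shared by OpenPAM and Linux-PAM. It is example code, not part of the post and not OpenPAM's own logic; it embeds the /etc/pam.d/sshd file quoted above, and the per-module outcomes in the scenario dictionaries are constructed assumptions, not results from a real system.

```python
"""Simulate which modules a PAM stack actually consults.

Added example, not code from the mailing-list post or from OpenPAM/Linux-PAM.
PAM_SSHD below is the /etc/pam.d/sshd file quoted in the post; the
scenario dictionaries are constructed module outcomes (assumptions), not
results captured from a real system.
"""
from dataclasses import dataclass

PAM_SSHD = """\
# auth
auth sufficient /usr/local/lib/pam_ldap.so
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account sufficient /usr/local/lib/pam_ldap.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
"""


@dataclass
class Rule:
    phase: str     # auth, account, session or password
    control: str   # required, requisite, sufficient or optional
    module: str    # module basename, directory prefix stripped


def parse_pam(text):
    """Parse pam.d(5)-style lines of the form 'phase control module [options...]'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2].rsplit("/", 1)[-1]))
    return rules


def run_phase(rules, phase, outcomes):
    """Walk one phase of the stack with the classic control-flag semantics.

    outcomes maps module basename -> True (success) / False (failure);
    a module absent from the map is treated as failing.
    Returns (allowed, consulted): the final verdict and the modules that
    were actually run, in order.  Optional modules are ignored here
    (a simplification of the rare only-module case).
    """
    consulted = []
    failed_required = False
    passed_required = False
    for r in (r for r in rules if r.phase == phase):
        ok = outcomes.get(r.module, False)
        consulted.append(r.module)
        if r.control in ("required", "requisite"):
            if ok:
                passed_required = True
            elif r.control == "requisite":
                return False, consulted        # hard stop: deny immediately
            else:
                failed_required = True         # keep walking, final verdict deny
        if r.control == "sufficient" and ok and not failed_required:
            return True, consulted             # short-circuit: the rest is skipped
    return (passed_required and not failed_required), consulted


def skipped(rules, phase, consulted):
    """Modules of the phase that never ran because of a short-circuit."""
    return [r.module for r in rules if r.phase == phase and r.module not in consulted]


RULES = parse_pam(PAM_SSHD)

# Constructed scenarios (assumptions for illustration): a directory user whose
# LDAP bind succeeds while /var/run/nologin exists and login.access would deny,
# and a local user with and without the nologin file present.
LDAP_USER = {"pam_ldap.so": True, "pam_nologin.so": False,
             "pam_opieaccess.so": True, "pam_login_access.so": False,
             "pam_unix.so": False}
LOCAL_USER = {"pam_ldap.so": False, "pam_nologin.so": True,
              "pam_opieaccess.so": True, "pam_login_access.so": True,
              "pam_unix.so": True}
LOCAL_USER_NOLOGIN = dict(LOCAL_USER, **{"pam_nologin.so": False})

if __name__ == "__main__":
    for label, who in (("ldap user, nologin present", LDAP_USER),
                       ("local user, nologin present", LOCAL_USER_NOLOGIN)):
        for phase in ("auth", "account"):
            allowed, ran = run_phase(RULES, phase, who)
            print(f"{label:28} {phase:8} allowed={allowed!s:5} ran={ran} "
                  f"skipped={skipped(RULES, phase, ran)}")
```

Running it shows the practical effect of putting `sufficient pam_ldap.so` first in the auth and account phases: a user who authenticates against the directory never reaches pam_nologin or pam_login_access, so /var/run/nologin and /etc/login.access only constrain users who fall through to pam_unix. Whether that is acceptable depends on the site; moving those `required` modules ahead of the `sufficient` entry makes them apply to everyone.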