kde/kdm + nsswitch + ldap = nologon
Joe Kraft
jvk-list at thekrafts.org
Sun Mar 8 14:28:38 PDT 2009
>
> I'd like to duplicate your setup nonetheless to learn. Can you provide
> all the pam files, showconfig for the openldap and kdm-related port so I
> can run with the same port?
>
> gdm offers pam integration by the description. I'd be looking at options
> in pam, and making sure the console logins work off pam too to make the
> comparison to apples to apples the same.
>
> Please give me the showconfig from the items above.
Was going to send as an e-mail to keep the gigantic post off the list, but
my mailer went stupid this morning...
OK...we'll start with the server. Note that while I'm using the SASL
portion of the port, I'm not using any of the SASL type functionality yet.
Just in case you missed the part from the original post... I ran into a bug
report from last summer that appears to still be open with exactly the same
issue (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321). I get the same
error messages and such; with any luck it's based on misconfiguration of
something.
I hope all of this helps.
Joe.
============================
From the ldap server:
shadow# uname -a
FreeBSD shadow.casa.local 6.3-STABLE FreeBSD 6.3-STABLE #1: Sat Apr 5
14:49:53 EDT 2008 joe at shadow.casa.local:/usr/obj/usr/src/sys/GENERIC i386
shadow# pkg_info |grep ldap
nss_ldap-1.257 RFC 2307 NSS module
openldap-sasl-client-2.4.11 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.11_2 Open source LDAP server implementation
pam_ldap-1.8.4 A pam module for authenticating with LDAP
shadow# cd /usr/ports/net/openldap24-server
shadow# make showconfig
===> The following configuration options are available for openldap-sasl-server-2.4.11_2:
SASL=on "With (Cyrus) SASL2 support"
DNSSRV=off "With Dnssrv backend"
PASSWD=off "With Passwd backend"
PERL=off "With Perl backend"
RELAY=off "With Relay backend"
SHELL=off "With Shell backend (disables threading)"
SOCK=off "With Sock backend"
ODBC=off "With SQL backend"
RLOOKUPS=off "With reverse lookups of client hostnames"
SLP=off "With SLPv2 (RFC 2608) support"
SLAPI=off "With Netscape SLAPI plugin API"
TCP_WRAPPERS=on "With tcp wrapper support"
BDB=on "With BerkeleyDB support"
ACCESSLOG=off "With In-Directory Access Logging overlay"
AUDITLOG=off "With Audit Logging overlay"
CONSTRAINT=off "With Attribute Constraint overlay"
DDS=off "Dynamic Directory Services overlay"
DENYOP=off "With Deny Operation overlay"
DYNGROUP=off "With Dynamic Group overlay"
DYNLIST=off "With Dynamic List overlay"
LASTMOD=off "With Last Modification overlay"
MEMBEROF=off "With Reverse Group Membership overlay"
PPOLICY=off "With Password Policy overlay"
PROXYCACHE=off "With Proxy Cache overlay"
REFINT=off "With Referential Integrity overlay"
RETCODE=off "With Return Code testing overlay"
RWM=off "With Rewrite/Remap overlay"
SEQMOD=on "Sequential Modify overlay"
SYNCPROV=on "With Syncrepl Provider overlay"
TRANSLUCENT=off "With Translucent Proxy overlay"
UNIQUE=off "With attribute Uniqueness overlay"
VALSORT=off "With Value Sorting overlay"
SMBPWD=off "With Samba Password hashes overlay"
DYNAMIC_BACKENDS=on "Build dynamic backends"
===> Use 'make config' to modify these settings
shadow# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
#######################################################################
#######################################################################
## BDB database definitions
#######################################################################
#######################################################################
########## main part ##########################
database bdb
directory /var/db/openldap-data
suffix dc=casa,dc=local
rootdn cn=Manager,dc=casa,dc=local
rootpw {crypt}PasswordGoesHere
######## access control #####################
access to * by * write
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange,shadowMax
by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
by dn="cn=nssldap,ou=DSA,dc=casa,dc=local" write
by self write
by anonymous auth
by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
by * read
# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
by self write by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
by self read by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=casa,dc=local"
by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
by * none
# samba needs to be able to create new user accounts
access to dn="ou=accounts,ou=people,dc=casa,dc=local"
by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
by * none
# samba needs to be able to create new group accounts
access to dn="ou=group,dc=casa,dc=local"
by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
by * none
# samba needs to be able to create new computer accounts
access to dn="ou=machine,dc=casa,dc=local"
by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
by * none
access to dn="ou=Idmap,dc=casa,dc=local"
by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
by * none
access to * by * read
######## indices ############################
# Indices to maintain
index objectClass eq
#index cn eq,sub
#index sn eq,sub
index mail eq,sub
#index uid eq
## More indices for samba
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
## End Samba indices
shadow# cat /etc/nsswitch.conf
group: files ldap winbind
hosts: files dns wins
networks: files
passwd: files ldap winbind
shells: files
shadow# cat nss_ldap.conf
# @(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library.
#
# PADL Software
# http://www.padl.com
#
host 127.0.0.1
base dc=casa,dc=local
binddn cn=nssldap,ou=DSA,dc=casa,dc=local
bindpw nssldappwd
rootbinddn cn=Manager,dc=casa,dc=local
scope sub
#timelimit 30
#bind_timelimit 30
#bind_policy hard -----default, check to see if soft works better
bind_policy soft
#nss_connect_policy persist
#idle_timelimit 3600
#nss_schema rfc2307bis
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
nss_base_passwd ou=accounts,ou=people,dc=casa,dc=local?one
nss_base_passwd ou=machine,dc=casa,dc=local?one
nss_base_shadow ou=accounts,ou=people,dc=casa,dc=local?one
nss_base_group ou=group,dc=casa,dc=local?one
#nss_base_hosts ou=Hosts,dc=casa,dc=local?one
#nss_base_services ou=Services,dc=casa,dc=local?one
#nss_base_networks ou=Networks,dc=casa,dc=local?one
#nss_base_protocols ou=Protocols,dc=casa,dc=local?one
#nss_base_rpc ou=Rpc,dc=casa,dc=local?one
#nss_base_ethers ou=Ethers,dc=casa,dc=local?one
#nss_base_netmasks ou=Networks,dc=casa,dc=local?one
#nss_base_bootparams ou=Ethers,dc=casa,dc=local?one
#nss_base_aliases ou=Aliases,dc=casa,dc=local?one
#nss_base_netgroup ou=Netgroup,dc=casa,dc=local?one
shadow# cat ldap.conf
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP PAM module.
#
host 127.0.0.1
base dc=casa,dc=local
binddn cn=nssldap,ou=DSA,dc=casa,dc=local
bindpw nssldappwd
rootbinddn cn=Manager,dc=casa,dc=local
scope sub
timelimit 30
##################################
##### pam_ldap unique config #####
##################################
#pam_filter objectclass=posixAccount
pam_login_attribute uid
#pam_check_host_attr yes
#pam_member_attribute uniquemember
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
shadow# cd /etc/pam.d
shadow# ls
README ftp ftpd gdm imap kde login other passwd pop3 rsh sshd su system telnetd xdm
shadow# cat login
#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth include system
# account
account requisite pam_securetty.so
account include system
# session
session include system
# password
password include system
shadow# cat system
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so try_first_pass ignore_authinfo_unavail
auth required pam_unix.so try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass ignore_authinfo_unavail
password required pam_unix.so no_warn try_first_pass
shadow# cat other
#
# $FreeBSD: src/etc/pam.d/other,v 1.10 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "other" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass ignore_authinfo_unavail
auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_krb5.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
password required pam_permit.so
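slapd evaluates access directives in file order and uses the first `to` clause that matches the entry and attribute, so the `access to * by * write` at the top of the slapd.conf above is the rule that answers every request and the attribute-specific rules beneath it are never reached. The Python below is an added illustration, not part of this post or of OpenLDAP: it models that first-match evaluation over a constructed excerpt of the posted directives (dn-scoped rules left out), and the user DN and the `drop_catch_all_first` helper are assumptions for the demonstration.

```python
import re

# Constructed excerpt of the access directives posted above, wrapped lines
# rejoined; dn-scoped directives are omitted (this models attribute access only).
POSTED_ACL = """
access to * by * write
access to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=nssldap,ou=DSA,dc=casa,dc=local" write by self write by anonymous auth by * none
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid by * read
access to attrs=description,loginShell,gecos,cn,sn,givenname by self write by * read
access to * by * read
"""

def parse_acl(text):
    """Return [(attrs_or_None, [(who, level), ...])] in file order."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"access to (\S+)(.*)", line.strip())
        if not m:
            continue
        what = m.group(1)
        attrs = None if what == "*" else set(what[len("attrs="):].split(","))
        rules.append((attrs, re.findall(r"by (\S+) (\w+)", m.group(2))))
    return rules

def who_matches(who, requester, target):
    """requester is the bound DN, or None for an anonymous connection."""
    return (who == "*"
            or (who == "anonymous" and requester is None)
            or (who == "users" and requester is not None)
            or (who == "self" and requester == target)
            or who == 'dn="%s"' % requester)

def access_level(rules, attr, requester, target):
    """slapd semantics: the first <what> that matches decides; inside it the
    first matching <by> clause wins, and no matching <by> clause means none."""
    for attrs, clauses in rules:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, requester, target):
                return level
        return "none"
    return "none"

def drop_catch_all_first(rules):
    """Assumed fix: remove a leading 'access to *' rule so later rules apply."""
    return rules[1:] if rules and rules[0][0] is None else rules

if __name__ == "__main__":
    user = "uid=joe,ou=accounts,ou=people,dc=casa,dc=local"  # assumed DN
    rules = parse_acl(POSTED_ACL)
    print("anonymous on userPassword:", access_level(rules, "userPassword", None, user))
    fixed = drop_catch_all_first(rules)
    print("after dropping the catch-all:", access_level(fixed, "userPassword", None, user))
```

With the catch-all in place every requester, anonymous included, gets write on every attribute; once it is gone the password attributes fall back to the intended `auth`/`self`/DSA rules.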
================================
On the client I have:
[root at slug etc]# uname -a
FreeBSD slug.casa.local 7.1-STABLE FreeBSD 7.1-STABLE #4: Sun Feb 15
22:47:46 EST 2009 root at slug.home.local:/usr/obj/usr/src/sys/SLUG i386
[root at slug openldap24-server]# pkg_info |grep ldap
nss_ldap-1.264_1 RFC 2307 NSS module
openldap-sasl-client-2.4.13 Open source LDAP client implementation with SASL2 support
pam_ldap-1.8.4 A pam module for authenticating with LDAP
[root at slug etc]# cat nss_ldap.conf
# @(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library.
#
# PADL Software
# http://www.padl.com
#
host 10.0.1.100
base dc=casa,dc=local
binddn cn=nssldap,ou=DSA,dc=casa,dc=local
bindpw nssldappwd
rootbinddn cn=Manager,dc=casa,dc=local
scope sub
#timelimit 30
#bind_timelimit 30
#bind_policy hard -----default, check to see if soft works better
bind_policy soft
#nss_connect_policy persist
#idle_timelimit 3600
#nss_schema rfc2307bis
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
nss_base_passwd ou=accounts,ou=people,dc=casa,dc=local?one
nss_base_passwd ou=machine,dc=casa,dc=local?one
nss_base_shadow ou=accounts,ou=people,dc=casa,dc=local?one
nss_base_group ou=group,dc=casa,dc=local?one
#nss_base_hosts ou=Hosts,dc=casa,dc=local?one
#nss_base_services ou=Services,dc=casa,dc=local?one
#nss_base_networks ou=Networks,dc=casa,dc=local?one
#nss_base_protocols ou=Protocols,dc=casa,dc=local?one
#nss_base_rpc ou=Rpc,dc=casa,dc=local?one
#nss_base_ethers ou=Ethers,dc=casa,dc=local?one
#nss_base_netmasks ou=Networks,dc=casa,dc=local?one
#nss_base_bootparams ou=Ethers,dc=casa,dc=local?one
#nss_base_aliases ou=Aliases,dc=casa,dc=local?one
#nss_base_netgroup ou=Netgroup,dc=casa,dc=local?one
[root at slug etc]# cat ldap.conf
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP PAM module.
#
host 10.0.1.100
base dc=casa,dc=local
binddn cn=nssldap,ou=DSA,dc=casa,dc=local
bindpw nssldappwd
rootbinddn cn=Manager,dc=casa,dc=local
scope sub
timelimit 30
#bind_timelimit 30
#bind_policy hard
#idle_timelimit 3600
##################################
##### pam_ldap unique config #####
##################################
#pam_filter objectclass=posixAccount
pam_login_attribute uid
#pam_check_host_attr yes
#pam_member_attribute uniquemember
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
[root at slug etc]# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
#group: files ldap
group: files ldap winbind
hosts: files dns wins
networks: files
#passwd: files
passwd: files ldap winbind
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
[root at slug etc]# cat /etc/pam.d/login
#
# $FreeBSD: src/etc/pam.d/login,v 1.17 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "login" service
#
# auth
auth sufficient pam_self.so no_warn
#auth sufficient pam_winbind.so no_warn
auth include system
# account
account requisite pam_securetty.so
account required pam_nologin.so
account include system
# session
session include system
# password
password include system
[root at slug etc]# cat /etc/pam.d/system
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
#password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail
password required pam_unix.so no_warn try_first_pass
[root at slug etc]# cat /etc/pam.d/kde
#
# $FreeBSD: src/etc/pam.d/kde,v 1.7 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "kde" service
#
# auth
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
#account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
[root at slug etc]# cat /etc/pam.d/other
#
# $FreeBSD: src/etc/pam.d/other,v 1.11 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "other" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_permit.so
# password
password required pam_permit.so
[root at slug etc]# pkg_info -W kdm
/usr/local/bin/kdm was installed by package kdebase-3.5.10_1
[root at slug etc]# pkg_info -qo kdebase-3.5.10_1
x11/kdebase3
[root at slug etc]# cd /usr/ports/x11/kdebase3
[root at slug kdebase3]# make showconfig
===> The following configuration options are available for kdebase-3.5.10_2:
ARTSWRAPPER=on "Suid wrapper for aRts, req'd for realtime prio"
HAL=on "Use HAL backend for media:/"
HTDIG=off "Depend on htdig, used to build manual indices"
===> Use 'make config' to modify these settings
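The client's /etc/pam.d/kde above differs from /etc/pam.d/system in one auth line: the pam_ldap entry is commented out, so the kde service authenticates with pam_unix alone. The Python below is an added illustration, not part of this post or of OpenPAM: it simulates the control flags (sufficient, requisite, required) over the two posted auth stacks for a constructed LDAP-only user; the module outcome tables are assumptions, and commented-out lines are kept to show they never run.

```python
import re

# Auth lines copied from the client's posted /etc/pam.d/kde and /etc/pam.d/system
# (wrapped lines rejoined); the commented-out kde line is kept deliberately.
KDE_AUTH = """
#auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail
auth required pam_unix.so no_warn try_first_pass
"""
SYSTEM_AUTH = """
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail
auth required pam_unix.so no_warn try_first_pass nullok
"""
# Constructed outcome tables: an account that exists only in LDAP (no OPIE key,
# good LDAP bind, no /etc/master.passwd entry) and a purely local account.
LDAP_ONLY_USER = {"pam_opie": "fail", "pam_opieaccess": "success",
                  "pam_ldap": "success", "pam_unix": "fail"}
LOCAL_USER = {"pam_opie": "fail", "pam_opieaccess": "success",
              "pam_ldap": "fail", "pam_unix": "success"}

def parse_auth_stack(text):
    """Return [(control, module, options)] for the active auth lines only."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        facility, control, module, *opts = line.split()
        if facility == "auth":
            stack.append((control, re.sub(r"^.*/|\.so$", "", module), opts))
    return stack

def run_auth(stack, outcomes):
    """Simplified OpenPAM chain semantics for the flags in these files:
    a successful sufficient module ends the chain with success unless a
    required module already failed; a failed requisite ends it at once; a
    failed required is remembered. An unreachable backend yields "unavail",
    which ignore_authinfo_unavail turns into a skip of that module."""
    failed = False
    for control, module, opts in stack:
        result = outcomes.get(module, "unavail")
        if result == "unavail" and "ignore_authinfo_unavail" in opts:
            continue
        if control == "sufficient" and result == "success" and not failed:
            return True
        if control == "requisite" and result != "success":
            return False
        if control == "required" and result != "success":
            failed = True
    return not failed

if __name__ == "__main__":
    for name, text in (("kde", KDE_AUTH), ("system", SYSTEM_AUTH)):
        print(name, "LDAP-only user:", run_auth(parse_auth_stack(text), LDAP_ONLY_USER))
```

The same LDAP-only user passes the system stack and fails the kde stack; uncommenting the pam_ldap line in the kde file makes the two agree.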
More information about the freebsd-questions mailing list