LDAP Authentication from console
Michel Talon
talon at lpthe.jussieu.fr
Wed Oct 6 21:34:11 UTC 2010
Kevin Mai wrote:
> Logins over ssh and sudo work great with ldap, but when I try to log in
> from console, it prompts me twice for the password.
>
> If I put a wrong password it prints out that it cannot bind to the ldap
> server, which means that I'm being able to bind to ldap, but cannot login
> for some reason.
I went through that recently so I can share what I have done:
. First, don't forget to configure /usr/local/etc/nss_ldap.conf
This was not mentioned in the doc I had found on the web; I had to run
truss to discover why authentication was not working.
. Second, for some strange reason the certificates in cacertdir have to be
named in a specific way. I have found this hint on the web, and it worked
for me:
ln -s someCA.pem `openssl x509 -in someCA.pem -noout -hash`.0
(of course I have
tls_cacertdir /usr/local/etc/openldap/certs
in the 3 ldap config files)
When ldapsearch finally worked OK, I had to play with the pam files.
The file "login" in /etc/pam.d in fact includes "system", which needs to
be tuned.
Now the following works, but I don't pretend it is optimal or secure; I
am not a pam expert. But it allows me to enter the console either as a
local user or an ldap user and stops unauthenticated users. But something
is not polished enough, since changing passwds is not managed, apparently
(the passwd section below). The order of the stuff is important,
choosing between sufficient and required is important, the
try_first_pass is important (it gets the passwd from the previous ldap
query for ldap users), etc.; it is a big mess. For sshd I used what I
have found in the web documentation; it works but seems quite
complicated.
niobe% cat system
#
# $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth sufficient pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so no_warn
account sufficient pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so no_warn
password sufficient pam_unix.so no_warn try_first_pass
--
Michel TALON
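The post stresses that the order of the pam_ldap and pam_unix lines, the choice between sufficient and required, and try_first_pass all decide who can log in and how often they are prompted. The following Python script is an added example, not code from the post or from FreeBSD: it is a small simulator of the usual PAM control-flag semantics (required, requisite, sufficient, optional) for the two auth lines of the posted "system" file, with the OPIE lines left out. The account stores are constructed stand-ins for the LDAP directory and the local passwd file, and the alternative stacks are assumptions built to show the effect of each knob, including one arrangement that produces a second password prompt for a local user like the symptom in the question.

```python
"""Simulator of PAM 'auth' stack semantics (added example, not from the post).

Models required / requisite / sufficient / optional and the try_first_pass
option so that the effect of line order on the posted pam.d/system file can
be seen without touching a real system. Only pam_ldap and pam_unix are modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample account stores (assumptions): stand-ins for the LDAP
# directory queried by pam_ldap and the local master.passwd read by pam_unix.
LDAP_USERS = {"alice": "ldap-secret"}
LOCAL_USERS = {"root": "local-secret"}


@dataclass
class Line:
    """One 'auth' line of a pam.d file: control flag, module and its options."""
    control: str                  # required | requisite | sufficient | optional
    module: str                   # "pam_ldap" or "pam_unix"
    options: tuple = ()


@dataclass
class Session:
    user: str
    typed_password: str           # what the user types whenever a prompt appears
    prompts: int = 0              # number of password prompts shown so far
    authtok: Optional[str] = None  # PAM_AUTHTOK: password shared down the stack
    log: List[str] = field(default_factory=list)


def run_module(line: Line, s: Session) -> bool:
    """Simulate one module call; True stands for PAM_SUCCESS."""
    if "try_first_pass" in line.options and s.authtok is not None:
        pw = s.authtok            # reuse the password an earlier module collected
    else:
        s.prompts += 1            # the module prompts for a password itself...
        pw = s.typed_password
        s.authtok = pw            # ...and leaves it in PAM_AUTHTOK for later modules
    store = LDAP_USERS if line.module == "pam_ldap" else LOCAL_USERS
    return store.get(s.user) == pw


def authenticate(stack: List[Line], s: Session) -> bool:
    """Walk the stack top to bottom applying the control-flag rules."""
    impression = None             # None = undecided, True = pass, False = fail
    for line in stack:
        ok = run_module(line, s)
        s.log.append(f"{line.control:10} {line.module:8} -> {'ok' if ok else 'fail'}")
        if line.control == "sufficient":
            if ok and impression is not False:
                return True       # success ends the stack unless a required line failed
            # a failing sufficient module is ignored and the stack continues
        elif line.control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            elif line.control == "requisite":
                return False      # requisite failure returns immediately
            else:
                impression = False  # required failure: keep going, but the result is fail
        elif line.control == "optional" and ok and impression is None:
            impression = True
    return impression is True     # a stack that never decides is a denial


def simulate(stack: List[Line], user: str, password: str) -> Tuple[bool, int]:
    """Return (authenticated?, number of password prompts) for one login attempt."""
    s = Session(user, password)
    ok = authenticate(stack, s)
    return ok, s.prompts


# The two 'auth' lines from the posted /etc/pam.d/system (OPIE lines omitted).
POSTED_STACK = [
    Line("sufficient", "pam_ldap", ("no_warn",)),
    Line("sufficient", "pam_unix", ("no_warn", "try_first_pass", "nullok")),
]
# Assumed variant: pam_unix without try_first_pass, so it prompts on its own.
NO_REUSE_STACK = [
    Line("sufficient", "pam_ldap", ("no_warn",)),
    Line("sufficient", "pam_unix", ("no_warn", "nullok")),
]
# Assumed variant: pam_ldap made 'required', which locks out purely local accounts.
LDAP_REQUIRED_STACK = [
    Line("required", "pam_ldap", ("no_warn",)),
    Line("sufficient", "pam_unix", ("no_warn", "try_first_pass")),
]

if __name__ == "__main__":
    cases = [
        ("posted stack, LDAP user", POSTED_STACK, "alice", "ldap-secret"),
        ("posted stack, local root", POSTED_STACK, "root", "local-secret"),
        ("posted stack, bad password", POSTED_STACK, "root", "wrong"),
        ("no try_first_pass, local root", NO_REUSE_STACK, "root", "local-secret"),
        ("pam_ldap required, local root", LDAP_REQUIRED_STACK, "root", "local-secret"),
    ]
    for name, stack, user, pw in cases:
        ok, prompts = simulate(stack, user, pw)
        print(f"{name:32} -> {'pass' if ok else 'DENY'}, {prompts} prompt(s)")
```

Running it shows the three points the post makes: with the posted order an LDAP user is accepted at pam_ldap and pam_unix is never reached, a local user fails pam_ldap and is accepted by pam_unix without a second prompt because try_first_pass reuses the token, and a wrong password is refused by both. Dropping try_first_pass makes pam_unix prompt again (two prompts for a local user), and turning pam_ldap into required makes the local root login fail even though pam_unix succeeds.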