LDAP Authentication from console

Indexer indexer at internode.on.net
Wed Oct 6 23:41:13 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 07/10/2010, at 10:05 AM, Michel Talon wrote:

> 
> Kevin Mai wrote:
>> Logins over ssh and sudo work great with ldap, but when I try to log in
>> from console, it prompts me twice for the password.
>> 
>> If I put a wrong password it prints out that it cannot bind to the ldap
>> server, which means that I'm being able to bind to ldap, but cannot login
>> for some reason.
> 
> 

Can you send a copy of your /etc/pam.d/sshd and /etc/pam.d/system? What I think you have done is this:

auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_krb5.so             no_warn try_first_pass 
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            required        pam_unix.so             no_warn use_first_pass

Notice the try_first_pass options on krb5 and ldap? This will prompt for the krb5 password, then prompt again for the ldap password, and then fall back to unix. It looks like this when you enter the wrong password:

Password:
LDAP Password:

Password:
LDAP Password:  

etc ....

In your case, you likely have something else rather than krb5, but editing your file to look like this will be of great help:

auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            required        pam_unix.so             no_warn use_first_pass

You need to set ldap to try_first_pass, and unix to use_first_pass. This will stop the "double prompting".

Also of note is that /etc/pam.d/login includes system. Thus you likely have your system file set up wrong. Mine is a carbon copy of my sshd file. Here it is:

auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            required        pam_unix.so             no_warn use_first_pass
#auth           required        pam_deny.so             use_first_pass

account         required        pam_nologin.so
#account         required        pam_krb5.so
account         required        pam_login_access.so
account         optional        pam_unix.so
account         required        /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so
#account         optional        pam_krb5.so
#session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0022

password        sufficient      pam_unix.so             no_warn use_first_pass

A few other hints:

Make sure your certificates have the correct CN, one that matches your host's FQDN. You can specify them with the tls_cacertfile option, and these DO NOT need converting into any weird formats; the standard output from openssl will work.

@Michael

If you plan to use LDAP groups to control who is able to log in to a server, you need to change your ldap account line, as at the moment it will allow anyone through into the system. Regardless, what I have also means that ldap is not checked for non-ldap users.

Changing ldap passwords IS NOT POSSIBLE from the passwd binary. I cannot remember why, but it is not. You must use the ldappasswd utility.

A lot of basic help can be found here: http://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html

Sincerely,

William Brown

pgp.mit.edu



-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)

iQIcBAEBAgAGBQJMrQkTAAoJEHF16AnLoz6JjmAP/2AnyWUT1EwoyAm8gAH6Qjoq
WC0dSHnfuYzJiw8UM3Uhzdj4LXPNLFh/bqHsgFpDxO1OwyG8OnTv40NdR9506O7e
BP0SmnADt9a8beLHM54jOfJsYHz0kH1bpHk4HkcA5zQEsl76H7IsF6m6tiFxTSII
WLrXwHTN+Z6zpo80N7Ng9GGVCxrs68gU/JQFX58lIIkSlXe2kJ7W8DAcs2q2O13x
5VPl9x2bEYugRwggDLAWwD22ETL6BAjk+qr2+yG8yLKgsg/NTyPoBkdVhHCgOBw2
vt8IGxVeeau3MLvrm/c2+dK7i2Aw9FlB94EBZo5G2QM5AfzmTqtiLAeQ8sM2tQkD
suqPijBB6aLmrnpbqjQxPgKQANv1szELBASC4qcCKHQFNeGtfueikRpgnVaGLrnq
LMOEKpnnuJQ7OrW3TmY6vZFrnKm1QD1cniuJV2Hhb3FZ8JTTq/L2Ae9NHaPKlR3F
7pXcTTTo4hXUe9h9McSv7fUPbTFC9KU/ntc9XQDS+5TLyyMsN1tuaY506v3kTGWh
wdczKBhrSLcwjvh3DUjrutaYg+oYQWOpNvzSOUAQgmLURZcb7zr0q6lstlzHzsZp
4z5jDn6sGUNHCZzzf/eRZjtR3bikQsBrfKgmuHGBVNjwpIzwAus1m1B4XeQ3lhTX
xErK6nRRH75mS3igwcMa
=qIai
-----END PGP SIGNATURE-----
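The prompting behaviour William describes above, modelled in Python as an added example (this is not code from the mail, from FreeBSD or from OpenPAM). The Kerberos realm, LDAP directory and local password file are constructed in-memory dicts with made-up credentials; the OPIE modules are modelled as never prompting for a user who holds no OPIE key (no_fake_prompts / allow_local); try_first_pass is modelled as "reuse the stashed token, and prompt afresh if it is rejected" and use_first_pass as "reuse the stashed token, never prompt", which is the behaviour the mail's explanation relies on. It goes one step beyond the mail by also showing a third chain, pam_unix with try_first_pass, which double-prompts for the same reason:

```python
"""Model of how a PAM 'auth' chain drives password prompts (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# Constructed stand-ins for the real backends (made-up credentials).
KRB5_PRINCIPALS: Dict[str, str] = {}                     # nobody is in a Kerberos realm
LDAP_USERS: Dict[str, str] = {"kevin": "correct-horse"}  # an LDAP-only account
LOCAL_USERS: Dict[str, str] = {"root": "toor"}           # /etc/master.passwd


@dataclass
class Module:
    name: str
    control: str                          # sufficient | requisite | required
    check: Callable[[str, str], bool]     # (user, token) -> accepted?
    pw_opt: Optional[str] = None          # None | try_first_pass | use_first_pass
    prompt: Optional[str] = "Password:"   # None: this module never prompts


class Conversation:
    """Stands in for the PAM conversation function plus the PAM_AUTHTOK stash."""
    def __init__(self, typed: List[str]):
        self.typed = list(typed)          # what the user will type, prompt by prompt
        self.prompts: List[str] = []      # every prompt the user actually saw
        self.authtok: Optional[str] = None

    def ask(self, prompt: str) -> str:
        self.prompts.append(prompt)
        if not self.typed:
            raise RuntimeError("the chain asked for more input than the user typed")
        self.authtok = self.typed.pop(0)  # stashed so later modules can reuse it
        return self.authtok


def run_module(m: Module, user: str, conv: Conversation) -> str:
    if m.prompt is None:                  # e.g. pam_opie with no_fake_prompts
        return SUCCESS if m.check(user, "") else AUTH_ERR
    if m.pw_opt == "use_first_pass":      # reuse the stash; never prompt
        ok = conv.authtok is not None and m.check(user, conv.authtok)
        return SUCCESS if ok else AUTH_ERR
    if m.pw_opt == "try_first_pass" and conv.authtok is not None:
        if m.check(user, conv.authtok):
            return SUCCESS
        # stashed token rejected: fall through and prompt for a fresh one
    return SUCCESS if m.check(user, conv.ask(m.prompt)) else AUTH_ERR


def run_stack(stack: List[Module], user: str, conv: Conversation) -> str:
    """OpenPAM-style handling of the sufficient/requisite/required flags."""
    verdict: Optional[str] = None         # what required/requisite have decided so far
    for m in stack:
        rc = run_module(m, user, conv)
        if m.control == "sufficient":
            if rc == SUCCESS and verdict != AUTH_ERR:
                return SUCCESS            # short-circuits the rest of the chain
        elif m.control == "requisite":
            if rc != SUCCESS:
                return AUTH_ERR           # stops the chain immediately
            verdict = verdict or SUCCESS
        elif m.control == "required":
            verdict = AUTH_ERR if rc != SUCCESS else (verdict or SUCCESS)
    return verdict or AUTH_ERR


def simulate(stack: List[Module], user: str, typed: List[str]) -> Tuple[str, List[str]]:
    """Run one login attempt; returns (result, list of prompts shown)."""
    conv = Conversation(typed)
    return run_stack(stack, user, conv), conv.prompts


# Backend checks. OPIE: the user holds no one-time-password key, so pam_opie
# fails silently and pam_opieaccess (allow_local) lets a normal password through.
def opie(user: str, _tok: str) -> bool:       return False
def opieaccess(user: str, _tok: str) -> bool: return True
def krb5(user: str, tok: str) -> bool:        return KRB5_PRINCIPALS.get(user) == tok
def ldap(user: str, tok: str) -> bool:        return LDAP_USERS.get(user) == tok
def unix(user: str, tok: str) -> bool:        return LOCAL_USERS.get(user) == tok

COMMON = [
    Module("pam_opie", "sufficient", opie, prompt=None),
    Module("pam_opieaccess", "requisite", opieaccess, prompt=None),
]
# The chain the mail diagnoses: two try_first_pass modules back to back.
DOUBLE_PROMPT_STACK = COMMON + [
    Module("pam_krb5", "sufficient", krb5, "try_first_pass", "Password:"),
    Module("pam_ldap", "sufficient", ldap, "try_first_pass", "LDAP Password:"),
    Module("pam_unix", "required", unix, "use_first_pass", "Password:"),
]
# The chain the mail recommends.
RECOMMENDED_STACK = COMMON + [
    Module("pam_ldap", "sufficient", ldap, "try_first_pass", "LDAP Password:"),
    Module("pam_unix", "required", unix, "use_first_pass", "Password:"),
]
# Variant not in the mail: pam_unix with try_first_pass re-prompts after an LDAP miss.
UNIX_RETRY_STACK = COMMON + [
    Module("pam_ldap", "sufficient", ldap, "try_first_pass", "LDAP Password:"),
    Module("pam_unix", "required", unix, "try_first_pass", "Password:"),
]

if __name__ == "__main__":
    for label, stack in [("double", DOUBLE_PROMPT_STACK), ("recommended", RECOMMENDED_STACK),
                         ("unix-retry", UNIX_RETRY_STACK)]:
        print(label, "wrong pw:", simulate(stack, "kevin", ["wrong", "wrong"]))
        print(label, "right pw:", simulate(stack, "kevin", ["correct-horse"]))
```

Running it shows the two things the mail states: with a wrong password the krb5+ldap chain shows "Password:" and then "LDAP Password:", while the recommended chain shows exactly one prompt whether the user lives in LDAP or in /etc/master.passwd (a local root login is prompted with the "LDAP Password:" label, because pam_ldap is the first module that asks). The third chain shows why pam_unix must be use_first_pass rather than try_first_pass: any module that is allowed to re-prompt after the stashed token is rejected will produce a second prompt on a typo.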


More information about the freebsd-questions mailing list