LDAP Authentication from console
Indexer
indexer at internode.on.net
Wed Oct 6 23:41:13 UTC 2010
On 07/10/2010, at 10:05 AM, Michel Talon wrote:
>
> Kevin Mai wrote:
>> Logins over ssh and sudo work great with ldap, but when I try to log in
>> from console, it prompts me twice for the password.
>>
>> If I put a wrong password it prints out that it cannot bind to the ldap
>> server, which means that I'm being able to bind to ldap, but cannot login
>> for some reason.
>
>
Can you send a copy of your /etc/pam.d/sshd and /etc/pam.d/system ? What I think you have done is this:
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn use_first_pass
Notice the try_first_pass options on krb5 and ldap? This will prompt for the krb5 password, then prompt again for the ldap password, and then fall back to unix. It looks like this when you enter the wrong password:
Password:
LDAP Password:
Password
LDAP Password:
etc ....
In your case, you likely have something else, and not krb5, but editing your file to appear like this will be of great help:
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn use_first_pass
You need to set ldap to try_first_pass, and unix to use_first_pass. This will stop the "double prompting".
Also of note is that /etc/pam.d/login is an include of system. Thus you likely have your system file set up wrong. Mine is a carbon copy of my sshd file. Here it is:
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn use_first_pass
#auth required pam_deny.so use_first_pass
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account optional pam_unix.so
account required /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
# session
#session optional pam_ssh.so
session required pam_permit.so
#account optional pam_krb5.so
#session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
password sufficient pam_unix.so no_warn use_first_pass
A few other hints:
Make sure your certificates have the correct CN that matches your host's FQDN. You can specify them with the option tls_cacertfile, and these DO NOT need converting into any weird formats; just the standard output from openssl will work.
@Michael
If you plan to use LDAP groups to control access to be able to login to a server, you need to change your ldap account line, as at this time it will allow anyone through into the system. Regardless, what I have also means that ldap is not checked for non ldap users.
Changing ldap passwords IS NOT POSSIBLE from the passwd binary. I cannot remember why but it is not. You must use the ldappasswd utility.
A lot of basic help can be found here: http://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html
Sincerely,
William Brown
pgp.mit.edu
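As an added check that is not part of the original thread, here is a small Python linter that applies the rule from the reply above to an auth stack: the first password-collecting module may prompt once, and every later password module must carry use_first_pass, otherwise a wrong password produces a second prompt. The two stacks are the ones quoted in the reply; the list of password-prompting module names is an assumption.

```python
"""Flag PAM auth entries that can prompt for a password a second time."""

# Assumption: these modules collect a password themselves when no stored
# password is offered to them (or when the stored one is rejected and the
# module was given try_first_pass).
PASSWORD_MODULES = ("pam_krb5", "pam_ldap", "pam_unix")

# Stacks taken from the reply above: the one that double-prompts ...
DOUBLE_PROMPT_STACK = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn use_first_pass
"""
# ... and the corrected one.
FIXED_STACK = """\
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn use_first_pass
"""

def parse_stack(text):
    """Return (type, control, module, args) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((parts[0], parts[1], parts[2], set(parts[3:])))
    return entries

def module_name(path):
    """'/usr/local/lib/pam_ldap.so' -> 'pam_ldap'."""
    return path.rsplit("/", 1)[-1].split(".so")[0]

def extra_prompts(text):
    """Names of auth modules that may prompt again after the first prompt."""
    seen_first = False
    offenders = []
    for mtype, _control, module, args in parse_stack(text):
        name = module_name(module)
        if mtype != "auth" or name not in PASSWORD_MODULES:
            continue
        if not seen_first:
            seen_first = True      # first password module: one prompt is expected
            continue
        # try_first_pass re-prompts when the stored password fails, which is
        # exactly the "wrong password asks twice" symptom; only use_first_pass
        # guarantees no second prompt.
        if "use_first_pass" not in args:
            offenders.append(name)
    return offenders
```

Running `extra_prompts(DOUBLE_PROMPT_STACK)` names pam_ldap as the module that re-prompts after krb5, while the corrected stack reports nothing.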