LDAP Authentication from console
Indexer
indexer at internode.on.net
Thu Oct 7 17:09:08 UTC 2010
On 08/10/2010, at 3:09 AM, Kevin Mai wrote:
> Didn't receive all the emails, thank god this maillist is indexed! ;)
Very handy, isn't it :)
Now, about your problem.
Remove the line "auth sufficient /usr/local/lib/pam_ldap.so no_warn" and "account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user" from the login file. The login file includes system, so you only need to modify that.
In system make your file look like this
. #
. # $FreeBSD: src/etc/pam.d/system,v 1.1.30.1 2009/04/15 03:14:26 kensmith Exp $
. #
. # System-wide defaults
. #
.
.
. # auth
. auth sufficient pam_opie.so no_warn no_fake_prompts
. auth requisite pam_opieaccess.so no_warn allow_local
. #auth sufficient pam_krb5.so no_warn try_first_pass
. #auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn
. auth required pam_unix.so no_warn try_first_pass nullok
.
. # account
. #account required pam_krb5.so
. account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
. account required pam_unix.so
.
. # session
. #session optional pam_ssh.so
session required pam_permit.so
. session required pam_lastlog.so no_fail
.
. # password
. #password sufficient pam_krb5.so no_warn try_first_pass
. password required pam_unix.so no_warn try_first_pass
I have added 3 lines; they do not have a . preceding them.
Now, after that, copy the system file to sshd. THEY SHOULD BE THE EXACT SAME. As it currently stands, your ldap user can ssh into your server, but module order in pam is VERY important.
BACKUP YOUR PAM.D DIRECTORY BEFORE YOU DO ANYTHING. pam is very touchy, and at the slightest mistake it will just panic and throw up its hands in defeat.
Remember when doing this that you should hold a root terminal open to edit these files. Open a second terminal and test the following:
1) You can ssh in as a user in the unix files (root for example if your ssh is setup for this, else an account you have created)
2) That your ldap user can login
3) That your file user can sudo correctly
4) That your ldap user can sudo correctly.
5) That your user in files can login at a console
6) That your ldap user can login at a console.
Now, have a rescue CD handy, or remember how to single user mode freebsd if worst comes to worst (hint: press 4 at the boot loader menu, then hit enter, and mount -a the disks to gain access to /usr etc. From there, fix your pam and reboot).
If any of these do not work, especially the sshd logins, then reset your pam.d files. You DO run the risk of locking yourself out of your own server, and I have done this to myself many times.
Hopefully, this helps you get under way, and your users authenticating properly.
Sincerely
William Brown
pgp.mit.edu
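Added example, not part of the post above: a small POSIX sh script that checks a pam.d stack for the three things the reply stresses, that pam_ldap sits before pam_unix in auth and account, that the account line keeps ignore_authinfo_unavail so an LDAP outage does not lock out local users, and that system and sshd are byte-identical. The module names and the /usr/local/lib/pam_ldap.so path are the ones the post uses; the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed example for checking a FreeBSD pam.d "system" stack built as
# the post describes. Sample files below are made up, not real system files.

# Strip comments and blank lines; emit "facility control module" per line.
pam_stack() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{ print $1, $2, $3 }'
}

# In the given facility (auth or account) pam_ldap must precede pam_unix,
# otherwise pam_unix "required" has already decided before LDAP is asked.
# Exit status 0 when the order is right.
ldap_before_unix() {  # $1 = pam file, $2 = facility
    pam_stack "$1" | awk -v fac="$2" '
        $1 == fac && $3 ~ /pam_ldap\.so$/ && !l { l = NR }
        $1 == fac && $3 ~ /pam_unix\.so$/ && !u { u = NR }
        END { exit !(l && u && l < u) }'
}

# The account line must keep ignore_authinfo_unavail, or an LDAP outage
# also locks out users that exist only in the password files.
ldap_account_tolerant() {  # $1 = pam file
    sed 's/#.*//' "$1" | grep -q '^account.*pam_ldap\.so.*ignore_authinfo_unavail'
}

# The post insists that system and sshd be the exact same file.
same_stack() {  # $1, $2 = pam files
    cmp -s "$1" "$2"
}

# Write a correct stack ($1/system) and a mis-ordered one ($1/system.bad).
make_samples() {  # $1 = directory
    cat > "$1/system" <<'EOF'
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn try_first_pass nullok
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
session required pam_permit.so
session required pam_lastlog.so no_fail
password required pam_unix.so no_warn try_first_pass
EOF
    # Bad copy: pam_ldap dropped from account and appended after pam_unix.
    grep -v pam_ldap "$1/system" > "$1/system.bad"
    printf 'auth sufficient /usr/local/lib/pam_ldap.so no_warn\n' >> "$1/system.bad"
}

d=$(mktemp -d) && make_samples "$d"
for f in "$d/system" "$d/system.bad"; do
    if ldap_before_unix "$f" auth && ldap_before_unix "$f" account \
        && ldap_account_tolerant "$f"; then echo "$f: ok"; else echo "$f: BROKEN"; fi
done
rm -rf "$d"
```

Run it against /etc/pam.d/system and /etc/pam.d/sshd (as root, with the backup the post asks for already taken) before testing logins from the second terminal.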