LDAP Authentication from console

Indexer indexer at internode.on.net
Thu Oct 7 17:09:08 UTC 2010




On 08/10/2010, at 3:09 AM, Kevin Mai wrote:

> Didn't receive all the emails, thank god this maillist is indexed! ;)

Very handy, isn't it :)

Now, about your problem.

Remove the line "auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn" and "account         required        /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user" from the login file. The login file includes system, so you only need to modify that.

In system, make your file look like this:


	∙ #
	∙ # $FreeBSD: src/etc/pam.d/system,v 1.1.30.1 2009/04/15 03:14:26 kensmith Exp $
	∙ #
	∙ # System-wide defaults
	∙ #
	∙
	∙
	∙ # auth
	∙ auth            sufficient      pam_opie.so             no_warn no_fake_prompts
	∙ auth            requisite       pam_opieaccess.so       no_warn allow_local
	∙ #auth           sufficient      pam_krb5.so             no_warn try_first_pass
	∙ #auth           sufficient      pam_ssh.so              no_warn try_first_pass
	  auth            sufficient      /usr/local/lib/pam_ldap.so  no_warn
	∙ auth            required        pam_unix.so             no_warn try_first_pass nullok
	∙
	∙ # account
	∙ #account        required        pam_krb5.so
	∙ account         required        pam_login_access.so
	  account         required        /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
	∙ account         required        pam_unix.so
	∙
	∙ # session
	∙ #session        optional        pam_ssh.so
	  session         required        pam_permit.so
	∙ session         required        pam_lastlog.so          no_fail
	∙
	∙ # password
	∙ #password       sufficient      pam_krb5.so             no_warn try_first_pass
	∙ password        required        pam_unix.so             no_warn try_first_pass

I have added 3 lines; they do not have a ∙ preceding them.


Now, after that, copy the system file to sshd. THEY SHOULD BE THE EXACT SAME. As it currently stands, your ldap user can ssh into your server, but module order in pam is VERY important.

BACKUP YOUR PAM.D DIRECTORY BEFORE YOU DO ANYTHING. pam is very touchy; with the slightest mistake it will just panic and throw up its hands in defeat.

Remember, when doing this, to hold a root terminal open to edit these files. Open a second terminal and test the following:

1) You can ssh in as a user in the unix files (root, for example, if your ssh is set up for this; else an account you have created)
2) That your ldap user can login
3) That your file user can sudo correctly
4) That your ldap user can sudo correctly
5) That your user in files can login at a console
6) That your ldap user can login at a console

Now, have a rescue CD handy, or remember how to boot FreeBSD into single-user mode if worst comes to worst (hint: press 4 at the boot loader menu, then hit enter, and mount -a the disks to gain access to /usr etc.; from there fix your pam and reboot).

If any of these do not work, especially the sshd logins, then reset your pam.d files. You DO run the risk of locking yourself out of your own server, and I have done this to myself many times.

Hopefully, this helps you get under way, and your users authenticating properly. 


Sincerely

William Brown

pgp.mit.edu
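The back-up, edit, test, revert procedure in the message above, written out as a small POSIX sh helper set. This is an added example and not part of William's message or of FreeBSD's own tooling: the function names, the PAMDIR-style argument, the awk checks and the revert timer are my own conventions. It backs up pam.d, checks that the auth stack lists pam_ldap as sufficient ahead of pam_unix required (the ordering the message insists on), checks that the account pam_ldap line carries both ignore_* flags from the config, verifies that sshd matches system, and arms a background job that copies the backup back unless you kill it after the login checklist passes. Point it at a scratch copy of /etc/pam.d first.

```sh
#!/bin/sh
# Added example (not part of the original post or of FreeBSD): helpers for the
# "back up, edit, test, revert" procedure in the message above. Function names
# and the revert timer are my own conventions. Run against a scratch copy of
# /etc/pam.d before pointing it at the real directory.

# Copy the whole pam.d directory aside with a timestamp and print the backup path.
backup_pamd() {
    dir="$1"
    stamp=$(date +%Y%m%d%H%M%S)
    cp -Rp "$dir" "$dir.bak.$stamp" && printf '%s\n' "$dir.bak.$stamp"
}

# Print "<control> <module>" for one facility (auth/account/session/password),
# in stack order, skipping comments and blank lines.
stack_of() {
    awk -v f="$2" '$1 == f { print $2, $3 }' "$1"
}

# Succeed only if the auth stack lists pam_ldap as "sufficient" and pam_unix as
# "required" somewhere after it. The reverse order means pam_unix fails first
# for LDAP-only users and the stack never reaches pam_ldap.
check_auth_order() {
    stack_of "$1" auth | awk '
        $1 == "sufficient" && $2 ~ /pam_ldap/ { ldap = NR }
        $1 == "required"   && $2 ~ /pam_unix/ { unix = NR }
        END { exit !(ldap && unix && ldap < unix) }'
}

# Succeed only if the account pam_ldap line carries both flags from the post:
# ignore_unknown_user keeps local-only accounts (root included) from being
# rejected by a "required" LDAP module, and ignore_authinfo_unavail keeps an
# unreachable LDAP server from locking those same users out.
check_account_flags() {
    awk '$1 == "account" && $3 ~ /pam_ldap/ &&
         /ignore_unknown_user/ && /ignore_authinfo_unavail/ { ok = 1 }
         END { exit !ok }' "$1"
}

# The post wants sshd identical to system; cmp is the cheapest way to prove it.
same_stack() {
    cmp -s "$1" "$2"
}

# Run all checks against a pam.d directory; report the first problem found.
check_pamd() {
    dir="$1"
    check_auth_order "$dir/system" ||
        { echo "system: auth needs pam_ldap sufficient before pam_unix required" >&2; return 1; }
    check_account_flags "$dir/system" ||
        { echo "system: account pam_ldap lacks ignore_unknown_user/ignore_authinfo_unavail" >&2; return 1; }
    same_stack "$dir/system" "$dir/sshd" ||
        { echo "sshd differs from system" >&2; return 1; }
    echo "pam.d checks passed"
}

# Arm a background job that copies the backup back over $dir after $secs seconds.
# Sets REVERT_PID; kill it once the login checklist succeeds. If you lock
# yourself out, the files come back without a rescue CD.
arm_revert_timer() {
    dir="$1"; backup="$2"; secs="$3"
    ( sleep "$secs" && cp -Rp "$backup/." "$dir" ) &
    REVERT_PID=$!
    echo "revert timer armed: kill $REVERT_PID to keep the new config"
}
```

Typical use from the root terminal the message tells you to keep open: `bak=$(backup_pamd /etc/pam.d)`, edit system and copy it to sshd, `check_pamd /etc/pam.d`, then `arm_revert_timer /etc/pam.d "$bak" 600` before walking the six-step checklist from the second terminal, and `kill $REVERT_PID` only once every login works. The awk checks only prove ordering and flags, not that the LDAP server answers; the login tests remain the real verification.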


