pam ssh authentication via ldap
krad
kraduk at gmail.com
Sun Feb 27 11:05:39 UTC 2011
On 26 February 2011 20:01, Tim Dunphy <bluethundr at gmail.com> wrote:
> Hey list,
>
> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
> nsswitch file because I thought they might be helpful in dispensing
> advice as to what is going on:
>
> uri ldap://LBSD2.summitnjhome.com
> base ou=staff,ou=Group,dc=summitnjhome,dc=com
> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw secret
> scope sub
> pam_password exop
> nss_base_passwd dc=summitnjhome,dc=com
> nss_base_shadow dc=summitnjhome,dc=com
> nss_base_group dc=summitnjhome,dc=com
> nss_base_sudo dc=summitnjhome,dc=com
>
>
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29
> kensmith Exp $
> #
> passwd: files ldap
> passwd_compat: files ldap
> group: files ldap
> group_compat: nis
> sudoers: ldap
> hosts: files dns
> networks: files
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
>
> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>> Hello List!!
>>
>> I have an OpenLDAP 2.4 server functioning very nicely that
>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>
>> But at the moment I am attempting to setup pam authentication for ssh
>> via LDAP and having some difficulty.
>>
>> My /etc/pam.d/sshd file seems to be setup logically and correctly:
>>
>> # PAM configuration for the "sshd" service
>> #
>>
>> # auth
>> auth sufficient pam_opie.so no_warn no_fake_prompts
>> auth requisite pam_opieaccess.so no_warn allow_local
>> #auth sufficient pam_krb5.so no_warn try_first_pass
>> #auth sufficient pam_ssh.so no_warn try_first_pass
>> auth required pam_ldap.so
>> #auth required pam_unix.so no_warn try_first_pass
>>
>> # account
>> account required pam_nologin.so
>> #account required pam_krb5.so
>> account required pam_login_access.so
>> account required pam_ldap.so
>> #account required pam_unix.so
>>
>> # session
>> #session optional pam_ssh.so
>> session sufficient pam_ldap.so
>> session required pam_permit.so
>>
>> # password
>> #password sufficient pam_krb5.so no_warn try_first_pass
>> password required pam_ldap.so
>> #password required pam_unix.so no_warn try_first_pass
>>
>>
>> And if I'm reading the logs correctly LDAP is searching for and
>> finding the account information when I am making the login attempt:
>>
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
>> base="dc=summitnjhome,dc=com" scope=2 deref=0
>> filter="(&(objectClass=posixAccount)(uidNumber=1001
>> ))"
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
>> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
>> description objectCla
>> ss
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: OR
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
>> first=106 last=137
>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
>> first=106 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=106 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=0 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>> first=1 last=0
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
>> tag=101 err=0 nentries=0 text=
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
>> error=-2 id=34715, closing.
>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
>> conn=34715 sd=212 for close
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>> active_threads=0 tvp=NULL
>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>
>>
>> But logins fail every time. Could someone offer an opinion as to what
>> may be going on to prevent logging in via pam/sshd and LDAP?
>>
>> Thanks in advance!
>> Tim
>>
>> --
>> GPG me!!
>>
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
these are my files and are from a working setup
# cat /usr/local/etc/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=XXX,dc=net
URI ldap://XXX.net
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
ssl start_tls
tls_cacert /usr/local/etc/openldap/ssl/cert.crt
pam_login_attribute uid
sudoers_base ou=sudoers,ou=services,dc=XXX,dc=net
bind_timelimit 1
timelimit 1
bind_policy soft
nss_initgroups_ignoreusers root,slapd,krad
# ls -l /usr/local/etc/nss_ldap.conf
lrwxr-xr-x 1 root wheel 24 Jan 16 22:31
/usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
# nsswitch.conf
group: cache files ldap [notfound=return]
passwd: cache files ldap [notfound=return]
these packages are installs
nss_ldap-1.265_4 RFC 2307 NSS module
openldap-client-2.4.23 Open source LDAP client implementation
openldap-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.6 A pam module for authenticating with LDAP
More information about the freebsd-questions
mailing list