pam ssh authentication via ldap
krad
kraduk at gmail.com
Mon Feb 28 10:31:57 UTC 2011
On 28 February 2011 01:06, Tim Dunphy <bluethundr at gmail.com> wrote:
> Hello Krad and thank you for your reply!
>
>
> Well it seems that I am still unable to login to this machine using an
> LDAP account. I have tried applying the configurations you have
> provided and the result doesn't seem to have changed just yet.
>
> Here is my /usr/local/etc/ldap.conf file
>
>
> uri ldap://LBSD2.summitnjhome.com
> base dc=summitnjhome,dc=com
> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw secret
> scope sub
> ssl start tls
> tls_cacert /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
> pam_login_attribute uid
> bind_timelimit 1
> timelimit 1
> bind_policy soft
> pam_password exop
> nss_base_passwd dc=summitnjhome,dc=com
> nss_base_shadow dc=summitnjhome,dc=com
> nss_base_group dc=summitnjhome,dc=com
> nss_base_sudo dc=summitnjhome,dc=com
> nss_initgroups_ignoreusers root,slapd
>
>
>
> #ls -l /usr/local/etc/nss_ldap.conf
> lrwxr-xr-x 1 root wheel 24 Feb 28 00:10
> /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>
>
> #cat /usr/local/etc/nsswitch.conf
> #
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
> #
> passwd: cache files ldap [notfound=return]
> passwd_compat: files ldap
> group: cache files ldap [notfound = return]
> group_compat: nis
> sudoers: ldap
> hosts: files dns
> networks: files
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> Here is my slapd.conf file:
>
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/openldap.schema
> include /usr/local/etc/openldap/schema/sudo.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> loglevel 296
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/certs/LBSD2.summitnjhome.com.key
> TLSCACertificateFile /usr/local/etc/openldap/certs/gd_bundle.crt
>
> # Load dynamic backend modules:
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb
> # moduleload back_hdb
> # moduleload back_ldap
>
> # Sample security restrictions
> # Require integrity protection (prevent hijacking)
> # Require 112-bit (3DES or better) encryption for updates
> # Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> # Root DSE: allow anyone to read it
> # Subschema (sub)entry DSE: allow anyone to read it
> # Other DSEs:
> # Allow self write access
> # Allow authenticated users read access
> # Allow anonymous users to authenticate
> # Directives needed to implement policy:
> # access to dn.base="" by * read
> access to *
> by read
>
> access to attrs=userPassword by self write
> by anonymous auth
>
> access to * by self write
> by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" write
> by users read
> by anonymous auth
>
> access to * by self write
> by users read
> by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn. (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # BDB database definitions
> #######################################################################
>
> database bdb
> suffix "dc=summitnjhome,dc=com"
> rootdn "cn=Manager,dc=summitnjhome,dc=com"
> rootpw {SSHA}secret
>
> # Cleartext passwords, especially for the rootdn, should
> # be avoid. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /var/db/summitnjhome.com
> # Indices to maintain
> index objectClass,uid,uidNumber eq
> index sudoUser eq
>
>
> these are the packages I have installed
>
>
> nss_ldap-1.265_4 RFC 2307 NSS module
> openldap-sasl-client-2.4.23 Open source LDAP client implementation
> with SASL2 support
> openldap-sasl-server-2.4.23 Open source LDAP server implementation
> pam_ldap-1.8.5 A pam module for authenticating with LDAP
>
>
> And this is what happens in the ldap logs after making those changes:
>
>
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH
> base="dc=summitnjhome,dc=com" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uidNumber=1001))"
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SRCH attr=uid
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
> description objectClass
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: OR
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
> first=106 last=137
> Feb 26 19:58:43 LBSD2 slapd[54891]: => bdb_filter_candidates
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
> first=106 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=106 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=0 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
> first=1 last=0
> Feb 26 19:58:43 LBSD2 slapd[54891]: conn=34934 op=3 SEARCH RESULT
> tag=101 err=0 nentries=0 text=
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on:
> Feb 26 19:58:43 LBSD2 slapd[54891]: 425r
> Feb 26 19:58:43 LBSD2 slapd[54891]:
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: read activity on 425
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: AND
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: waked
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=6
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: daemon: select: listen=7
> active_threads=0 tvp=NULL
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter_list
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
> Feb 26 19:58:43 LBSD2 slapd[54891]: begin get_filter
> Feb 26 19:58:43 LBSD2 slapd[54891]: EQUALITY
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter_list
> Feb 26 19:58:43 LBSD2 slapd[54891]: end get_filter 0
>
> This is what's going on in the secure logs:
>
> Feb 27 19:02:05 LCENT01 su: pam_unix(su-l:session): session opened for
> user root by bluethundr(uid=10001)
>
> And this is my /etc/pam.d/sshd file:
>
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_ldap.so
> #auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> #account required pam_krb5.so
> account required pam_login_access.so
> account required pam_ldap.so
> #account required pam_unix.so
>
> # session
> #session optional pam_ssh.so
> session sufficient pam_ldap.so
> session required pam_permit.so
>
> # password
> #password sufficient pam_krb5.so no_warn try_first_pass
> password required pam_ldap.so
> #password required pam_unix.so no_warn try_first_pass
>
>
> I really appreciate your input Krad and I appreciate any advice anyone may have
>
> thanks
> tim
>
>
> On Sun, Feb 27, 2011 at 6:10 AM, krad <kraduk at gmail.com> wrote:
>> On 27 February 2011 11:05, krad <kraduk at gmail.com> wrote:
>>> On 26 February 2011 20:01, Tim Dunphy <bluethundr at gmail.com> wrote:
>>>> Hey list,
>>>>
>>>> I just wanted to follow up with my /usr/local/etc/ldap.conf file and
>>>> nsswitch file because I thought they might be helpful in dispensing
>>>> advice as to what is going on:
>>>>
>>>> uri ldap://LBSD2.summitnjhome.com
>>>> base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>>> sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
>>>> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
>>>> bindpw secret
>>>> scope sub
>>>> pam_password exop
>>>> nss_base_passwd dc=summitnjhome,dc=com
>>>> nss_base_shadow dc=summitnjhome,dc=com
>>>> nss_base_group dc=summitnjhome,dc=com
>>>> nss_base_sudo dc=summitnjhome,dc=com
>>>>
>>>>
>>>> # nsswitch.conf(5) - name service switch configuration file
>>>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
>>>> #
>>>> passwd: files ldap
>>>> passwd_compat: files ldap
>>>> group: files ldap
>>>> group_compat: nis
>>>> sudoers: ldap
>>>> hosts: files dns
>>>> networks: files
>>>> shells: files
>>>> services: compat
>>>> services_compat: nis
>>>> protocols: files
>>>> rpc: files
>>>>
>>>>
>>>> On Sat, Feb 26, 2011 at 2:55 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>>>>> Hello List!!
>>>>>
>>>>> I have an OpenLDAP 2.4 server functioning very nicely that
>>>>> authenticates a network of (mostly virtual) centos 5.5 machines.
>>>>>
>>>>> But at the moment I am attempting to setup pam authentication for ssh
>>>>> via LDAP and having some difficulty.
>>>>>
>>>>> My /etc/pam.d/sshd file seems to be setup logically and correctly:
>>>>>
>>>>> # PAM configuration for the "sshd" service
>>>>> #
>>>>>
>>>>> # auth
>>>>> auth sufficient pam_opie.so no_warn no_fake_prompts
>>>>> auth requisite pam_opieaccess.so no_warn allow_local
>>>>> #auth sufficient pam_krb5.so no_warn try_first_pass
>>>>> #auth sufficient pam_ssh.so no_warn try_first_pass
>>>>> auth required pam_ldap.so
>>>>> #auth required pam_unix.so no_warn try_first_pass
>>>>>
>>>>> # account
>>>>> account required pam_nologin.so
>>>>> #account required pam_krb5.so
>>>>> account required pam_login_access.so
>>>>> account required pam_ldap.so
>>>>> #account required pam_unix.so
>>>>>
>>>>> # session
>>>>> #session optional pam_ssh.so
>>>>> session sufficient pam_ldap.so
>>>>> session required pam_permit.so
>>>>>
>>>>> # password
>>>>> #password sufficient pam_krb5.so no_warn try_first_pass
>>>>> password required pam_ldap.so
>>>>> #password required pam_unix.so no_warn try_first_pass
>>>>>
>>>>>
>>>>> And if I'm reading the logs correctly LDAP is searching for and
>>>>> finding the account information when I am making the login attempt:
>>>>>
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH
>>>>> base="dc=summitnjhome,dc=com" scope=2 deref=0
>>>>> filter="(&(objectClass=posixAccount)(uidNumber=1001))"
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SRCH attr=uid
>>>>> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
>>>>> description objectClass
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: OR
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa1
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: AND
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_list_candidates 0xa0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=26
>>>>> first=106 last=137
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: => bdb_filter_candidates
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: EQUALITY
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0
>>>>> first=106 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=106 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=0 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_list_candidates: id=0 first=1 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: <= bdb_filter_candidates: id=0
>>>>> first=1 last=0
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=21358 op=22122 SEARCH RESULT
>>>>> tag=101 err=0 nentries=0 text=
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on:
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]:
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: read activity on 212
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_read(212): input
>>>>> error=-2 id=34715, closing.
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: connection_closing: readying
>>>>> conn=34715 sd=212 for close
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: activity on 1 descriptor
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: waked
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=6
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: select: listen=7
>>>>> active_threads=0 tvp=NULL
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: daemon: removing 212
>>>>> Feb 26 19:52:54 LBSD2 slapd[54891]: conn=34715 fd=212 closed (connection lost)
>>>>>
>>>>>
>>>>> But logins fail every time. Could someone offer an opinion as to what
>>>>> may be going on to prevent logging in via pam/sshd and LDAP?
>>>>>
>>>>> Thanks in advance!
>>>>> Tim
>>>>>
>>>>> --
>>>>> GPG me!!
>>>>>
>>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> GPG me!!
>>>>
>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>> _______________________________________________
>>>> freebsd-questions at freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>>>
>>>
>>>
>>>
>>> these are my files and are from a working setup
>>>
>>> # cat /usr/local/etc/ldap.conf
>>> #
>>> # LDAP Defaults
>>> #
>>>
>>> # See ldap.conf(5) for details
>>> # This file should be world readable but not world writable.
>>>
>>> BASE dc=XXX,dc=net
>>> URI ldap://XXX.net
>>>
>>> #SIZELIMIT 12
>>> #TIMELIMIT 15
>>> #DEREF never
>>>
>>> ssl start_tls
>>> tls_cacert /usr/local/etc/openldap/ssl/cert.crt
>>>
>>> pam_login_attribute uid
>>>
>>> sudoers_base ou=sudoers,ou=services,dc=XXX,dc=net
>>> bind_timelimit 1
>>> timelimit 1
>>> bind_policy soft
>>>
>>> nss_initgroups_ignoreusers root,slapd,krad
>>>
>>>
>>> # ls -l /usr/local/etc/nss_ldap.conf
>>> lrwxr-xr-x 1 root wheel 24 Jan 16 22:31
>>> /usr/local/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
>>>
>>> # nsswitch.conf
>>>
>>>
>>> group: cache files ldap [notfound=return]
>>> passwd: cache files ldap [notfound=return]
>>>
>>> these packages are installed
>>>
>>> nss_ldap-1.265_4 RFC 2307 NSS module
>>> openldap-client-2.4.23 Open source LDAP client implementation
>>> openldap-server-2.4.23 Open source LDAP server implementation
>>> pam_ldap-1.8.6 A pam module for authenticating with LDAP
>>>
>>
>> and my slapd.conf
>>
>> security ssf=128
>>
>> TLSCertificateFile /usr/local/etc/openldap/ssl/cert.crt
>> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/cert.key
>> TLSCACertificateFile /usr/local/etc/openldap/ssl/cert.crt
>> include /usr/local/etc/openldap/schema/core.schema
>> include /usr/local/etc/openldap/schema/cosine.schema
>> include /usr/local/etc/openldap/schema/inetorgperson.schema
>> include /usr/local/etc/openldap/schema/nis.schema
>> #include /usr/local/etc/openldap/schema/ldapns.schema
>> include /usr/local/etc/openldap/schema/samba.schema
>> include /usr/local/etc/openldap/schema/sudo.schema
>> logfile /var/log/slapd.log
>> loglevel stats
>> pidfile /var/run/openldap/slapd.pid
>> argsfile /var/run/openldap/slapd.args
>> modulepath /usr/local/libexec/openldap
>> moduleload back_bdb
>> database bdb
>> directory /var/db/openldap-data
>> #index uid pres,eq
>> index cn,sn,uid pres,eq,sub
>> index objectClass eq
>> #index sudoUser
>> suffix "dc=XXX,dc=net"
>> rootdn "cn=krad,dc=XXX,dc=net"
>> rootpw {SSHA}FmcgJBodertOwCvnvZOo+mUAnXjrgUQa
>> access to attrs=userPassword
>> by self write
>> by anonymous auth
>> by dn.base="cn=krad,dc=XXX,dc=net" write
>> by * none
>> access to *
>> by self write
>> by dn.base="cn=krad,dc=XXX,dc=net" write
>> by * read
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
haha sorry, I completely forgot about the pam files, here is mine. You
definitely need to be explicit with the full path of the ldap module
(/usr/local/lib/pam_ldap.so, not a bare pam_ldap.so); note also that I keep
pam_unix.so as the required fallback so local logins still work if LDAP is unavailable.
[root at carrera /home/krad]# cat /etc/pam.d/sshd
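#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1 2009/08/03 08:13:06 kensmith Exp $
#
# PAM configuration for the "sshd" service
#
# pam_ldap and pam_mkhomedir are not base-system modules, so they are
# referenced by full path under /usr/local/lib rather than by bare name.
# Each directive must stay on one line; the wrapped copies seen in mail
# archives are not valid PAM syntax.
#
# auth
# LDAP is tried first. A successful LDAP authentication is enough
# ("sufficient"); if the LDAP server cannot be reached,
# ignore_authinfo_unavail makes this line a no-op instead of a failure.
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
# Local password database remains the required last step, so local
# accounts (including root) can still log in when LDAP is down.
auth required pam_unix.so no_warn try_first_pass
# Leftover duplicate of the first auth line, intentionally left disabled.
#auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# ignore_unknown_user: a user absent from LDAP (a purely local account) is
# not rejected here; ignore_authinfo_unavail again covers an unreachable server.
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
# session
#session optional pam_ssh.so
session required pam_permit.so
# Creates a missing home directory on first login (needed for LDAP users
# that have no local home yet).
session required /usr/local/lib/pam_mkhomedir.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass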