Trouble with LDAP-authentication to Apple Open Directory

Aleksander Steffensen post at
Thu May 26 12:13:34 UTC 2011



Yesterday I finally managed to get my FreeBSD 8.2-STABLE box to actually authenticate to the Xserve, running Open Directory on Mac OS X 10.5 Server. I was able to log in to the FreeBSD box as a directory user via SSH and also via netatalk.

Unfortunately, after a while, it stopped working. I can't remember doing anything at all... As far as I know, I made no changes in the configuration on either the Xserve or the FreeBSD box. This is what happens when I try to log in via SSH.

> mp-aleks:~ aleksander$ ssh alekstef at
> Password: 
> alekstef at's password: 
> Connection closed by

Notice that I enter the password once, and then it asks for the password once more, but it won't accept the password. Here is the auth.log on

> May 26 13:18:24 egil sshd[5347]: error: PAM: user account has expired for alekstef from
> May 26 13:18:28 egil sshd[5347]: Failed password for alekstef from port 62114 ssh2

I know for a fact that the user account is not expired in Open Directory. I have also checked the logs on the Xserve, but can't find anything relevant to the problem, so I assume the problem is on the FreeBSD-box. Here's the part of my nss_ldap.conf file on, that is not commented out. Everything else is the default:

> host
> base dc=jangunnar,dc=kreativsone,dc=no
> ldap_version 3
> port 389
> scope one
> bind_policy soft 
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_groupdn cn=lagring,cn=groups,dc=jangunnar,dc=kreativsone,dc=no
> pam_member_attribute memberUid
> pam_password crypt
> nss_base_passwd         cn=users,dc=jangunnar,dc=kreativsone,dc=no?one
> nss_base_shadow         cn=users,dc=jangunnar,dc=kreativsone,dc=no?one
> nss_base_group          cn=groups,dc=jangunnar,dc=kreativsone,dc=no?one
> ssl off

I tried commenting out pam_groupdn and pam_member_attribute with no success. I was hoping to restrict login to the group "lagring", but it didn't seem to work.


> auth            sufficient                     no_warn no_fake_prompts
> auth            requisite               no_warn allow_local
> auth            sufficient      /usr/local/lib/      no_warn
> auth            required                     no_warn try_first_pass
> # account
> account         required
> account         required
> account         required        /usr/local/lib/      no_warn ignore_authinfo_unavail ignore_unknown_user
> account         required
> # session
> session         required
> # password
> password        required                     no_warn try_first_pass


> auth            sufficient      /usr/local/lib/      no_warn
> auth            include         system
> account         include         system
> password        include         system
> session         include         system
> account         required        /usr/local/lib/      no_warn ignore_authinfo_unavail ignore_unknown_user

I really need to get this working again. Any help is highly appreciated. Please ask if you need more information. Thanks!

Best regards,
Aleksander Steffensen
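As an added example (not part of the original post, and not code from nss_ldap or pam_ldap), here is a small checker for the "key value" configuration format shown in the nss_ldap.conf excerpt above. It flags directives the checker does not recognise (a misspelled key is silently ignored by the real library, which is an easy way to lose a group restriction), verifies that every search base and the pam_groupdn sit under the configured base DN, and notes when ssl is off, since simple binds then carry the user's password over the network in clear text. The sample configuration is constructed from the post with a placeholder hostname, and the list of known directives is a partial, hand-written list, not the library's authoritative one.

```python
"""Sanity-check an nss_ldap.conf / pam_ldap-style configuration (added example)."""

# Directives this checker recognises: the ones used in the post plus a few
# common nss_ldap/pam_ldap ones. Assumption: partial list, not exhaustive.
KNOWN_KEYS = {
    "host", "uri", "base", "ldap_version", "port", "scope", "bind_policy",
    "binddn", "bindpw", "rootbinddn", "timelimit", "bind_timelimit",
    "pam_filter", "pam_login_attribute", "pam_groupdn", "pam_member_attribute",
    "pam_password", "pam_lookup_policy", "pam_check_host_attr",
    "nss_base_passwd", "nss_base_shadow", "nss_base_group",
    "ssl", "tls_cacertfile", "tls_checkpeer",
}

# Constructed sample modelled on the post; the hostname is a placeholder and
# one directive is deliberately misspelled to show what the checker catches.
SAMPLE_CONF = """\
# nss_ldap.conf (constructed sample)
host ldap.example.invalid
base dc=jangunnar,dc=kreativsone,dc=no
ldap_version 3
port 389
scope one
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_groupdn cn=lagring,cn=groups,dc=jangunnar,dc=kreativsone,dc=no
pam_member_attributes memberUid
pam_password crypt
nss_base_passwd         cn=users,dc=jangunnar,dc=kreativsone,dc=no?one
nss_base_shadow         cn=users,dc=jangunnar,dc=kreativsone,dc=no?one
nss_base_group          cn=groups,dc=jangunnar,dc=kreativsone,dc=no?one
ssl off
"""


def parse_conf(text):
    """Return (key, value) pairs in file order, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((key, value))
    return entries


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_is_under(dn, base):
    """True if dn equals base or is a descendant of it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def check_conf(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    entries = parse_conf(text)
    conf = dict(entries)
    findings = []
    for key, _ in entries:
        if key not in KNOWN_KEYS:
            findings.append("unknown directive '%s' (typo? it will be ignored)" % key)
    base = conf.get("base")
    if base is None:
        findings.append("no 'base' directive")
        return findings
    for key in ("nss_base_passwd", "nss_base_shadow", "nss_base_group"):
        if key in conf:
            dn = conf[key].split("?", 1)[0]  # value is "dn?scope?filter"
            if not dn_is_under(dn, base):
                findings.append("%s %s is not under base %s" % (key, dn, base))
    if "pam_groupdn" in conf:
        if not dn_is_under(conf["pam_groupdn"], base):
            findings.append("pam_groupdn is not under base")
        if "pam_member_attribute" not in conf:
            findings.append("pam_groupdn set but pam_member_attribute missing; "
                            "the library default applies")
    if conf.get("ssl", "off").lower() == "off":
        findings.append("ssl off: simple binds send the password in clear text")
    return findings


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print("-", finding)
```

Run against the constructed sample, the checker reports the misspelled pam_member_attributes line, the consequently missing pam_member_attribute, and the clear-text bind; point it at a real file with `check_conf(open(path).read())`.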