LDAP bind to Open Directory

markham breitbach markhamb at corp.ssimicro.com
Fri Apr 24 03:25:26 UTC 2015


It looks like you are using a different auth method on the new server:

>> CRAM-MD5 authentication failed.

The old Mac server appears to be using DIGEST-MD5

I'm not sure how that gets configured though.  I have always used
LDAP-TLS to ensure that my passwords are protected in transit.


On 2015-04-23 3:25 PM, Jaime Kikpole wrote:
> I *think* I have a FreeBSD system set up as an LDAP client.  I could
> be wrong about that, but it looks like I've got everything but
> password checks.  I was hoping someone here could help.
>
> I made a new VM with FreeBSD 10.1.  I have pam_ldap and nss_ldap
> installed and (as far as I can tell) configured.  I added a line to
> /etc/pam.d/sshd to enable LDAP accounts to log in over SSH.  I figured
> this was a place to test.  I can still SSH as a local user, but LDAP
> users aren't authenticating.  When the LDAP user "testdoc6" tries to
> SSH in, /var/log/messages shows this:
>
> Apr 23 16:27:51 fstest1 sshd[819]: pam_ldap: error trying to bind as
> user "uid=testdoc6,cn=users,dc=dir,dc=cairodurham,dc=org" (Invalid
> credentials)
> Apr 23 16:27:51 fstest1 sshd[815]: error: PAM: authentication error
> for illegal user testdoc6 from
>
> On the LDAP server, I see messages like this:
>
> Apr 23 2015 16:27:51 520401us    AUTH2:
> {0x2eef29585ec611e495c7406c8f39f47e, testdoc6} CRAM-MD5 authentication
> failed, SASL error -13 (password incorrect).
>
> By contrast, when I successfully log in to an old Mac file server with
> testdoc6, the directory server shows this:
>
> Apr 23 2015 16:20:23 783104us    AUTH2:
> {0x2eef29585ec611e495c7406c8f39f47e, testdoc6} DIGEST-MD5
> authentication succeeded.
>
> The directory server's messages appear in what Apple named "Password
> Service Server Log".
>
> Can anyone help me figure out what I did wrong?
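The diagnosis in the reply above rests on reading the two logs side by side: the FreeBSD client reports a failed bind, while Apple's Password Service log shows the same user failing under CRAM-MD5 at 16:27:51 but succeeding under DIGEST-MD5 at 16:20:23, which points at the authentication mechanism rather than the password. The following is an added example, not code from the thread or from either project: it parses both log formats as quoted in the post, correlates them by user, and reports whether a failure looks like a wrong password or a mechanism mismatch. The sample lines are constructed from the post (the "testdoc7" entry is an invented control case); the regexes, function names and verdict labels are this example's own assumptions, not pam_ldap or Open Directory APIs.

```python
import re
from collections import defaultdict

# Constructed sample input, shaped after the lines quoted in the thread.
# Client side: /var/log/messages on the FreeBSD box running pam_ldap.
CLIENT_SYSLOG = """\
Apr 23 16:27:51 fstest1 sshd[819]: pam_ldap: error trying to bind as user "uid=testdoc6,cn=users,dc=dir,dc=cairodurham,dc=org" (Invalid credentials)
"""

# Server side: Apple "Password Service Server Log". The testdoc7 line is an
# invented control case (a user who only ever authenticates successfully).
PASSWORD_SERVICE_LOG = """\
Apr 23 2015 16:20:23 783104us    AUTH2: {0x2eef29585ec611e495c7406c8f39f47e, testdoc6} DIGEST-MD5 authentication succeeded.
Apr 23 2015 16:27:51 520401us    AUTH2: {0x2eef29585ec611e495c7406c8f39f47e, testdoc6} CRAM-MD5 authentication failed, SASL error -13 (password incorrect).
Apr 23 2015 16:30:02 100000us    AUTH2: {0x00000000000000000000000000000000, testdoc7} DIGEST-MD5 authentication succeeded.
"""

# pam_ldap bind failure as logged through syslog by sshd (assumed format).
PAM_BIND_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: '
    r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)'
)

# Password Service AUTH2 record: timestamp, microseconds, {slot id, user},
# SASL mechanism and result (assumed format, derived from the quoted lines).
PS_AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<usec>\d+)us\s+AUTH2:\s+'
    r'\{(?P<slot>0x[0-9a-fA-F]+), (?P<user>[^}]+)\} (?P<mech>\S+) authentication '
    r'(?P<result>succeeded|failed)'
)


def parse_pam_ldap(text):
    """Return one dict per pam_ldap bind failure, with the uid pulled out of the DN."""
    events = []
    for line in text.splitlines():
        m = PAM_BIND_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        uid = re.match(r'uid=([^,]+)', d['dn'])
        d['user'] = uid.group(1) if uid else None  # key used to join with the server log
        events.append(d)
    return events


def parse_password_service(text):
    """Return one dict per AUTH2 record in the Password Service log."""
    return [m.groupdict() for m in (PS_AUTH_RE.match(l) for l in text.splitlines()) if m]


def mechanism_summary(ps_events):
    """Count successes and failures per user and per SASL mechanism."""
    summary = defaultdict(lambda: defaultdict(lambda: {'succeeded': 0, 'failed': 0}))
    for e in ps_events:
        summary[e['user']][e['mech']][e['result']] += 1
    return {user: dict(mechs) for user, mechs in summary.items()}


def diagnose(user, pam_events, ps_events):
    """Classify one user's failures: a mechanism that never works while another
    one does is a client configuration problem, not a bad password."""
    client_failures = sum(1 for e in pam_events if e['user'] == user)
    failed = sorted({e['mech'] for e in ps_events if e['user'] == user and e['result'] == 'failed'})
    worked = sorted({e['mech'] for e in ps_events if e['user'] == user and e['result'] == 'succeeded'})
    if not failed and not worked and not client_failures:
        verdict = 'no-data'
    elif worked and failed and not set(worked) & set(failed):
        verdict = 'mechanism-mismatch'  # same account works elsewhere: check the client's auth method
    elif failed:
        verdict = 'credential-failure'  # every mechanism fails: password, lockout or policy
    else:
        verdict = 'ok'
    return {'user': user, 'client_bind_failures': client_failures,
            'failed_mechanisms': failed, 'working_mechanisms': worked, 'verdict': verdict}


if __name__ == '__main__':
    pam = parse_pam_ldap(CLIENT_SYSLOG)
    ps = parse_password_service(PASSWORD_SERVICE_LOG)
    for user in sorted({e['user'] for e in ps}):
        print(diagnose(user, pam, ps))
```

Run stand-alone it prints a `mechanism-mismatch` verdict for testdoc6 (failed only via CRAM-MD5, succeeded only via DIGEST-MD5) and `ok` for the control user; in practice you would feed it the real files and let the verdict decide whether to look at the client's pam_ldap/SASL settings or at the account itself.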
