Problems combining nss_ldap/pam_ldap with pam_mkhomedir in FreeBSD 7.0
Dmitriy Kirhlarov
dimma at higis.ru
Tue Mar 18 03:18:44 PDT 2008
Hi!
Daniel Bond wrote:
> # auth
...
This pam.d/ssh config is working fine for me:
# auth
auth            required        pam_nologin.so                  no_warn
auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so               no_warn allow_local
#auth           sufficient      pam_krb5.so                     no_warn try_first_pass
#auth           sufficient      pam_ssh.so                      no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so                     no_warn try_first_pass
# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so      ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so
# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so debug umask=0077 skel=/usr/local/share/skel
session         required        pam_permit.so
# password
#password       sufficient      pam_krb5.so                     no_warn try_first_pass
password        required        pam_unix.so                     no_warn try_first_pass
> I'm pretty sure my ldap.conf and nsswitch.conf are OK, but here they are
> anyway:
>
>
> /usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
> /usr/local/etc/ldap.conf -> openldap/ldap.conf
I'm not sure that is correct.
etc/ldap.conf and etc/openldap/ldap.conf are different files for
different purposes.
etc/nss_ldap.conf -> etc/ldap.conf is correct.
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> base dc=nsn, dc=no
> HOST 1.slave.1881.int.nsn.no master.1881.int.nsn.no
>
> port 389
> ldap_version 3
> bind_policy soft
^^^^^^^^^^^^^^^^^^
Try replacing it with
bind_policy hard
Developers don't like "soft". I don't know why, but it periodically
gets broken in new versions of nss_ldap (2 times in the last 3 years AFAIR).
I'm not sure about the current status. It must be tested.
Also try
echo "debug 9" >> /usr/local/etc/ldap.conf
For details see
slapd.conf(5) about loglevel
WBR.
Dmitriy
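As an added example, not part of Dmitriy's post and not code from FreeBSD or nss_ldap, here is a POSIX sh checker for the properties this thread turns on: pam_ldap listed before a required pam_unix in the auth stack, pam_ldap present in account, pam_mkhomedir in session with a restrictive umask, and bind_policy hard rather than soft in ldap.conf. The sample pam.d and ldap.conf contents, the temp directory and every function name below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD/nss_ldap: checks
# a pam.d service file and an nss_ldap/pam_ldap ldap.conf for the settings
# the thread above depends on. Sample inputs below are constructed.

# pam_stack TYPE FILE: print "control module args..." for one management
# group (auth/account/session/password) in stack order. Joins lines that end
# in a backslash, skips comments, and strips the module path so that
# /usr/local/lib/pam_ldap.so and pam_ldap.so compare equal.
pam_stack() {
    awk -v t="$1" '
        { line = line $0 }
        /\\$/ { sub(/\\$/, "", line); next }
        {
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t]+/); line = ""
            if (n < 3 || f[1] != t) next
            sub(/.*\//, "", f[3]); out = f[2] " " f[3]
            for (i = 4; i <= n; i++) out = out " " f[i]
            print out
        }' "$2"
}

# position MODULE STACK [CONTROL_RE]: 1-based index of MODULE in a pam_stack
# listing (optionally only where the control flag matches CONTROL_RE), 0 if absent.
position() {
    printf '%s\n' "$2" | awk -v m="$1" -v c="${3:-.}" \
        '$2 == m && $1 ~ c { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# module_arg MODULE KEY STACK: value of the KEY=value option passed to MODULE.
module_arg() {
    printf '%s\n' "$3" | awk -v m="$1" -v k="$2" \
        '$2 == m { for (i = 3; i <= NF; i++) if (index($i, k "=") == 1) print substr($i, length(k) + 2) }'
}

# bind_policy FILE: the (last) bind_policy value in ldap.conf, empty if unset.
bind_policy() { awk 'tolower($1) == "bind_policy" { v = $2 } END { print v }' "$1"; }

# check_ldap_pam PAMFILE LDAPCONF: print one line per finding; exit 0 only
# when nothing was found.
check_ldap_pam() {
    rc=0
    auth=$(pam_stack auth "$1"); account=$(pam_stack account "$1"); session=$(pam_stack session "$1")
    l=$(position pam_ldap.so "$auth"); u=$(position pam_unix.so "$auth" '^requi')
    if [ "$l" -eq 0 ]; then echo "auth: pam_ldap.so missing"; rc=1
    elif [ "$u" -ne 0 ] && [ "$l" -gt "$u" ]; then
        echo "auth: required pam_unix.so runs before pam_ldap.so, so LDAP-only users always fail"; rc=1
    fi
    [ "$(position pam_ldap.so "$account")" -ne 0 ] || { echo "account: pam_ldap.so missing"; rc=1; }
    if [ "$(position pam_mkhomedir.so "$session")" -eq 0 ]; then
        echo "session: pam_mkhomedir.so missing, no home directory is created at first login"; rc=1
    else
        um=$(module_arg pam_mkhomedir.so umask "$session")
        case "$um" in *77) ;; *) echo "session: pam_mkhomedir.so umask should be 0077 (got '$um')"; rc=1 ;; esac
    fi
    case "$(bind_policy "$2")" in
        hard) ;;
        soft) echo "ldap.conf: bind_policy soft, replace with hard"; rc=1 ;;
        *)    echo "ldap.conf: bind_policy not set explicitly"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample inputs (not real host files): a stack shaped like the one
# posted above, a broken one, and two ldap.conf fragments.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/sshd.good" <<'EOF'
# auth
auth     required   pam_nologin.so   no_warn
auth     sufficient pam_opie.so      no_warn no_fake_prompts
auth     sufficient /usr/local/lib/pam_ldap.so no_warn \
                                     try_first_pass
auth     required   pam_unix.so      no_warn try_first_pass
account  required   pam_login_access.so
account  required   /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account  required   pam_unix.so
session  required   /usr/local/lib/pam_mkhomedir.so umask=0077 skel=/usr/local/share/skel
session  required   pam_permit.so
password required   pam_unix.so      no_warn try_first_pass
EOF
cat > "$SAMPLES/sshd.bad" <<'EOF'
auth     required   pam_unix.so      no_warn try_first_pass
auth     sufficient pam_ldap.so      no_warn try_first_pass
account  required   pam_unix.so
session  required   pam_permit.so
EOF
printf 'base dc=example,dc=org\nbind_policy hard\n' > "$SAMPLES/ldap.good"
printf 'base dc=example,dc=org\nbind_policy soft\n' > "$SAMPLES/ldap.bad"

echo "== sshd.good / ldap.good =="; check_ldap_pam "$SAMPLES/sshd.good" "$SAMPLES/ldap.good" && echo "no findings"
echo "== sshd.bad / ldap.bad ==";   check_ldap_pam "$SAMPLES/sshd.bad" "$SAMPLES/ldap.bad" || echo "exit status 1"
```

The ordering check is the one that bites in practice: a `required` pam_unix.so placed before pam_ldap.so makes every LDAP-only login fail even though pam_ldap succeeds, because a required failure is remembered to the end of the stack. Point the script at /etc/pam.d/sshd and /usr/local/etc/ldap.conf on a real host and read its output before digging into nss_ldap debug logs.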