Problems combining nss_ldap/pam_ldap with pam_mkhomedir in FreeBSD 7.0

Dmitriy Kirhlarov dimma at higis.ru
Tue Mar 18 03:18:44 PDT 2008 

Hi!

Daniel Bond wrote:
> # auth
...

This pam.d/ssh config working fine for me:

# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn 
no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn 
try_first_pass
#auth           sufficient      pam_ssh.so              no_warn 
try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn 
try_first_pass
auth            required        pam_unix.so             no_warn 
try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so 
ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so  debug 
umask=0077 skel=/usr/local/share/skel
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn 
try_first_pass
password        required        pam_unix.so             no_warn 
try_first_pass

> I'm pretty sure my ldap.conf and nsswitch.conf are OK, but here they are
> anyway:
> 
> 
> /usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
> /usr/local/etc/ldap.conf -> openldap/ldap.conf

I'm not sure is it correct.
etc/ldap.conf and etc/openldap/ldap.conf -- different files for 
different purposes.
etc/nss_ldap.conf -> etc/ldap.conf -- it's correct.

> # LDAP Defaults
> #
> 
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> 
> base    dc=nsn, dc=no
> HOST    1.slave.1881.int.nsn.no master.1881.int.nsn.no
> 
> port 389
> ldap_version 3
> bind_policy soft
^^^^^^^^^^^^^^^^^^

Try replace to
bind_policy hard

Developers doesn't like "soft". I don't know why, but it periodically 
it's broken in new versions nss_ldap (2 time for last 3 years AFAIR). 
I'm not sure about current status. It must be tested.

Also try

echo "debug 9" >> /usr/local/etc/ldap.conf

For details see
slapd.conf(5) about loglevel

WBR.
Dmitriy

More information about the freebsd-stable mailing list