On 23-May-06, at 8:48 PM, Atom Powers wrote:

On 5/23/06, Jason Lixfeld <jason+lists.freebsd- [EMAIL PROTECTED]> wrote:
I'm using openssh-portable and the latest versions of openldap,
pam_ldap and nss_ldap.  It appears as though the system is using

I'm not using ssh-portable, but I have it working with the built-in ssh.

built-in works? Interesting. Reason I'm using -portable was because I read that the built-in ssh didn't support PAM.

I will try the built-in and see what happens.

user password, even after I enter it in.  I tried putting the
pam_ldap lib in the password section of the /etc/pam.d/sshd file, but
that was useless too.  Local users can ssh in fine.

The pam.d config would be my first guess. What gets logged to all.log?

I have no all.log currently. The only thing showing up in messages though is:

May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP server - Server is unavailable

That error seems to creep up only when I restart slapd though.

I searched through the bugs and it seems there is a bug in nss_ldap
with regards to getpwuid, but that seems to be more if an indicator
about why finger doesn't work, not why ssh does't work

# id testuser seems to work, finger doesn't.  Curious.  Anyway, it
still appears as though at least some portions of the system are
using LDAP, which is good.
$ id testuser
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
$ finger testuser
finger: testuser: no such user

id works because it's using the name service to look up the user (you
added ldap to your nsswitch.conf, right?)

finger doesn't work because you don't have a /etc/pam.d/finger file.
Either create one or add pam_ldap to your /etc/pam.d/system file. (I
always create a new conf file for my ldap enabled apps)

Interesting. Finger *did* work during some of my first attempts at getting this working. I changed something (I don't recall what) and then finger stopped working.

Here is my /etc/pam.d/sshd file, I use the exact same file for all my
ldap enabled apps.:
(if somebody sees a bug in there, or can suggest any improvement, by
all means let me know.)

# auth
auth            sufficient      /usr/local/lib/pam_ldap.so
auth            required        pam_nologin.so          no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass

# account
account         sufficient      /usr/local/lib/pam_ldap.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass

This seems to all work now with built-in ssh.  How strange.

Now, I seem to have hit another snag and a bug (Both of which I remember reading about this in my travels:)

$id testuser
id: testuser: no such user
# sudo su
# id testuser
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
# cd ~testuser
# pwd
%id testuser
id: testuser: no such user
%ls -al
Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] != NULL), function do_init, file ldap-nss.c, line 1193.
Abort (core dumped)

Perfection is just a word I use occasionally with mustard.
--Atom Powers--

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to