Hi!

Daniel Bond wrote:
# auth
...

This pam.d/ssh config is working fine for me:

# auth
auth            required        pam_nologin.so          no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so debug umask=0077 skel=/usr/local/share/skel
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

I'm pretty sure my ldap.conf and nsswitch.conf are OK, but here they are
anyway:


/usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
/usr/local/etc/ldap.conf -> openldap/ldap.conf

I'm not sure if it is correct.
etc/ldap.conf and etc/openldap/ldap.conf -- different files for different purposes.
etc/nss_ldap.conf -> etc/ldap.conf -- it's correct.

# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

base    dc=nsn, dc=no
HOST    1.slave.1881.int.nsn.no master.1881.int.nsn.no

port 389
ldap_version 3
bind_policy soft
^^^^^^^^^^^^^^^^^^

Try replacing it with
bind_policy hard

Developers don't like "soft". I don't know why, but periodically it's broken in new versions of nss_ldap (2 times in the last 3 years AFAIR). I'm not sure about the current status. It must be tested.

Also try

echo "debug 9" >> /usr/local/etc/ldap.conf

For details see
slapd.conf(5) about loglevel

WBR.
Dmitriy
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"