Running FreeBSD 6.2 Stable.
We have OpenLDAP installed on a server called access1. Users on access1
appear to not be able to ssh to access1. The ssh authentication method
uses PAM ldap. PAM_ldap reports "Invalid credentials" in /var/log/messages.
We have another server called access2 that authenticates to the ldap
server running on access1. Those users log in via ssh without issue on
access2.
I am trying to track down what is broken. I am not even sure how to
receive verbose logging from PAM and/or PAM_ldap. Any assistance is
much appreciated.
Aug 9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)
Related rc.conf lines on access1:
slapd_enable="YES"
slapd_flags='-h "ldapi:///var/run/openldap/ldapi/ ldap://0.0.0.0/"; -f /usr/local/etc/openldap/slapd.conf'
slapd_sockets="/var/run/openldap/ldapi"
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"
access1# cat /etc/pam.d/ldap
# debug
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $ debug
# debug
# PAM configuration for the "sshd" service debug
# debug
# auth debug
auth        sufficient  /usr/local/lib/pam_ldap.so no_warn try_first_pass debug
auth        required    pam_nologin.so no_warn debug
auth        sufficient  pam_opie.so no_warn no_fake_prompts debug
auth        requisite   pam_opieaccess.so no_warn allow_local debug
#auth       sufficient  pam_krb5.so no_warn try_first_pass debug
#auth       sufficient  pam_ssh.so no_warn try_first_pass debug
auth        required    pam_unix.so no_warn try_first_pass debug
# account debug
#account    required    pam_krb5.so debug
account     required    pam_login_access.so debug
account     required    pam_unix.so debug
# session debug
#session    optional    pam_ssh.so debug
session     required    /usr/local/lib/pam_mkhomedir.so
#session    required    /usr/local/lib/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug
session     required    pam_permit.so debug
# password debug
#password   sufficient  pam_krb5.so no_warn try_first_pass debug
password    required    pam_unix.so no_warn try_first_pass debug
access1
[EMAIL PROTECTED] ~]$ pkg_info | grep pam
checkpassword-pam-0.99 Implementation of checkpassword authentication program
nagios-spamd-plugin-1.4 Nagios plugin for checking SpamAssassins spamd
p5-Mail-SpamAssassin-3.2.1_1 A highly efficient mail filter for identifying spam
pam_ldap-1.8.2 A pam module for authenticating with LDAP
pam_mkhomedir-0.1 Create HOME with a PAM module on demand
pamtester-0.1.2 A command line pam authentication tester
razor-agents-2.84 A distributed, collaborative, spam detection and filtering
[EMAIL PROTECTED] ~]$ pkg_info | grep ldap
ldapsh-2.00_2,1 Interactive shell used to administer ldap directories
nss_ldap-1.255 RFC 2307 NSS module
openldap-client-2.3.37 Open source LDAP client implementation
openldap-server-2.3.37 Open source LDAP server implementation
p5-perl-ldap-0.34 A Client interface to LDAP servers
pam_ldap-1.8.2 A pam module for authenticating with LDAP
php5-ldap-5.2.3_1 The ldap shared extension for php
[EMAIL PROTECTED] ~]$ pkg_info | grep nss
nss-3.11.7 Libraries to support development of security-enabled applic
nss_ldap-1.255 RFC 2307 NSS module
openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
openssl-0.9.8e_1 SSL and crypto library
php5-openssl-5.2.3_1 The openssl shared extension for php
py25-openssl-0.6 Python interface to the OpenSSL library
[EMAIL PROTECTED] ~]$
access2 files
[EMAIL PROTECTED] ~]$ pkg_info | grep pam
pam_ldap-1.8.2 A pam module for authenticating with LDAP
pam_mkhomedir-0.1 Create HOME with a PAM module on demand
pamtester-0.1.2 A command line pam authentication tester
[EMAIL PROTECTED] ~]$ pkg_info | grep ldap
nss_ldap-1.255 RFC 2307 NSS module
openldap-client-2.3.37 Open source LDAP client implementation
openldap-server-2.3.37 Open source LDAP server implementation
pam_ldap-1.8.2 A pam module for authenticating with LDAP
[EMAIL PROTECTED] ~]$ pkg_info | grep nss
nss_ldap-1.255 RFC 2307 NSS module
openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
[EMAIL PROTECTED] ~]$
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
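Added example, not part of the original post: a small Python parser for the pam_ldap bind-error line quoted in the message, grouping failures by host and bind DN so that failures covering every DN on one host (as described for access1) stand apart from a single failing account. The function names are hypothetical, and every sample line except the first (the wrapped line from the post) is constructed.

```python
import re
from collections import defaultdict

# Line shape copied from the pam_ldap error quoted in the post.
BIND_ERROR = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+'
    r'(?P<proc>[\w./-]+)\[(?P<pid>\d+)\]:\s+pam_ldap: error trying to bind as\s+'
    r'user "(?P<dn>[^"]*)"\s+\((?P<reason>[^)]*)\)$'
)
STARTS = re.compile(r'^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s')

def unwrap(lines):
    """Re-join mail-wrapped syslog lines: a line that does not begin with a
    syslog timestamp is appended to the previous line."""
    out = []
    for line in lines:
        line = line.strip()
        if STARTS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def bind_failures(lines):
    """Return {host: {bind_dn: [reason, ...]}} for pam_ldap bind errors."""
    result = defaultdict(lambda: defaultdict(list))
    for line in unwrap(lines):
        m = BIND_ERROR.match(line)
        if m:
            result[m["host"]][m["dn"]].append(m["reason"])
    return {host: dict(dns) for host, dns in result.items()}

# Sample input: entries 1-2 are the wrapped line from the post; the rest are constructed.
SAMPLE = [
    'Aug 9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as',
    'user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)',
    'Aug 9 10:18:03 access1 sshd[91902]: pam_ldap: error trying to bind as '
    'user "cn=Other User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)',
    'Aug 9 10:18:40 access2 sshd[4411]: Accepted keyboard-interactive/pam '
    'for otheruser from 192.0.2.10 port 50122 ssh2',
]

if __name__ == "__main__":
    for host, dns in bind_failures(SAMPLE).items():
        for dn, reasons in dns.items():
            print(host, dn, len(reasons), reasons[-1])
```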