Re: Issues while authenticating a user over openLDAP using PAM_ldap [cured]

2007-08-09 Thread Noah

see below

Andy Harrison wrote:

> On 8/9/07, Noah wrote:
> > running FreeBSD 6.2 Stable
> >
> > we have openLDAP installed on a server called access1.  Users on access1
> > appear to not be able to ssh to access1.  The ssh authentication method
> > uses PAM ldap.  PAM_ldap reports "Invalid credentials" in /var/log/messages
> >
> > We have another server called access2 that authenticates to the ldap
> > server running on access1.  those users log in via ssh without issue on
> > access2.
> >
> > I am trying to track down what is broken.  I am not even sure how to
> > receive verbose logging from PAM and/or PAM_ldap.  Any assistance is
> > much appreciated.
>
> What about your nsswitch.conf file?




thanks Andy - that was it!

I matched the lines of access1's nsswitch.conf to access2's nsswitch.conf file
and things are fine!

- --
Andy Harrison
public key: 0x67518262
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
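
The fix reported in the message above was to match access1's nsswitch.conf to access2's. As an added example (not part of the original thread), this sh script compares two nsswitch.conf files database by database; the function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the per-database source lists of two nsswitch.conf
# files, e.g. one from a host where logins work and one where they fail.

# Print "database<TAB>sources" per entry: comments stripped, whitespace
# normalized, sorted by database name.
nss_normalize() {
    sed -e 's/#.*//' "$1" | awk '
        index($0, ":") {
            db = substr($0, 1, index($0, ":") - 1); gsub(/[ \t]/, "", db)
            src = substr($0, index($0, ":") + 1)
            gsub(/[ \t]+/, " ", src); sub(/^ /, "", src); sub(/ $/, "", src)
            if (db != "") print db "\t" src
        }' | sort
}

# Print one line per database whose sources differ, as
# "database: <sources in $1> | <sources in $2>". Returns 1 if any differ.
nss_compare() {
    a=$(mktemp) && b=$(mktemp) || return 2
    nss_normalize "$1" > "$a"; nss_normalize "$2" > "$b"
    out=$(awk -F'\t' '
        side == "L" { left[$1] = $2 }
        side == "R" { right[$1] = $2 }
        { seen[$1] = 1 }
        END {
            for (db in seen) {
                l = (db in left) ? left[db] : "(unset)"
                r = (db in right) ? right[db] : "(unset)"
                if (l != r) printf "%s: %s | %s\n", db, l, r
            }
        }' side=L "$a" side=R "$b" | sort)
    rm -f "$a" "$b"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample files; the thread does not show either host's real file.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf 'group: compat\ngroup_compat: nis\nhosts: files dns\npasswd: compat\npasswd_compat: nis\n' > "$tmp/access1.conf"
printf '# LDAP-enabled\ngroup:  files ldap\nhosts:\tfiles dns   # local first\npasswd: files ldap\n' > "$tmp/access2.conf"

nss_compare "$tmp/access1.conf" "$tmp/access2.conf" || echo "nsswitch.conf files differ"
```

Entries that differ only in whitespace or comments (the `hosts` line in the sample) are not reported.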



Re: Issues while authenticating a user over openLDAP using PAM_ldap

2007-08-09 Thread Andy Harrison
On 8/9/07, Noah  wrote:
> running FreeBSD 6.2 Stable
>
> we have openLDAP installed on a server called access1.  Users on access1
> appear to not be able to ssh to access1.  The ssh authentication method
> uses PAM ldap.  PAM_ldap reports "Invalid credentials" in /var/log/messages
>
> We have another server called access2 that authenticates to the ldap
> server running on access1.  those users log in via ssh without issue on
> access2.
>
> I am trying to track down what is broken.  I am not even sure how to
> receive verbose logging from PAM and/or PAM_ldap.  Any assistance is
> much appreciated.
>
>

What about your nsswitch.conf file?

- --
Andy Harrison
public key: 0x67518262


Issues while authenticating a user over openLDAP using PAM_ldap

2007-08-09 Thread Noah

running FreeBSD 6.2 Stable

we have openLDAP installed on a server called access1.  Users on access1
appear to not be able to ssh to access1.  The ssh authentication method
uses PAM ldap.  PAM_ldap reports "Invalid credentials" in /var/log/messages

We have another server called access2 that authenticates to the ldap
server running on access1.  those users log in via ssh without issue on
access2.

I am trying to track down what is broken.  I am not even sure how to
receive verbose logging from PAM and/or PAM_ldap.  Any assistance is
much appreciated.




Aug  9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user "cn=Test User,cn=people,dc=blah,dc=blah,dc=com" (Invalid credentials)

related rc.conf lines on access1:
slapd_enable="YES"
slapd_flags='-h "ldapi:///var/run/openldap/ldapi/ ldap://0.0.0.0/"; -f /usr/local/etc/openldap/slapd.conf'
slapd_sockets="/var/run/openldap/ldapi"
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"


access1# cat /etc/pam.d/ldap
# debug
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $ debug
# debug
# PAM configuration for the "sshd" service debug
# debug

# auth debug

auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass debug
auth        required    pam_nologin.so              no_warn debug
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts debug
auth        requisite   pam_opieaccess.so           no_warn allow_local debug
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass debug
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass debug
auth        required    pam_unix.so                 no_warn try_first_pass debug

# account debug
#account    required    pam_krb5.so                 debug
account     required    pam_login_access.so         debug
account     required    pam_unix.so                 debug

# session debug
#session    optional    pam_ssh.so                  debug
session     required    /usr/local/lib/pam_mkhomedir.so
#session    required    /usr/local/lib/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug
session     required    pam_permit.so               debug

# password debug
#password   sufficient  pam_krb5.so                 no_warn try_first_pass debug
password    required    pam_unix.so                 no_warn try_first_pass debug


access1
[EMAIL PROTECTED] ~]$ pkg_info | grep pam
checkpassword-pam-0.99 Implementation of checkpassword authentication program
nagios-spamd-plugin-1.4 Nagios plugin for checking SpamAssassins spamd
p5-Mail-SpamAssassin-3.2.1_1 A highly efficient mail filter for identifying spam
pam_ldap-1.8.2  A pam module for authenticating with LDAP
pam_mkhomedir-0.1   Create HOME with a PAM module on demand
pamtester-0.1.2 A command line pam authentication tester
razor-agents-2.84   A distributed, collaborative, spam detection and filtering
[EMAIL PROTECTED] ~]$ pkg_info | grep ldap
ldapsh-2.00_2,1 Interactive shell used to administer ldap directories
nss_ldap-1.255  RFC 2307 NSS module
openldap-client-2.3.37 Open source LDAP client implementation
openldap-server-2.3.37 Open source LDAP server implementation
p5-perl-ldap-0.34   A Client interface to LDAP servers
pam_ldap-1.8.2  A pam module for authenticating with LDAP
php5-ldap-5.2.3_1   The ldap shared extension for php
[EMAIL PROTECTED] ~]$ pkg_info | grep nss
nss-3.11.7  Libraries to support development of security-enabled applic
nss_ldap-1.255  RFC 2307 NSS module
openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
openssl-0.9.8e_1 SSL and crypto library
php5-openssl-5.2.3_1 The openssl shared extension for php
py25-openssl-0.6 Python interface to the OpenSSL library
[EMAIL PROTECTED] ~]$


access2 files
[EMAIL PROTECTED] ~]$ pkg_info | grep pam
pam_ldap-1.8.2  A pam module for authenticating with LDAP
pam_mkhomedir-0.1   Create HOME with a PAM module on demand
pamtester-0.1.2 A command line pam authentication tester
[EMAIL PROTECTED] ~]$ pkg_info | grep ldap
nss_ldap-1.255  RFC 2307 NSS module
openldap-client-2.3.37 Open source LDAP client implementation
openldap-server-2.3.37 Open source LDAP server implementation
pam_ldap-1.8.2  A pam module for authenticating with LDAP
[EMAIL PROTECTED] ~]$ pkg_info | grep nss
nss_ldap-1.255  RFC 2307 NSS module
openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
[EMAIL PROTECTED] ~]$


