[SOLVED] Upgrade to 8.3 broke pam_ldap

2012-09-16 Thread Olivier Nicole
Hi,

I did it...

 After upgrading from 7.3 to 8.3 pam_ldap stopped working.
 
 LDAP server has been running on a different machine for ages, it is
 still running.
 
 Connection to the server is still there: when I enter a wrong password
 I get a distinct error message.
 
 When I enter the correct password, I get: 
 
   Sep 11 18:05:00 ufo2 login: pam_acct_mgmt(): error in service module
 
 I recompiled openldap_client, pam_ldap and nss_ldap, but to no avail.

Stupid mistake, when I upgraded I erased the modified contents of 
/etc/nss_switch.conf

Olivier
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Upgrade to 8.3 broke pam_ldap

2012-09-11 Thread Olivier Nicole
Hi,

After upgrading from 7.3 to 8.3 pam_ldap stopped working.

LDAP server has been running on a different machine for ages, it is
still running.

Connection to the server is still there: when I enter a wrong password
I get a distinct error message.

When I enter the correct password, I get: 

  Sep 11 18:05:00 ufo2 login: pam_acct_mgmt(): error in service module

I recompiled openldap_client, pam_ldap and nss_ldap, but to no avail.

Any help is most welcome.

Best regards,

Olivier


Optimizing pam_ldap and nss_ldap

2011-04-07 Thread c0re
Hello freebsd users!

I've got OpenLDAP 2.4.23, used as the authentication and authorization
server for about 40-50 servers.
OS - FreeBSD 8.1.

It's not heavy loaded.

openldap# top -SP
last pid: 45647;  load averages:  0.15,  0.15,  0.07

up 81+22:29:21  15:18:57
99 processes:  3 running, 80 sleeping, 16 waiting
CPU 0:  0.7% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.3% idle
CPU 1:  0.4% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.9% idle
Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
Swap: 4060M Total, 8K Used, 4060M Free

  PID USERNAME   THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
   11 root         2 171 ki31     0K    32K CPU0    0 3874.8 200.00% idle
 4773 ldap        18  44    0   398M 53748K ucond   1  41.1H  0.00% slapd

But on my servers sometimes I see in logs something like

on FTP-server:
Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server -
Server is unavailable

Authentication works fine, no problems. But I want to find out what can be
wrong.

To understand this problem I installed the ldap-stats utility and ran it:

/var/log/debug.log - it is half a day of OpenLDAP server usage log.

openldap# ldap-stats -c 1000 /var/log/debug.log


Report Generated on Tue Apr  5 15:16:47 2011

Processed /var/log/debug.log:  Apr  5 00:00:00 - Apr  5 15:17:33


Operation totals

Total operations  : 913845
Total connections : 101226
Total authentication failures : 2
Total binds   : 99700
Total unbinds : 99181
Total searches: 714964
Total compares: 7
Total modifications   : 0
Total modrdns : 0
Total additions   : 0
Total deletions   : 0
Unindexed attribute requests  : 0
Operations per connection : 9.03


# Uses   Filter
-------  ------
 615504  (&(objectClass=posixAccount)(uid=mailer-daemon))
  90699  (&(objectClass=posixGroup))
   6833  (&(objectClass=posixAccount)(uid=root))
   2236  (&(objectClass=posixAccount)(uid=hiddenuser1))
    669  (&(objectClass=posixGroup)(memberUid=root))
    318  (&(objectClass=posixAccount)(uid=testacc))
     87  (&(objectClass=posixGroup)(memberUid=postfix))
     87  (&(objectClass=posixAccount)(uid=postfix))
     81  (objectClass=posixAccount)
     68  (&(objectClass=posixAccount)(uid=debian-exim))
     68  (&(objectClass=posixGroup)(memberUid=Debian-exim))
     39  (&(objectClass=posixAccount)(uid=normaluser))
     34  (&(objectClass=posixAccount)(uidNumber=7333))
     30  (&(objectClass=posixGroup)(memberUid=hiddenuser1))
     29  (&(objectClass=posixGroup)(memberUid=chelovek))
     29  (&(objectClass=posixAccount)(uid=chelovek))
     27  (&(objectClass=posixAccount)(uid=user0))
     23  (&(objectClass=posixAccount)(uid=nobody))
     21  (&(objectClass=posixAccount)(uid=user1))
     18  (&(objectClass=posixAccount)(uid=user2))
     16  (&(objectClass=posixAccount)(uid=user3))
     15  (&(objectClass=posixAccount)(uid=user4))
     12  (&(objectClass=posixAccount)(uid=user5))
     11  (&(objectClass=posixAccount)(uidNumber=7330))
     10  (&(objectClass=posixAccount)(uid=user15))
      9  (&(objectClass=posixAccount)(uid=user16))
      8  (&(objectClass=posixAccount)(uidNumber=7333))
      6  (&(objectClass=posixAccount)(uid=user6))
      5  (&(objectClass=posixAccount)(uid=user7))
      5  (cn=defaults)
      4  (&(objectClass=posixAccount)(uidNumber=7228))
      4  (&(objectClass=shadowAccount)(uid=user1))
      4  (&(objectClass=posixAccount)(uid=user9))
      4  (&(objectClass=posixAccount)(uid=user10))
      4  (&(objectClass=posixAccount)(uid=user11))
      3  (&(objectClass=posixAccount)(uid=user12))
      3  (&(objectClass=posixAccount)(uid=user13))
      3  (&(objectClass=posixAccount)(uid=user14))
...
and MANY others that have 1 use in these stats.
I think these many queries come from the mail relay server.
* user1 etc. - users that were relayed, like us...@domain.com in the rcpt to
field of the email at the mail relay.

What can I do to tune nss? Can you point me in the right direction? There are
too many unneeded nss requests to LDAP (when an email is received and then
relayed somewhere).
I do not know what to look at.
If you need any additional information, logs etc., I'll provide it.

Thanks in advance!
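The ldap-stats report above counts filters but does not say which client sent them, which is the question the poster is really asking. Added example (my code, not the ldap-stats tool nor anything posted in the thread): a small Python aggregator that reads slapd lines written at loglevel stats, totals connections, binds, unbinds and searches the way ldap-stats does, and additionally attributes each SRCH filter to the client address taken from the connection's ACCEPT line. The mapping is dropped when the connection is logged as closed, so a reused conn id is not mis-attributed to an earlier client. The lines in SAMPLE_LOG are constructed.

```python
"""Aggregate OpenLDAP loglevel-stats lines by filter and by client address.
Added example; the sample log below is constructed, not from the thread."""

import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample in slapd's stats log format (hosts and IPs invented).
SAMPLE_LOG = """\
Apr  5 00:00:01 openldap slapd[4773]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Apr  5 00:00:01 openldap slapd[4773]: conn=1000 op=0 BIND dn="" method=128
Apr  5 00:00:01 openldap slapd[4773]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
Apr  5 00:00:01 openldap slapd[4773]: conn=1000 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
Apr  5 00:00:02 openldap slapd[4773]: conn=1001 fd=13 ACCEPT from IP=192.0.2.20:40001 (IP=0.0.0.0:389)
Apr  5 00:00:02 openldap slapd[4773]: conn=1001 op=0 BIND dn="" method=128
Apr  5 00:00:02 openldap slapd[4773]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=root))"
Apr  5 00:00:03 openldap slapd[4773]: conn=1000 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
Apr  5 00:00:03 openldap slapd[4773]: conn=1000 op=4 UNBIND
Apr  5 00:00:03 openldap slapd[4773]: conn=1000 fd=12 closed
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r"conn=\d+ op=\d+ BIND ")
UNBIND_RE = re.compile(r"conn=\d+ op=\d+ UNBIND")
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH .* filter="([^"]*)"')
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed")


def parse_stats_log(lines: Iterable[str]) -> Dict[str, Counter]:
    """Return totals, per-filter counts and per-(client, filter) counts."""
    conn_ip: Dict[str, str] = {}      # live conn id -> client address
    totals: Counter = Counter()
    filters: Counter = Counter()
    by_client: Counter = Counter()
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)   # conn ids are reused, so (re)bind here
            totals["connections"] += 1
            continue
        if BIND_RE.search(line):
            totals["binds"] += 1
            continue
        if UNBIND_RE.search(line):
            totals["unbinds"] += 1
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, flt = m.groups()
            totals["searches"] += 1
            filters[flt] += 1
            by_client[(conn_ip.get(conn, "unknown"), flt)] += 1
            continue
        m = CLOSED_RE.search(line)
        if m:
            conn_ip.pop(m.group(1), None)      # forget the mapping on close
    return {"totals": totals, "filters": filters, "by_client": by_client}


def noisiest_clients(summary: Dict[str, Counter], top: int = 3) -> List[Tuple[str, int]]:
    """Clients ranked by the number of searches they issued."""
    per_ip: Counter = Counter()
    for (ip, _flt), n in summary["by_client"].items():
        per_ip[ip] += n
    return per_ip.most_common(top)


if __name__ == "__main__":
    summary = parse_stats_log(SAMPLE_LOG.splitlines())
    print("Operation totals:", dict(summary["totals"]))
    print("Top filters:")
    for flt, n in summary["filters"].most_common(5):
        print(f"  {n:7d}  {flt}")
    print("Noisiest clients:", noisiest_clients(summary))
```

Running it on a real /var/log/debug.log (or whatever file slapd's stats loglevel is sent to) names the host behind the 615504 mailer-daemon lookups, which is the first step before deciding where to add caching.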


RE: Optimizing pam_ldap and nss_ldap

2011-04-07 Thread Michael J. Kearney

Don't know ... I couldn't ever get pam_ldap to work. It was caught in a 
permanent wait state. The ldap server NEVER replied.


Computer Assistant
Nvita.org
12400 Midsummer Ln, Suite 201A
Woodbridge, VA 22192
Phone - (202) 455-9065
Web - http://www.nvita.org/free-shells.aspx



-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of c0re
Sent: Thursday, April 07, 2011 1:38 AM
To: FreeBSD
Subject: Optimizing pam_ldap and nss_ldap


Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

2011-03-19 Thread O. Hartmann

On 03/18/11 17:02, Dan Nelson wrote:

In the last episode (Mar 18), O. Hartmann said:

I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
UBUNTU 10.10 server (using openldap 2.4.23).

Most of the installation on the Ubuntu server has been successfully done
(I'm not familiar with Linux, but it seems that things like pam and ldap
are quite similar to FreeBSD's installation).

  From the Linux/Ubuntu server, I'm able to get all users and groups via
'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed
user is successful.

But when it comes to a login via sshd, login fails with this error
(logged on Linux Ubuntu in /var/log/auth.log):

Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 
192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user 
uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)


Confidentiality required means that the server is refusing to authenticate
over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
pam ldap.conf, either change your uri lines to ldaps:// or add the line
ssl on) and see if that works.



Well,
I tried several things now and I do not understand this world anymore :-(

In short again: The conceptual setup I use is a working concept 
within all FreeBSD boxes around here authenticating users via our 
OpenLDAP server, also run by FreeBSD (8.2-STABLE/amd64).


On the Linux/Ubuntu 10.10 server I tried the following:

ldapsearch:
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: TLS confidentiality required

ldapsearch -xZ:
...listing of the DIT of the LDAP server

looking up a user ID definitely within the DIT: positive response from 
the LDAP server.


I also can obtain passwd/group information via
getent passwd/group.

I also checked the connection to the LDAP server with the SSL credentials by

openssl s_client -connect LDAPserver:636 -showcerts

and receive a lot of information
CONNECTED(0003)
depth=1 /C [...]

verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=DE/ST [...]
-BEGIN CERTIFICATE-
MIIDljCCAv+gAwIBA [...]
-END CERTIFICATE-
 1 s:/C [...]
i:/C=DE [...]
-BEGIN CERTIFICATE-
MIIDojCC[...]
-END CERTIFICATE-
---
Server certificate
subject=/C [...]
issuer=/C [...]
---
No client certificate CA names sent
---
SSL handshake has read 2175 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: AES256-SHA
Session-ID: 
2FCAD4AAFD18AD13013AE6A8BFF872036DAC94174F0DE626E8FF0C7F98FC7EE3

Session-ID-ctx:
Master-Key: X
Key-Arg   : None
TLS session ticket:
 - b5 48 c7 cc 09 99 fb a5-0e 1e 75 1b 4f aa a1 69 
.Hu.O..i

0010 - 37 a5 4f c7 [...]
Start Time: 1300547707
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---


I guess this signals that everything is all right with the certificate 
connecting via SSL/TLS.


I'm not familiar with Linux/Ubuntu's PAM setup, the setup has been done 
via apt-get/installation of the appropriate tools and facilities (ldap, 
pam_ldap, nss_ldap). I've no idea what's going wrong ...


There is also some kind of weirdness around here. While logging in via ssh 
(or rather: trying to log in via ssh), I received this:


Mar 19 16:44:39 freyja sshd[1625]: Did not receive identification string 
from 125.88.109.121
Mar 19 16:44:40 freyja sshd[1623]: Failed password for ohartmann from 
XXX.XXX.XXX.XXX port 52686 ssh2
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session 
opened for user root by (uid=0)
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session 
closed for user root


IP 125.88.109.121 is located in China (server details: IP address
125.88.109.121; server location: Guangzhou, Guangdong in China; ISP:
ChinaNet Guangdong Province Network).


Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

2011-03-19 Thread O. Hartmann

On 03/18/11 17:02, Dan Nelson wrote:

In the last episode (Mar 18), O. Hartmann said:

I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
UBUNTU 10.10 server (using openldap 2.4.23).

Most of the installation on the Ubuntu server has been successfully done
(I'm not familiar with Linux, but it seems that things like pam and ldap
are quite similar to FreeBSD's installation).

  From the Linux/Ubuntu server, I'm able to get all users and groups via
'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed
user is successful.

But when it comes to a login via sshd, login fails with this error
(logged on Linux Ubuntu in /var/log/auth.log):

Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 
192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user 
uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)


Confidentiality required means that the server is refusing to authenticate
over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
pam ldap.conf, either change your uri lines to ldaps:// or add the line
ssl on) and see if that works.



I managed it!

My FreeBSD OpenLDAP server has had in its config DIT (cn=config) the 
following entries, which seem to confuse Linux (but not the FreeBSD 
clients, no matter why):


olcSecurity: simple_bind=256

After reducing this security strength value down to

olcSecurity: simple_bind=128

everything works fine so far.

At the moment, I have no explanation for this. Either FreeBSD clients 
are always binding with a higher security strength level or ignoring this.


Thanks,

Oliver


User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

2011-03-18 Thread O. Hartmann

Hello.
I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent 
OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for 
an UBUNTU 10.10 server (using openldap 2.4.23).


Most of the installation on the Ubuntu server has been successfully done 
(I'm not familiar with Linux, but it seems that things like pam and ldap 
are quite similar to FreeBSD's installation).


From the Linux/Ubuntu server, I'm able to get all users and groups via
'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed 
user is successful.


But when it comes to a login via sshd, login fails with this error 
(logged on Linux Ubuntu in /var/log/auth.log):


Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 
192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as 
user uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality 
required)
Mar 18 12:01:25 freyja sshd[26854]: Failed password for testuser from 
192.168.0.128 port 54156 ssh2


I'm able to login from other systems (FreeBSD 9 and 8) via this specific 
 OpenLDAP server.


Does anyone have a clue?

Please set me CC, I'm not subscribed to this list.

Thanks in advance and regards,
Oliver



Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

2011-03-18 Thread Dan Nelson
In the last episode (Mar 18), O. Hartmann said:
 I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
 OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
 UBUNTU 10.10 server (using openldap 2.4.23).
 
 Most of the installation on the Ubuntu server has been successfully done
 (I'm not familiar with Linux, but it seems that things like pam and ldap
 are quite similar to FreeBSD's installation).
 
  From the Linux/Ubuntu server, I'm able to get all users and groups via
 'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed
 user is successful.
 
 But when it comes to a login via sshd, login fails with this error 
 (logged on Linux Ubuntu in /var/log/auth.log):
 
 Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 
 192.168.0.128 port 40734 ssh2
 Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user 
 uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)

Confidentiality required means that the server is refusing to authenticate
over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
pam ldap.conf, either change your uri lines to ldaps:// or add the line
ssl on) and see if that works.

-- 
Dan Nelson
dnel...@allantgroup.com
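Dan Nelson's reply above explains the "Confidentiality required" result as the server refusing a password bind over a session that is not encrypted strongly enough, and O. Hartmann's later message in this thread resolves it by lowering olcSecurity from simple_bind=256 to simple_bind=128. Added example (my code, a simplified model rather than slapd's own logic) tying the two together: OpenLDAP derives the TLS security strength factor (SSF) from the key size of the negotiated cipher, so a server demanding simple_bind=256 admits a password bind over AES256-SHA (the cipher the s_client run in the thread negotiated) but refuses one over a 128-bit suite, and refuses cleartext ldap:// outright. The key-size table is an assumption for common OpenSSL cipher names; slapd logs the exact value as tls_ssf= on the "TLS established" line.

```python
"""Model of how an OpenLDAP olcSecurity policy interacts with the security
strength factor (SSF) a client's session provides.  Added example, a
simplified model rather than slapd's own code: OpenLDAP takes the TLS SSF
from the key size of the negotiated cipher, so the cipher name (as shown by
openssl s_client or in slapd logs) is enough to estimate it here."""

import re
from typing import Dict, Optional, Tuple

# Assumed key sizes for common OpenSSL cipher-name tokens; a real server
# reports the exact value as "TLS established tls_ssf=N" in its log.
_CIPHER_BITS = {
    "AES256": 256,
    "CHACHA20": 256,
    "AES128": 128,
    "DES-CBC3": 168,   # OpenSSL historically counts 3DES as 168 bits
}

_FACTORS = ("ssf", "transport", "tls", "sasl", "simple_bind",
            "update_ssf", "update_transport", "update_tls", "update_sasl")


def tls_ssf_for_cipher(cipher_name: str) -> int:
    """Estimate the SSF of a TLS session from its OpenSSL cipher name."""
    upper = cipher_name.upper()
    for token, bits in _CIPHER_BITS.items():
        if token in upper:
            return bits
    raise ValueError(f"unknown cipher {cipher_name!r}")


def parse_olc_security(value: str) -> Dict[str, int]:
    """Parse an olcSecurity value such as 'simple_bind=256 ssf=128'."""
    policy: Dict[str, int] = {}
    for item in value.split():
        m = re.fullmatch(r"([a-z_]+)=(\d+)", item)
        if not m or m.group(1) not in _FACTORS:
            raise ValueError(f"bad olcSecurity factor {item!r}")
        policy[m.group(1)] = int(m.group(2))
    return policy


def check_simple_bind(policy: Dict[str, int], session_ssf: int) -> Tuple[bool, str]:
    """Decide whether a simple (password) bind is admitted under the policy.

    Only the 'ssf' and 'simple_bind' factors are enforced in this model.
    A refusal corresponds to resultCode 13, 'Confidentiality required'."""
    required = max(policy.get("ssf", 0), policy.get("simple_bind", 0))
    if session_ssf < required:
        return False, f"Confidentiality required: session SSF {session_ssf} < required {required}"
    return True, f"ok: session SSF {session_ssf} >= required {required}"


def diagnose(olc_security: str, cipher: Optional[str]) -> Tuple[bool, str]:
    """cipher=None models a cleartext ldap:// session (no TLS, SSF 0)."""
    ssf = tls_ssf_for_cipher(cipher) if cipher else 0
    return check_simple_bind(parse_olc_security(olc_security), ssf)


if __name__ == "__main__":
    cases = [("simple_bind=256", "AES256-SHA"),   # cipher negotiated in the thread's s_client run
             ("simple_bind=256", "AES128-SHA"),
             ("simple_bind=128", "AES128-SHA"),
             ("simple_bind=128", None)]
    for policy, cipher in cases:
        ok, why = diagnose(policy, cipher)
        print(f"{policy:16} {str(cipher):12} -> {'allowed' if ok else 'refused'} ({why})")
```

Whether the Ubuntu client really negotiated a 128-bit suite is my inference from the thread, not something it states; the point the model makes is that simple_bind=N is a per-session check against the negotiated cipher strength, which is why the same server can accept one client's password binds and reject another's.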


Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

2011-03-18 Thread O. Hartmann

On 03/18/11 17:02, Dan Nelson wrote:

In the last episode (Mar 18), O. Hartmann said:

I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
UBUNTU 10.10 server (using openldap 2.4.23).

Most of the installation on the Ubuntu server has been successfully done
(I'm not familiar with Linux, but it seems that things like pam and ldap
are quite similar to FreeBSD's installation).

  From the Linux/Ubuntu server, I'm able to get all users and groups via
'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed
user is successful.

But when it comes to a login via sshd, login fails with this error
(logged on Linux Ubuntu in /var/log/auth.log):

Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 
192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user 
uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)


Confidentiality required means that the server is refusing to authenticate
over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
pam ldap.conf, either change your uri lines to ldaps:// or add the line
ssl on) and see if that works.


Well,

in /etc/ldap.conf there is ssl start_tls and this should do the thing. 
I use nearly exactly the same configuration as I do on all the FreeBSD 
boxes connecting to the same OpenLDAP server.


I tried issuing 'ldapsearch -xZZ -h hostIP' and I get

ldap_start_tls: Connect error (-11)
additional info: (unknown error code)

looking deeper into the debug stuff with

'ldapsearch -xZZ -h hostIP' I receive at the end

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)


Obviously, my certificate (self signed, openssl verify cacert.pem gives:
OK) isn't found or there is something wrong with it. The certificate is 
located in /usr/local/etc/cacerts/cacert.pem and in Ubuntu's 
/etc/ldap.conf there is this line:

tls_cacertfile usr/local/etc/cacerts/cacert.pem

is referring to the certificate.





Re: Requesting community opinion regarding security/pam_ldap groupdn and member_attribute

2010-04-18 Thread Valentin Bud
On Sat, Apr 17, 2010 at 4:13 PM, Alejandro Imass a...@p2ee.org wrote:

 On Fri, Apr 16, 2010 at 8:44 AM, Valentin Bud valentin@gmail.com
 wrote:
  Hello community,
 
   I am working these days on implementing a centralized
 [...]

  The problem is that pam_ldap wants the memberUid attribute to contain the
  user's DN and there is
  no option to change this behavior.
 

 Hmmm...

  My question is: what is the argument behind this and do you think it
 should
  stay this way or
  could it be changed?
  In my case I really need pam_ldap to check just for UID not DN of a user
 in
  memberUid attribute.
 

 I think you are a bit confused here, because dn is not an attribute,
 and you must revise RFCs 4510 to 4519,4530 (and others related).

 The DN is the Distinguished Name, which is basically the RDN + the DN
 of the parent node. Let's see, where should I start...

 Ok, think of LDAP as 2 things: 1) a simple network protocol, 2) a
 database model that stores entries in a tree fashion (the Directory
 Information Tree or DIT). Each entry (the atomic unit in a DIT) has
 to derive from at least one structural Object Class (or more) and zero
 or more Auxiliary Classes. The structural class has one (or more -
 though it's not very common) MUST attributes, which _usually_ make up
 the entry's RDN (Relative Distinguished Name). So, the RDN is
 _usually_ conformed of the principal MUST attribute of its primary
 structural class, and _usually_ it defines the entry type[1].

 I say usually because entries commonly derive from several classes,
 not just one, so in reality you can use _any_ attribute for your RDN,
 as long as you make sure it's unique among siblings (other entries
 that share the same parent). When you position the entry in the DIT
 you conform what is known as the DN, which is the attribute(s) that
 conform the RDN + the DN of the parent node. It is also important to
 note that, and not many people know this, that both the RDN and DN
 could change during the life of an entry, and there is an operational
 attribute called the entryUUID which is sort-of a unique identifier in
 the DIT (RFC4530), and although it's not really meant to be used as a
 day-to-day identifier, may prove useful when integrating LDAP data to
 other data sources such as RDBMS. Oh, and entries can also have
 multiple DNs (Alias Names RFC4512, sect 2.6).

 So, back to your question, the short answer is that to find an entry
 in the DIT you HAVE TO use the dn, although the attributes that
 conform that dn are really up to you. For example, if your entry
 derives from person and posixAccount you could use any of (or both) cn
 and/or uid in the RDN.

 Best,
 Alejandro Imass

 Notes:
 [1] The entry type, of course is what you want it to be, though many
 of your GUI tools will choose the principal attribute of the first
 objectclass to show you the node (they seldom use the complete dn,
 so you kind of think of that attribute as the type (organization,
 person, ou, etc.), but that may be misleading)


  I have asked our friend google what does he has to say about this and
 found
  out that
  there is a patch on Debian which can be found here:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341541
  that gives the user the possibility to choose if the memberUid attribute
  holds the DN or UID.
  I would really like that feature so I have patched pam_ldap to no success
  and since my C programming
  skills are close to none I am stuck.
 
  Would you people think that the above patch would be useful? Please
 argument
  on this. How
  can I/we make that patch work?
 
  Thank you very much and a great day,
  v
 
 
  --
  network warrior since 2005
 

Hello Alejandro,

 Thank you for your explanation about LDAP. It has been helpful.

 My problem though is WHY (with arguments) pam_ldap wants to see the DN of
the entry which matched the search for the uid attribute in the memberUid
attribute of the group I want to enforce users to be a part of so they can
log into the system using ssh.

 Since the memberUid attribute holds the value of the posix uid, I think it
is not quite correct, according to the standards, to find a DN there.

Thanks once again. A great day,
v


-- 
network warrior since 2005


Re: Requesting community opinion regarding security/pam_ldap groupdn and member_attribute

2010-04-17 Thread Alejandro Imass
On Fri, Apr 16, 2010 at 8:44 AM, Valentin Bud valentin@gmail.com wrote:
 Hello community,

  I am working these days on implementing a centralized
[...]

 The problem is that pam_ldap wants the memberUid attribute to contain the
 user's DN and there is
 no option to change this behavior.


Hmmm...

 My question is: what is the argument behind this and do you think it should
 stay this way or
 could it be changed?
 In my case I really need pam_ldap to check just for UID not DN of a user in
 memberUid attribute.


I think you are a bit confused here, because dn is not an attribute,
and you must revise RFCs 4510 to 4519,4530 (and others related).

The DN is the Distinguished Name, which is basically the RDN + the DN
of the parent node. Let's see, where should I start...

Ok, think of LDAP as 2 things: 1) a simple network protocol, 2) a
database model that stores entries in a tree fashion (the Directory
Information Tree or DIT). Each entry (the atomic unit in a DIT) has
to derive from at least one structural Object Class (or more) and zero
or more Auxiliary Classes. The structural class has one (or more -
though it's not very common) MUST attributes, which _usually_ make up
the entry's RDN (Relative Distinguished Name). So, the RDN is
_usually_ conformed of the principal MUST attribute of its primary
structural class, and _usually_ it defines the entry type[1].

I say usually because entries commonly derive from several classes,
not just one, so in reality you can use _any_ attribute for your RDN,
as long as you make sure it's unique among siblings (other entries
that share the same parent). When you position the entry in the DIT
you conform what is known as the DN, which is the attribute(s) that
conform the RDN + the DN of the parent node. It is also important to
note that, and not many people know this, that both the RDN and DN
could change during the life of an entry, and there is an operational
attribute called the entryUUID which is sort-of a unique identifier in
the DIT (RFC4530), and although it's not really meant to be used as a
day-to-day identifier, may prove useful when integrating LDAP data to
other data sources such as RDBMS. Oh, and entries can also have
multiple DNs (Alias Names RFC4512, sect 2.6).

So, back to your question, the short answer is that to find an entry
in the DIT you HAVE TO use the dn, although the attributes that
conform that dn are really up to you. For example, if your entry
derives from person and posixAccount you could use any of (or both) cn
and/or uid in the RDN.

Best,
Alejandro Imass

Notes:
[1] The entry type, of course is what you want it to be, though many
of your GUI tools will choose the principal attribute of the first
objectclass to show you the node (they seldom use the complete dn,
so you kind of think of that attribute as the type (organization,
person, ou, etc.), but that may be misleading)


 I have asked our friend google what does he has to say about this and found
 out that
 there is a patch on Debian which can be found here:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341541
 that gives the user the possibility to choose if the memberUid attribute
 holds the DN or UID.
 I would really like that feature so I have patched pam_ldap to no success
 and since my C programming
 skills are close to none I am stuck.

 Would you people think that the above patch would be useful? Please argument
 on this. How
 can I/we make that patch work?

 Thank you very much and a great day,
 v


 --
 network warrior since 2005



Requesting community opinion regarding security/pam_ldap groupdn and member_attribute

2010-04-16 Thread Valentin Bud
Hello community,

 I am working these days on implementing a centralized
authentication/authorization service
for all the FBSD servers I have. I am using OpenLDAP to store the users, and
GOsa (https://oss.gonicus.de/) as a web frontend to administer the directory.

 To enable SSH/console authentication from LDAP I noticed that one can use
security/pam_ldap from ports
and net/nss_ldap so that the name service switch can get groups/passwd info
from LDAP too.

 I have successfully configured OpenLDAP and created a user as follows:

dn: cn=Valentin BUD,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: BUD
givenName: Valentin
uid: mtx
cn: Valentin BUD
homeDirectory: /home/mtx
loginShell: /bin/tcsh
uidNumber: 5001
gidNumber: 5001
gecos: Valentin BUD

and a posixGroup as follows:

dn: cn=ssh,ou=groups,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ssh
gidNumber: 7000
description: SSH allowed users
memberUid: mtx

I have configured pam_ldap to honor group membership using
pam_groupdn cn=ssh,ou=groups,ou=people,dc=example,dc=com
pam_member_attribute memberUid

The problem is that pam_ldap wants the memberUid attribute to contain the
user's DN and there is
no option to change this behavior.

My question is: what is the argument behind this and do you think it should
stay this way or
could it be changed?
In my case I really need pam_ldap to check just for UID not DN of a user in
memberUid attribute.

I have asked our friend Google what he has to say about this and found
out that
there is a patch on Debian which can be found here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341541
that gives the user the possibility to choose whether the memberUid attribute
holds the DN or the UID.
I would really like that feature, so I have patched pam_ldap without success,
and since my C programming
skills are close to none I am stuck.

Do you think the above patch would be useful? Please give your arguments
on this. How
can I/we make that patch work?

Thank you very much and a great day,
v


-- 
network warrior since 2005
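An added example (not code from the thread, nor from pam_ldap) that reproduces the check pam_ldap makes for pam_groupdn/pam_member_attribute: it issues an LDAP Compare of the DN it has just bound as against the configured attribute of the group entry, so a posixGroup whose memberUid holds login names can never match. The two entries are abridged copies of the ones in the post; the groupOfNames entry and the simplified DN-matching rule are this example's own assumptions.

```python
import re

# Abridged copies of the two entries from the post (constructed for this example,
# attribute values unchanged).
USER_LDIF = """\
dn: cn=Valentin BUD,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: mtx
cn: Valentin BUD
uidNumber: 5001
gidNumber: 5001
"""

POSIX_GROUP_LDIF = """\
dn: cn=ssh,ou=groups,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ssh
gidNumber: 7000
memberUid: mtx
"""

# A DN-valued group that unpatched pam_ldap can evaluate.  This entry is an
# assumption made for the example; it is not part of the original post.
DN_GROUP_LDIF = """\
dn: cn=ssh-dn,ou=groups,ou=people,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: ssh-dn
member: cn=Valentin BUD,ou=people,dc=example,dc=com
"""

# Attributes with DN syntax are compared with distinguishedNameMatch; memberUid
# (caseExactIA5Match in nis.schema) is compared byte for byte.
DN_SYNTAX_ATTRS = {"member", "uniquemember", "owner", "roleoccupant", "seealso"}


def parse_ldif(text):
    """Parse a single LDIF entry into {attr_lowercase: [values]}; entry['dn'] is a str."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    entry["dn"] = entry["dn"][0]
    return entry


def normalize_dn(dn):
    """Approximate distinguishedNameMatch: case-fold and drop spaces around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def ldap_compare(entry, attr, assertion):
    """LDAP Compare operation: TRUE iff one value of attr matches the assertion value."""
    values = entry.get(attr.lower(), [])
    if attr.lower() in DN_SYNTAX_ATTRS:
        return any(normalize_dn(v) == normalize_dn(assertion) for v in values)
    return assertion in values


def pam_ldap_authz(group, member_attr, user):
    """The check pam_ldap performs: compare the user's bind DN against pam_member_attribute."""
    return ldap_compare(group, member_attr, user["dn"])


def patched_authz(group, member_attr, user):
    """What the Debian patch adds: compare the login name (uid) instead of the DN."""
    return ldap_compare(group, member_attr, user["uid"][0])
```

Without the patch, the alternatives are to maintain a DN-valued group (member: user DN) for pam_groupdn next to the posixGroup that nss_ldap serves, or to leave pam_groupdn unset and enforce membership where the UNIX group is already visible through nss_ldap, for instance sshd's AllowGroups, which evaluates memberUid through the name service switch.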


pam_ldap pam_password crypt option doesn't work...?

2008-10-12 Thread Berk Gulenler
Hi,

I'm trying to authenticate users from OpenLDAP. In LDAP the userPassword
fields are crypt-hashed, so I'm trying to use the pam_password crypt option in
ldap.conf.
But in the LDAP log the password data from the pam_ldap module is always in
clear text. What could be wrong?  Thanks in advance.

ldap.conf

host *host*
base ou=people,dc=boun.edu.tr,o=BU
ldap_version 3
binddn cn=root,o=BU
bindpw *password*
port 389
timelimit 30
bind_timelimit 30
pam_login_attribute uid
pam_password crypt

Service conf file

auth    required    /usr/local/lib/pam_ldap.so    try_first_pass

I also tried the use_mapped_pass option, but it didn't work.

LDAP log

ldap_read: want=60, got=60
  0000:  01 03 04 2c 75 69 64 3d  74 65 73 74 2e 74 65 73   ...,uid=test.tes
  0010:  74 31 2c 6f 75 3d 70 65  6f 70 6c 65 2c 64 63 3d   t1,ou=people,dc=
  0020:  62 6f 75 6e 2e 65 64 75  2e 74 72 2c 6f 3d 42 55   boun.edu.tr,o=BU
  0030:  80 0a 79 61 67 6c 69 65  6b 6d 65 6b               ..yagliekmek   [clear text password]
ber_get_next: tag 0x30 len 66 contents:

pam_ldap version is 1.8.4

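A worked decode of the bind shown in the log above, as an added example (not from the post, nor from pam_ldap). The point it makes: pam_password only selects how pam_ldap hashes a new password when the password stack calls it, that is on a password change; authentication is always an LDAP bind, and in a simple bind the credentials octets are the password itself, which the server compares against the stored hash. The cleartext in the log is therefore what every login through pam_ldap looks like on port 389 without TLS, and the remedy is TLS (`ssl start_tls` or an ldaps:// uri in ldap.conf), not pam_password. The 60 dumped bytes are copied from the post; the LDAPMessage framing around them is reconstructed from the lengths the log reports, and the messageID value 1 is an assumption.

```python
# The 60 bytes as they appear in the ldap_read dump in the post.  The log shows
# the BER body after the tag bytes; the framing prepended below (LDAPMessage
# SEQUENCE of 66 bytes, messageID, BindRequest tag, INTEGER tag of the version)
# follows from "tag 0x30 len 66"; the messageID value 1 is an assumption.
DUMP = """
01 03 04 2c 75 69 64 3d  74 65 73 74 2e 74 65 73
74 31 2c 6f 75 3d 70 65  6f 70 6c 65 2c 64 63 3d
62 6f 75 6e 2e 65 64 75  2e 74 72 2c 6f 3d 42 55
80 0a 79 61 67 6c 69 65  6b 6d 65 6b
"""
BODY = bytes.fromhex(DUMP)
PDU = bytes.fromhex("30 42 02 01 01 60 3d 02") + BODY   # 0x42 = 66 content bytes


def read_tlv(buf, pos=0):
    """Read one BER tag-length-value triple; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(pdu):
    """Decode an LDAPMessage carrying a BindRequest (RFC 4511, section 4.2)."""
    tag, message, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = read_tlv(message)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(message, pos)
    if tag != 0x60:                         # [APPLICATION 0] = BindRequest
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % tag)
    _, version, pos = read_tlv(body)        # INTEGER version
    _, name, pos = read_tlv(body, pos)      # LDAPDN name
    auth_tag, creds, _ = read_tlv(body, pos)
    if auth_tag == 0x80:                    # AuthenticationChoice: simple [0] OCTET STRING
        auth, secret = "simple", creds.decode("utf-8", "replace")
    elif auth_tag == 0xA3:                  # sasl [3] SaslCredentials
        auth, secret = "sasl", None
    else:
        auth, secret = "unknown(0x%02x)" % auth_tag, None
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8", "replace"),
        "auth": auth,
        "password": secret,
    }


def bind_sends_password_in_clear(pdu):
    """True for a simple bind: the credentials octets on the wire are the password itself."""
    return decode_bind_request(pdu)["auth"] == "simple"
```

Run the decoder on a capture from port 389 (tcpdump or wireshark can hand you the PDU bytes) to confirm that a client is still doing simple binds in the clear after TLS has supposedly been turned on; the hash format of userPassword on the server has no bearing on what crosses the wire.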


Invalid credentials errors using pam_ldap on FreeBSD

2008-07-18 Thread Stephen Allen

Hello,

I'm pretty sure I've done all the necessary steps to be able to ssh to 
my FreeBSD box using pam_ldap, but I'm getting Invalid credentials 
errors whenever I try (I can successfully perform an ldapsearch 
operation though).


Here are snippets from my config:

 [/etc/nsswitch.conf]
 passwd: files ldap

 [/etc/pam.d/sshd]
 auth    sufficient    /usr/local/lib/pam_ldap.so
 auth    required      pam_unix.so

 [/usr/local/etc/ldap.conf]
 base o=brookes
 uri ldap://ldap.brookes.ac.uk:389/
 scope one

And here is the error:

Jul 18 19:19:41 vh1a9f58 sshd[19601]: pam_ldap: error trying to bind as 
user uid=p0036343,o=Brookes (Invalid credentials)


Incidentally, the following ldapsearch query _IS_ successful, and 
returns me some details about user 'jsmith'


ldapsearch -H ldap://ldap.brookes.ac.uk -b 'o=brookes' -x -W -D 
'uid=me,o=Brookes' uid=jsmith



I'm really stumped on this one... can anyone help please?

Many thanks,
Steve :)
--


Re: Invalid credentials errors using pam_ldap on FreeBSD

2008-07-18 Thread Per olof Ljungmark

Quoting Stephen Allen [EMAIL PROTECTED]:


Hello,

I'm pretty sure I've done all the necessary steps to be able to ssh  
to my FreeBSD box using pam_ldap, but I'm getting Invalid  
credentials errors whenever I try (I can successfully perform an  
ldapsearch operation though).


Here are snippets from my config:

 [/etc/nsswitch.conf]
 passwd: files ldap

 [/etc/pam.d/sshd]
 auth    sufficient    /usr/local/lib/pam_ldap.so
 auth    required      pam_unix.so

 [/usr/local/etc/ldap.conf]
 base o=brookes
 uri ldap://ldap.brookes.ac.uk:389/
 scope one

And here is the error:

Jul 18 19:19:41 vh1a9f58 sshd[19601]: pam_ldap: error trying to bind  
as user uid=p0036343,o=Brookes (Invalid credentials)


Incidentally, the following ldapsearch query _IS_ successful, and  
returns me some details about user 'jsmith'


ldapsearch -H ldap://ldap.brookes.ac.uk -b 'o=brookes' -x -W -D  
'uid=me,o=Brookes' uid=jsmith


Try to increase the log level in nss_ldap.conf, debug = level, and  
check /var/log/debug.log.


man nss_ldap(5).

--per


Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-27 Thread Frank Bonnet

Paul Schmehl wrote:
Please don't top post.  It disrupts the flow of the conversation.  (See 
below for my response.)


--On Wednesday, March 26, 2008 4:01 PM +0100 Frank Bonnet 
[EMAIL PROTECTED] wrote:



Hello

After having spent several hours on it I can't have a working
ssh access that use PAM_LDAP on a freebsd 6/7 machine !

I have no problem on a Linux Debian etch box ...

Where are we going if Linux works better than BSD ? :-)



Setting up pam ldap ssh access on a FreeBSD box takes less than five 
minutes *after* installing the correct ports.


1) net/openldap-client
2) security/pam_ldap

Then configure ldap.conf (in /usr/local/etc/) which is quite simple:
host {your ldap server(s) either hostname(s) or ip(s) in a 
space-separate list

dc (your dn)

Then configure /etc/pam.d/sshd thus:
auth    sufficient    /usr/local/lib/pam_ldap.so    no_warn try_first_pass


That's all that is needed.



That's what I did. I have used nss_ldap and pam_ldap for a long time now
on many platforms and that is what does not work



If it doesn't work, fire up wireshark (port) or tcpdump (base) and see 
what the problem is.


as a very last resort, why not?



Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-27 Thread Paul Schmehl
--On Thursday, March 27, 2008 11:17:26 +0100 Frank Bonnet [EMAIL PROTECTED] 
wrote:


Setting up pam ldap ssh access on a FreeBSD box takes less than five
minutes *after* installing the correct ports.

1) net/openldap-client
2) security/pam_ldap

Then configure ldap.conf (in /usr/local/etc/) which is quite simple:
host {your ldap server(s) either hostname(s) or ip(s) in a
space-separate list
dc (your dn)

Then configure /etc/pam.d/sshd thus:
auth    sufficient    /usr/local/lib/pam_ldap.so    no_warn try_first_pass

That's all that is needed.



That's what I did. I have used nss_ldap and pam_ldap for a long time now
on many platforms and that is what does not work



Time to troubleshoot.  Is the ldap server reachable?  Is your search base 
correct?  Is a firewall blocking you?  Is the ldap server running on a 
non-standard port?


Something is wrong, but if you configured it the same way as I described, then 
the problem lies elsewhere.






If it doesn't work, fire up wireshark (port) or tcpdump (base) and see
what the problem is.


as a very last resort, why not?



I'm afraid I don't follow you here.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-26 Thread Frank Bonnet

Hello

After having spent several hours on it I can't have a working
ssh access that use PAM_LDAP on a freebsd 6/7 machine !

I have no problem on a Linux Debian etch box ...

Where are we going if Linux works better than BSD ? :-)


Brian A. Seklecki wrote:

On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:

Hello Brian

Thanks for the quick answer but I'm still in trouble


Turn on the debugging flags in the configuration file for pam_ldap
in /usr/local/etc and watch the console on the system.

~BAS



when I try to ssh into the machine I fall into a loop
like the following

panzer:~ ssh  [EMAIL PROTECTED]
Password:
Old Password:
Password:
Old Password:
Password:

I am SURE the password I type works




Brian A. Seklecki wrote:

The problem is that the PAM libraries provide shit-fuck-ass-worthless
debug mechanisms.  This is only eclipsed by the terribly organized
information on LDAP+NSS+PAM for FreeBSD on the web.

The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
Please put this on the OpenLDAP / PADL Wiki somewhere:

[EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd 



# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the sshd service
#

# auth
#auth       required    pam_nologin.so              no_warn
#auth       sufficient  pam_opie.so                 no_warn no_fake_prompts
#auth       requisite   pam_opieaccess.so           no_warn allow_local
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so
auth        required    pam_unix.so                 no_warn try_first_pass

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_permit.so
session     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass

# password
#password   sufficient  pam_krb5.so                 no_warn try_first_pass
password    required    pam_unix.so                 no_warn try_first_pass
#password   required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass


Also try:

$ grep -i debug /usr/local/etc/ldap.conf
#debug 1
$ grep -i debug /usr/local/etc/nss_ldap.conf
#debug 1


Higher levels for fun.

~BAS


On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:

Hello

I can't get a working sshd access using pam_ldap and nss_ldap

/etc/nsswitch.conf is OK

but I'm having difficulties to configure pam_ldap for a ssh access
on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
the /etc/pam.d/sshd file but haven't any success (sigh!)

Anyone could helps ?

Thanks a lot !






Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-26 Thread Paul Schmehl
Please don't top post.  It disrupts the flow of the conversation.  (See 
below for my response.)


--On Wednesday, March 26, 2008 4:01 PM +0100 Frank Bonnet 
[EMAIL PROTECTED] wrote:



Hello

After having spent several hours on it I can't have a working
ssh access that use PAM_LDAP on a freebsd 6/7 machine !

I have no problem on a Linux Debian etch box ...

Where are we going if Linux works better than BSD ? :-)



Setting up pam ldap ssh access on a FreeBSD box takes less than five 
minutes *after* installing the correct ports.


1) net/openldap-client
2) security/pam_ldap

Then configure ldap.conf (in /usr/local/etc/) which is quite simple:
host {your ldap server(s) either hostname(s) or ip(s) in a space-separate 
list

dc (your dn)

Then configure /etc/pam.d/sshd thus:
auth    sufficient    /usr/local/lib/pam_ldap.so    no_warn try_first_pass


That's all that is needed.

If it doesn't work, fire up wireshark (port) or tcpdump (base) and see what 
the problem is.


You needn't even bother creating local passwords for accounts.  Just create 
the account without one, and with pam/ssh/ldap, they can login and use 
their assigned shell/do whatever you've authorized them to do.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-25 Thread Frank Bonnet

Hello

I can't get a working sshd access using pam_ldap and nss_ldap

/etc/nsswitch.conf is OK

but I'm having difficulties to configure pam_ldap for a ssh access
on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
the /etc/pam.d/sshd file but haven't any success (sigh!)

Anyone could helps ?

Thanks a lot !




Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-25 Thread Brian A. Seklecki
The problem is that the PAM libraries provide shit-fuck-ass-worthless
debug mechanisms.  This is only eclipsed by the terribly organized
information on LDAP+NSS+PAM for FreeBSD on the web.

The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
Please put this on the OpenLDAP / PADL Wiki somewhere:

[EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd 


# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the sshd service
#

# auth
#auth       required    pam_nologin.so              no_warn
#auth       sufficient  pam_opie.so                 no_warn no_fake_prompts
#auth       requisite   pam_opieaccess.so           no_warn allow_local
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so
auth        required    pam_unix.so                 no_warn try_first_pass

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_permit.so
session     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass

# password
#password   sufficient  pam_krb5.so                 no_warn try_first_pass
password    required    pam_unix.so                 no_warn try_first_pass
#password   required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass


Also try:

$ grep -i debug /usr/local/etc/ldap.conf
#debug 1
$ grep -i debug /usr/local/etc/nss_ldap.conf
#debug 1


Higher levels for fun.

~BAS


On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
 Hello
 
 I can't get a working sshd access using pam_ldap and nss_ldap
 
 /etc/nsswitch.conf is OK
 
 but I'm having difficulties to configure pam_ldap for a ssh access
 on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
 the /etc/pam.d/sshd file but haven't any success (sigh!)
 
 Anyone could helps ?
 
 Thanks a lot !
 
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.



Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?

2008-03-25 Thread Brian A. Seklecki

On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
 Hello Brian
 
 Thanks for the quick answer but I'm still in trouble

Turn on the debugging flags in the configuration file for pam_ldap
in /usr/local/etc and watch the console on the system.

~BAS


 when I try to ssh into the machine I fall into a loop
 like the following
 
 panzer:~ ssh  [EMAIL PROTECTED]
 Password:
 Old Password:
 Password:
 Old Password:
 Password:
 
 I am SURE the password I type works
 
 
 
 
 Brian A. Seklecki wrote:
  The problem is that the PAM libraries provide shit-fuck-ass-worthless
  debug mechanisms.  This is only eclipsed by the terribly organized
  information on LDAP+NSS+PAM for FreeBSD on the web.
  
  The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo.
  Please put this on the OpenLDAP / PADL Wiki somewhere:
  
  [EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd 
  
  
  # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
  #
  # PAM configuration for the sshd service
  #

  # auth
  #auth       required    pam_nologin.so              no_warn
  #auth       sufficient  pam_opie.so                 no_warn no_fake_prompts
  #auth       requisite   pam_opieaccess.so           no_warn allow_local
  #auth       sufficient  pam_krb5.so                 no_warn try_first_pass
  #auth       sufficient  pam_ssh.so                  no_warn try_first_pass
  auth        sufficient  /usr/local/lib/pam_ldap.so
  auth        required    pam_unix.so                 no_warn try_first_pass

  # account
  #account    required    pam_krb5.so
  account     required    pam_login_access.so
  account     required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
  account     required    pam_unix.so

  # session
  #session    optional    pam_ssh.so
  session     required    pam_permit.so
  session     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass

  # password
  #password   sufficient  pam_krb5.so                 no_warn try_first_pass
  password    required    pam_unix.so                 no_warn try_first_pass
  #password   required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass
  
  
  Also try:
  
  $ grep -i debug /usr/local/etc/ldap.conf
  #debug 1
  $ grep -i debug /usr/local/etc/nss_ldap.conf
  #debug 1
  
  
  Higher levels for fun.
  
  ~BAS
  
  
  On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
  Hello
 
  I can't get a working sshd access using pam_ldap and nss_ldap
 
  /etc/nsswitch.conf is OK
 
  but I'm having difficulties to configure pam_ldap for a ssh access
  on a machine ( 6.3 or 7.0 ) ... I have been trying a lot to configure
  the /etc/pam.d/sshd file but haven't any success (sigh!)
 
  Anyone could helps ?
 
  Thanks a lot !
 
 
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.

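An added model of the auth and account stacks from the /etc/pam.d/sshd file posted in this thread (example code, not part of the thread or of OpenPAM). It parses the lines and walks them with the control-flag semantics of pam.conf(5), so one can see why `sufficient pam_ldap` followed by `required pam_unix` still lets local users in when the LDAP server is unreachable, and what `ignore_authinfo_unavail` and `ignore_unknown_user` on the account line buy. Module outcomes are supplied by hand ('ok', 'fail', 'unavail'); the mapping of 'unavail' to PAM_IGNORE when the option is present follows pam_ldap's description of that option, and treating a chain in which nothing succeeded as a failure is this model's own assumption.

```python
# The auth and account lines from the posted /etc/pam.d/sshd (constructed copy,
# commented-out lines omitted).
SSHD_PAM = """\
# auth
auth     sufficient  /usr/local/lib/pam_ldap.so
auth     required    pam_unix.so                  no_warn try_first_pass
# account
account  required    pam_login_access.so
account  required    /usr/local/lib/pam_ldap.so   ignore_authinfo_unavail ignore_unknown_user
account  required    pam_unix.so
"""


def parse_pam(text):
    """Parse pam.conf(5) lines into {facility: [(control, module, [options])]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        facility, control, module, *options = line.split()
        module = module.rsplit("/", 1)[-1]        # /usr/local/lib/pam_ldap.so -> pam_ldap.so
        stacks.setdefault(facility, []).append((control, module, options))
    return stacks


def module_result(module, options, outcomes):
    """Outcome of one module call.  outcomes maps module -> 'ok' | 'fail' | 'unavail'.
    pam_ldap turns a server-unavailable error into PAM_IGNORE only when asked to."""
    result = outcomes.get(module, "fail")
    if result == "unavail" and "ignore_authinfo_unavail" in options:
        return "ignore"
    return "ok" if result == "ok" else "fail"


def run_stack(stack, outcomes):
    """Walk one facility's chain with the control-flag semantics of pam.conf(5)."""
    first_required_failure = None
    failed = False
    succeeded = False
    for control, module, options in stack:
        result = module_result(module, options, outcomes)
        if result == "ignore":
            continue                              # as if the line were not there
        if result == "ok":
            succeeded = True
            if control in ("sufficient", "binding") and not failed:
                return "success"                  # short-circuit: later lines never run
            continue
        failed = True
        if control == "requisite":
            return "fail"                         # stop immediately
        if control in ("required", "binding") and first_required_failure is None:
            first_required_failure = module       # remembered, but the chain continues
        # a failing sufficient or optional module is ignored
    if first_required_failure:
        return "fail"
    # Assumption of this model: a chain in which nothing succeeded is a failure.
    return "success" if succeeded else "fail"


def login(stacks, outcomes):
    """sshd calls pam_authenticate() and then pam_acct_mgmt(); both stacks must pass."""
    return all(run_stack(stacks[f], outcomes) == "success" for f in ("auth", "account"))
```

Run the account stack with pam_ldap reporting 'unavail' and the two ignore_* options stripped from its line: the required line fails, and with it every login through that stack, for as long as the LDAP server is down. That lock-out is the failure mode those two options exist to avoid.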


Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-11-05 Thread O. Hartmann

Ulrich Spoerlein wrote:

Sorry for the late reply ...

On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote:
  
All right, here I am. nss_ldap.conf and ldap.conf are located in 
/usr/local/etc and are identical (link). I copied all tags I use and deleted 
commented out tags:



Seems ok to me, though I don't claim to be an expert.
  


This method has been recommended by many sites and tutorials, so I guess 
it should be approved ;-)


  

The slapd.conf is this, comments roped:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# additional schema
include /usr/local/share/examples/samba/LDAP/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile/var/run/openldap/slapd.args
logfile /var/log/slapd.log
loglevel512



loglevel is a bitmask. If you want to have lots of debugging try 255 and
run a tail -f /var/log/debug.log
  


Thanks, I did so and found several useful messages in the log.

  

sizelimit   unlimited
allow   bind_v2
modulepath  /usr/local/libexec/openldap
moduleload  back_bdb
everse-lookup  off



typo I guess?
  


Sorry, yes, copy-and-paste mistake.

  

NSCD is up and running, my nsswitch.conf looks like this:



Please try without nscd first, it's just another possible source of
problems.
  


Due to a recommendation not to use NSCD with FreeBSD and SAMBA I 
switched that off.


  

group: cache ldap[ unavail=continue notfound=continue ] files
passwd: cache ldap [ unavail=continue notfound=continue ] files
#group_compat: nis
hosts: compat
networks: files
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

And I changed some lines in /etc/pam.d/sshd,login,system,other like this
(commented out because the system gets stuck forever when
nss_ldap/pam_ldap is enabled):



I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to
avoid this unresponsiveness.

# Bind/connect timelimit
bind_timelimit 3

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft

Also, make NSS work first, then turn to configuring PAM (at least,
that's what I would do)

  


Great!! That did the trick and it is very helpful in saving a lot of 
time and prevented me from losing more hair.



Some errors from console:

(At boot time)
Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: 
could not search LDAP server - Server is unavailable



Expected. slapd wants to change its user to ldap:ldap, which it needs to
look up the UID for. Chicken & egg. That's why I need to use soft
bind+timeout on my (disconnected) laptop here.

  
Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: 
could not search LDAP server - Server is unavailable
Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could 
not search LDAP server - Server is unavailable



That seems broken then. Is slapd running? Can you ldapsearch -Lx -h
localhost? What's /var/log/debug.log telling you? Can you id(1) some ldap
users? Does the output of 'getent group' and 'getent passwd' look
reasonable?
  


Too many switches switched at the same time, so I guess I messed up 
things and couldn't get a clear sight anymore. The point is, without any 
TLS the user authentication works fine for SSHD/LOGIN and SU, even 
password changes via a patched 'passwd' work fine, but when trying to
use TLS/OpenSSL everything gets messed up again, I'll report this at 
the end.


The main reason for blocking access was the ACL misbehaviour. I took the 
example slapd.conf and especially the line describing access to everything


access   to * ...

The line 'by anonymous auth' needs to be changed into 'by anonymous 
read', otherwise LDAP won't even let you access it for authentication. I 
found this by watching exhaustive logs ...



  
One point: what about the compile time options of OpenLDAP? Does LDAP force
itself to use SSL although not configured explicitly in slapd.conf?



No. It is purely optional. You would need certificates before it can
even possibly start working anyways.
  


Yes, but OpenLDAP openldap-server-2.3.38 seems to reject connections via 
TLS when used with self-signed certificates.
  

nss_ldap-1.257  ===
openldap-client-2.3.38
openldap-server-2.3.38
pam_ldap-1.8.2



My other computer is running with nss_ldap-1.257 and showing no problems
either.

Cheers,
Ulrich Spoerlein
  


Well, thanks a lot for helping.

At this moment OpenLDAP seems to work with the OpenLDAP clients (only) 
and for authentication via ssh/login. I tried to install the famous and 
often mentioned 'smbldap-tools' as recommended in many tutorials and I 
followed the setup
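An added check (example code, not from the post or from OpenLDAP) for the ACL change described above. Loosening `access to *` to `by anonymous read` makes every attribute, userPassword included, readable by anyone who can reach port 389, so the password hashes leak to unauthenticated clients. The reason `by anonymous auth` alone broke logins is that nss_ldap and pam_ldap, with no binddn configured, search anonymously for the user's entry before binding as it, and `auth` does not permit that search. The example slapd.conf handles this with two directives: `auth` for anonymous on attrs=userPassword, read on everything else. The linter below parses `access to` directives in file order (the first directive whose <what> matches wins, as in slapd) and reports when the first directive covering userPassword lets an unauthenticated client read it. Both ACL texts are constructed for the example.

```python
import re

# The directive as the post describes changing it: anonymous read on everything.
# Constructed text, not the poster's actual slapd.conf.
ACL_FROM_POST = """\
access to *
        by anonymous read
        by self write
        by users read
"""

# The shape the example slapd.conf uses: auth on userPassword, read on the rest.
ACL_RECOMMENDED = """\
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
"""

# slapd access levels in increasing order (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_access(text):
    """Return [(what, [(who, level), ...])] for the 'access to' directives in file order.
    Lines starting with whitespace continue the previous directive, as in slapd.conf(5)."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    acls = []
    for line in directives:
        if not line.startswith("access to "):
            continue
        what, *by_clauses = re.split(r"\s+by\s+", line[len("access to "):])
        clauses = []
        for clause in by_clauses:
            who, *rest = clause.split()
            clauses.append((who, rest[0] if rest else "none"))   # a missing level means none
        acls.append((what.strip(), clauses))
    return acls


def what_covers(what, attr):
    """Does the <what> selector include attribute attr?  Without attrs= it covers all attributes."""
    match = re.search(r"attrs=(\S+)", what)
    if match is None:
        return True
    return attr.lower() in {a.lower() for a in match.group(1).split(",")}


def anonymous_level(clauses):
    """The first matching <by> clause wins; 'anonymous' and '*' both match an unbound client."""
    for who, level in clauses:
        if who in ("anonymous", "*"):
            return level
    return "none"


def level_rank(level):
    """Rank of an access level; unknown spellings (e.g. '=rscx') are ranked highest, so they get flagged."""
    return LEVELS.index(level) if level in LEVELS else len(LEVELS)


def lint_userpassword(text):
    """Return a finding if an unauthenticated client can read userPassword, else None.
    With no matching directive slapd's built-in default 'access to * by * read' applies."""
    for what, clauses in parse_access(text) + [("*", [("*", "read")])]:
        if not what_covers(what, "userPassword"):
            continue
        level = anonymous_level(clauses)
        if level_rank(level) > level_rank("auth"):
            return ("'access to %s' grants anonymous '%s': password hashes are readable "
                    "without a bind; use 'by anonymous auth' on attrs=userPassword" % (what, level))
        return None
```

The linter looks only at unauthenticated clients; `by users read` on userPassword, which hands every bound user everyone else's hash, is the next thing to check by the same method.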

Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-11-04 Thread Ulrich Spoerlein
Sorry for the late reply ...

On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote:
 All right, here I am. nss_ldap.conf and ldap.conf are located in 
 /usr/local/etc and are identical (link). I copied all tags I use and deleted 
 commented out tags:

Seems ok to me, though I don't claim to be an expert.

 The slapd.conf is this, comments roped:
 
 include /usr/local/etc/openldap/schema/core.schema
 include /usr/local/etc/openldap/schema/cosine.schema
 include /usr/local/etc/openldap/schema/nis.schema
 include /usr/local/etc/openldap/schema/inetorgperson.schema
 # additional schema
 include /usr/local/share/examples/samba/LDAP/samba.schema
 pidfile /var/run/openldap/slapd.pid
 argsfile/var/run/openldap/slapd.args
 logfile /var/log/slapd.log
 loglevel512

loglevel is a bitmask. If you want to have lots of debugging try 255 and
run a tail -f /var/log/debug.log

 sizelimit   unlimited
 allow   bind_v2
 modulepath  /usr/local/libexec/openldap
 moduleload  back_bdb
 everse-lookup  off

typo I guess?

 NSCD is up and running, my nsswitch.conf looks like this:

Please try without nscd first, it's just another possible source of
problems.

 group: cache ldap[ unavail=continue notfound=continue ] files
 passwd: cache ldap [ unavail=continue notfound=continue ] files
 #group_compat: nis
 hosts: compat
 networks: files
 #passwd_compat: nis
 shells: files
 services: compat
 services_compat: nis
 protocols: files
 rpc: files
 
 And I changed some lines in /etc/pam.d/sshd,login,system,other like this
 (commented out because the system gets stuck forever when
 nss_ldap/pam_ldap is enabled):

I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to
avoid this unresponsiveness.

# Bind/connect timelimit
bind_timelimit 3

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft

Also, make NSS work first, then turn to configuring PAM (at least,
that's what I would do)

 Some errors from console:
 
 (At boot time)
 Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: 
 could not search LDAP server - Server is unavailable

Expected. slapd wants to change its user to ldap:ldap, which it needs to
look up the UID for. Chicken & egg. That's why I need to use soft
bind+timeout on my (disconnected) laptop here.

 Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: 
 could not search LDAP server - Server is unavailable
 Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could 
 not search LDAP server - Server is unavailable

That seems broken then. Is slapd running? Can you ldapsearch -Lx -h
localhost? What's /var/log/debug.log telling you? Can you id(1) some ldap
users? Does the output of 'getent group' and 'getent passwd' look
reasonable?

 One point: what about the compile time options of OpenLDAP? Does LDAP force
 itself to use SSL although not configured explicitly in slapd.conf?

No. It is purely optional. You would need certificates before it can
even possibly start working anyways.

 nss_ldap-1.257  ===
 openldap-client-2.3.38
 openldap-server-2.3.38
 pam_ldap-1.8.2

My other computer is running with nss_ldap-1.257 and showing no problems
either.

Cheers,
Ulrich Spoerlein
-- 
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.


Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-10-27 Thread O. Hartmann

Alexandre Biancalana wrote:

On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
  

playing with ldapsearch gets results as expected. Doing ldapsearch with
-D and the dn of the admin results in the whole DIT as expected, accessing
the DIT with uid=user,ou=users,dc=... the same. Accessing the LDAP server
from a client via LUMA (tool) is also ok.



Try to change the nss_base_passwd line from:

nss_base_passwd ou=users,dc=office,dc=de?one

to

nss_base_passwd ou=users,dc=office,dc=de?sub
  

Well,
on a test machine, I set up a test environment equal or nearly equal to 
that which is not working on a potentially production box. First of all, 
I think there is a misunderstanding in how to set up /etc/nsswitch.conf, 
because most trouble seems to originate there. When setting

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

restarting OpenLDAP results in this, but after two minutes or so it 
starts up (the time is unacceptable and it does not change anything 
reversing the order from 'files ldap' to 'ldap files' for passwd and 
group). The big question is: do I need to have these entries? Neither 
in the nsswitch.conf manpage nor in the nss_ldap manpage is it mentioned to 
set 'ldap' as an option; I took this from one of the many tutorials out 
there.


Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to 
LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to 
LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to 
LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to 
LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to 
LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to 
LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...



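The reconnect messages above come from slapd's own process (pid 81911) calling nss_ldap, and the sleep interval doubles on every retry. As an added example that is not part of the thread, the following check parses lines in that syslog format, groups reconnects per process, reports how long lookups have been stalled, and flags the case where the directory server itself is stuck inside nss_ldap (the nsswitch.conf ordering problem O. Hartmann describes later in the thread). The log lines inside are constructed to mirror the excerpt; the host, pids and URIs are not taken from any real system.

```python
import re
from collections import defaultdict

# nss_ldap's reconnect message as syslog writes it on FreeBSD; the optional
# token after the timestamp absorbs the extra field seen in the excerpt.
RECONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?:\S+ )?(?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: nss_ldap: reconnecting to LDAP server "
    r"\(sleeping (?P<delay>\d+) seconds\)"
)
# the 'failed to bind' line that precedes each reconnect, one per URI tried
BIND_FAIL_RE = re.compile(
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: nss_ldap: failed to bind to LDAP server "
    r"(?P<uri>\S+): (?P<err>.+)$"
)

# Constructed sample shaped like the excerpt above (not the real log).
SAMPLE_LOG = """\
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Oct 27 15:56:30 thor login[81920]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 27 15:56:31 thor sshd[81925]: Accepted publickey for root from 192.0.2.10 port 40022 ssh2
"""


def parse_nss_ldap(log_text):
    """({(host, prog, pid): [delay, ...]}, {(prog, pid): {uri: error}})."""
    reconnects, bind_failures = defaultdict(list), defaultdict(dict)
    for line in log_text.splitlines():
        m = RECONNECT_RE.match(line)
        if m:
            reconnects[(m["host"], m["prog"], int(m["pid"]))].append(int(m["delay"]))
            continue
        m = BIND_FAIL_RE.search(line)
        if m:
            bind_failures[(m["prog"], int(m["pid"]))][m["uri"]] = m["err"]
    return reconnects, bind_failures


def diagnose(log_text, min_retries=3):
    """One finding string per stuck process; empty when nothing is stuck."""
    reconnects, bind_failures = parse_nss_ldap(log_text)
    findings = []
    for (host, prog, pid), delays in reconnects.items():
        if len(delays) < min_retries:
            continue                       # a single retry is normal noise
        doubling = all(b == 2 * a for a, b in zip(delays, delays[1:]))
        uris = sorted(bind_failures.get((prog, pid), {}))
        findings.append(
            f"{host}: {prog}[{pid}] retried {len(delays)} times"
            f"{' with doubling backoff' if doubling else ''}, now sleeping "
            f"{delays[-1]}s, {sum(delays)}s of lookups blocked; unreachable "
            f"URIs: {', '.join(uris) or 'unknown'}"
        )
        if prog == "slapd":
            # The directory server is the process doing the nss_ldap lookup:
            # nsswitch.conf sends passwd/group to ldap before files, and slapd
            # cannot answer its own lookups while it is still starting.
            findings.append(
                f"{host}: slapd[{pid}] is blocked inside nss_ldap; list 'files' "
                "before 'ldap' in nsswitch.conf so slapd resolves its own "
                "account locally"
            )
    return findings
```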


Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-10-26 Thread O. Hartmann

Ulrich Spoerlein wrote:
 On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
  At this point it seems senseless to try out what's going wrong and I need
  some hints or tips. I read about others successfully running OpenLDAP on
  FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.

 I do. It's working just fine ...

Good to hear, but it doesn't on mine ... :-(

  P.S. If someone wants me to offer config details and/or log excerpts, please
  contact me.

 Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to
 ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf.
 Some actual error messages would be fine too.

All right, here I am. nss_ldap.conf and ldap.conf are located in
/usr/local/etc and are identical (link). I copied all tags I use and
deleted commented out tags:


host 192.168.2.210 (or 127.0.0.1 alternatively)
base dc=office,dc=de
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
# Specify a minimum or maximum UID number allowed
pam_min_uid 1000
pam_max_uid 3
pam_password ssha
nss_base_passwd ou=users,dc=office,dc=de?one
nss_base_shadow ou=users,dc=office,dc=de?one
nss_base_group  ou=group,dc=office,dc=de?one
pam_filter objectClass=posixAccount

The slapd.conf is this, comments cropped:

include     /usr/local/etc/openldap/schema/core.schema
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/nis.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema
# additional schema
include     /usr/local/share/examples/samba/LDAP/samba.schema
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
logfile     /var/log/slapd.log
loglevel    512
sizelimit   unlimited
allow       bind_v2
modulepath  /usr/local/libexec/openldap
moduleload  back_bdb
reverse-lookup  off
access  to *
   by self write
   by users read
   by anonymous auth
database    bdb
suffix      dc=office,dc=de
rootdn      cn=admin,dc=office,dc=de
rootpw
directory   /data/openldap-data/nuggad/

index   objectClass                     eq,pres
index   uid,memberUid                   pres,eq,sub
index   ou,cn,mail,surname,givenname    eq,pres,sub
index   uidNumber,gidNumber,loginShell  eq,pres
index   nisMapName,nisMapEntry          eq,pres,sub

NSCD is up and running, my nsswitch.conf looks like this:

group: cache ldap [unavail=continue notfound=continue] files
passwd: cache ldap [unavail=continue notfound=continue] files
#group_compat: nis
hosts: compat
networks: files
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

And I changed some lines in /etc/pam.d/sshd, login, system and other like this
(commented out because the system gets stuck forever when nss_ldap/pam_ldap
is enabled):


system:
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
#auth       sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth        sufficient  pam_ssh.so          no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
#account    sufficient  /usr/local/lib/pam_ldap.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_lastlog.so      no_fail

# password
#password   sufficient  pam_krb5.so         no_warn try_first_pass
#password   sufficient  /usr/local/lib/pam_ldap.so  no_warn use_authtok
password    required    pam_unix.so         no_warn try_first_pass


sshd:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the sshd service
#

# auth
#auth       sufficient  pam_opie.so         no_warn no_fake_prompts
#auth       requisite   pam_opieaccess.so   no_warn allow_local
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth        sufficient  pam_ssh.so          no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass

# account
account     required    pam_nologin.so
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     sufficient  /usr/local/lib/pam_ldap.so
account

Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-10-26 Thread Alexandre Biancalana
On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
 Ulrich Spoerlein wrote:
  On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
 
  At this point it seems senseless to try out what's going wrong and I need
  some hints or tipps. I read about others successfully running OpenLDAP on
  FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.

I've this running since 6.x and have just installed this yesterday on
a 7-BETA machine

Things that you can try:

 - Do not use nscd (the samba documentation recommends this)
 - Do the changes in steps, testing between each change

What does ldapsearch say?

Att,


Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-10-26 Thread O. Hartmann

Alexandre Biancalana wrote:
 On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
  Ulrich Spoerlein wrote:
   On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
    At this point it seems senseless to try out what's going wrong and I need
    some hints or tips. I read about others successfully running OpenLDAP on
    FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.

 I've this running since 6.x and have just installed this yesterday on
 a 7-BETA machine

 Things that you can try:

  - Do not use nscd (the samba documentation recommends this)
  - Do the changes in steps, testing between each change

 What does ldapsearch say?

 Att,

playing with ldapsearch gets results as expected. Doing ldapsearch with
-D and dn of the admin results in the whole DIT as expected, accessing
the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server
from client via LUMA (tool) is also ok.



Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-10-26 Thread Alexandre Biancalana
On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
 playing with ldapsearch gets results as expected. Doing ldapsearch with
 -D and dn of the admin results in the whole DIT as expected, accessing
 the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server
 from client via LUMA (tool) is also ok.

Try to change the nss_base_passwd line from:

nss_base_passwd ou=users,dc=office,dc=de?one

to

nss_base_passwd ou=users,dc=office,dc=de?sub


Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-10-26 Thread O. Hartmann

Alexandre Biancalana wrote:
 On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
  playing with ldapsearch gets results as expected. Doing ldapsearch with
  -D and dn of the admin results in the whole DIT as expected, accessing
  the DIT with uid=user,ou=users,dc=... the same. Accessing LDAP server
  from client via LUMA (tool) is also ok.

 Try to change the nss_base_passwd line from:

 nss_base_passwd ou=users,dc=office,dc=de?one

 to

 nss_base_passwd ou=users,dc=office,dc=de?sub

... no difference ...


slapd won't start when ldap is the first entry in nsswitch.conf and does
not get searched when it is last. Maybe there is a problem with the
nss_ldap library?



Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-10-25 Thread Ulrich Spoerlein
On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
 At this point it seems senseless to try out what's going wrong and I need
 some hints or tips. I read about others successfully running OpenLDAP on
 FBSD 6 and 5, but no one seems running OpenLDAP based services on FBSD 7.

I do. It's working just fine ...

 P.S. If someone wants me to offer config details and/or log excerpts, please 
 contact me.

Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to
ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf.
Some actual error messages would be fine too.

You should run tcpdump in some window to actually see what's going on.
It also helps to turn on massive debugging in slapd.conf and tail(1)ing
/var/log/debug.log

I'm running the following versions on 7-CURRENT from 30 September:

nss_ldap-1.256
openldap-sasl-client-2.3.38
openldap-server-2.3.38
pam_ldap-1.8.2

Cheers,
Ulrich Spoerlein
-- 
It is better to remain silent and be thought a fool,
than to speak, and remove all doubt.


Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-10-22 Thread Per olof Ljungmark

O. Hartmann wrote:
For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 
7.0-PRE box running, but with no success. Within the last 8 weeks I 
tried nearly EVERY tutorial and there explained setups, but whenever I 
try to authenticate or find an ID for an existing user in the DIT, I 
receive either errors that the client (pam/nss, ssh, id etc.) can not 
connect to the slapd running on the same machine.

snip

We have this config running on 7 for months. I suggest you provide the
list with more information + log excerpts, then someone might help you out.


--per


Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-10-22 Thread O. Hartmann

Per olof Ljungmark wrote:

O. Hartmann wrote:
For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 
7.0-PRE box running, but with no success. Within the last 8 weeks I 
tried nearly EVERY tutorial and there explained setups, but whenever I 
try to authenticate or find an ID for an existing user in the DIT, I 
receive either errors that the client (pam/nss, ssh, id etc.) can not 
connect to the slapd running on the same machine.

snip

We have this config running on 7 since months. I suggest you provide the 
list with more information + log excerpts, then someone might help you out.


--per


Well, great, I appreciate your help and by the way, you're the first one
telling me he's running FBSD 7 AND OpenLDAP/nss_ldap/pam_ldap.


OpenLDAP is running well on the server, I can access the DIT via some
tools like LUMA and the OpenLDAP clients from remote machines.


A major problem seems to be the pam_ldap/nss_ldap configuration. Can you
please tell me how you edited /etc/pam.d/ files and /etc/nsswitch.conf
properly? At this very moment it seems that I shot myself in the foot:
the box running the LDAP service does not start the OpenLDAP service slapd
after rebooting, the console is stuck at the message shown when
'additional ABI's' get started. So, I'm sorry to have no logs handy at
this very moment, I will offer them as soon as possible together with my
config files, if this will not bother you.


Thanks in advance,
Oliver

--
Planetology and Remote Sensing
FU Berlin


OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!

2007-10-21 Thread O. Hartmann
For weeks now I have tried to get an OpenLDAP server on a local FreeBSD
7.0-PRE box running, but with no success. Within the last 8 weeks I
tried nearly EVERY tutorial and the setups explained there, but whenever I
try to authenticate or find an ID for an existing user in the DIT, I
receive errors that the client (pam/nss, ssh, id etc.) cannot
connect to the slapd running on the same machine.


Calling ldapsearch from both the localhost running the slapd and from a
client in the network runs well, I receive a dump of every object
created in the LDAP tree.


At this point it seems senseless to try out what's going wrong and I
need some hints or tips. I read about others successfully running
OpenLDAP on FBSD 6 and 5, but no one seems to be running OpenLDAP based
services on FBSD 7.


In most cases when changing /etc/nsswitch.conf (renaming password/group:
compat to password/group: files ldap as suggested in most of the
tutorials) the box gets unusable running the request (either looking for
a user id, starting an xterm, logging in as root via console). Everything
which seems to look for a user ID takes more than a minute to start up
or dump errors. Even if I try to log in as a user that is only on the local
machine (root and a special user) it seems that the fallback to 'files'
doesn't work properly or the timeout takes that long.


I'm not a professional in OpenLDAP, but I tried several configs found in 
LinuxWiki on Gentoo or Debian boxes without problems. Even the simplest 
config seems not to work on FreeBSD 7! In many cases ACLs seem to be the 
culprit, but even setting 'access to * by * write' or configuring binddn 
and binddnpw in /usr/local/etc/ldap.conf and nss_ldap.conf as the same 
as the rootdn in slapd.conf doesn't work and results in the same problem.


If anyone willing to help and running ldap services on a FreeBSD 7.0-PRE 
box, he or she is welcome!


Thanks in advance,
Oliver

P.S. If someone wants me to offer config details and/or log excerpts, 
please contact me.



Re: passwd(1), pam_ldap and old PRs

2007-09-06 Thread Ivan Voras

Jonathan McKeown wrote:


There are two relevant PRs, one open (bin/71290) and one suspended (bin/59638).
...


You may want to try asking this on current@ and hackers@ lists.





passwd(1), pam_ldap and old PRs

2007-09-04 Thread Jonathan McKeown
I asked this on -hackers@ several weeks ago and the silence was deafening - 
what I have heard referred to as Warnock's Dilemma.

I'm experimenting with OpenLDAP, pam_ldap, and pgina with the PAM plugin on 
Windows clients, for central authentication in a mixed network.

passwd(1) won't allow me to change a password other than local or NIS.

There are two relevant PRs, one open (bin/71290) and one suspended (bin/59638).

Looking at the source, it appears passwd.c has been rewritten (some years 
since) to use the PAM infrastructure for password changes. This goes most of 
the way to addressing bin/59638. However, there is a switch statement at 
lines 112-126 of /usr/src/usr.bin/passwd/passwd.c (on 6.2-RELEASE) which 
prevents it from working except for files and nis, using constants defined in 
pwd.h and commented there as being ``bogus''. bin/71290 includes a patch 
which would fix this (although I do think it would be a shame to lose the 
comment about green men).

Is there any reason other than historical that this PR and patch is being 
ignored and the old behaviour is being preserved? What would be the drawback 
to removing the switch statement as proposed, and allowing passwd(1) to 
change the user's password using PAM, wherever it might be stored?

Jonathan


Issues while authenticating a user over openLDAP using PAM_ldap

2007-08-09 Thread Noah

running FreeBSD 6.2 Stable

we have openLDAP installed on a server called access1.  Users on access1
appear to not be able to ssh to access1.  The ssh authentication method
uses PAM ldap.  PAM_ldap reports Invalid credentials in /var/log/messages

We have another server called access2 that authenticates to the ldap
server running on access1.  those users log in via ssh without issue on
access2.

I am trying to track down what is broken.  I am not even sure how to
receive verbose logging from PAM and/or PAM_ldap.  Any assistance is
much appreciated.




Aug  9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user cn=Test User,cn=people,dc=blah,dc=blah,dc=com (Invalid credentials)

related rc.conf lines on access1:
slapd_enable=YES
slapd_flags='-h "ldapi:///var/run/openldap/ldapi/ ldap://0.0.0.0/" -f /usr/local/etc/openldap/slapd.conf'
slapd_sockets=/var/run/openldap/ldapi
sshd_enable=YES
sshd_program=/usr/local/sbin/sshd


access1# cat /etc/pam.d/ldap
# debug
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $ debug
# debug
# PAM configuration for the sshd service debug
# debug

# auth debug

auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass debug
auth        required    pam_nologin.so      no_warn debug
auth        sufficient  pam_opie.so         no_warn no_fake_prompts debug
auth        requisite   pam_opieaccess.so   no_warn allow_local debug
#auth       sufficient  pam_krb5.so         no_warn try_first_pass debug
#auth       sufficient  pam_ssh.so          no_warn try_first_pass debug
auth        required    pam_unix.so         no_warn try_first_pass debug

# account debug
#account    required    pam_krb5.so debug
account     required    pam_login_access.so debug
account     required    pam_unix.so debug

# session debug
#session    optional    pam_ssh.so debug
session     required    /usr/local/lib/pam_mkhomedir.so
#session    required    /usr/local/lib/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug
session     required    pam_permit.so debug

# password debug
#password   sufficient  pam_krb5.so         no_warn try_first_pass debug
password    required    pam_unix.so         no_warn try_first_pass debug


access1
[EMAIL PROTECTED] ~]$ pkg_info | grep pam
checkpassword-pam-0.99 Implementation of checkpassword authentication program
nagios-spamd-plugin-1.4 Nagios plugin for checking SpamAssassins spamd
p5-Mail-SpamAssassin-3.2.1_1 A highly efficient mail filter for identifying spam
pam_ldap-1.8.2  A pam module for authenticating with LDAP
pam_mkhomedir-0.1   Create HOME with a PAM module on demand
pamtester-0.1.2 A command line pam authentication tester
razor-agents-2.84   A distributed, collaborative, spam detection and filtering
[EMAIL PROTECTED] ~]$ pkg_info | grep ldap
ldapsh-2.00_2,1 Interactive shell used to administer ldap directories
nss_ldap-1.255  RFC 2307 NSS module
openldap-client-2.3.37 Open source LDAP client implementation
openldap-server-2.3.37 Open source LDAP server implementation
p5-perl-ldap-0.34   A Client interface to LDAP servers
pam_ldap-1.8.2  A pam module for authenticating with LDAP
php5-ldap-5.2.3_1   The ldap shared extension for php
[EMAIL PROTECTED] ~]$ pkg_info | grep nss
nss-3.11.7  Libraries to support development of security-enabled applic
nss_ldap-1.255  RFC 2307 NSS module
openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
openssl-0.9.8e_1    SSL and crypto library
php5-openssl-5.2.3_1 The openssl shared extension for php
py25-openssl-0.6    Python interface to the OpenSSL library
[EMAIL PROTECTED] ~]$


access2 files
[EMAIL PROTECTED] ~]$ pkg_info | grep pam
pam_ldap-1.8.2  A pam module for authenticating with LDAP
pam_mkhomedir-0.1   Create HOME with a PAM module on demand
pamtester-0.1.2 A command line pam authentication tester
[EMAIL PROTECTED] ~]$ pkg_info | grep ldap
nss_ldap-1.255  RFC 2307 NSS module
openldap-client-2.3.37 Open source LDAP client implementation
openldap-server-2.3.37 Open source LDAP server implementation
pam_ldap-1.8.2  A pam module for authenticating with LDAP
[EMAIL PROTECTED] ~]$ pkg_info | grep nss
nss_ldap-1.255  RFC 2307 NSS module
openssh-portable-4.6.p1,1 The portable version of OpenBSD's OpenSSH
[EMAIL PROTECTED] ~]$





Re: Issues while authenticating a user over openLDAP using PAM_ldap

2007-08-09 Thread Andy Harrison



On 8/9/07, Noah  wrote:
 running FreeBSD 6.2 Stable

 we have openLDAP installed on a server called access1.  Users on access1
 appear to not be able to ssh to access1.  The ssh authentication method
 uses PAM ldap.  PAM_ldap reports Invalid credentials in /var/log/messages

 We have another server called access2 that authenticates to the ldap
 server running on access1.  those users log in via ssh without issue on
 access2.

 I am trying to track down what is broken.  I am not even sure how to
 receive verbose logging from PAM and/or PAM_ldap.  Any assistance is
 much appreciated.



What about your nsswitch.conf file?

--
Andy Harrison
public key: 0x67518262


Re: Issues while authenticating a user over openLDAP using PAM_ldap [cured]

2007-08-09 Thread Noah

see below

Andy Harrison wrote:




On 8/9/07, Noah  wrote:

running FreeBSD 6.2 Stable

we have openLDAP installed on a server called access1.  Users on access1
appear to not be able to ssh to access1.  The ssh authentication method
uses PAM ldap.  PAM_ldap reports Invalid credentials in /var/log/messages

We have another server called access2 that authenticates to the ldap
server running on access1.  those users log in via ssh without issue on
access2.

I am trying to track down what is broken.  I am not even sure how to
receive verbose logging from PAM and/or PAM_ldap.  Any assistance is
much appreciated.




What about your nsswitch.conf file?




thanks Andy - that was it!

I matched the lines of access1's nsswitch.conf to access2's 
nsswitch.conf file


and things are fine!





--
Andy Harrison
public key: 0x67518262


pam_ldap receives Invalid credentials

2007-08-01 Thread Noah

Hi,

I am not sure why this happens but our terminal servers, routers, and
ancillary devices are able to authenticate with our LDAP server.  For
some reason pam_ldap claims Invalid credentials with the same exact
user and password.


What could be wrong?  I can't seem to figure out what is wrong with the
current log messages.  Is there a way to receive verbose messages from
pam and/or pam_ldap to figure out if it is sending the proper
authentication information to the LDAP server?


We are on a FreeBSD-6.2 stable machine.

Clues please,

Noah




Aug  1 11:24:11 access1 sshd[6277]: pam_ldap: error trying to bind as user cn=Test User,cn=people,dc=bogus,dc=domain,dc=net (Invalid credentials)
Aug  1 11:24:11 access1 sshd[6277]: Failed password for invalid user tuser from 172.24.241.234 port 49317 ssh2
Aug  1 11:24:14 access1 sshd[6277]: pam_ldap: error trying to bind as user cn=Test User,cn=people,dc=bogus,dc=domain,dc=net (Invalid credentials)
Aug  1 11:24:14 access1 sshd[6277]: Failed password for invalid user tuser from 172.24.241.234 port 49317 ssh2
Aug  1 11:24:14 access1 sshd[6277]: Connection closed by 172.24.241.234


access1# pkg_info | grep pam
checkpassword-pam-0.99 Implementation of checkpassword authentication program
nagios-spamd-plugin-1.4 Nagios plugin for checking SpamAssassins spamd
p5-Mail-SpamAssassin-3.1.8_1 A highly efficient mail filter for identifying spam
pam_ldap-1.8.2  A pam module for authenticating with LDAP
pam_mkhomedir-0.1   Create HOME with a PAM module on demand
pamtester-0.1.2 A command line pam authentication tester
razor-agents-2.84   A distributed, collaborative, spam detection and filtering

access1# pkg_info | grep ldap
ldapsh-2.00_2,1 Interactive shell used to administer ldap directories
nss_ldap-1.255  RFC 2307 NSS module
openldap-client-2.3.37 Open source LDAP client implementation
openldap-server-2.3.37 Open source LDAP server implementation
p5-perl-ldap-0.34   A Client interface to LDAP servers
pam_ldap-1.8.2  A pam module for authenticating with LDAP
php5-ldap-5.2.3_1   The ldap shared extension for php
access1#


Re: pam_ldap issues

2007-07-04 Thread Eric Masson
Thierry Lacoste [EMAIL PROTECTED] writes:

Hello,

 I have a very similar setting on 6.1
 Maybe you have an ACL problem (see below).
 What does the following command give?
 ldapsearch -x -D cn=testuser,ou=people,dc=interne,dc=example,dc=org -W

The command asks for an ldap password that I type, but the result is:
ldap_bind: Invalid credentials (49).

I've double checked the password and reinitialized the ldap database,
but no change atm.

-- 
 BC Sorry, but I couldn't help myself.
 So we saw, but really, you shouldn't have; we weren't missing you
 enough yet.
 -+- RM in http://www.le-gnu.net : In a period of withdrawal -+-


Re: pam_ldap issues

2007-07-04 Thread Eric Masson
Eric Masson [EMAIL PROTECTED] writes:

Follow up to myself, sorry

 The command asks for an ldap password that I type but, the result is :
 ldap_bind: Invalid credentials (49).

 I've double checked the password and reinitialized the ldap database,
 but no change atm.

I've rebuilt all ports, with no success until I created the
/etc/pam.d/ldap file as stated in pam_ldap's pkg-message.

It works fine now, and pam_mkhomedir creates home directory on first
login.

Sorry for the noise.

-- 
 MW Tss... A cyberpimp. Now we've seen everything!
 JdC Why not? There must be cybertarts out there too.
 -+- in : http://www.le-gnu.net - The joys of cybersex -+-


Re: pam_ldap issues

2007-07-04 Thread Thierry Lacoste
On Wednesday 04 July 2007 09:35, Eric Masson wrote:
 Thierry Lacoste [EMAIL PROTECTED] writes:

 Hello,

  I have a very similar setting on 6.1
  Maybe you have an ACL problem (see below).
  What does the following command give?
  ldapsearch -x -D cn=testuser,ou=people,dc=interne,dc=example,dc=org -W

 The command asks for an ldap password that I type but, the result is :
 ldap_bind: Invalid credentials (49).

 I've double checked the password and reinitialized the ldap database,
 but no change atm.
Simplify your slapd.conf as much as possible.
When the above ldapsearch works throw in changes step by step.
In particular you should probably start with ACLs like these:

access to attrs=userPassword
   by anonymous auth
   by self write
   by * none

access to * by * read

Add loglevel 128 to your slapd.conf to log access control list processing.

BTW what does ldapsearch -x -D "cn=Manager, dc=interne, dc=example, dc=org" -W
give?

Regards,
Thierry

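Thierry's ACL advice above hinges on how slapd evaluates access directives: the first "access to" target that covers the attribute decides, and within it the first "by" clause that matches the requester decides, so a catch-all placed too early silently grants what a later stanza tries to deny. The checker below is an added example, not code from the thread or from OpenLDAP; it parses "access to ... by ..." stanzas from slapd.conf text, computes the effective access to userPassword for anonymous, self and other users, and reports ordering mistakes, using Eric's posted ACLs, Thierry's recommended ones, and a constructed misordered variant.

```python
import re

# slapd access levels, lowest to highest; a grant implies every lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
# ACL stanzas as posted by Eric in this thread.
POSTED_ACL = """\
access to dn.base=""
by self write
by * auth
access to attrs=userPassword
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * auth
access to *
by * read
by anonymous auth
"""
# The ACLs Thierry recommends starting from.
RECOMMENDED_ACL = """\
access to attrs=userPassword
   by anonymous auth
   by self write
   by * none
access to * by * read
"""
# Constructed variant: the same stanzas with the catch-all placed first.
MISORDERED_ACL = """\
access to * by * read
access to attrs=userPassword
   by anonymous auth
   by self write
   by * none
"""


def parse_acls(conf):
    """[(target, [(who, level), ...]), ...] in file order; target is '*',
    the attrs= list, or the raw form for targets the checks do not model."""
    acls, clauses = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"access\s+to\s+(\S+)(.*)$", line)
        if head:
            attrs = re.match(r"attrs=(\S+)", head.group(1))
            clauses = []
            acls.append((attrs.group(1) if attrs else head.group(1), clauses))
            line = head.group(2)
        elif clauses is None or not line.startswith("by "):
            continue                     # blank line or unrelated directive
        clauses.extend(re.findall(r"by\s+(\S+)\s+(\w+)", line))
    return acls


def _subject_matches(who, requester):
    # requester: 'anonymous', 'self' (the entry's own DN) or 'user' (any
    # other authenticated DN); other 'by' subject forms are not modelled.
    return (who == "*"
            or (who == "anonymous" and requester == "anonymous")
            or (who == "users" and requester != "anonymous")
            or (who == "self" and requester == "self"))


def effective_access(acls, attr, requester):
    """Evaluate like slapd: the first directive whose target covers attr
    decides, then its first clause whose subject matches; anything else
    is 'none' (assumes at least one access directive is present)."""
    for target, clauses in acls:
        if target != "*" and attr not in target.split(","):
            continue
        for who, level in clauses:
            if _subject_matches(who, requester):
                return level
        return "none"
    return "none"


def audit(conf):
    """Findings on userPassword access plus ACL ordering hazards."""
    acls = parse_acls(conf)
    findings = []
    anon = effective_access(acls, "userPassword", "anonymous")
    if anon == "none":
        findings.append("anonymous lacks 'auth' on userPassword: simple binds fail with Invalid credentials")
    elif anon != "auth":
        findings.append(f"anonymous gets '{anon}' on userPassword; only 'auth' is safe")
    other = effective_access(acls, "userPassword", "user")
    if LEVELS.index(other) >= LEVELS.index("compare"):
        findings.append(f"other users get '{other}' on userPassword; use 'auth' or 'none'")
    if effective_access(acls, "userPassword", "self") != "write":
        findings.append("users cannot write their own userPassword, so password changes fail")
    catch_all_seen = False
    for target, clauses in acls:
        if catch_all_seen:
            findings.append(f"'access to {target}' is shadowed by an earlier 'access to *'")
        catch_all_seen = catch_all_seen or target == "*"
        subjects = [who for who, _ in clauses]
        if "*" in subjects and subjects.index("*") < len(subjects) - 1:
            findings.append(f"in 'access to {target}', clauses after 'by *' never match")
    return findings
```

Run against the posted stanzas it reports only the dead "by anonymous auth" after "by * read", so Eric's bind failure is not an ACL problem, which matches his own follow-up.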


pam_ldap issues

2007-07-03 Thread Eric Masson
Hello,

I'm trying to set up authentication via an LDAP directory on a 6.2-p5 box.
id queries regarding an LDAP-defined user, using root or a locally defined
user, work fine:

[EMAIL PROTECTED]:~ id testuser
uid=2000(testuser) gid=2000(test) groups=2000(test)

[EMAIL PROTECTED]:~ id testuser
uid=2000(testuser) gid=2000(test) groups=2000(test)

testuser can't log on to the box (authentication failed). The following
message pops up on the console:
Jul  3 19:08:03 box login: pam_ldap: error trying to bind as user cn=testuser,ou=people,dc=interne,dc=example,dc=org (Invalid credentials)

Openldap logs an error 49 (see attached file).

It seems that nss works but not pam.

ldap related configuration follows :

/usr/local/etc/ldap.conf
base dc=interne,dc=example,dc=org
uri ldap://127.0.0.1:389/

logdir /var/log/ldap
#debug 256

timeout 5
bind_timeout 5
bind_policy soft

rootbinddn cn=Manager,dc=interne,dc=example,dc=org

nss_base_passwd ou=people,dc=interne,dc=example,dc=org?one
nss_base_group ou=groups,dc=interne,dc=example,dc=org?one
/usr/local/etc/ldap.conf

/usr/local/etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

modulepath  /usr/local/libexec/openldap
moduleload  back_bdb

access to dn.base=""
by self write
by * auth

access to attrs=userPassword
by self write
by * auth

access to attrs=shadowLastChange
by self write
by * auth

access to *
by * read
by anonymous auth

schemacheck on
idletimeout 30
backend     bdb
database    bdb

suffix      "dc=interne, dc=example, dc=org"
rootdn      "cn=Manager, dc=interne, dc=example, dc=org"

rootpw      password

checkpoint  1024 5
cachesize   1

directory   /var/db/openldap-data

# Indices to maintain
index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   uidNumber               eq
index   gidNumber               eq
index   memberUID               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
/usr/local/etc/openldap/slapd.conf

/etc/pam.d/system
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
#auth       sufficient  pam_ssh.so          no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_lastlog.so      no_fail

# password
#password   sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_unix.so         no_warn try_first_pass
/etc/pam.d/system

/etc/nsswitch.conf
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
/etc/nsswitch.conf

Directory has been initialized with the following ldif file

init.ldif
dn: dc=interne,dc=example,dc=org
dc: interne
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: interne.example.fr
structuralObjectClass: domain

dn: ou=groups,dc=interne,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit

dn: ou=people,dc=interne,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit

dn: cn=testuser,ou=people,dc=interne,dc=example,dc=org
cn: testuser
sn: Dummy
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
userPassword: testuser
uidNumber: 2000
gidNumber: 2000
gecos: Test User
loginShell: /bin/csh
homeDirectory: /home/test
structuralObjectClass: person

dn: cn=test,ou=groups,dc=interne,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: test
gidNumber: 2000
memberUid: test
structuralObjectClass: posixGroup
init.ldif

Re: pam_ldap issues

2007-07-03 Thread Thierry Lacoste
I have a very similar setting on 6.1
Maybe you have an ACL problem (see below).
What does the following command give?
ldapsearch -x -D cn=testuser,ou=people,dc=interne,dc=example,dc=org -W

 /usr/local/etc/ldap.conf
 base dc=interne,dc=example,dc=org
 uri ldap://127.0.0.1:389/

 logdir /var/log/ldap
 #debug 256

 timeout 5
 bind_timeout 5
 bind_policy soft

 rootbinddn cn=Manager,dc=interne,dc=example,dc=org
BTW I think you can remove this one

 nss_base_passwd ou=people,dc=interne,dc=example,dc=org?one
 nss_base_group ou=groups,dc=interne,dc=example,dc=org?one
 /usr/local/etc/ldap.conf


 /usr/local/etc/openldap/slapd.conf
 include   /usr/local/etc/openldap/schema/core.schema
 include   /usr/local/etc/openldap/schema/cosine.schema
 include   /usr/local/etc/openldap/schema/inetorgperson.schema
 include   /usr/local/etc/openldap/schema/nis.schema
 include   /usr/local/etc/openldap/schema/samba.schema

 pidfile   /var/run/openldap/slapd.pid
 argsfile  /var/run/openldap/slapd.args

 modulepath/usr/local/libexec/openldap
 moduleloadback_bdb

 access to dn.base=""
   by self write
   by * auth

 access to attrs=userPassword
   by self write
   by * auth
Replace this one with
by anonymous auth

 access to attrs=shadowLastChange
   by self write
   by * auth

 access to *
   by * read
   by anonymous auth
I think you should also remove all the other above lines containing auth.

 schemacheck   on
 idletimeout   30
 backend   bdb
 database  bdb

 suffixdc=interne, dc=example, dc=org
 rootdncn=Manager, dc=interne, dc=example, dc=org

 rootpwpassword

 checkpoint1024 5
 cachesize 1

 directory /var/db/openldap-data

 # Indices to maintain
 index objectClass eq
 index cn  pres,sub,eq
 index sn  pres,sub,eq
 index uid pres,sub,eq
 index displayName pres,sub,eq
 index uidNumber   eq
 index gidNumber   eq
 index memberUID   eq
 index sambaSID    eq
 index sambaPrimaryGroupSID    eq
 index sambaDomainName eq
 index default sub
 /usr/local/etc/openldap/slapd.conf

HTH,
Thierry.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
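Editor's added example (not from the thread and not OpenLDAP code): a small Python model of how slapd picks an access level, to make the ACL advice above concrete. It follows the first-match rules documented in slapd.access(5): directives are tried in file order, the first `access to` whose target covers the requested attribute is selected, inside it the first `by` clause that matches the requester decides, and a requester no clause matches gets `none`. Only the selectors used in the quoted slapd.conf are modelled (`*`, `attrs=...`, `by self|anonymous|users|*`); the `dn.base=""` directive is left out. Both configurations are constructed from the thread: the userPassword / shadowLastChange / `access to *` block as quoted, and the same block with Thierry's replacement of `by * auth` by `by anonymous auth`.

```python
"""Toy model of slapd ACL evaluation (slapd.access(5) first-match rules).
Editor's illustration for the thread above; not OpenLDAP code. Only the
selectors that appear in the quoted slapd.conf are supported."""
from dataclasses import dataclass, field

# slapd access levels, weakest to strongest; a level implies all weaker ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Directive:
    target: str                                   # "*" or "attrs=a,b,..."
    clauses: list = field(default_factory=list)   # (who, level) in file order


def parse_acl(text):
    """Collect `access to ...` directives and their `by ...` clauses."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            directives.append(Directive(line[len("access to "):].strip()))
        elif line.startswith("by ") and directives:
            _, who, level = line.split()
            if level not in LEVELS:
                raise ValueError(f"unknown access level: {level}")
            directives[-1].clauses.append((who, level))
    return directives


def who_matches(who, requester, is_self):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and is_self
    raise ValueError(f"unsupported 'by' selector: {who}")


def target_matches(target, attr):
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr in target[len("attrs="):].split(",")
    raise ValueError(f"unsupported target: {target}")


def access_level(directives, attr, requester=None, is_self=False):
    """Level the requester gets on `attr` under first-match semantics."""
    for d in directives:
        if not target_matches(d.target, attr):
            continue
        for who, level in d.clauses:
            if who_matches(who, requester, is_self):
                return level
        return "none"          # directive selected, but no clause matched
    return "none"              # no directive covers the attribute


def unreachable_clauses(directives):
    """`by` clauses shadowed by an earlier `by *` in the same directive."""
    dead = []
    for d in directives:
        for i, (who, level) in enumerate(d.clauses):
            if any(w == "*" for w, _ in d.clauses[:i]):
                dead.append((d.target, who, level))
    return dead


# Constructed from the slapd.conf quoted in the thread (dn.base="" omitted).
AS_POSTED = """
access to attrs=userPassword
    by self write
    by * auth

access to attrs=shadowLastChange
    by self write
    by * auth

access to *
    by * read
    by anonymous auth
"""

# Same block with Thierry's suggested change applied to userPassword.
SUGGESTED = AS_POSTED.replace(
    "access to attrs=userPassword\n    by self write\n    by * auth",
    "access to attrs=userPassword\n    by self write\n    by anonymous auth")

USER = "cn=testuser,ou=people,dc=interne,dc=example,dc=org"
OTHER = "cn=other,ou=people,dc=interne,dc=example,dc=org"   # constructed DN

if __name__ == "__main__":
    posted = parse_acl(AS_POSTED)
    print("anonymous on userPassword:", access_level(posted, "userPassword"))
    print("other user on userPassword:", access_level(posted, "userPassword", OTHER))
    print("anonymous on loginShell:", access_level(posted, "loginShell"))
    print("shadowed clauses:", unreachable_clauses(posted))
```

Two things the model makes visible: in `access to *` the `by anonymous auth` line can never fire, because `by * read` directly above it already matches every requester, so anonymous clients get `read` on every attribute not handled by an earlier directive; and the quoted `by * auth` on userPassword already lets anyone bind while letting nobody but the entry itself read the hash, so Thierry's `by anonymous auth` mainly removes the ability of other authenticated users to bind-test against that attribute.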


Problems sshing in remotely using pam_ldap

2006-05-29 Thread Jason Lixfeld
I have a system running 6.1-RELEASE, OpenLDAP 2.3.23, Pam-LDAP 1.80  
and NSS-LDAP 1.249.


I have a user, called testuser configured in LDAP.

I can ssh [EMAIL PROTECTED] and it works no problem.

If I try to ssh into the box from another host, it fails.  What I see  
in the ssh debug during the failure is:


login_get_lastlog: Cannot find account for uid 2000

This error confuses me because uid 2000 exists:

# id 2000
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
# id testuser
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)

So I really have no idea what it could be.

I read something back from 2003 saying that something similar  
happened but it was due to incompatible ssh versions, but both  
localhost and the remote host are using v2, so that doesn't seem to  
be the issue.


Any ideas?


nss_ldap/pam_ldap: problems binding

2006-04-20 Thread martin mccann

Hi, 

I've been trying to get my ldap authentication working, something I 
have done 
before with little issue, but this time around it is causing real pain. 

Pretty much the same problems Jan HREHO was having back in February - 
http://lists.freebsd.org/pipermail/freebsd-questions/2006-February/112066.html

I tried the suggested solution to that - moving the slapd startup 
script 
into /etc/rc.d, but that didn't help, same problem just further up in the 
boot process. 

Another possibility I came across was putting the line 'bind_policy 
soft' 
in /etc/ldap.conf (symlinked to /usr/local/etc/ldap.conf 
 /usr/local/etc/nss_ldap.conf). This seemed to do the job, until I then 
tried to ssh onto localhost using an ldap user account. It failed with 

Apr 19 22:48:10 svr1 sshd[660]: nss_ldap: could not search LDAP server - 
Server is unavailable
Apr 19 22:48:10 svr1 sshd[660]: fatal: login_get_lastlog: Cannot find account 
for uid 2000

Removing the bind_policy from the file then retrying, it worked fine. 

The second solution I tried was to change the slapd.sh file to just 
launch 
the daemon i.e. '/usr/local/libexec/slapd'. This seems to work, but it is 
very inelegant, and it may have knock-on effects I am unaware of at this 
time. I'm more interested in getting the process right to set it up at this 
stage, rather than hacking away to get a working system (I'm working on a 
series of documents). 

I'm doing this on a virgin 6.0 installation, cvsuped with the latest 
ports, 
fresh install of openldap22, pam_ldap and nss_ldap.  

So the question is: is this a common problem? If not, then what am I 
doing wrong to create it? If so, then is there a more elegant solution than 
hacking away at the startup script? 

The thread that suggests the bind_policy also mentions 'nss_reconnect_* 
parameters', which certainly sounds like it could be the answer, but I haven't 
been able to google anything about them. 

Cheers, 
Martin 


pam_ldap nss_ldap

2006-02-24 Thread beckey
pam_ldap, nss_ldap not found.




baffled by pam_ldap

2005-05-12 Thread Benjamin J Doherty
Friends,
I've been struggling with pam_ldap for three days now and cannot see  
what I am doing wrong.  I'm trying to use OpenLDAP for  
authentication, though I threw nss_ldap in for good measure.  What's  
so baffling to me is that I can add a new user to the directory and  
verify its existence using id but SSH refuses to bind.

Here's an excerpt from my /var/log/auth.log:
May 12 16:46:28 static-host sshd[53253]: Illegal user testuser from  
192.168.1.150
May 12 16:46:28 static-host sshd[53253]: Failed none for illegal user  
testuser from 192.168.1.150 port 53074 ssh2
May 12 16:46:28 static-host sshd[53255]: pam_ldap: error trying to  
bind (Invalid credentials)

The debug log from pam_ldap says this:
ldap_create
ldap_url_parse_ext(ldapi://%2fvar%2frun%2fopenldap%2fldapi/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 9
ldap_connect_to_path: Trying /var/run/openldap/ldapi
ldap_connect_timeout: fd: 9 tm: 30 async: 0
ldap_ndelay_on: 9
ldap_ndelay_off: 9
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 59 bytes to sd 9
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 30 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 0
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ldap_msgfree
ldap_err2string
and the second log created at the same time says:
(identical to the previous log up to ldap_msgfree)
ber_scanf fmt ({iaa}) ber:
ldap_chase_referrals
read1msg:  V2 referral chased, mark request completed, id = 1
new result:  res_errno: 49, res_error: , res_matched: 
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 49, res_error: , res_matched: 
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
I'm guessing that this means that I can bind with my binddn but not  
with the uid=testuser.

Meanwhile, nss_ldap seems to be working correctly, because an id on  
the same user returns:

uid=1003(testuser) gid=0(wheel) groups=0(wheel)
The nss_ldap.conf is symlinked to ldap.conf, which looks like this:
host 127.0.0.1
base dc=swyc,dc=org
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
ldap_version 3
binddn cn=proxyuser,dc=swyc,dc=org
bindpw secret
rootbinddn cn=Manager,dc=swyc,dc=org
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password SSHA
nss_base_passwd ou=People,dc=swyc,dc=org?one
nss_base_group  ou=Group,dc=swyc,dc=org?one
I can run ldapsearch and get the right data back:
ldapsearch -H ldapi://%2fvar%2frun%2fopenldap%2fldapi/ -x -W -D \
  cn=proxyuser,dc=swyc,dc=org "(&(objectClass=posixAccount)(uid=testuser))"

dn: uid=testuser,ou=People,dc=swyc,dc=org
uid: testuser
cn: test user
homeDirectory: /home/testuser
uidNumber: 1003
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
gidNumber: 0
gecos: test user
shadowLastChange: 12915
sn: testuser
userPassword:: e1NTSEF9clM2c0xnR3dtSW5ybzNNUFUra0N2WFoydFZJUVZ0ZFE=
loginShell: /bin/sh
I'm a complete openldap neophyte, biting off more than I can chew for  
sure.  However, I just know that if I don't get a directory operating  
now, I'll wish I had done it later, especially since my next project  
is to get open-xchange running.  I apologize for pasting a bunch of  
logs into this message, but I've been staring at them all day.  If  
you can tell me what should have caught my attention, that would be  
very helpful!

Cheers,
benjamin doherty
chicago illinois
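Editor's added example, not part of Benjamin's post and not pam_ldap or OpenLDAP code: a Python helper for reading a `userPassword` line out of LDIF output like the one above and reporting how the secret is stored. LDIF marks a base64-encoded value with a double colon (`userPassword::`), which is why the value is unreadable as pasted; once decoded, an OpenLDAP password hash starts with a `{SCHEME}` prefix, and for `{SSHA}` the base64 body is the 20-byte SHA-1 digest of password+salt followed by the salt. `verify_ssha` does what slapd does on a simple bind: hash the offered password with the stored salt and compare. The candidate password and salt used below are constructed; the only value taken from the thread is the pasted `userPassword::` line, which is decoded just far enough to confirm its scheme and salt length. The helper also flags a `userPassword` with no scheme prefix, such as the `userPassword: testuser` in the init.ldif earlier on this page, which slapd stores and compares as cleartext.

```python
"""Inspect and verify OpenLDAP userPassword values taken from LDIF.
Editor's illustration for the thread above; not pam_ldap or slapd code."""
import base64
import hashlib
import hmac
import os
import re

# LDIF value forms (RFC 2849): "attr: text" or "attr:: base64"; "attr:< url" is not handled.
_LDIF_LINE = re.compile(r"^(?P<attr>[A-Za-z][\w.;-]*)(?P<sep>::?)\s*(?P<value>.*)$")


def decode_ldif_value(line):
    """Return (attribute, raw_bytes) for one LDIF attribute line."""
    m = _LDIF_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    value = m.group("value")
    raw = base64.b64decode(value) if m.group("sep") == "::" else value.encode()
    return m.group("attr"), raw


def password_scheme(raw):
    """'{SSHA}', '{CRYPT}', ... for a hashed value; None when stored in cleartext."""
    m = re.match(rb"^\{([A-Za-z0-9-]+)\}", raw)
    return m.group(0).decode() if m else None


def ssha_parts(raw):
    """Split an {SSHA} value into (digest, salt); OpenLDAP appends the salt."""
    if password_scheme(raw) != "{SSHA}":
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(raw[len(b"{SSHA}"):])
    return blob[:20], blob[20:]


def make_ssha(password, salt=None):
    """Encode a password the way slappasswd -h {SSHA} does."""
    if salt is None:
        salt = os.urandom(4)            # slappasswd uses a 4-byte salt by default
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_ssha(raw, candidate):
    """Constant-time check of a candidate password against an {SSHA} value."""
    digest, salt = ssha_parts(raw)
    return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())


def describe(line):
    """Summarise how a userPassword line stores its secret."""
    attr, raw = decode_ldif_value(line)
    if attr.lower() != "userpassword":
        raise ValueError(f"expected userPassword, got {attr}")
    scheme = password_scheme(raw)
    if scheme is None:
        return {"scheme": None, "cleartext": True}
    info = {"scheme": scheme, "cleartext": False}
    if scheme == "{SSHA}":
        digest, salt = ssha_parts(raw)
        info.update(digest_len=len(digest), salt_len=len(salt))
    return info


# Taken from the ldapsearch output quoted above (the value is a hash, not a password).
FROM_THREAD = "userPassword:: e1NTSEF9clM2c0xnR3dtSW5ybzNNUFUra0N2WFoydFZJUVZ0ZFE="
# As in the init.ldif earlier on this page: no scheme prefix, so stored as cleartext.
CLEARTEXT = "userPassword: testuser"

if __name__ == "__main__":
    print(describe(FROM_THREAD))
    print(describe(CLEARTEXT))
    sample = make_ssha("correct horse", salt=b"\x01\x02\x03\x04")   # constructed values
    print(sample, verify_ssha(sample, "correct horse"), verify_ssha(sample, "wrong"))
```

Seeing `{SSHA}` with a 20-byte digest and a 4-byte salt confirms the directory holds a salted hash rather than a cleartext password, which is the first thing worth checking when ldapsearch shows a `::` value; it says nothing about why a bind fails, since slapd hashes the offered password with the stored salt itself.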

Re: baffled by pam_ldap

2005-05-12 Thread Lewis Thompson
On Thu, May 12, 2005 at 05:11:03PM -0500, Benjamin J Doherty wrote:
 I've been struggling with pam_ldap for three days now and cannot see  
 what I am doing wrong.  I'm trying to use OpenLDAP for  
 authentication, though I threw nss_ldap in for good measure.  What's  
 so baffling to me is that I can add a new user to the directory and  
 verify its existence using id but SSH refuses to bind.

I couldn't spot any references to pam.d/sshd anywhere else in your post.  To
allow sshd to authenticate via pam_ldap you need to have the lines:

auth        sufficient  pam_ldap.so no_warn try_first_pass
account     sufficient  pam_ldap.so
password    sufficient  pam_ldap.so no_warn try_first_pass

I think just the auth line will do but the rest seem helpful too.

To go a little further than that, I have my pam.d/passwd file configured:

password    sufficient  pam_unix.so no_warn try_first_pass nullok
password    sufficient  pam_ldap.so no_warn use_first_pass

pam.d/system:

auth        sufficient  pam_ldap.so no_warn try_first_pass
auth        required    pam_unix.so no_warn try_first_pass nullok
password    sufficient  pam_ldap.so no_warn try_first_pass
password    required    pam_unix.so no_warn try_first_pass

You can apply the following patch to /usr/src/usr.bin/passwd/passwd.c to allow
passwd to be used to change passwords via pam_ldap (it also works for pam_unix)
(see http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/71290):

***BEGIN
--- passwd.c.orig   Wed Mar  9 03:20:02 2005
+++ passwd.cWed Mar  9 03:20:29 2005
@@ -120,9 +120,8 @@
pwd-pw_name);
break;
default:
-   /* XXX: Green men ought to be supported via PAM. */
-   errx(1,
- Sorry, `passwd' can only change passwords for local or NIS users.);
+   fprintf(stderr, Changing LDAP password for %s\n,
+   pwd-pw_name);
}

 #define pam_check(func) do { \
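Review bot: the `default:` arm stops failing, so after this change any account that is neither local nor NIS proceeds into the PAM path with a message asserting "Changing LDAP password", whether or not pam_ldap is the configured backend. A neutral message such as `Changing password for %s` would avoid misleading users on systems where the PAM stack hands the request to a different module, and the removed comment ("Green men ought to be supported via PAM") suggests the intended fix is exactly that: let PAM decide, without naming LDAP in passwd(1).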
***END

To use passwd you will also need to configure your /usr/local/etc/ldap.conf
file by setting:

pam_password exop

and at the server-side set:

password-hash to whatever you want (SMD5 is good!)

in /usr/local/etc/openldap/slapd.conf.

It took me a good deal of time and effort to bring all those things together
and I have them sat in a non-publicly available wiki.  You can find a very good
tutorial which should cover most of this (I think) at
http://books.blurgle.ca/read/book/1 -- unlike other tutorials this one is
dedicated to FreeBSD (and I even got my name in the credits ;).

chsh doesn't work so I came up with this very simple shell script (it's
probably not great and no doubt could be greatly improved):

*** BEGIN
#!/bin/sh

# is shell specified?
if test -z "$1"; then
    echo "Usage: $0 newshell"
    exit 1
fi

# is shell listed in /etc/shells?  (-F: fixed string, -x: whole line)
if ! grep -Fxq -- "$1" /etc/shells; then
    echo "That shell is not listed in /etc/shells."
    exit 1
fi

# attempt modify: bind as the calling user and replace loginShell
user=`whoami`
ldapmodify -D "uid=$user,ou=People,dc=domain,dc=com" -x -W <<EOT
dn: uid=$user,ou=People,dc=domain,dc=com
changetype: modify
replace: loginShell
loginShell: $1
EOT
if test $? -eq 0; then
    echo "Shell changed successfully."
else
    echo "A problem occurred changing your shell.  Please contact [EMAIL PROTECTED] for assistance."
fi
*** END

To use that just place it over /usr/bin/chsh (WARNING!  THIS COULD BE BAD!  :)

I hope that's some help.  Good luck!

-Lewis Thompson.

-- 
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.
-| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |-


Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x

2004-11-21 Thread Jon Adams
I tried this one:
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
and it emphatically does not work, and I followed it to the letter I 
think it has something to do with NSS only using SSL/port 636.

so then I tried it with that added still no dice
Help!
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.


Re: Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x

2004-11-21 Thread Cezar Fistik
Hello Jon,

Sunday, November 21, 2004, 3:16:27 PM, you wrote:

JA I tried this one:
JA 
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html

JA and it emphatically does not work, and I followed it to the letter I
JA think it has something to do with NSS only using SSL/port 636.

JA so then I tried it with that added still no dice

I followed the above howto word by word too and it didn't work from
the first try. So I made some searches, I think on pamldap or on
openldap mailing lists, don't remember exactly, and found another
explanation on how to set things up. As far as I remember, my problem
was with ldap.conf and nss_ldap.conf files which reside in
/usr/local/etc/. This files must be identical, so you may symlink
them, as I did. After that everything started to work, in my case ssh
through pam_ldap.

Unfortunately, my detailed configs are at work, so if you won't find
anything I'll post them on monday.



-- 
Best regards,
 Cezarmailto:[EMAIL PROTECTED]




Almost have NSS/PAM/LDAP... need a little help (was Re: Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x)

2004-11-21 Thread Jon Adams
After much banging my head against the desk, I have it kinda working...
I can su - to a user (from root) and get home directory... but... and I 
have tried PLAIN, CRYPT, and SSHA passwords...
I cannot login,  su - (when prompted for password), ssh in...

here is a some of the conf files
east# more /usr/local/etc/pam_ldap/ssh.conf
host 127.0.0.1
port 389
base dc=all,dc=net
ldap_version 3
ssl off
tls_ciphers HIGH:MEDIUM:+SSLv2:RSA
tls_checkpeer no
pam_login_attribute uid
east# cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the sshd service
#
# auth
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass config=/usr/local/etc/pam_ldap/ssh.conf
auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
#auth       sufficient  pam_ssh.so          no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass

# account
#account    required    pam_krb5.so
account     sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/pam_ldap/ssh.conf
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/pam_ldap/ssh.conf
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so         no_warn try_first_pass
password    sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/pam_ldap/ssh.conf
password    required    pam_unix.so         no_warn try_first_pass

east# more /usr/local/etc/ldap.conf
rootbinddb cn=Manager,dc=all,dc=net
uri ldaps://69.17.104.19:636/
binddn cn=Manager,dc=all,dc=net
ssl yes
bindpw 
port 636
nss_base_passwd ou=People,dc=all,dc=net?one
nss_base_group  ou=Groups,dc=all,dc=net?one
pam_password SSHA
 uname -a
FreeBSD east 5.1-RELEASE FreeBSD 5.1-RELEASE #3: Tue Nov  9 22:43:42 GMT 
2004 [EMAIL PROTECTED]:/usr/src/sys/i386/compile/ORACLE  i386
(I put in the oracle required changes and some TCP/IP related stuff)

 ./slapd -VV
@(#) $OpenLDAP: slapd 2.2.18 (Nov 21 2004 02:33:07) $
   
[EMAIL PROTECTED]:/usr/ports/net/openldap22-sasl-server/work/openldap-2.2.18/servers/slapd

 sshd -v
sshd version OpenSSH_3.6.1p1 FreeBSD-20030423
strings on slappasswd show the following are compiled in::
{SSHA}
{CRYPT}
{SHA}
{MD5}
{LANMAN}
{SASL}
{UNIX}
{CLEARTEXT}




Jon Adams wrote:
I tried this one:
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html 

and it emphatically does not work, and I followed it to the letter 
I think it has something to do with NSS only using SSL/port 636.

so then I tried it with that added still no dice
Help!



Re: Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x

2004-11-21 Thread Jon Adams

Cezar Fistik wrote:
Hello Jon,
Sunday, November 21, 2004, 3:16:27 PM, you wrote:
JA I tried this one:
JA 
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
JA and it emphatically does not work, and I followed it to the letter I
JA think it has something to do with NSS only using SSL/port 636.
JA so then I tried it with that added still no dice
I followed the above howto word by word too and it didn't work from
the first try. So I made some searches, I think on pamldap or on
openldap mailing lists, don't remember exactly, and found another
explanation on how to set things up. As far as I remember, my problem
was with ldap.conf and nss_ldap.conf files which reside in
/usr/local/etc/. This files must be identical, so you may symlink
them, as I did. After that everything started to work, in my case ssh
through pam_ldap.
 

I found this to be the case also. I didn't think to symlink them though (Doh)

Unfortunately, my detailed configs are at work, so if you won't find
anything I'll post them on monday.
 

Would greatly appreciate it. I can't get ssh logins (or any others) 
to work... really frustrating...

Thanks...


account management pam_ldap+nss_ldap

2004-11-18 Thread Cezar Fistik
Hello all,

I would greatly appreciate if someone could help me or point me to the right 
place to find a solution to the following problem. I have a system 
(5.3-release) configured to do user authentication through pam and ldap using 
map_ldap.so and nss_ldap.so. Everything is fine with that configuration, I am 
able to login, ssh and ftp to the system using users configured only in ldap 
with no problem.

What I'm looking for is a way to manage these accounts, I mean to temporarily 
disable (locking) an account or a group of accounts, like pw lock username, 
set accounts expiration date and so on. I spent the last 2 days searching but 
found nothing, or maybe I was looking in wrong places?
Please if someone did things like described above, help me. Actually, I'm most 
interested in disabling/enabling an ldap account/group without deleting it.

I was trying to find a solution myself and have thought of following. To create 
an ldap schema file which will have an objectclass with the accountEnabled 
attribute (and maybe some others too). To include this objectclass for DNs 
containing users and somehow to create a filter in nss_ldap config file which 
will do the filtering taking into account the accountEnabled flag. What do you 
think of this approach? I would appreciate any suggestions.

Thanks, 
Cezar Fistik 




Re: pam_ldap authentication based on pam_groupdn

2004-10-19 Thread Jason Lixfeld
Hi.
Anyone have any insight on this?
On 18-Oct-04, at 1:07 AM, Jason Lixfeld wrote:
I'm wondering if someone can point out my error here.  I've got PAM 
authenticating ssh users like so:

auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass
account     required    pam_login_access.so
account     sufficient  /usr/local/lib/pam_ldap.so  debug
account     required    pam_unix.so
session     required    pam_permit.so
password    sufficient  /usr/local/lib/pam_ldap.so  debug
password    required    pam_unix.so         no_warn try_first_pass

bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=proxyuser,dc=example,dc=com
scope one
#pam_filter objectclass=posixaccount
#pam_login_attribute uid
pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
pam_member_attribute memberuid
pam_password SSHA
nss_base_passwd ou=users,dc=example,dc=com?one
nss_base_shadow ou=users,dc=example,dc=com?one
nss_base_group  ou=groups,dc=example,dc=com?one
So I'm trying to permit users who are only members of the group ssh. 
 As per this ldap entry below, this user should be the only one 
permitted to ssh in:

dn: cn=ssh,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ssh
gidNumber: 10009
memberUid: testuser.discord.ca
This isn't working.  This user, and any other user can ssh in, even 
without being a member of the ssh group.  The check doesn't seem to be 
working and I'm not sure what I'm doing wrong.

I have an nss_ldap.conf which pam queries also, but will a config 
explicitly configured as I have done above override the nss_ldap.conf?

Any ideas?


pam_ldap authentication based on pam_groupdn

2004-10-17 Thread Jason Lixfeld
I'm wondering if someone can point out my error here.  I've got PAM 
authenticating ssh users like so:

auth        required    pam_nologin.so      no_warn
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass
account     required    pam_login_access.so
account     sufficient  /usr/local/lib/pam_ldap.so  debug
account     required    pam_unix.so
session     required    pam_permit.so
password    sufficient  /usr/local/lib/pam_ldap.so  debug
password    required    pam_unix.so         no_warn try_first_pass

bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=proxyuser,dc=example,dc=com
scope one
#pam_filter objectclass=posixaccount
#pam_login_attribute uid
pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
pam_member_attribute memberuid
pam_password SSHA
nss_base_passwd ou=users,dc=example,dc=com?one
nss_base_shadow ou=users,dc=example,dc=com?one
nss_base_group  ou=groups,dc=example,dc=com?one
So I'm trying to permit users who are only members of the group ssh.  
As per this ldap entry below, this user should be the only one 
permitted to ssh in:

dn: cn=ssh,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ssh
gidNumber: 10009
memberUid: testuser.discord.ca
This isn't working.  This user, and any other user can ssh in, even 
without being a member of the ssh group.  The check doesn't seem to be 
working and I'm not sure what I'm doing wrong.

I have an nss_ldap.conf which pam queries also, but will a config 
explicitly configured as I have done above override the nss_ldap.conf?

Any ideas?
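Editor's added example, not part of the thread and not OpenPAM code: a Python model of how a PAM chain combines module results under the control flags used in the stacks posted on this page (required, requisite, sufficient, optional), following the semantics documented in pam.conf(5): a failing `required` module is remembered but the chain continues, a failing `requisite` module stops the chain at once, a `sufficient` module that succeeds ends the chain with success unless an earlier `required` module has already failed, and a `sufficient` module that fails is simply skipped. The account stack from the post above is constructed as data, with pam_ldap.so marked as failing for a user outside the `ssh` group (the assumption being that the pam_groupdn test is what makes pam_ldap's account step fail for a non-member) while pam_unix.so succeeds because nss_ldap resolves the account. The same model covers the auth stack in Lewis Thompson's pam.d/system earlier on the page (`auth sufficient pam_ldap.so` followed by `auth required pam_unix.so`).

```python
"""Model of PAM chain evaluation under pam.conf(5) control flags.
Editor's illustration for the threads above; not OpenPAM code.
Module results are supplied as data, nothing is authenticated for real."""

SUCCESS, DENIED = "success", "denied"


def run_chain(chain, results):
    """Evaluate [(control, module), ...] against results {module: True/False/None}.

    None means the module was not consulted (PAM_IGNORE) and counts neither way.
    Returns (SUCCESS or DENIED, module that decided it or None).
    """
    first_required_failure = None
    for control, module in chain:
        ok = results.get(module)
        if ok is None:
            continue
        if control == "sufficient":
            if ok and first_required_failure is None:
                return SUCCESS, module          # short-circuit on success
            continue                            # a failing sufficient module never denies
        if control == "requisite" and not ok:
            return DENIED, module               # stop immediately
        if control == "required" and not ok and first_required_failure is None:
            first_required_failure = module     # remember, keep going
        # optional: does not influence the outcome in a multi-module chain
    if first_required_failure is not None:
        return DENIED, first_required_failure
    return SUCCESS, None


# Account stack as posted in the sshd PAM configuration above (constructed as data).
ACCOUNT_AS_POSTED = [
    ("required", "pam_login_access.so"),
    ("sufficient", "/usr/local/lib/pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Same stack with pam_ldap.so promoted to required, so its failure is terminal.
ACCOUNT_LDAP_REQUIRED = [
    ("required", "pam_login_access.so"),
    ("required", "/usr/local/lib/pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Auth stack from Lewis Thompson's pam.d/system earlier on the page.
AUTH_SYSTEM = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Results for a directory user who is NOT in the ssh group: login_access passes,
# pam_ldap's account check fails, pam_unix passes because nss_ldap knows the account.
NON_MEMBER = {
    "pam_login_access.so": True,
    "/usr/local/lib/pam_ldap.so": False,
    "pam_unix.so": True,
}
# Same user once added to the group: pam_ldap's account check passes.
MEMBER = dict(NON_MEMBER, **{"/usr/local/lib/pam_ldap.so": True})

if __name__ == "__main__":
    print("non-member, as posted:    ", run_chain(ACCOUNT_AS_POSTED, NON_MEMBER))
    print("non-member, ldap required:", run_chain(ACCOUNT_LDAP_REQUIRED, NON_MEMBER))
    print("member, ldap required:    ", run_chain(ACCOUNT_LDAP_REQUIRED, MEMBER))
    print("ldap user auth:  ", run_chain(AUTH_SYSTEM, {"pam_ldap.so": True, "pam_unix.so": False}))
    print("local user auth: ", run_chain(AUTH_SYSTEM, {"pam_ldap.so": False, "pam_unix.so": True}))
```

With pam_ldap.so marked `sufficient` in the account phase, its failure is ignored and the decision falls to pam_unix.so, which accepts any account nss_ldap can resolve; that is the outcome the post describes. Marking it `required` makes the group test terminal, at the cost that accounts pam_ldap cannot see at all (purely local ones) would then be denied too, so the `sufficient`/`required` pairing that gives local fallback in the auth stack is not the right pattern for a restriction that must hold for every login.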


Re: Pam_ldap

2004-10-01 Thread Dick Davies
* Bret Walker [EMAIL PROTECTED] [1028 00:28]:
 I've been trying all day to get pam_ldap to authenticate an ssh session
 against Active Directory.  I thought that I had found the perfect HOWTO
 (read: one that didn't require nss_ldap), but its instructions didn't seem
 to get it working on my system.
 
 I've read that can authenticate to AD with pam_ldap alone, and I've read
 that you can't, as well.  Does anyone have any experience doing this w/o
 nss_ldap.  I'm running 4.10, and I don't think it has support for
 nss_ldap.
 
 If anyone has any advice, I'd love to hear it.

You're not going to need nss_ldap if you just want to validate a password.
But it sounds a bit odd to have existing users in /etc/passwd and only have
the password itself from AD - and if the users don't exist in /etc/passwd
the system won't be able to log them in.

What was the howto you used?


-- 
I think it is true for all _n. I was just playing it safe with _n = 3
because I couldn't remember the proof.
-- Baker, Pure Math 351a
Rasputin :: Jack of All Trades - Master of Nuns


Re: Pam_ldap

2004-10-01 Thread Dick Davies
Right, basically this is doing what I thought - just checking passwords
in AD without looking up user info, so the accounts need to exist on the bsd server
(that may become a real pain in the arse, by the way).

Couple of quick checks:

1) the ldap.conf referred to should  be /usr/local/etc/ldap.conf *NOT* 
/etc/openldap/ldap.conf

2) can you log onto the console as these users? If you're sshing you may need
to edit /etc/pam.d/sshd, and not login.


3) what's in your logs? If you have the 'debug' flag on, something will be getting
written to - check /var/log/secure and /var/log/messages


* Bret Walker [EMAIL PROTECTED] [1043 13:43]:
 It is here: http://www.netsys.com/pamldap/2002/04/msg00074.html
 
 Thanks,
 Bret
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dick Davies
 Sent: Friday, October 01, 2004 4:31 AM
 To: Bret Walker
 Cc: FreeBSD Questions
 Subject: Re: Pam_ldap
 
 
 * Bret Walker [EMAIL PROTECTED] [1028 00:28]:
  I've been trying all day to get pam_ldap to authenticate an ssh 
  session against Active Directory.  I thought that I had found the 
  perfect HOWTO
  (read: one that didn't require nss_ldap), but its instructions didn't
 seem
  to get it working on my system.
  
  I've read that can authenticate to AD with pam_ldap alone, and I've 
  read that you can't, as well.  Does anyone have any experience doing 
  this w/o nss_ldap.  I'm running 4.10, and I don't think it has support 
  for nss_ldap.
  
  If anyone has any advice, I'd love to hear it.
 
 You're not going to need nss_ldap if you just want to validate a password.
 But it sounds a bit odd to have existing users in /etc/passwd and only
 have the password itself from AD - and if the users don't exist in
 /etc/passwd the system won't be able to log them in.
 
 What was the howto you used?

-- 
Yeah, life is hilariously cruel. - Bender
Rasputin :: Jack of All Trades - Master of Nuns


Re: Pam_ldap

2004-10-01 Thread Dick Davies
* Bret Walker [EMAIL PROTECTED] [1023 15:23]:
 I have ldap.conf in /etc/ and in /usr/local/etc/ldap.conf


The one in /etc isn't doing anything, so get rid of it.

The  /usr/local/etc/ldap.conf should be holding the ad stuff 
(what user to bind as , etc).

 I am able to log into the console as these users using the local password,
 but not using the ldap password.  All of my pam info is in /etc/pam.conf,
 I don't have /etc/pam.d.

Then you're on 4.X right? Shouldn't stop this working.

 
 sshd  auth      sufficient  pam_skey.so
 sshd  auth      sufficient  pam_opie.so no_fake_prompts
 sshd  auth      sufficient  pam_unix.so try_first_pass
 sshd  auth      sufficient  /usr/local/lib/pam_ldap.so try_first_pass debug
 sshd  account   required    pam_unix.so
 sshd  password  required    pam_permit.so
 sshd  session   required    pam_permit.co
 
 
 All I see in the logs are messages saying:
 error: PAM: User not known to the underlying authentication module

Right, so sshd is using pam. That's something.

The error could mean several things, one of which is that the user doesn't exist.

If you look through your ldap.conf, you  should have enough info to pretend to be
PAM.

use ldapsearch and try 

ldapsearch -H ldap://<host from ldap.conf> -D <binddn from ldap.conf> -W \
  <pam_login_attribute from ldap.conf>=<username>

and enter the bindpw from ldap.conf

If you don't get the AD account  back, then your ldap.conf is screwed.

 I'm pretty sure the ldap.conf files are correct, because I've followed the
 instructions from several places to the T.

The nice thing about definitive LDAP howtos is there are so many to choose from :) 

-- 
You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your coat. - Bender
Rasputin :: Jack of All Trades - Master of Nuns


RE: Pam_ldap

2004-10-01 Thread Bret Walker
The query you gave me worked.  I was able to see real name, home dir, etc.
I'm assuming since I can get that info, that I should be able to verify a
password too.

In my /usr/local/etc/ldap.conf file, I had binddb, not binddn.  Upon
changing this, I now get a different pam error.

It says:
error: PAM: Authentication failure

One step closer..





Pam_ldap

2004-09-30 Thread Bret Walker
I've been trying all day to get pam_ldap to authenticate an ssh session
against Active Directory.  I thought that I had found the perfect HOWTO
(read: one that didn't require nss_ldap), but its instructions didn't seem
to get it working on my system.

I've read that you can authenticate to AD with pam_ldap alone, and I've read
that you can't, as well.  Does anyone have any experience doing this w/o
nss_ldap?  I'm running 4.10, and I don't think it has support for
nss_ldap.

If anyone has any advice, I'd love to hear it.

Thanks,
Bret

PS - The instructions I followed are here:
http://www.netsys.com/pamldap/2002/04/msg00074.html





Bret Walker
Technical Support Consultant
Medill School of Journalism
Northwestern University
847-467-7845
847-491-2370 fax
[EMAIL PROTECTED]




Setting up pam_ldap nss_ldap

2004-09-02 Thread Curtis Vaughan
On 5.3-Beta I have installed pam_ldap and nss_ldap.
Then I edited the following files:
/usr/local/etc/ldap.conf
/etc/nsswitch.conf
files within /etc/pam.d
particularly /etc/pam.d/ldap and ./sshd and ./su
 /usr/local/etc/nss_ldap.conf
I think that's it.  I can provide each of those files if necessary. 
Nonetheless authentication for users not local to this system is not 
occurring (which would normally occur for me under Linux).  I have 
tried authenticating the following ways: 1) through ssh; 2) through su. 
 I have noticed, however, that the way I do this under Linux is not the 
same as for FreeBSD.  So, it's quite possible that I have left 
something out.  Anyhow, I would appreciate any input into what needs to 
be configured to get this to work.

Thanks!


Re: Setting up pam_ldap nss_ldap

2004-09-02 Thread Joerg Pulz
On Thu, 2 Sep 2004, Curtis Vaughan wrote:
On 5.3-Beta I have installed pam_ldap and nss_ldap.
Then I edited the following files:
/usr/local/etc/ldap.conf
/etc/nsswitch.conf
files within /etc/pam.d
particularly /etc/pam.d/ldap and ./sshd and ./su
/usr/local/etc/nss_ldap.conf
I think that's it.  I can provide each of those files if necessary. 
Nonetheless authentication for users not local to this system is not 
occurring (which would normally occur for me under Linux).  I have tried 
authenticating the following ways: 1) through ssh; 2) through su.  I have 
noticed, however, that the way I do this under Linux is not the same as for 
FreeBSD.  So, it's quite possible that I have left something out.  Anyhow, I 
would appreciate any input into what needs to be configured to get this to 
work.
I have a FreeBSD-5.2.1 system that provides ssh logins based on LDAP 
accounts via nss_ldap and pam_ldap.
It works perfectly.

/etc/nsswitch.conf
- ---
passwd: files [NOTFOUND=continue] ldap
group: files [NOTFOUND=continue] ldap
shells: files
hosts: files dns
- ---
/etc/pam.d/sshd
- ---
# auth
auth      required   pam_nologin.so              no_warn
auth      sufficient pam_opie.so                 no_warn no_fake_prompts
auth      requisite  pam_opieaccess.so           no_warn allow_local
#auth     sufficient pam_krb5.so                 no_warn try_first_pass
#auth     sufficient pam_ssh.so                  no_warn try_first_pass
auth      sufficient /usr/local/lib/pam_ldap.so  no_warn try_first_pass debug
auth      required   pam_unix.so                 no_warn try_first_pass
# account
#account  required   pam_krb5.so
account   required   pam_login_access.so
account   sufficient /usr/local/lib/pam_ldap.so
account   required   pam_unix.so
# session
#session  optional   pam_ssh.so
session   required   pam_permit.so
# password
#password sufficient pam_krb5.so                 no_warn try_first_pass
password  sufficient /usr/local/lib/pam_ldap.so  use_authtok
password  required   pam_unix.so                 no_warn try_first_pass
- ---
/usr/local/etc/nss_ldap.conf (without TLS stuff)
- ---
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
ldap_version 3
port 389
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password clear
pam_password exop
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
# debug testing
#logdir /var/log
#debug 9
- ---
I use the same configuration for pam_ldap and nss_ldap, so create a 
symlink to /usr/local/etc/nss_ldap.conf for /usr/local/etc/ldap.conf or 
make an exact copy. All other entries in nss_ldap.conf are commented out for 
me.
Don't forget to change dc=example,dc=com and ldap1.example.com 
ldap2.example.com to your values.

There is no need for a .secret file for pam_ldap or nss_ldap.
To be clear, if you set a rootbinddn or binddn which has the right to read 
the userPassword attribute, a getpwent(3) call would return all password 
hashes, which is surely not what you want. The better way is to let 
nss_ldap only return the account information without the password and let 
pam_ldap try to bind as the user's dn with the submitted password.

Another point is that the whole pam_ldap stuff can be skipped if you use 
a binddn or rootbinddn with nss_ldap and this dn is allowed to read the 
userPassword attribute, as the password is then available to pam_unix and makes 
authentication possible. But remember the risk that someone is able to use 
getpwent(3) to get all password hashes that are stored in LDAP.

If it's still not working for you, uncomment the logdir and debug lines 
in nss_ldap.conf and, if not symlinked, in ldap.conf too. After trying a 
new login you will find a file ldap.PID in the directory specified as 
logdir. The whole LDAP lookup and LDAP bind phase is written to this 
file so one can analyze what's working or not.

Feel free to ask again if you still have problems.
Regards,
Joerg
- -- 
The beginning is the most important part of the work.
-Plato
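One way to check for the getpwent(3) exposure Joerg describes, as an added example rather than his own code: it reads the nss_ldap.conf keys named above and flags passwd entries whose password field carries a real hash instead of a placeholder. The config and passwd lines in the block are constructed samples (the bind DN cn=nss,dc=example,dc=com and the {SSHA} value are invented); live_passwd_lines() gives the same view for the running system.

```python
"""Added example (not from the thread): audit an nss_ldap setup for the
getpwent(3) hash leak Joerg describes. The sample config and passwd lines
below are constructed; the bind DN cn=nss,dc=example,dc=com is invented."""
import pwd
import re
from typing import Dict, List, Tuple

# {SSHA}..., {CRYPT}..., $1$..., $6$... look like hashes; '*' and 'x' do not.
HASH_RE = re.compile(r"^\{[A-Za-z0-9-]+\}|^\$[0-9a-z]+\$")

def parse_nss_ldap_conf(text: str) -> Dict[str, str]:
    """Key/value pairs of an nss_ldap.conf-style file; a repeated key keeps its last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def exposed_hashes(passwd_lines: List[str]) -> List[Tuple[str, str]]:
    """(user, hash) for every passwd entry whose second field is a real hash."""
    found = []
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) >= 2 and HASH_RE.match(fields[1]):
            found.append((fields[0], fields[1]))
    return found

def audit(conf_text: str, passwd_lines: List[str]) -> List[str]:
    """Findings: a privileged bind DN configured for NSS lookups, and any
    hash that is actually visible through the passwd map."""
    conf = parse_nss_ldap_conf(conf_text)
    findings = []
    for key in ("rootbinddn", "binddn"):
        if key in conf:
            findings.append(f"{key} {conf[key]} is used for every NSS lookup; "
                            "make sure that DN cannot read userPassword")
    for user, h in exposed_hashes(passwd_lines):
        findings.append(f"hash for {user} is readable via getpwent: {h[:10]}...")
    return findings

def live_passwd_lines() -> List[str]:
    """The view the running system's NSS gives (run as root; unprivileged
    callers already see '*' from the files backend)."""
    return [f"{p.pw_name}:{p.pw_passwd}" for p in pwd.getpwall()]

# Constructed: Joerg's layout plus a binddn, and a getpwent view in which the
# directory let that DN read one user's hash ({SSHA} value is a placeholder).
SAMPLE_CONF = """host ldap1.example.com ldap2.example.com
base dc=example,dc=com
binddn cn=nss,dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
"""
SAMPLE_PASSWD = [
    "root:*:0:0:Charlie &:/root:/bin/csh",
    "alice:*:1001:1001:Alice:/home/alice:/bin/sh",
    "bob:{SSHA}c29tZWhhc2g=:1002:1002:Bob:/home/bob:/bin/sh",
]
```

`audit(SAMPLE_CONF, SAMPLE_PASSWD)` returns two findings, one for the binddn and one for bob's hash; `audit(conf, live_passwd_lines())` runs the same check against the real passwd map.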


pam_ldap instructions

2004-01-23 Thread Robert Fitzpatrick
I just installed the pam_ldap port and receive the following
instructions at the end of the install, I have 5.2-RELEASE and not sure
which instruction to follow regarding enabling login:

Copy /usr/local/etc/ldap.conf.dist to /usr/local/etc/ldap.conf, then
edit /usr/local/etc/ldap.conf in order to use this module.  Add a line
similar to the following to /etc/pam.conf on -STABLE, or create an
/etc/pam.d/ldap on -CURRENT with a line similar to the following:

login   auth    sufficient  /usr/local/lib/pam_ldap.so

-- 
Robert



Re: pam_ldap instructions

2004-01-23 Thread Joe Marcus Clarke
On Fri, 2004-01-23 at 21:08, Robert Fitzpatrick wrote:
 I just installed the pam_ldap port and receive the following
 instructions at the end of the install, I have 5.2-RELEASE and not sure
 which instruction to follow regarding enabling login:
 
 Copy /usr/local/etc/ldap.conf.dist to /usr/local/etc/ldap.conf, then
 edit /usr/local/etc/ldap.conf in order to use this module.  Add a line
 similar to the following to /etc/pam.conf on -STABLE, or create an
 /etc/pam.d/ldap on -CURRENT with a line similar to the following:
 
 login   auth    sufficient  /usr/local/lib/pam_ldap.so

Perhaps I need to rephrase that.  You need to follow the -CURRENT
instructions.  That is, create an /etc/pam.d/ldap file with the contents
above.

Joe

-- 
PGP Key : http://www.marcuscom.com/pgp.asc




Re: problems with pam_ldap - ssh and file attributes

2003-10-09 Thread Uwe Laverenz
Dan Nelson wrote:

/bin/ls is linked statically, which means it only knows about compat,
files, nis, and dns; you can build a dynamic one, or step up and write
Ahh, thank you for this explanation. :-)

There are other strange things with -CURRENT and LDAP-setup: I have 
jdk13 running on the machine (Hotspot enabled) and any User from the 
LDAP-directory could start java only once, all further attempts fail. 
For local users there is no such problem.

cu,
Uwe


Re: problems with pam_ldap - ssh and file attributes

2003-10-08 Thread mkes
Since nobody responded I will do it myself :-).

Further investigation showed that the problem with connecting via ssh was only with the 
Putty client.
Normal command-line ssh from another Unix host worked fine. A Google search found 
one message targeting this problem.
The solution is to use the ssh2 protocol instead of ssh1. I have experienced crashes of 
Putty v. 0.52 when using ssh2, but after upgrading to version 0.53b
everything works fine.

Nevertheless the problem with file attributes persists.

Mira


CVS pserver and pam_ldap

2003-10-08 Thread mkes
Hi,

I have a problem getting the cvs server (version 1.11.5, the one which gets
installed as part of 5.1-R) to authenticate users via pam_ldap.
Is there anybody who successfully runs this combination, or at least knows
whether cvs supports PAM authentication?

Any help would be really appreciated !

Mira




Re: problems with pam_ldap - ssh and file attributes

2003-10-08 Thread Uwe Laverenz
[EMAIL PROTECTED] wrote:

Nevertheless the problem with file attributes persists.
I have the same problem here. I guess that 'ls' doesn't care about 
nsswitch?!

cu,
Uwe


Re: problems with pam_ldap - ssh and file attributes

2003-10-08 Thread Dan Nelson
In the last episode (Oct 08), Uwe Laverenz said:
 [EMAIL PROTECTED] wrote:
 Nevertheless the problem with file attributes persists.
 
 I have the same problem here. I guess that 'ls' doesn't care about
 nsswitch?!

/bin/ls is linked statically, which means it only knows about compat,
files, nis, and dns; you can build a dynamic one, or step up and write
an nscd daemon that static binaries can connect to for nss lookups :)

-- 
Dan Nelson
[EMAIL PROTECTED]


problems with pam_ldap - ssh and file attributes

2003-09-26 Thread Miroslav Kes
Hi,

I just succeeded in installing and configuring pam_ldap authentication on my 
5.1-RELEASE box. Everything seems to work fine (ftp, telnet, samba, ...) 
except for ssh.
Any attempt to log in (as a user whose account is defined in the LDAP 
directory) from a remote host using ssh ends up with the error message: 
Access denied. For users registered in /etc/passwd, ssh works fine. 
There is no problem when logging in via telnet, and ftp works fine as well, but 
ssh doesn't.

The /etc/pam.d/sshd looks like:

# auth
auth      required    pam_nologin.so       no_warn
auth      sufficient  pam_opie.so          no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so    no_warn allow_local
auth      sufficient  pam_ldap.so          debug try_first_pass
auth      required    pam_unix.so          no_warn try_first_pass

# account
account   required    pam_login_access.so
account   sufficient  pam_ldap.so          debug
account   required    pam_unix.so
# session
session   required    pam_permit.so
# password
password  sufficient  pam_ldap.so          debug
password  required    pam_unix.so          no_warn try_first_pass

--

Another problem is that commands like ls display uid and gid as numbers 
for files owned by LDAP users. On the other hand, ftp displays them 
correctly.

Any ideas how to fix that (especially in the case of ssh) would be really 
helpful.

Thanks

Mira



pam_ldap error

2002-07-11 Thread Alex


Dear freebsd-questions,

My aim is to set up a Samba PDC and BDC server for a Windows network
and integrate the password database, so that any change is also
reflected in the other OS and I avoid changing a password or adding a
user twice. And now I get an error from the pam_ldap module
telling me it cannot bind as a user that does exist. Any idea what I
did wrong?

I have done this according to the how-to:
http://samba.idealx.org/dist/samba-ldap-howto.pdf. I'm now at chapter
5 and am stuck.

I have installed OpenLDAP 2.0 and pam_ldap. I have set up the database as
follows:

dc=domain,dc=org
|
`--- ou=Users
|
`--- ou=Computers
|
`--- ou=Groups

I have modified /etc/pam.conf for login only first:
login   auth      sufficient  pam_skey.so
login   auth      requisite   pam_cleartext_pass_ok.so
#login  auth      sufficient  pam_kerberosIV.so   try_first_pass
login   auth      sufficient  pam_ldap.so         try_first_pass
login   auth      sufficient  pam_unix.so         try_first_pass
login   auth      required    pam_deny.so

login   account   sufficient  pam_ldap.so
login   account   sufficient  pam_unix.so
login   account   required    pam_deny.so

login   password  required    pam_permit.so
login   session   required    pam_permit.so

And modified /usr/local/etc/ldap.conf =
/usr/local/etc/openldap/ldap.conf (link, same fs)
# Your LDAP server. Must be resolvable without using LDAP.
URI ldap://127.0.0.1

# The distinguished name of the search base.
base dc=kruij557,dc=speed,dc=planet,dc=nl

ldap_version 2

# we use ?sub (and not the default ?one) because we
# separated sambaAccounts on ou=Computers,dc=IDEALX,dc=org
# and ou=Users,dc=IDEALX,dc=org
nss_base_passwd dc=kruij557,dc=speed,dc=planet,dc=nl?sub
nss_base_shadow dc=kruij557,dc=speed,dc=planet,dc=nl?sub
nss_base_group  ou=Groups,dc=kruij557,dc=speed,dc=planet,dc=nl?one

ssl no
pam_password md5

I have set the default access to the openldap database to write. When
I try to connect as the newly installed user 'test', I get the
following error: (out over /messages)

Jul 11 20:15:27 Intranet login: pam_ldap: error trying to bind as user
uid=test,ou=Users,dc=domain,dc=com (Invalid credentials)

#slapcat

dn: uid=test,ou=Users,dc=domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: test
uid: test
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/sh
gecos: System User
description: System User
creatorsName: cn=Manager,dc=domain,dc=com
createTimestamp: 20020711123408Z
modifiersName: cn=Manager,dc=domain,dc=com
modifyTimestamp: 20020711123408Z
userPassword:: e1NTSEF9WFF0OTVJNy9iaklYdHovQjFBNk5oQ3c0Y2tCemlSRWI=


-- 
Kind regards,
Alex

