[SOLVED] Upgrade to 8.3 broke pam_ldap
Hi,

I did it... After upgrading from 7.3 to 8.3 pam_ldap stopped working. The LDAP server has been running on a different machine for ages, and it is still running. The connection to the server is still there: when I enter a wrong password I get a distinct error message. When I enter the correct password, I get:

Sep 11 18:05:00 ufo2 login: pam_acct_mgmt(): error in service module

I recompiled openldap_client, pam_ldap and nss_ldap, but to no avail.

Stupid mistake: when I upgraded I erased the modified contents of /etc/nsswitch.conf.

Olivier

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Upgrade to 8.3 broke pam_ldap
Hi,

After upgrading from 7.3 to 8.3 pam_ldap stopped working. The LDAP server has been running on a different machine for ages, and it is still running. The connection to the server is still there: when I enter a wrong password I get a distinct error message. When I enter the correct password, I get:

Sep 11 18:05:00 ufo2 login: pam_acct_mgmt(): error in service module

I recompiled openldap_client, pam_ldap and nss_ldap, but to no avail.

Any help is most welcome.

Best regards,
Olivier
Optimizing pam_ldap and nss_ldap
Hello freebsd users!

I've got OpenLDAP 2.4.23 that is used as an authentication and authorization server for about 40-50 servers. OS: FreeBSD 8.1. It's not heavily loaded.

openldap# top -SP
last pid: 45647;  load averages:  0.15,  0.15,  0.07    up 81+22:29:21  15:18:57
99 processes:  3 running, 80 sleeping, 16 waiting
CPU 0:  0.7% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.3% idle
CPU 1:  0.4% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.9% idle
Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
Swap: 4060M Total, 8K Used, 4060M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root        2 171 ki31     0K    32K CPU0    0 3874.8 200.00% idle
 4773 ldap       18  44    0  398M 53748K ucond   1  41.1H   0.00% slapd

But on my servers I sometimes see something like this in the logs, e.g. on an FTP server:

Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable

Authentication works fine, no problems. But I want to find out what can be wrong. To understand this problem I installed the ldap-stats utility and ran it (/var/log/debug.log is half a day of OpenLDAP server usage log):

openldap# ldap-stats -c 1000 /var/log/debug.log

Report Generated on Tue Apr 5 15:16:47 2011
Processed /var/log/debug.log: Apr 5 00:00:00 - Apr 5 15:17:33

Operation totals
Total operations              : 913845
Total connections             : 101226
Total authentication failures : 2
Total binds                   : 99700
Total unbinds                 : 99181
Total searches                : 714964
Total compares                : 7
Total modifications           : 0
Total modrdns                 : 0
Total additions               : 0
Total deletions               : 0
Unindexed attribute requests  : 0
Operations per connection     : 9.03

# Uses   Filter
------   ------
615504   (&(objectClass=posixAccount)(uid=mailer-daemon))
 90699   (&(objectClass=posixGroup))
  6833   (&(objectClass=posixAccount)(uid=root))
  2236   (&(objectClass=posixAccount)(uid=hiddenuser1))
   669   (&(objectClass=posixGroup)(memberUid=root))
   318   (&(objectClass=posixAccount)(uid=testacc))
    87   (&(objectClass=posixGroup)(memberUid=postfix))
    87   (&(objectClass=posixAccount)(uid=postfix))
    81   (objectClass=posixAccount)
    68   (&(objectClass=posixAccount)(uid=debian-exim))
    68   (&(objectClass=posixGroup)(memberUid=Debian-exim))
    39   (&(objectClass=posixAccount)(uid=normaluser))
    34   (&(objectClass=posixAccount)(uidNumber=7333))
    30   (&(objectClass=posixGroup)(memberUid=hiddenuser1))
    29   (&(objectClass=posixGroup)(memberUid=chelovek))
    29   (&(objectClass=posixAccount)(uid=chelovek))
    27   (&(objectClass=posixAccount)(uid=user0))
    23   (&(objectClass=posixAccount)(uid=nobody))
    21   (&(objectClass=posixAccount)(uid=user1))
    18   (&(objectClass=posixAccount)(uid=user2))
    16   (&(objectClass=posixAccount)(uid=user3))
    15   (&(objectClass=posixAccount)(uid=user4))
    12   (&(objectClass=posixAccount)(uid=user5))
    11   (&(objectClass=posixAccount)(uidNumber=7330))
    10   (&(objectClass=posixAccount)(uid=user15))
     9   (&(objectClass=posixAccount)(uid=user16))
     8   (&(objectClass=posixAccount)(uidNumber=7333))
     6   (&(objectClass=posixAccount)(uid=user6))
     5   (&(objectClass=posixAccount)(uid=user7))
     5   (cn=defaults)
     4   (&(objectClass=posixAccount)(uidNumber=7228))
     4   (&(objectClass=shadowAccount)(uid=user1))
     4   (&(objectClass=posixAccount)(uid=user9))
     4   (&(objectClass=posixAccount)(uid=user10))
     3   (&(objectClass=posixAccount)(uid=user11))
     3   (&(objectClass=posixAccount)(uid=user12))
     3   (&(objectClass=posixAccount)(uid=user13))
     3   (&(objectClass=posixAccount)(uid=user14))
... and MANY others that have 1 use in these stats.

I think these many queries come from the mail relay server. (* user1 etc. are users that are relayed, like us...@domain.com in the rcpt to field of an email at the mail relay.)

What can I do to tune nss? Can you point me in the right direction? There are too many unneeded nss requests to ldap (when email is received and then relayed somewhere). I do not know what to look at. If you need any additional information, logs etc., I'll provide it.

Thanks in advance!
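The ldap-stats report above is a frequency count of the filters slapd saw. As an added example (not the ldap-stats tool from the post, and not part of nss_ldap or slapd), the Python script below does the same counting over slapd's own `loglevel stats` lines and additionally groups the searches by the name that was looked up, so you can see how much of the load is repeated lookups of one account (here mailer-daemon) that a local NSS cache such as FreeBSD's nscd(8) would answer without contacting the directory. The log lines are constructed, not taken from the post.

```python
"""Which lookups dominate a slapd stats log, per filter and per account?
Added example; it is not the ldap-stats tool from the post and not part of
nss_ldap. The lines below are constructed in the format slapd writes at
`loglevel stats` (conn=/op=/SRCH ... filter="...")."""
import re
from collections import Counter

SAMPLE_LOG = """\
Apr  5 00:00:01 openldap slapd[4773]: conn=1000 op=0 BIND dn="" method=128
Apr  5 00:00:01 openldap slapd[4773]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
Apr  5 00:00:01 openldap slapd[4773]: conn=1000 op=2 UNBIND
Apr  5 00:00:02 openldap slapd[4773]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
Apr  5 00:00:02 openldap slapd[4773]: conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=root))"
Apr  5 00:00:03 openldap slapd[4773]: conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Apr  5 00:00:03 openldap slapd[4773]: conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
Apr  5 00:00:04 openldap slapd[4773]: conn=1005 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=posixGroup)"
"""

CONN_RE = re.compile(r"\bconn=(\d+)")
SRCH_RE = re.compile(r'\bop=\d+ SRCH base="[^"]*" scope=\d deref=\d filter="([^"]*)"')
# The name nss_ldap asked about: uid=, memberUid= or uidNumber= inside the filter.
NAME_RE = re.compile(r"\((?:uid|memberUid|uidNumber)=([^)]*)\)")

def summarize(log_text):
    """Count searches per filter and per looked-up name, plus distinct connections."""
    filters, names, conns = Counter(), Counter(), set()
    for line in log_text.splitlines():
        c = CONN_RE.search(line)
        if c:
            conns.add(c.group(1))
        m = SRCH_RE.search(line)
        if not m:
            continue  # BIND, UNBIND and RESULT lines are not searches
        flt = m.group(1)
        filters[flt] += 1
        n = NAME_RE.search(flt)
        names[n.group(1) if n else "<enumeration>"] += 1
    return {"searches": sum(filters.values()), "connections": len(conns),
            "filters": filters, "names": names}

def top_filters(summary, n=10):
    """ldap-stats style list of (filter, count), most frequent first."""
    return summary["filters"].most_common(n)

def cacheable_share(summary, top=1):
    """Fraction of all searches spent on the `top` most looked-up names.
    Repeated lookups of the same name are what a local NSS cache
    (nscd(8) on FreeBSD) answers without touching slapd."""
    total = summary["searches"] or 1
    return sum(count for _, count in summary["names"].most_common(top)) / total

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"searches={s['searches']} connections={s['connections']}")
    for flt, count in top_filters(s, 5):
        print(f"{count:8d}  {flt}")
    print(f"share of searches for the top name: {cacheable_share(s):.0%}")
```

Run it against a real stats log with `summarize(open("/var/log/debug.log").read())`; the per-name counter is the interesting part, because one name absorbing most of the searches (615504 of 714964 in the post) is the signature of an uncached client that re-resolves the same account for every message it handles.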
RE: Optimizing pam_ldap and nss_ldap
Don't know ... I couldn't ever get pam_ldap to work. It was caught in a permanent wait state. The ldap server NEVER replied.

Computer Assistant
Nvita.org
12400 Midsummer Ln, Suite 201A
Woodbridge, VA 22192
Phone - (202) 455-9065
Web - http://www.nvita.org/free-shells.aspx

-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of c0re
Sent: Thursday, April 07, 2011 1:38 AM
To: FreeBSD
Subject: Optimizing pam_ldap and nss_ldap

Hello freebsd users!

I've got OpenLDAP 2.4.23 that is used as an authentication and authorization server for about 40-50 servers. OS: FreeBSD 8.1. It's not heavily loaded.

openldap# top -SP
last pid: 45647;  load averages:  0.15,  0.15,  0.07    up 81+22:29:21  15:18:57
99 processes:  3 running, 80 sleeping, 16 waiting
CPU 0:  0.7% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.3% idle
CPU 1:  0.4% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.9% idle
Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
Swap: 4060M Total, 8K Used, 4060M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
   11 root        2 171 ki31     0K    32K CPU0    0 3874.8 200.00% idle
 4773 ldap       18  44    0  398M 53748K ucond   1  41.1H   0.00% slapd

But on my servers I sometimes see something like this in the logs, e.g. on an FTP server:

Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable

Authentication works fine, no problems. But I want to find out what can be wrong. To understand this problem I installed the ldap-stats utility and ran it (/var/log/debug.log is half a day of OpenLDAP server usage log):

openldap# ldap-stats -c 1000 /var/log/debug.log

Report Generated on Tue Apr 5 15:16:47 2011
Processed /var/log/debug.log: Apr 5 00:00:00 - Apr 5 15:17:33

Operation totals
Total operations              : 913845
Total connections             : 101226
Total authentication failures : 2
Total binds                   : 99700
Total unbinds                 : 99181
Total searches                : 714964
Total compares                : 7
Total modifications           : 0
Total modrdns                 : 0
Total additions               : 0
Total deletions               : 0
Unindexed attribute requests  : 0
Operations per connection     : 9.03

# Uses   Filter
------   ------
615504   (&(objectClass=posixAccount)(uid=mailer-daemon))
 90699   (&(objectClass=posixGroup))
  6833   (&(objectClass=posixAccount)(uid=root))
  2236   (&(objectClass=posixAccount)(uid=hiddenuser1))
   669   (&(objectClass=posixGroup)(memberUid=root))
   318   (&(objectClass=posixAccount)(uid=testacc))
    87   (&(objectClass=posixGroup)(memberUid=postfix))
    87   (&(objectClass=posixAccount)(uid=postfix))
    81   (objectClass=posixAccount)
    68   (&(objectClass=posixAccount)(uid=debian-exim))
    68   (&(objectClass=posixGroup)(memberUid=Debian-exim))
    39   (&(objectClass=posixAccount)(uid=normaluser))
    34   (&(objectClass=posixAccount)(uidNumber=7333))
    30   (&(objectClass=posixGroup)(memberUid=hiddenuser1))
    29   (&(objectClass=posixGroup)(memberUid=chelovek))
    29   (&(objectClass=posixAccount)(uid=chelovek))
    27   (&(objectClass=posixAccount)(uid=user0))
    23   (&(objectClass=posixAccount)(uid=nobody))
    21   (&(objectClass=posixAccount)(uid=user1))
    18   (&(objectClass=posixAccount)(uid=user2))
    16   (&(objectClass=posixAccount)(uid=user3))
    15   (&(objectClass=posixAccount)(uid=user4))
    12   (&(objectClass=posixAccount)(uid=user5))
    11   (&(objectClass=posixAccount)(uidNumber=7330))
    10   (&(objectClass=posixAccount)(uid=user15))
     9   (&(objectClass=posixAccount)(uid=user16))
     8   (&(objectClass=posixAccount)(uidNumber=7333))
     6   (&(objectClass=posixAccount)(uid=user6))
     5   (&(objectClass=posixAccount)(uid=user7))
     5   (cn=defaults)
     4   (&(objectClass=posixAccount)(uidNumber=7228))
     4   (&(objectClass=shadowAccount)(uid=user1))
     4   (&(objectClass=posixAccount)(uid=user9))
     4   (&(objectClass=posixAccount)(uid=user10))
     3   (&(objectClass=posixAccount)(uid=user11))
     3   (&(objectClass=posixAccount)(uid=user12))
     3   (&(objectClass=posixAccount)(uid=user13))
     3   (&(objectClass=posixAccount)(uid=user14))
... and MANY others that have 1 use in these stats.

I think these many queries come from the mail relay server. (* user1 etc. are users that are relayed, like us...@domain.com in the rcpt to field of an email at the mail relay.)

What can I do to tune nss? Can you point me in the right direction? There are too many unneeded nss requests to ldap (when email is received and then relayed somewhere). I do not know what to look
Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for
On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an Ubuntu 10.10 server (using openldap 2.4.23). Most of the installation on the Ubuntu server has been done successfully (I'm not familiar with Linux, but it seems that things like pam and ldap are quite similar to FreeBSD's installation).
>>
>> From the Linux/Ubuntu server, I'm able to get all users and groups via 'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed user is successful. But when it comes to a login via sshd, login fails with this error (logged on Linux Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)
>
> Confidentiality required means that the server is refusing to authenticate over a non-encrypted connection. Try switching pam_ldap to ldaps (in your pam ldap.conf, either change your uri lines to ldaps:// or add the line "ssl on") and see if that works.

Well, I tried several things now and I do not understand this world anymore :-(

For short again: the conceptual setup I use is a working concept within all FreeBSD boxes around here authenticating users via our OpenLDAP server, also run by FreeBSD (8.2-STABLE/amd64).

On the Linux/Ubuntu 10.10 server I tried the following:

ldapsearch:
ldap_sasl_interactive_bind_s: Confidentiality required (13)
        additional info: TLS confidentiality required

ldapsearch -xZ:
...listing of the DIT of the LDAP server; looking up a user ID definitely within the DIT gives a positive response from the LDAP server.

I also can obtain passwd/group information via getent passwd/group.

I also checked the connection to the LDAP server with the SSL credentials by

openssl s_client -connect LDAPserver:636 -showcerts

and receive a lot of information:

CONNECTED(0003)
depth=1 /C [...]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/ST [...]
-----BEGIN CERTIFICATE-----
MIIDljCCAv+gAwIBA [...]
-----END CERTIFICATE-----
 1 s:/C [...]
   i:/C=DE [...]
-----BEGIN CERTIFICATE-----
MIIDojCC[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C [...]
issuer=/C [...]
---
No client certificate CA names sent
---
SSL handshake has read 2175 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 2FCAD4AAFD18AD13013AE6A8BFF872036DAC94174F0DE626E8FF0C7F98FC7EE3
    Session-ID-ctx:
    Master-Key: X
    Key-Arg   : None
    TLS session ticket:
    - b5 48 c7 cc 09 99 fb a5-0e 1e 75 1b 4f aa a1 69   .Hu.O..i
    0010 - 37 a5 4f c7 [...]
    Start Time: 1300547707
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

I guess this signals everything is all right with the certificate connecting via SSL/TLS.

I'm not familiar with Linux/Ubuntu's PAM setup; the setup has been done via apt-get/installation of the appropriate tools and facilities (ldap, pam_ldap, nss_ldap). I've no idea what's going wrong ...

There is also some kind of weirdness around here. While logging in via ssh (or better: trying to log in via ssh), I received this:

Mar 19 16:44:39 freyja sshd[1625]: Did not receive identification string from 125.88.109.121
Mar 19 16:44:40 freyja sshd[1623]: Failed password for ohartmann from XXX.XXX.XXX.XXX port 52686 ssh2
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session closed for user root

IP 125.88.109.121 is located in China:

125.88.109.121 Server Details
IP address: 125.88.109.121
Server Location: Guangzhou, Guangdong in China
ISP: ChinaNet Guangdong Province Network
Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for
On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an Ubuntu 10.10 server (using openldap 2.4.23). Most of the installation on the Ubuntu server has been done successfully (I'm not familiar with Linux, but it seems that things like pam and ldap are quite similar to FreeBSD's installation).
>>
>> From the Linux/Ubuntu server, I'm able to get all users and groups via 'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed user is successful. But when it comes to a login via sshd, login fails with this error (logged on Linux Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)
>
> Confidentiality required means that the server is refusing to authenticate over a non-encrypted connection. Try switching pam_ldap to ldaps (in your pam ldap.conf, either change your uri lines to ldaps:// or add the line "ssl on") and see if that works.

I managed it! My FreeBSD OpenLDAP server had in its config DIT (cn=config) the following entries, which seem to confuse Linux (but not the FreeBSD clients, no matter why):

olcSecurity: simple_bind=256

After reducing this security strength value down to

olcSecurity: simple_bind=128

everything works fine so far. At the moment, I have no explanation for this. Either FreeBSD clients are always binding with a higher security strength level or they are ignoring this.

Thanks,
Oliver
User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for
Hello.

I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an Ubuntu 10.10 server (using openldap 2.4.23). Most of the installation on the Ubuntu server has been done successfully (I'm not familiar with Linux, but it seems that things like pam and ldap are quite similar to FreeBSD's installation).

From the Linux/Ubuntu server, I'm able to get all users and groups via 'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed user is successful. But when it comes to a login via sshd, login fails with this error (logged on Linux Ubuntu in /var/log/auth.log):

Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)
Mar 18 12:01:25 freyja sshd[26854]: Failed password for testuser from 192.168.0.128 port 54156 ssh2

I'm able to log in from other systems (FreeBSD 9 and 8) via this specific OpenLDAP server.

Does anyone have a clue? Please set me on CC, I'm not subscribed to this list.

Thanks in advance and regards,
Oliver
Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for
In the last episode (Mar 18), O. Hartmann said:
> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an Ubuntu 10.10 server (using openldap 2.4.23). Most of the installation on the Ubuntu server has been done successfully (I'm not familiar with Linux, but it seems that things like pam and ldap are quite similar to FreeBSD's installation).
>
> From the Linux/Ubuntu server, I'm able to get all users and groups via 'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed user is successful. But when it comes to a login via sshd, login fails with this error (logged on Linux Ubuntu in /var/log/auth.log):
>
> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)

Confidentiality required means that the server is refusing to authenticate over a non-encrypted connection. Try switching pam_ldap to ldaps (in your pam ldap.conf, either change your uri lines to ldaps:// or add the line "ssl on") and see if that works.

--
	Dan Nelson
	dnel...@allantgroup.com
Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for
On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an Ubuntu 10.10 server (using openldap 2.4.23). Most of the installation on the Ubuntu server has been done successfully (I'm not familiar with Linux, but it seems that things like pam and ldap are quite similar to FreeBSD's installation).
>>
>> From the Linux/Ubuntu server, I'm able to get all users and groups via 'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed user is successful. But when it comes to a login via sshd, login fails with this error (logged on Linux Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)
>
> Confidentiality required means that the server is refusing to authenticate over a non-encrypted connection. Try switching pam_ldap to ldaps (in your pam ldap.conf, either change your uri lines to ldaps:// or add the line "ssl on") and see if that works.

Well, in /etc/ldap.conf there is

ssl start_tls

and this should do the thing. I use nearly exactly the same configuration as I do on all the FreeBSD boxes connecting to the same OpenLDAP server.

I tried issuing 'ldapsearch -xZZ -h hostIP' and I get

ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)

Looking deeper into the debug stuff with 'ldapsearch -xZZ -h hostIP' I receive at the end

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)

Obviously, my certificate (self signed; openssl verify cacert.pem gives: OK) isn't found or there is something wrong with it. The certificate is located in /usr/local/etc/cacerts/cacert.pem and in Ubuntu's /etc/ldap.conf this line:

tls_cacertfile usr/local/etc/cacerts/cacert.pem

is referring to the certificate.
Re: Requesting community opinion regarding security/pam_ldap groupdn and member_attribute
On Sat, Apr 17, 2010 at 4:13 PM, Alejandro Imass a...@p2ee.org wrote:
> On Fri, Apr 16, 2010 at 8:44 AM, Valentin Bud valentin@gmail.com wrote:
>> Hello community,
>>
>> I am working these days on implementing a centralized
> [...]
>> The problem is that pam_ldap wants the memberUid attribute to contain the user's DN and there is no option to change this behavior.
>
> Hmmm...
>
>> My question is: what is the argument behind this and do you think it should stay this way or could it be changed? In my case I really need pam_ldap to check just for the UID, not the DN, of a user in the memberUid attribute.
>
> I think you are a bit confused here, because dn is not an attribute, and you must revise RFCs 4510 to 4519, 4530 (and others related). The DN is the Distinguished Name, which is basically the RDN + the DN of the parent node.
>
> Let's see, where should I start... OK, think of LDAP as 2 things: 1) a simple network protocol, 2) a database model that stores entries in a tree fashion (the Directory Information Tree or DIT). Each entry (the atomic unit in a DIT) has to derive from at least one structural Object Class (or more) and zero or more Auxiliary Classes. The structural class has one (or more, though it's not very common) MUST attributes, which _usually_ make up the entry's RDN (Relative Distinguished Name). So, the RDN is _usually_ formed from the principal MUST attribute of its primary structural class, and _usually_ it defines the entry type [1]. I say usually because entries commonly derive from several classes, not just one, so in reality you can use _any_ attribute for your RDN, as long as you make sure it's unique among siblings (other entries that share the same parent). When you position the entry in the DIT you form what is known as the DN, which is the attribute(s) that form the RDN + the DN of the parent node.
>
> It is also important to note, and not many people know this, that both the RDN and DN could change during the life of an entry, and there is an operational attribute called the entryUUID which is sort of a unique identifier in the DIT (RFC 4530), and although it's not really meant to be used as a day-to-day identifier, it may prove useful when integrating LDAP data with other data sources such as an RDBMS. Oh, and entries can also have multiple DNs (Alias Names, RFC 4512, sect 2.6).
>
> So, back to your question, the short answer is that to find an entry in the DIT you HAVE TO use the dn, although the attributes that form that dn are really up to you. For example, if your entry derives from person and posixAccount you could use any of (or both) cn and/or uid in the RDN.
>
> Best,
> Alejandro Imass
>
> Notes:
> [1] The entry type, of course, is what you want it to be, though many of your GUI tools will choose the principal attribute of the first objectclass to show you the node (they seldom use the complete dn), so you kind of think of that attribute as the type (organization, person, ou, etc.), but that may be misleading.
>
>> I have asked our friend google what he has to say about this and found out that there is a patch on Debian which can be found here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341541 that gives the user the possibility to choose if the memberUid attribute holds the DN or the UID. I would really like that feature, so I have patched pam_ldap, with no success, and since my C programming skills are close to none I am stuck.
>>
>> Do you people think that the above patch would be useful? Please give arguments on this. How can I/we make that patch work?
>>
>> Thank you very much and a great day,
>> v
>> --
>> network warrior since 2005

Hello Alejandro,

Thank you for your explanation about LDAP. It has been helpful.

My problem though is WHY (with arguments) pam_ldap wants to see the DN of the entry which matched the search for the uid attribute in the memberUid attribute of the group I want to enforce users to be part of so they can log into the system using ssh. Since the memberUid attribute holds the value of the posix uid, I think it is not quite correct, relative to the standards, to find a DN there.

Thanks once again.

A great day,
v
--
network warrior since 2005
Re: Requesting community opinion regarding security/pam_ldap groupdn and member_attribute
On Fri, Apr 16, 2010 at 8:44 AM, Valentin Bud valentin@gmail.com wrote:
> Hello community,
>
> I am working these days on implementing a centralized
[...]
> The problem is that pam_ldap wants the memberUid attribute to contain the user's DN and there is no option to change this behavior.

Hmmm...

> My question is: what is the argument behind this and do you think it should stay this way or could it be changed? In my case I really need pam_ldap to check just for the UID, not the DN, of a user in the memberUid attribute.

I think you are a bit confused here, because dn is not an attribute, and you must revise RFCs 4510 to 4519, 4530 (and others related). The DN is the Distinguished Name, which is basically the RDN + the DN of the parent node.

Let's see, where should I start... OK, think of LDAP as 2 things: 1) a simple network protocol, 2) a database model that stores entries in a tree fashion (the Directory Information Tree or DIT). Each entry (the atomic unit in a DIT) has to derive from at least one structural Object Class (or more) and zero or more Auxiliary Classes. The structural class has one (or more, though it's not very common) MUST attributes, which _usually_ make up the entry's RDN (Relative Distinguished Name). So, the RDN is _usually_ formed from the principal MUST attribute of its primary structural class, and _usually_ it defines the entry type [1]. I say usually because entries commonly derive from several classes, not just one, so in reality you can use _any_ attribute for your RDN, as long as you make sure it's unique among siblings (other entries that share the same parent). When you position the entry in the DIT you form what is known as the DN, which is the attribute(s) that form the RDN + the DN of the parent node.

It is also important to note, and not many people know this, that both the RDN and DN could change during the life of an entry, and there is an operational attribute called the entryUUID which is sort of a unique identifier in the DIT (RFC 4530), and although it's not really meant to be used as a day-to-day identifier, it may prove useful when integrating LDAP data with other data sources such as an RDBMS. Oh, and entries can also have multiple DNs (Alias Names, RFC 4512, sect 2.6).

So, back to your question, the short answer is that to find an entry in the DIT you HAVE TO use the dn, although the attributes that form that dn are really up to you. For example, if your entry derives from person and posixAccount you could use any of (or both) cn and/or uid in the RDN.

Best,
Alejandro Imass

Notes:
[1] The entry type, of course, is what you want it to be, though many of your GUI tools will choose the principal attribute of the first objectclass to show you the node (they seldom use the complete dn), so you kind of think of that attribute as the type (organization, person, ou, etc.), but that may be misleading.

> I have asked our friend google what he has to say about this and found out that there is a patch on Debian which can be found here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341541 that gives the user the possibility to choose if the memberUid attribute holds the DN or the UID. I would really like that feature, so I have patched pam_ldap, with no success, and since my C programming skills are close to none I am stuck.
>
> Do you people think that the above patch would be useful? Please give arguments on this. How can I/we make that patch work?
>
> Thank you very much and a great day,
> v
> --
> network warrior since 2005
Requesting community opinion regarding security/pam_ldap groupdn and member_attribute
Hello community,

I am working these days on implementing a centralized authentication/authorization service for all the FBSD servers I have. I am using OpenLDAP to store the users and GOsa (https://oss.gonicus.de/) as a web frontend to administer the directory. To enable SSH/console authentication from LDAP I noticed that one can use security/pam_ldap from ports and net/nss_ldap so that the name service switch can get groups/passwd info from LDAP too.

I have successfully configured OpenLDAP and created a user as follows:

dn: cn=Valentin BUD,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
sn: BUD
givenName: Valentin
uid: mtx
cn: Valentin BUD
homeDirectory: /home/mtx
loginShell: /bin/tcsh
uidNumber: 5001
gidNumber: 5001
gecos: Valentin BUD

and a posixGroup as follows:

dn: cn=ssh,ou=groups,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ssh
gidNumber: 7000
description: SSH allowed users
memberUid: mtx

I have configured pam_ldap to honor group membership using

pam_groupdn cn=ssh,ou=groups,ou=people,dc=example,dc=com
pam_member_attribute memberUid

The problem is that pam_ldap wants the memberUid attribute to contain the user's DN and there is no option to change this behavior. My question is: what is the argument behind this, and do you think it should stay this way or could it be changed? In my case I really need pam_ldap to check just for the UID, not the DN of a user, in the memberUid attribute.

I have asked our friend Google what he has to say about this and found out that there is a patch on Debian, which can be found here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341541 , that gives the user the possibility to choose whether the memberUid attribute holds the DN or the UID. I would really like that feature, so I have patched pam_ldap, to no success, and since my C programming skills are close to none I am stuck.

Would you people think that the above patch would be useful? Please give your arguments on this. How can I/we make that patch work?

Thank you very much and a great day,
v
-- 
network warrior since 2005
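What the post runs into, as an added example (not the poster's code, nor pam_ldap's): the two entries above parsed from LDIF and the pam_groupdn check evaluated both ways. With `match="dn"` (pam_ldap's behaviour) the posixGroup's `memberUid: mtx` never matches `cn=Valentin BUD,ou=people,dc=example,dc=com`; with `match="uid"` (the option the Debian patch adds) it does. The entries are the ones from the post; the function names and the DN comparison (a plain lower-cased string compare, enough for these entries) are the example's own.

```python
# Added example, not code from the original post or from pam_ldap: it parses the
# two LDIF entries quoted above and evaluates the pam_groupdn check under the two
# semantics the post contrasts. Attribute names are compared case-insensitively,
# as LDAP does; DN comparison is a lower-cased string compare, an approximation
# of real DN matching that is enough for these entries.

GROUP_LDIF = """\
dn: cn=ssh,ou=groups,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ssh
gidNumber: 7000
description: SSH allowed users
memberUid: mtx
"""

USER_LDIF = """\
dn: cn=Valentin BUD,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: mtx
uidNumber: 5001
gidNumber: 5001
"""


def parse_ldif(text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles folded continuation lines (leading space) and comments; base64
    values (`attr:: ...`) are not needed for these entries and not handled.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def is_member(group, user, member_attribute="memberUid", match="dn"):
    """Emulate the pam_groupdn membership check.

    match="dn":  the member attribute must hold the user's DN. This is what
                 pam_ldap does for any pam_member_attribute, which is the
                 behaviour the post runs into.
    match="uid": the member attribute must hold the user's uid, which is what
                 a posixGroup's memberUid actually contains (the option the
                 Debian patch adds).
    """
    members = {v.lower() for v in group.get(member_attribute.lower(), [])}
    if match == "dn":
        return user["dn"][0].lower() in members
    if match == "uid":
        return any(u.lower() in members for u in user.get("uid", []))
    raise ValueError(f"unknown match mode {match!r}")


def pam_groupdn_decision(group_ldif, user_ldif, match="dn"):
    """Return True if pam_ldap would admit the user, given the group entry."""
    return is_member(parse_ldif(group_ldif), parse_ldif(user_ldif), match=match)


if __name__ == "__main__":
    for mode in ("dn", "uid"):
        print(f"match={mode}: allowed={pam_groupdn_decision(GROUP_LDIF, USER_LDIF, mode)}")
```

Run as-is it prints `match=dn: allowed=False` and `match=uid: allowed=True`, which is exactly the mismatch between pam_ldap's DN-based compare and the RFC 2307 posixGroup schema the post describes.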
pam_ldap pam_password crypt option doesn't work...?
Hi,

I'm trying to authenticate users from OpenLDAP. In LDAP the userPassword fields are crypted, so I'm trying to use the pam_password crypt option in ldap.conf. But in the LDAP log the password data from the pam_ldap module is always in clear text. What could be wrong? Thanks in advance.

ldap.conf:

host *host*
base ou=people,dc=boun.edu.tr,o=BU
ldap_version 3
binddn cn=root,o=BU
bindpw *password*
port 389
timelimit 30
bind_timelimit 30
pam_login_attribute uid
pam_password crypt

Service conf file:

auth required /usr/local/lib/pam_ldap.so try_first_pass

I also tried the use_mapped_pass option, but it didn't work.

LDAP log:

ldap_read: want=60, got=60
  0000: 01 03 04 2c 75 69 64 3d 74 65 73 74 2e 74 65 73  ...,uid=test.tes
  0010: 74 31 2c 6f 75 3d 70 65 6f 70 6c 65 2c 64 63 3d  t1,ou=people,dc=
  0020: 62 6f 75 6e 2e 65 64 75 2e 74 72 2c 6f 3d 42 55  boun.edu.tr,o=BU
  0030: 80 0a 79 61 67 6c 69 65 6b 6d 65 6b              ..yagliekmek  [clear text password]
ber_get_next: tag 0x30 len 66 contents:

pam_ldap version is 1.8.4
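Added example, not from the post and not pam_ldap's or OpenLDAP's code, showing why the log looks the way it does. `pam_password crypt` only selects how pam_ldap hashes a new password before writing it during a password change; authentication itself is an LDAP simple bind, and a simple bind carries the password verbatim in a `[0] OCTET STRING` so that the server can compare it against the stored crypt hash. The code encodes and decodes that BindRequest; with the DN from the log and a ten-character password it produces the 66-byte SEQUENCE the log reports as `tag 0x30 len 66`. The password used below is a placeholder. Only TLS (`ssl start_tls` in ldap.conf) keeps that octet string off the wire in the clear.

```python
# Added example, not code from the original post or from pam_ldap/OpenLDAP: a
# minimal BER encoder/decoder for an LDAPv3 simple BindRequest, which is the
# operation pam_ldap performs to verify a login. The DN below is the one from
# the log in the post; the password is a constructed placeholder.

def ber_length(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(n):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.

    Tags: SEQUENCE 0x30, INTEGER 0x02, OCTET STRING 0x04,
    [APPLICATION 0] BindRequest 0x60, [0] simple authentication 0x80.
    """
    bind = (ber_int(3)
            + tlv(0x04, dn.encode("utf-8"))
            + tlv(0x80, password.encode("utf-8")))   # the password, verbatim
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


def read_tlv(buf, pos=0):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(data):
    """Return (message_id, version, dn, password) from an encoded BindRequest."""
    tag, message, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(message)
    tag, bind, _ = read_tlv(message, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(bind)
    _, dn, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not simple authentication (SASL bind)")
    return (int.from_bytes(mid, "big"), int.from_bytes(version, "big"),
            dn.decode("utf-8"), auth.decode("utf-8"))


if __name__ == "__main__":
    dn = "uid=test.test1,ou=people,dc=boun.edu.tr,o=BU"
    msg = encode_simple_bind(1, dn, "placeholder")
    print(msg.hex())
    print(decode_simple_bind(msg))
```

The hex printed by the stand-alone run contains the DN and the password as readable bytes, just like the slapd trace in the post; no client-side option changes that for a simple bind.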
Invalid credentials errors using pam_ldap on FreeBSD
Hello,

I'm pretty sure I've done all the necessary steps to be able to ssh to my FreeBSD box using pam_ldap, but I'm getting "Invalid credentials" errors whenever I try (I can successfully perform an ldapsearch operation though). Here are snippets from my config:

[/etc/nsswitch.conf]
passwd: files ldap

[/etc/pam.d/sshd]
auth sufficient /usr/local/lib/pam_ldap.so
auth required pam_unix.so

[/usr/local/etc/ldap.conf]
base o=brookes
uri ldap://ldap.brookes.ac.uk:389/
scope one

And here is the error:

Jul 18 19:19:41 vh1a9f58 sshd[19601]: pam_ldap: error trying to bind as user uid=p0036343,o=Brookes (Invalid credentials)

Incidentally, the following ldapsearch query _IS_ successful, and returns me some details about user 'jsmith':

ldapsearch -H ldap://ldap.brookes.ac.uk -b 'o=brookes' -x -W -D 'uid=me,o=Brookes' uid=jsmith

I'm really stumped on this one... can anyone help please?

Many thanks,
Steve :)
Re: Invalid credentials errors using pam_ldap on FreeBSD
Quoting Stephen Allen [EMAIL PROTECTED]:

> Hello,
>
> I'm pretty sure I've done all the necessary steps to be able to ssh to my FreeBSD box using pam_ldap, but I'm getting "Invalid credentials" errors whenever I try (I can successfully perform an ldapsearch operation though). Here are snippets from my config:
>
> [/etc/nsswitch.conf]
> passwd: files ldap
>
> [/etc/pam.d/sshd]
> auth sufficient /usr/local/lib/pam_ldap.so
> auth required pam_unix.so
>
> [/usr/local/etc/ldap.conf]
> base o=brookes
> uri ldap://ldap.brookes.ac.uk:389/
> scope one
>
> And here is the error:
>
> Jul 18 19:19:41 vh1a9f58 sshd[19601]: pam_ldap: error trying to bind as user uid=p0036343,o=Brookes (Invalid credentials)
>
> Incidentally, the following ldapsearch query _IS_ successful, and returns me some details about user 'jsmith':
>
> ldapsearch -H ldap://ldap.brookes.ac.uk -b 'o=brookes' -x -W -D 'uid=me,o=Brookes' uid=jsmith

Try increasing the log level in nss_ldap.conf (debug = level) and check /var/log/debug.log. See man nss_ldap(5).

--per
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Paul Schmehl wrote:
> Please don't top post. It disrupts the flow of the conversation. (See below for my response.)
>
> --On Wednesday, March 26, 2008 4:01 PM +0100 Frank Bonnet [EMAIL PROTECTED] wrote:
>> Hello
>>
>> After having spent several hours on it I can't get working ssh access that uses PAM_LDAP on a FreeBSD 6/7 machine! I have no problem on a Linux Debian etch box ... Where are we going if Linux works better than BSD? :-)
>
> Setting up pam ldap ssh access on a FreeBSD box takes less than five minutes *after* installing the correct ports.
>
> 1) net/openldap-client
> 2) security/pam_ldap
>
> Then configure ldap.conf (in /usr/local/etc/), which is quite simple:
>
> host {your ldap server(s), either hostname(s) or ip(s), in a space-separated list}
> dc {your dn}
>
> Then configure /etc/pam.d/sshd thus:
>
> auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
>
> That's all that is needed.

That's what I did. I have used nss_ldap and pam_ldap for a long time now on many platforms, and that is what does not work.

> If it doesn't work, fire up wireshark (port) or tcpdump (base) and see what the problem is.

At the very last extremity, why not?
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
--On Thursday, March 27, 2008 11:17:26 +0100 Frank Bonnet [EMAIL PROTECTED] wrote:

>> Setting up pam ldap ssh access on a FreeBSD box takes less than five minutes *after* installing the correct ports.
>>
>> 1) net/openldap-client
>> 2) security/pam_ldap
>>
>> Then configure ldap.conf (in /usr/local/etc/), which is quite simple:
>>
>> host {your ldap server(s), either hostname(s) or ip(s), in a space-separated list}
>> dc {your dn}
>>
>> Then configure /etc/pam.d/sshd thus:
>>
>> auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
>>
>> That's all that is needed.
>
> That's what I did. I have used nss_ldap and pam_ldap for a long time now on many platforms, and that is what does not work.

Time to troubleshoot. Is the ldap server reachable? Is your search base correct? Is a firewall blocking you? Is the ldap server running on a non-standard port? Something is wrong, but if you configured it the same way as I described, then the problem lies elsewhere.

>> If it doesn't work, fire up wireshark (port) or tcpdump (base) and see what the problem is.
>
> At the very last extremity, why not?

I'm afraid I don't follow you here.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Hello

After having spent several hours on it I can't get working ssh access that uses PAM_LDAP on a FreeBSD 6/7 machine! I have no problem on a Linux Debian etch box ... Where are we going if Linux works better than BSD? :-)

Brian A. Seklecki wrote:
> On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
>> Hello Brian
>>
>> Thanks for the quick answer but I'm still in trouble
>
> Turn on the debugging flags in the configuration file for pam_ldap in /usr/local/etc and watch the console on the system.
>
> ~BAS
>
>> When I try to ssh connect to the machine I fall in a loop like the following
>>
>> panzer:~ ssh [EMAIL PROTECTED]
>> Password:
>> Old Password:
>> Password:
>> Old Password:
>> Password:
>>
>> I am SURE the password I type works
>>
>> Brian A. Seklecki wrote:
>>> The problem is that the PAM libraries provide shit-fuck-ass-worthless debug mechanisms. This is only eclipsed by the terribly organized information on LDAP+NSS+PAM for FreeBSD on the web.
>>>
>>> The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo. Please put this on the OpenLDAP / PADL Wiki somewhere:
>>>
>>> [EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd
>>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>>> #
>>> # PAM configuration for the sshd service
>>> #
>>>
>>> # auth
>>> #auth      required    pam_nologin.so          no_warn
>>> #auth      sufficient  pam_opie.so             no_warn no_fake_prompts
>>> #auth      requisite   pam_opieaccess.so       no_warn allow_local
>>> #auth      sufficient  pam_krb5.so             no_warn try_first_pass
>>> #auth      sufficient  pam_ssh.so              no_warn try_first_pass
>>> auth       sufficient  /usr/local/lib/pam_ldap.so
>>> auth       required    pam_unix.so             no_warn try_first_pass
>>>
>>> # account
>>> #account   required    pam_krb5.so
>>> account    required    pam_login_access.so
>>> account    required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
>>> account    required    pam_unix.so
>>>
>>> # session
>>> #session   optional    pam_ssh.so
>>> session    required    pam_permit.so
>>> session    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>>
>>> # password
>>> #password  sufficient  pam_krb5.so             no_warn try_first_pass
>>> password   required    pam_unix.so             no_warn try_first_pass
>>> #password  required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>>
>>> Also try:
>>>
>>> $ grep -i debug /usr/local/etc/ldap.conf
>>> #debug 1
>>> $ grep -i debug /usr/local/etc/nss_ldap.conf
>>> #debug 1
>>>
>>> Higher levels for fun.
>>>
>>> ~BAS
>>>
>>> On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
>>>> Hello
>>>>
>>>> I can't get working sshd access using pam_ldap and nss_ldap. /etc/nsswitch.conf is OK but I'm having difficulties configuring pam_ldap for ssh access on a machine (6.3 or 7.0) ... I have been trying a lot to configure the /etc/pam.d/sshd file but haven't had any success (sigh!)
>>>>
>>>> Could anyone help?
>>>>
>>>> Thanks a lot!
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Please don't top post. It disrupts the flow of the conversation. (See below for my response.)

--On Wednesday, March 26, 2008 4:01 PM +0100 Frank Bonnet [EMAIL PROTECTED] wrote:

> Hello
>
> After having spent several hours on it I can't get working ssh access that uses PAM_LDAP on a FreeBSD 6/7 machine! I have no problem on a Linux Debian etch box ... Where are we going if Linux works better than BSD? :-)

Setting up pam ldap ssh access on a FreeBSD box takes less than five minutes *after* installing the correct ports.

1) net/openldap-client
2) security/pam_ldap

Then configure ldap.conf (in /usr/local/etc/), which is quite simple:

host {your ldap server(s), either hostname(s) or ip(s), in a space-separated list}
dc {your dn}

Then configure /etc/pam.d/sshd thus:

auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass

That's all that is needed. If it doesn't work, fire up wireshark (port) or tcpdump (base) and see what the problem is.

You needn't even bother creating local passwords for accounts. Just create the account without one, and with pam/ssh/ldap they can log in and use their assigned shell / do whatever you've authorized them to do.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
Hello

I can't get working sshd access using pam_ldap and nss_ldap. /etc/nsswitch.conf is OK but I'm having difficulties configuring pam_ldap for ssh access on a machine (6.3 or 7.0) ... I have been trying a lot to configure the /etc/pam.d/sshd file but haven't had any success (sigh!)

Could anyone help?

Thanks a lot!
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
The problem is that the PAM libraries provide shit-fuck-ass-worthless debug mechanisms. This is only eclipsed by the terribly organized information on LDAP+NSS+PAM for FreeBSD on the web.

The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo. Please put this on the OpenLDAP / PADL Wiki somewhere:

[EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the sshd service
#

# auth
#auth      required    pam_nologin.so          no_warn
#auth      sufficient  pam_opie.so             no_warn no_fake_prompts
#auth      requisite   pam_opieaccess.so       no_warn allow_local
#auth      sufficient  pam_krb5.so             no_warn try_first_pass
#auth      sufficient  pam_ssh.so              no_warn try_first_pass
auth       sufficient  /usr/local/lib/pam_ldap.so
auth       required    pam_unix.so             no_warn try_first_pass

# account
#account   required    pam_krb5.so
account    required    pam_login_access.so
account    required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account    required    pam_unix.so

# session
#session   optional    pam_ssh.so
session    required    pam_permit.so
session    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass

# password
#password  sufficient  pam_krb5.so             no_warn try_first_pass
password   required    pam_unix.so             no_warn try_first_pass
#password  required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass

Also try:

$ grep -i debug /usr/local/etc/ldap.conf
#debug 1
$ grep -i debug /usr/local/etc/nss_ldap.conf
#debug 1

Higher levels for fun.

~BAS

On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
> Hello
>
> I can't get working sshd access using pam_ldap and nss_ldap. /etc/nsswitch.conf is OK but I'm having difficulties configuring pam_ldap for ssh access on a machine (6.3 or 7.0) ... I have been trying a lot to configure the /etc/pam.d/sshd file but haven't had any success (sigh!)
>
> Could anyone help?
>
> Thanks a lot!

-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
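Added example, not from the posts and not OpenPAM's or pam_ldap's code: an evaluator for the control flags in the sshd chain Brian posted above, which makes Paul's remark about not needing local passwords concrete. `auth sufficient pam_ldap.so` before `auth required pam_unix.so` means a successful LDAP bind ends the chain before pam_unix ever looks at the local password database; on the `account` chain every module is `required`, so a pam_ldap account failure (which is what a user absent from LDAP gets unless `ignore_unknown_user` turns it into PAM_IGNORE) denies the login even when pam_unix would allow it. The module outcomes are constructed inputs; the chain text is the posted file with the commented, session and password lines omitted.

```python
# Added example, not code from the posts, from OpenPAM or from pam_ldap: a small
# evaluator for the control flags in a FreeBSD pam.d chain, run over the sshd
# stack quoted in this thread. Module outcomes are constructed inputs; the real
# modules would consult the LDAP server or /etc/master.passwd.

SSHD_STACK = """\
# auth
auth     sufficient  /usr/local/lib/pam_ldap.so
auth     required    pam_unix.so  no_warn try_first_pass
# account
account  required    pam_login_access.so
account  required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account  required    pam_unix.so
"""


def parse_pam(text):
    """Return {facility: [(control, module, [options])]} for a pam.d file."""
    chains = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        facility, control, module, *options = line.split()
        module = module.rsplit("/", 1)[-1]        # keep just pam_ldap.so
        chains.setdefault(facility, []).append((control, module, options))
    return chains


def run_chain(chain, results):
    """Apply OpenPAM control semantics to one facility's chain.

    results maps module name -> True (PAM_SUCCESS) or False (any error).
    A module missing from results is treated as failing.
    Returns (granted, deciding_module); deciding_module is None when the
    whole chain ran and every required module succeeded.
    """
    first_failure = None
    for control, module, _options in chain:
        ok = results.get(module, False)
        if control == "required":
            if not ok and first_failure is None:
                first_failure = module            # remember, keep going
        elif control == "requisite":
            if not ok:
                return False, module              # stop immediately
        elif control == "sufficient":
            if ok and first_failure is None:
                return True, module               # short-circuit success
        elif control == "binding":
            if ok and first_failure is None:
                return True, module
            if not ok and first_failure is None:
                first_failure = module
        elif control == "optional":
            pass                                  # never decides a multi-module chain
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return first_failure is None, first_failure


def decide(stack_text, facility, results):
    """Convenience wrapper: parse the stack and evaluate one facility."""
    return run_chain(parse_pam(stack_text)[facility], results)


if __name__ == "__main__":
    # LDAP user with no local password: pam_ldap succeeds, pam_unix would fail
    print(decide(SSHD_STACK, "auth", {"pam_ldap.so": True, "pam_unix.so": False}))
    # Local root: pam_ldap fails, pam_unix succeeds
    print(decide(SSHD_STACK, "auth", {"pam_ldap.so": False, "pam_unix.so": True}))
    # Local-only user whose pam_ldap account check errors out
    print(decide(SSHD_STACK, "account",
                 {"pam_login_access.so": True, "pam_ldap.so": False, "pam_unix.so": True}))
```

The third stand-alone case is the one the `ignore_unknown_user` / `ignore_authinfo_unavail` options exist for: without them, a local account, or any account while the LDAP server is down, is refused on the `account` chain after the `auth` chain already succeeded.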
Re: Working /etc/pam.d/sshd file with pam_ldap 6.3 or 7.0 ?
On Tue, 2008-03-25 at 16:31 +0100, Frank Bonnet wrote:
> Hello Brian
>
> Thanks for the quick answer but I'm still in trouble

Turn on the debugging flags in the configuration file for pam_ldap in /usr/local/etc and watch the console on the system.

~BAS

> When I try to ssh connect to the machine I fall in a loop like the following
>
> panzer:~ ssh [EMAIL PROTECTED]
> Password:
> Old Password:
> Password:
> Old Password:
> Password:
>
> I am SURE the password I type works
>
> Brian A. Seklecki wrote:
>> The problem is that the PAM libraries provide shit-fuck-ass-worthless debug mechanisms. This is only eclipsed by the terribly organized information on LDAP+NSS+PAM for FreeBSD on the web.
>>
>> The file is the same for pam.d/system and /usr/local/etc/pam.d/sudo. Please put this on the OpenLDAP / PADL Wiki somewhere:
>>
>> [EMAIL PROTECTED]:/home/seklecki$ more /etc/pam.d/sshd
>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>> #
>> # PAM configuration for the sshd service
>> #
>>
>> # auth
>> #auth      required    pam_nologin.so          no_warn
>> #auth      sufficient  pam_opie.so             no_warn no_fake_prompts
>> #auth      requisite   pam_opieaccess.so       no_warn allow_local
>> #auth      sufficient  pam_krb5.so             no_warn try_first_pass
>> #auth      sufficient  pam_ssh.so              no_warn try_first_pass
>> auth       sufficient  /usr/local/lib/pam_ldap.so
>> auth       required    pam_unix.so             no_warn try_first_pass
>>
>> # account
>> #account   required    pam_krb5.so
>> account    required    pam_login_access.so
>> account    required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
>> account    required    pam_unix.so
>>
>> # session
>> #session   optional    pam_ssh.so
>> session    required    pam_permit.so
>> session    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>
>> # password
>> #password  sufficient  pam_krb5.so             no_warn try_first_pass
>> password   required    pam_unix.so             no_warn try_first_pass
>> #password  required    /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>>
>> Also try:
>>
>> $ grep -i debug /usr/local/etc/ldap.conf
>> #debug 1
>> $ grep -i debug /usr/local/etc/nss_ldap.conf
>> #debug 1
>>
>> Higher levels for fun.
>>
>> ~BAS
>>
>> On Tue, 2008-03-25 at 15:34 +0100, Frank Bonnet wrote:
>>> Hello
>>>
>>> I can't get working sshd access using pam_ldap and nss_ldap. /etc/nsswitch.conf is OK but I'm having difficulties configuring pam_ldap for ssh access on a machine (6.3 or 7.0) ... I have been trying a lot to configure the /etc/pam.d/sshd file but haven't had any success (sigh!)
>>>
>>> Could anyone help?
>>>
>>> Thanks a lot!

-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Ulrich Spoerlein wrote:
> Sorry for the late reply ...
>
> On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote:
>> All right, here I am. nss_ldap.conf and ldap.conf are located in /usr/local/etc and are identical (link). I copied all tags I use and deleted commented out tags:
>
> Seems ok to me, though I don't claim to be an expert.

This method has been recommended by many sites and tutorials, so I guess it should be approved ;-)

>> The slapd.conf is this, comments roped:
>>
>> include /usr/local/etc/openldap/schema/core.schema
>> include /usr/local/etc/openldap/schema/cosine.schema
>> include /usr/local/etc/openldap/schema/nis.schema
>> include /usr/local/etc/openldap/schema/inetorgperson.schema
>> # additional schema
>> include /usr/local/share/examples/samba/LDAP/samba.schema
>> pidfile /var/run/openldap/slapd.pid
>> argsfile /var/run/openldap/slapd.args
>> logfile /var/log/slapd.log
>> loglevel 512
>
> loglevel is a bitmask. If you want to have lots of debugging try 255 and run a tail -f /var/log/debug.log

Thanks, I did so and found several useful messages in the log.

>> sizelimit unlimited
>> allow bind_v2
>> modulepath /usr/local/libexec/openldap
>> moduleload back_bdb
>> everse-lookup off
>
> typo I guess?

Sorry, yes, copy-and-paste mistake.

>> NSCD is up and running, my nsswitch.conf looks like this:
>
> Please try without nscd first, it's just another possible source of problems.

Due to a recommendation not to use NSCD with FreeBSD and SAMBA I switched that off.

>> group: cache ldap [ unavail=continue notfound=continue ] files
>> passwd: cache ldap [ unavail=continue notfound=continue ] files
>> #group_compat: nis
>> hosts: compat
>> networks: files
>> #passwd_compat: nis
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>> And I changed some lines in /etc/pam.d/sshd,login,system,other like this (commented out because the system gets stuck forever when nss_ldap/pam_ldap is enabled):
>
> I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to avoid this unresponsiveness.
>
> # Bind/connect timelimit
> bind_timelimit 3
> # Reconnect policy: hard (default) will retry connecting to
> # the software with exponential backoff, soft will fail
> # immediately.
> #bind_policy hard
> bind_policy soft
>
> Also, make NSS work first, then turn to configuring PAM (at least, that's what I would do)

Great!! That did the trick and it is very helpful in saving a lot of time and prevented me from losing more hair.

>> Some errors from console:
>>
>> (At boot time)
>> Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: could not search LDAP server - Server is unavailable
>
> Expected. slapd wants to change its user to ldap:ldap, which it needs to look up the UID for. Chicken/Egg. That's why I need to use soft bind+timeout on my (disconnected) laptop here.
>
>> Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: could not search LDAP server - Server is unavailable
>> Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could not search LDAP server - Server is unavailable
>
> That seems broken then. Is slapd running? Can you ldapsearch -Lx -h localhost? What's /var/log/debug.log telling you? Can you id(1) some ldap users? Does the output of 'getent group' and 'getent passwd' look reasonable?

Too many switches switched at the same time, so I guess I messed up things and couldn't get a clear sight anymore. The point is, without any TLS the user authentication works fine for SSHD/LOGIN and SU, even password changes via a patched 'passwd' work fine, but when trying to use TLS/OpenSSL everything gets messed up again; I'll report this at the end.

The main reason for blocking access was the ACL misbehaviour. I took the example slapd.conf and especially the line describing access to everything, access to * ... The line 'by anonymous auth' needs to be changed into 'by anonymous read', otherwise LDAP won't even let you access it for authentication. I found this by watching exhaustive logs ...

>> One point: what about compile time options of OpenLDAP? Does LDAP force itself to use SSL although not configured explicitly in slapd.conf?
>
> No. It is purely optional. You would need certificates before it can even possibly start working anyways.

Yes, but OpenLDAP openldap-server-2.3.38 seems to reject connections via TLS when used with self-signed certificates.

>> nss_ldap-1.257 ===
>> openldap-client-2.3.38
>> openldap-server-2.3.38
>> pam_ldap-1.8.2
>
> My other computer is running with nss_ldap-1.257 and showing no problems either.
>
> Cheers,
> Ulrich Spoerlein

Well, thanks a lot for helping. At this moment OpenLDAP seems to work with the OpenLDAP clients (only) and for authentication via ssh/login. I tried to install the famous and often mentioned 'smbldap-tools' as recommended in many tutorials and I followed the setup
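The ACL change described above deserves a closer look, so here is an added example (not from the posts and not OpenLDAP's code): a small evaluator for slapd's `access to` lines. The `auth` level only permits a bind against the attribute; the uid-to-DN lookup that nss_ldap and pam_ldap perform before binding is a search, which `access to * ... by anonymous auth` denies to an anonymous client, so the symptom reported above is expected. Rewriting the clause as `by anonymous read` does fix the lookup, but it also lets any unauthenticated client read `userPassword`, because the posted slapd.conf has no earlier, more specific clause for that attribute (and, as the evaluator also shows, `by users read` already hands the hashes to every authenticated user). The constructed `SCOPED` variant keeps the lookup working while leaving password hashes bind-only; the other standard remedy, not modelled here, is a dedicated `binddn`/`bindpw` for the client. The model covers only the directives used in this thread and ignores slapd's `entry` and `children` pseudo-attributes.

```python
# Added example, not code from the posts or from OpenLDAP: a minimal evaluator
# for slapd.conf `access to` directives, covering only the subset used in this
# thread (`access to *` / `access to attrs=...`; `by self|users|anonymous|*`;
# the standard access levels). It compares the ACL from the posted slapd.conf
# with the `by anonymous read` change described above and with a constructed
# alternative that opens only what the lookup needs.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acls(text):
    """Parse lines of the form
         access to <what> by <who> <level> [by <who> <level> ...]
    into [(what, [(who, level), ...])]; <what> is "*" or a set of
    lower-cased attribute names taken from attrs=a,b,c."""
    acls = []
    for line in text.splitlines():
        words = line.split()
        if words[:2] != ["access", "to"]:
            continue
        what = words[2]
        if what.startswith("attrs="):
            what = {a.lower() for a in what[len("attrs="):].split(",")}
        clauses, i = [], 3
        while i + 2 < len(words) and words[i] == "by":
            clauses.append((words[i + 1], words[i + 2]))
            i += 3
        acls.append((what, clauses))
    return acls


def granted(acls, bound_dn, entry_dn, attr, wanted):
    """True if a client bound as bound_dn (None = anonymous) gets `wanted`
    access to `attr` of `entry_dn`. slapd semantics: the first `access to`
    clause whose target matches is the only one consulted, its first
    matching `by` clause decides, and anything unmatched is denied."""
    for what, clauses in acls:
        if what != "*" and attr.lower() not in what:
            continue
        for who, level in clauses:
            if (who == "*"
                    or (who == "anonymous" and bound_dn is None)
                    or (who == "users" and bound_dn is not None)
                    or (who == "self" and bound_dn is not None
                        and bound_dn.lower() == entry_dn.lower())):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    return False


# ACL from the slapd.conf posted earlier in this thread.
ORIGINAL = "access to * by self write by users read by anonymous auth"
# The change the post describes: every attribute readable anonymously.
OPENED = "access to * by self write by users read by anonymous read"
# Constructed alternative: anonymous clients may search the non-password
# attributes (what nss_ldap/pam_ldap need before the bind), but userPassword
# stays bind-only for anyone other than the entry itself.
SCOPED = """\
access to attrs=userPassword by self write by anonymous auth by * none
access to * by self write by users read by anonymous read
"""

USER = "uid=user,ou=users,dc=office,dc=de"      # constructed DNs
OTHER = "uid=other,ou=users,dc=office,dc=de"


def report(acl_text):
    """Four questions to ask of the ACL: can an unauthenticated client find
    the user entry, can it read the hash, can the user still bind, and can
    a different authenticated user read the hash."""
    acls = parse_acls(acl_text)
    return {
        "anonymous_can_search_uid": granted(acls, None, USER, "uid", "search"),
        "anonymous_can_read_hash": granted(acls, None, USER, "userPassword", "read"),
        "anonymous_can_bind": granted(acls, None, USER, "userPassword", "auth"),
        "other_user_can_read_hash": granted(acls, OTHER, USER, "userPassword", "read"),
    }


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("opened", OPENED), ("scoped", SCOPED)):
        print(name, report(text))
```

The stand-alone run prints the three rows side by side: `original` cannot search but can bind, `opened` can do everything including reading hashes anonymously, and `scoped` can search and bind while both the anonymous and the other-user hash reads are refused.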
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Sorry for the late reply ...

On Fri, 26.10.2007 at 20:16:45 +0200, O. Hartmann wrote:
> All right, here I am. nss_ldap.conf and ldap.conf are located in /usr/local/etc and are identical (link). I copied all tags I use and deleted commented out tags:

Seems ok to me, though I don't claim to be an expert.

> The slapd.conf is this, comments roped:
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> # additional schema
> include /usr/local/share/examples/samba/LDAP/samba.schema
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> logfile /var/log/slapd.log
> loglevel 512

loglevel is a bitmask. If you want to have lots of debugging try 255 and run a tail -f /var/log/debug.log

> sizelimit unlimited
> allow bind_v2
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb
> everse-lookup off

typo I guess?

> NSCD is up and running, my nsswitch.conf looks like this:

Please try without nscd first, it's just another possible source of problems.

> group: cache ldap [ unavail=continue notfound=continue ] files
> passwd: cache ldap [ unavail=continue notfound=continue ] files
> #group_compat: nis
> hosts: compat
> networks: files
> #passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> And I changed some lines in /etc/pam.d/sshd,login,system,other like this (commented out because the system gets stuck forever when nss_ldap/pam_ldap is enabled):

I'm using softbind and a short timeout in ldap.conf/nss_ldap.conf to avoid this unresponsiveness.

# Bind/connect timelimit
bind_timelimit 3
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft

Also, make NSS work first, then turn to configuring PAM (at least, that's what I would do)

> Some errors from console:
>
> (At boot time)
> Oct 26 17:00:36 gauss kernel: Oct 26 17:00:36 gauss slapd[757]: nss_ldap: could not search LDAP server - Server is unavailable

Expected. slapd wants to change its user to ldap:ldap, which it needs to look up the UID for. Chicken/Egg. That's why I need to use soft bind+timeout on my (disconnected) laptop here.

> Oct 26 11:59:08 gauss kernel: Oct 26 11:59:08 gauss cron[13480]: nss_ldap: could not search LDAP server - Server is unavailable
> Oct 26 12:41:44 gauss kernel: Oct 26 12:41:44 gauss login: nss_ldap: could not search LDAP server - Server is unavailable

That seems broken then. Is slapd running? Can you ldapsearch -Lx -h localhost? What's /var/log/debug.log telling you? Can you id(1) some ldap users? Does the output of 'getent group' and 'getent passwd' look reasonable?

> One point: what about compile time options of OpenLDAP? Does LDAP force itself to use SSL although not configured explicitly in slapd.conf?

No. It is purely optional. You would need certificates before it can even possibly start working anyways.

> nss_ldap-1.257 ===
> openldap-client-2.3.38
> openldap-server-2.3.38
> pam_ldap-1.8.2

My other computer is running with nss_ldap-1.257 and showing no problems either.

Cheers,
Ulrich Spoerlein

-- 
It is better to remain silent and be thought a fool, than to speak, and remove all doubt.
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote:
> On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:
>> Playing with ldapsearch gets results as expected. Doing ldapsearch with -D and the dn of the admin returns the whole DIT as expected; accessing the DIT with uid=user,ou=users,dc=... the same. Accessing the LDAP server from a client via LUMA (tool) is also ok.
>
> Try to change the nss_base_passwd line from:
>
> nss_base_passwd ou=users,dc=office,dc=de?one
>
> to
>
> nss_base_passwd ou=users,dc=office,dc=de?sub

Well, on a test machine I set up a test environment equal or nearly equal to the one that is not working on a potentially production box.

First of all, I think there is a misunderstanding in how to set up /etc/nsswitch.conf, because most trouble seems to be sourced there. When setting

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

restarting OpenLDAP results in this, but after two minutes or so it starts up (the time is unacceptable, and reverting the order from 'files ldap' to 'ldap files' for passwd and group does not change anything). The great question is: do I need to have these entries? Neither the nsswitch.conf manpage nor the nss_ldap manpage mentions setting 'ldap' as an option; I took this from one of the many tutorials out there.

Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldaps:///: Can't contact LDAP server
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
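Added example (not from the post and not nss_ldap's code): the reconnect lines above grouped by process, with the announced sleeps summed. They run 4, 8, 16, 32 and 64 seconds, 124 seconds in all, which accounts for the "two minutes or so" slapd takes to come up: with the default hard bind policy, the nss_ldap inside slapd keeps retrying a server that cannot answer yet, the chicken-and-egg lookup Ulrich describes earlier in the thread. The sample lines are copied from the post with most of the repeated "failed to bind" lines dropped; the extra numeric column after the timestamp is kept because the posted lines carry it.

```python
# Added example, not code from the posts or from nss_ldap: group the nss_ldap
# reconnect messages quoted above by process and work out how long each one
# was stalled by the hard bind policy's exponential backoff. The sample lines
# are copied from the post, with repeated "failed to bind" lines thinned out.
import re
from datetime import datetime

SAMPLE_LOG = """\
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldapi://%2fvar%2frun%2fldapi_sock/: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: failed to bind to LDAP server ldap:///: Can't contact LDAP server
Oct 27 15:55:31 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Oct 27 15:55:39 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Oct 27 15:55:55 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Oct 27 15:56:27 20.6 thor slapd[81911]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
"""

# syslog line with an optional extra numeric column (the "20.6" in the posted
# lines) between the timestamp and the hostname.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?:\d+\.\d+ )?"
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: nss_ldap: (?P<msg>.*)$")
SLEEP = re.compile(r"sleeping (\d+) seconds")


def stalls(log, year=2007):
    """Per (program, pid): first and last timestamp, number of bind failures,
    the backoff sleeps announced, and the total seconds spent sleeping.
    syslog lines carry no year, so one is supplied for parsing."""
    out = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["prog"], int(m["pid"]))
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = out.setdefault(key, {"first": ts, "last": ts, "failures": 0, "sleeps": []})
        rec["last"] = ts
        if "failed to bind" in m["msg"]:
            rec["failures"] += 1
        s = SLEEP.search(m["msg"])
        if s:
            rec["sleeps"].append(int(s.group(1)))
    for rec in out.values():
        rec["stalled"] = sum(rec["sleeps"])
    return out


def is_exponential(sleeps):
    """True when each announced sleep doubles the previous one, the
    signature of nss_ldap's hard bind policy."""
    return len(sleeps) > 1 and all(b == 2 * a for a, b in zip(sleeps, sleeps[1:]))


if __name__ == "__main__":
    for (prog, pid), rec in stalls(SAMPLE_LOG).items():
        print(f"{prog}[{pid}]: {rec['failures']} bind failures, sleeps {rec['sleeps']} "
              f"-> stalled {rec['stalled']}s (exponential={is_exponential(rec['sleeps'])})")
```

Pointed at a full /var/log/debug.log instead of the sample, the same grouping shows which daemons (slapd, cron, login in this thread) block on nss_ldap at boot and for how long, which is the quickest way to judge whether `bind_policy soft` plus a short `bind_timelimit` is needed on a host.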
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Ulrich Spoerlein wrote:
> On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:
>> At this point it seems senseless to try out what's going wrong and I need some hints or tips. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems to be running OpenLDAP based services on FBSD 7.
>
> I do. It's working just fine ...

Good to hear, but it doesn't on mine ... :-(

>> P.S. If someone wants me to offer config details and/or log excerpts, please contact me.
>
> Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf. Some actual error messages would be fine too.

All right, here I am. nss_ldap.conf and ldap.conf are located in /usr/local/etc and are identical (link). I copied all tags I use and deleted commented out tags:

host 192.168.2.210 (or 127.0.0.1 alternatively)
base dc=office,dc=de
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
# Specify a minium or maximum UID number allowed
pam_min_uid 1000
pam_max_uid 3
pam_password ssha
nss_base_passwd ou=users,dc=office,dc=de?one
nss_base_shadow ou=users,dc=office,dc=de?one
nss_base_group ou=group,dc=office,dc=de?one
pam_filter objectClass=posixAccount

The slapd.conf is this, comments roped:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# additional schema
include /usr/local/share/examples/samba/LDAP/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/slapd.log
loglevel 512
sizelimit unlimited
allow bind_v2
modulepath /usr/local/libexec/openldap
moduleload back_bdb
everse-lookup off
access to * by self write by users read by anonymous auth
database bdb
suffix dc=office,dc=de
rootdn cn=admin,dc=office,dc=de
rootpw
directory /data/openldap-data/nuggad/
index objectClass eq,pres
index uid,memberUid pres,eq,sub
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index nisMapName,nisMapEntry eq,pres,sub

NSCD is up and running, my nsswitch.conf looks like this:

group: cache ldap [ unavail=continue notfound=continue ] files
passwd: cache ldap [ unavail=continue notfound=continue ] files
#group_compat: nis
hosts: compat
networks: files
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

And I changed some lines in /etc/pam.d/sshd,login,system,other like this (commented out because the system gets stuck forever when nss_ldap/pam_ldap is enabled):

system:

#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth       sufficient  pam_opie.so                 no_warn no_fake_prompts
auth       requisite   pam_opieaccess.so           no_warn allow_local
#auth      sufficient  pam_krb5.so                 no_warn try_first_pass
#auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth       required    pam_unix.so                 no_warn try_first_pass nullok

# account
#account   required    pam_krb5.so
account    required    pam_login_access.so
#account   sufficient  /usr/local/lib/pam_ldap.so
account    required    pam_unix.so

# session
#session   optional    pam_ssh.so
session    required    pam_lastlog.so              no_fail

# password
#password  sufficient  pam_krb5.so                 no_warn try_first_pass
#password  sufficient  /usr/local/lib/pam_ldap.so  no_warn use_authtok
password   required    pam_unix.so                 no_warn try_first_pass

sshd:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the sshd service
#

# auth
#auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
#auth      requisite   pam_opieaccess.so           no_warn allow_local
#auth      sufficient  pam_krb5.so                 no_warn try_first_pass
auth       sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth       required    pam_unix.so                 no_warn try_first_pass

# account
account    required    pam_nologin.so
#account   required    pam_krb5.so
account    required    pam_login_access.so
account    sufficient  /usr/local/lib/pam_ldap.so
account
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:

Ulrich Spoerlein wrote:

On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:

At this point it seems senseless to try out what's going wrong and I need some hints or tips. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems to be running OpenLDAP based services on FBSD 7.

I've had this running since 6.x and have just installed this yesterday on a 7-BETA machine. Things that you can try:

- Do not use nscd (the samba documentation recommends this)
- Do the changes in steps, testing between each change

What does ldapsearch say?

Att,
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote:

On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:

Ulrich Spoerlein wrote:

On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:

At this point it seems senseless to try out what's going wrong and I need some hints or tips. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems to be running OpenLDAP based services on FBSD 7.

I've had this running since 6.x and have just installed this yesterday on a 7-BETA machine. Things that you can try:

- Do not use nscd (the samba documentation recommends this)
- Do the changes in steps, testing between each change

What does ldapsearch say?

Att,

Playing with ldapsearch gets results as expected. Doing ldapsearch with -D and the dn of the admin results in the whole DIT as expected, accessing the DIT with uid=user,ou=users,dc=... the same. Accessing the LDAP server from a client via LUMA (tool) is also ok.
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:

Playing with ldapsearch gets results as expected. Doing ldapsearch with -D and the dn of the admin results in the whole DIT as expected, accessing the DIT with uid=user,ou=users,dc=... the same. Accessing the LDAP server from a client via LUMA (tool) is also ok.

Try to change the nss_base_passwd line from:

    nss_base_passwd ou=users,dc=office,dc=de?one

to

    nss_base_passwd ou=users,dc=office,dc=de?sub
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Alexandre Biancalana wrote:

On 10/26/07, O. Hartmann [EMAIL PROTECTED] wrote:

Playing with ldapsearch gets results as expected. Doing ldapsearch with -D and the dn of the admin results in the whole DIT as expected, accessing the DIT with uid=user,ou=users,dc=... the same. Accessing the LDAP server from a client via LUMA (tool) is also ok.

Try to change the nss_base_passwd line from:

    nss_base_passwd ou=users,dc=office,dc=de?one

to

    nss_base_passwd ou=users,dc=office,dc=de?sub

... no difference ... slapd won't start when ldap is the first entry in nsswitch.conf and is not searched when it is last. Maybe there is a problem with the nss_ldap library?
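The ?one versus ?sub difference suggested above, as an added example (not code from the thread, from nss_ldap or from OpenLDAP): a small Python reimplementation of the base/one/sub scope test the server applies, run over constructed DNs under the thread's ou=users,dc=office,dc=de base.

```python
"""Which entries an nss_base_passwd 'base?scope' line can ever return.

Added example: reimplements only the base/one/sub scope test of an LDAP
search (not nss_ldap's or OpenLDAP's code).  The account DNs below are
constructed.
"""
from __future__ import annotations


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas; an RFC 4514 '\\,' escape
    stays inside its RDN.  Everything is lower-cased for comparison, a
    simplification that is right for caseIgnore attributes such as dc, ou,
    cn and uid, the ones used in this thread."""
    rdns: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return rdns


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if a search with this base and scope can return entry_dn.

    base: the base entry only; one: its direct children only;
    sub: the base entry and everything below it."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                            # not under the base at all
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def parse_nss_base(line: str) -> tuple[str, str]:
    """Parse 'nss_base_<map> base?scope?filter' into (base, scope).
    A missing scope is taken as 'sub', nss_ldap's default."""
    _, _, value = line.strip().partition(" ")
    parts = value.strip().split("?")
    base = parts[0].strip()
    scope = parts[1].strip().lower() if len(parts) > 1 and parts[1].strip() else "sub"
    return base, scope


def visible_entries(config_line: str, entry_dns: list[str]) -> list[str]:
    """The entries of entry_dns that the config line's search can return."""
    base, scope = parse_nss_base(config_line)
    return [dn for dn in entry_dns if in_scope(dn, base, scope)]


# Constructed accounts: one directly under ou=users, one in a sub-OU below
# it, one with an escaped comma in its RDN, one outside the base entirely.
ACCOUNTS = [
    "uid=alice,ou=users,dc=office,dc=de",
    "uid=bob,ou=staff,ou=users,dc=office,dc=de",
    "uid=carol\\, c.,ou=users,dc=office,dc=de",
    "uid=dave,ou=users,dc=other,dc=de",
]
ONE = "nss_base_passwd ou=users,dc=office,dc=de?one"   # line as posted
SUB = "nss_base_passwd ou=users,dc=office,dc=de?sub"   # suggested change

if __name__ == "__main__":
    for cfg in (ONE, SUB):
        print(cfg)
        for dn in visible_entries(cfg, ACCOUNTS):
            print("  found:", dn)
```

With ?one, bob in ou=staff is invisible to NSS even though ldapsearch over the whole DIT shows him; ?sub finds everyone under the base but still not dave.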
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
On Sun, 21.10.2007 at 18:26:55 +0200, O. Hartmann wrote:

At this point it seems senseless to try out what's going wrong and I need some hints or tips. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems to be running OpenLDAP based services on FBSD 7.

I do. It's working just fine ...

P.S. If someone wants me to offer config details and/or log excerpts, please contact me.

Well, we/I would need your ldap.conf, nss_ldap.conf (should be a link to ldap.conf) and slapd.conf, as well as pam.d stuff and nsswitch.conf. Some actual error messages would be fine too.

You should run tcpdump in some window to actually see what's going on. It also helps to turn on massive debugging in slapd.conf and tail(1)ing /var/log/debug.log.

I'm running the following versions on 7-CURRENT from 30 September:

    nss_ldap-1.256
    openldap-sasl-client-2.3.38
    openldap-server-2.3.38
    pam_ldap-1.8.2

Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool, than to speak, and remove all doubt.
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
O. Hartmann wrote:

For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 7.0-PRE box running, but with no success. Within the last 8 weeks I tried nearly EVERY tutorial and the setups explained there, but whenever I try to authenticate or find an ID for an existing user in the DIT, I receive errors that the client (pam/nss, ssh, id etc.) can not connect to the slapd running on the same machine.

[snip]

We have had this config running on 7 for months. I suggest you provide the list with more information + log excerpts, then someone might help you out.

--per
Re: OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
Per olof Ljungmark wrote:

O. Hartmann wrote:

For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 7.0-PRE box running, but with no success. Within the last 8 weeks I tried nearly EVERY tutorial and the setups explained there, but whenever I try to authenticate or find an ID for an existing user in the DIT, I receive errors that the client (pam/nss, ssh, id etc.) can not connect to the slapd running on the same machine.

[snip]

We have had this config running on 7 for months. I suggest you provide the list with more information + log excerpts, then someone might help you out.

--per

Well, great, I appreciate your help and by the way, you're the first one telling me he's running FBSD 7 AND OpenLDAP/nss_ldap/pam_ldap. OpenLDAP is running well on the server, I can access the DIT via some tools like LUMA and the OpenLDAP clients from remote machines. A major problem seems to be the pam_ldap/nss_ldap configuration. Can you please tell me how you edited the /etc/pam.d/ files and /etc/nsswitch.conf properly?

At this very moment it seems that I shot myself in the foot - the box running the LDAP service does not start the OpenLDAP service slapd after rebooting, the console is stuck at the message shown when 'additional ABIs' get started. So, I'm sorry having no logs handy at this very moment, I will offer them as soon as possible together with my config files, if this will not bother you.

Thanks in advance,
Oliver
--
Planetology and Remote Sensing
FU Berlin
OpenLDAP 2.3/pam_ldap/nss_ldap: not working in FreeBSD 7.0-PRE!
For weeks now I tried to get an OpenLDAP-server on a local FreeBSD 7.0-PRE box running, but with no success. Within the last 8 weeks I tried nearly EVERY tutorial and the setups explained there, but whenever I try to authenticate or find an ID for an existing user in the DIT, I receive errors that the client (pam/nss, ssh, id etc.) can not connect to the slapd running on the same machine. Calling ldapsearch from both the localhost running the slapd and from a client in the network runs well, I receive a dump of every object created in the LDAP tree.

At this point it seems senseless to try out what's going wrong and I need some hints or tips. I read about others successfully running OpenLDAP on FBSD 6 and 5, but no one seems to be running OpenLDAP based services on FBSD 7.

In most cases when changing /etc/nsswitch.conf (renaming password/group: compat to password/group: files ldap as suggested in most of the tutorials) the box gets unusable running the request (either looking for a user id, starting an xterm, or logging in as root via console). Everything which seems to look for a user ID takes more than a minute to start up or dumps errors. Even if I try to log in as a user that is only on the local machine (root and a special user) it seems that the fallback to 'files' doesn't work properly or the timeout takes that long.

I'm not a professional in OpenLDAP, but I tried several configs found in LinuxWiki on Gentoo or Debian boxes without problems. Even the simplest config seems not to work on FreeBSD 7! In many cases ACLs seem to be the culprit, but even setting 'access to * by * write' or configuring binddn and binddnpw in /usr/local/etc/ldap.conf and nss_ldap.conf the same as the rootdn in slapd.conf doesn't work and results in the same problem.

If anyone willing to help is running ldap services on a FreeBSD 7.0-PRE box, he or she is welcome!

Thanks in advance,
Oliver

P.S. If someone wants me to offer config details and/or log excerpts, please contact me.
Re: passwd(1), pam_ldap and old PRs
Jonathan McKeown wrote:

There are two relevant PRs, one open (bin/71290) and one suspended (bin/59638). ...

You may want to try asking this on the current@ and hackers@ lists.
passwd(1), pam_ldap and old PRs
I asked this on -hackers@ several weeks ago and the silence was deafening - what I have heard referred to as Warnock's Dilemma.

I'm experimenting with OpenLDAP, pam_ldap, and pGina with the PAM plugin on Windows clients, for central authentication in a mixed network. passwd(1) won't allow me to change a password other than local or NIS. There are two relevant PRs, one open (bin/71290) and one suspended (bin/59638).

Looking at the source, it appears passwd.c has been rewritten (some years since) to use the PAM infrastructure for password changes. This goes most of the way to addressing bin/59638. However, there is a switch statement at lines 112-126 of /usr/src/usr.bin/passwd/passwd.c (on 6.2-RELEASE) which prevents it from working except for files and nis, using constants defined in pwd.h and commented there as being ``bogus''. bin/71290 includes a patch which would fix this (although I do think it would be a shame to lose the comment about green men).

Is there any reason other than historical that this PR and patch are being ignored and the old behaviour is being preserved? What would be the drawback to removing the switch statement as proposed, and allowing passwd(1) to change the user's password using PAM, wherever it might be stored?

Jonathan
Issues while authenticating a user over openLDAP using PAM_ldap
Running FreeBSD 6.2 Stable, we have openLDAP installed on a server called access1. Users on access1 appear to not be able to ssh to access1. The ssh authentication method uses PAM ldap. PAM_ldap reports Invalid credentials in /var/log/messages. We have another server called access2 that authenticates to the ldap server running on access1. Those users log in via ssh without issue on access2. I am trying to track down what is broken. I am not even sure how to receive verbose logging from PAM and/or PAM_ldap. Any assistance is much appreciated.

    Aug 9 10:17:42 access1 sshd[91878]: pam_ldap: error trying to bind as user cn=Test User,cn=people,dc=blah,dc=blah,dc=com (Invalid credentials)

related rc.conf lines on access1:

    slapd_enable=YES
    slapd_flags='-h ldapi:///var/run/openldap/ldapi/ ldap://0.0.0.0/; -f /usr/local/etc/openldap/slapd.conf'
    slapd_sockets=/var/run/openldap/ldapi
    sshd_enable=YES
    sshd_program=/usr/local/sbin/sshd

access1# cat /etc/pam.d/ldap

    # debug
    # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $ debug
    # debug
    # PAM configuration for the sshd service debug
    # debug
    # auth debug
    auth       sufficient   /usr/local/lib/pam_ldap.so  no_warn try_first_pass debug
    auth       required     pam_nologin.so              no_warn debug
    auth       sufficient   pam_opie.so                 no_warn no_fake_prompts debug
    auth       requisite    pam_opieaccess.so           no_warn allow_local debug
    #auth      sufficient   pam_krb5.so                 no_warn try_first_pass debug
    #auth      sufficient   pam_ssh.so                  no_warn try_first_pass debug
    auth       required     pam_unix.so                 no_warn try_first_pass debug
    # account debug
    #account   required     pam_krb5.so debug
    account    required     pam_login_access.so debug
    account    required     pam_unix.so debug
    # session debug
    #session   optional     pam_ssh.so debug
    session    required     /usr/local/lib/pam_mkhomedir.so
    #session   required     /usr/local/lib/pam_mkhomedir.so skel=/etc/skel/ umask=0077 debug
    session    required     pam_permit.so debug
    # password debug
    #password  sufficient   pam_krb5.so                 no_warn try_first_pass debug
    password   required     pam_unix.so                 no_warn try_first_pass debug

access1

    [EMAIL PROTECTED] ~]$ pkg_info | grep pam
    checkpassword-pam-0.99      Implementation of checkpassword authentication program
    nagios-spamd-plugin-1.4     Nagios plugin for checking SpamAssassins spamd
    p5-Mail-SpamAssassin-3.2.1_1 A highly efficient mail filter for identifying spam
    pam_ldap-1.8.2              A pam module for authenticating with LDAP
    pam_mkhomedir-0.1           Create HOME with a PAM module on demand
    pamtester-0.1.2             A command line pam authentication tester
    razor-agents-2.84           A distributed, collaborative, spam detection and filtering
    [EMAIL PROTECTED] ~]$ pkg_info | grep ldap
    ldapsh-2.00_2,1             Interactive shell used to administer ldap directories
    nss_ldap-1.255              RFC 2307 NSS module
    openldap-client-2.3.37      Open source LDAP client implementation
    openldap-server-2.3.37      Open source LDAP server implementation
    p5-perl-ldap-0.34           A Client interface to LDAP servers
    pam_ldap-1.8.2              A pam module for authenticating with LDAP
    php5-ldap-5.2.3_1           The ldap shared extension for php
    [EMAIL PROTECTED] ~]$ pkg_info | grep nss
    nss-3.11.7                  Libraries to support development of security-enabled applic
    nss_ldap-1.255              RFC 2307 NSS module
    openssh-portable-4.6.p1,1   The portable version of OpenBSD's OpenSSH
    openssl-0.9.8e_1            SSL and crypto library
    php5-openssl-5.2.3_1        The openssl shared extension for php
    py25-openssl-0.6            Python interface to the OpenSSL library
    [EMAIL PROTECTED] ~]$

access2 files

    [EMAIL PROTECTED] ~]$ pkg_info | grep pam
    pam_ldap-1.8.2              A pam module for authenticating with LDAP
    pam_mkhomedir-0.1           Create HOME with a PAM module on demand
    pamtester-0.1.2             A command line pam authentication tester
    [EMAIL PROTECTED] ~]$ pkg_info | grep ldap
    nss_ldap-1.255              RFC 2307 NSS module
    openldap-client-2.3.37      Open source LDAP client implementation
    openldap-server-2.3.37      Open source LDAP server implementation
    pam_ldap-1.8.2              A pam module for authenticating with LDAP
    [EMAIL PROTECTED] ~]$ pkg_info | grep nss
    nss_ldap-1.255              RFC 2307 NSS module
    openssh-portable-4.6.p1,1   The portable version of OpenBSD's OpenSSH
    [EMAIL PROTECTED] ~]$
Re: Issues while authenticating a user over openLDAP using PAM_ldap
On 8/9/07, Noah wrote:

Running FreeBSD 6.2 Stable, we have openLDAP installed on a server called access1. Users on access1 appear to not be able to ssh to access1. The ssh authentication method uses PAM ldap. PAM_ldap reports Invalid credentials in /var/log/messages. We have another server called access2 that authenticates to the ldap server running on access1. Those users log in via ssh without issue on access2. I am trying to track down what is broken. I am not even sure how to receive verbose logging from PAM and/or PAM_ldap. Any assistance is much appreciated.

What about your nsswitch.conf file?

--
Andy Harrison
public key: 0x67518262
Re: Issues while authenticating a user over openLDAP using PAM_ldap [cured]
See below.

Andy Harrison wrote:

On 8/9/07, Noah wrote:

Running FreeBSD 6.2 Stable, we have openLDAP installed on a server called access1. Users on access1 appear to not be able to ssh to access1. The ssh authentication method uses PAM ldap. PAM_ldap reports Invalid credentials in /var/log/messages. We have another server called access2 that authenticates to the ldap server running on access1. Those users log in via ssh without issue on access2. I am trying to track down what is broken. I am not even sure how to receive verbose logging from PAM and/or PAM_ldap. Any assistance is much appreciated.

What about your nsswitch.conf file?

Thanks Andy - that was it! I matched the lines of access1's nsswitch.conf to access2's nsswitch.conf file and things are fine!

--
Andy Harrison
public key: 0x67518262
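A check for the mismatch that cured this thread, as an added example (not code from the thread or from FreeBSD): it parses nsswitch.conf and a pam.d service file and reports pam_ldap stacked for auth while the passwd and group databases never consult ldap. Both nsswitch files below are constructed, since the thread shows neither access1's nor access2's.

```python
"""Cross-check /etc/pam.d/<service> against /etc/nsswitch.conf.

Added example.  Parses the two syntaxes as they appear on this page
(nsswitch sources with optional '[ status=action ]' criteria; pam.d
'type control module args' lines) and flags a service that authenticates
through pam_ldap while passwd/group lookups have no ldap source.  Compat
mode '+' entries routed via passwd_compat/group_compat are not modelled.
"""
from __future__ import annotations
import re

_CRITERIA = re.compile(r"\[[^\]]*\]")   # strips '[ unavail=continue ... ]'


def parse_nsswitch(text: str) -> dict[str, list[str]]:
    """Map each database (passwd, group, ...) to its ordered source list."""
    dbs: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, sources = line.partition(":")
        # 'ldap[ unavail=continue ]' (no space, as posted in one thread) and
        # 'ldap [ ... ]' both reduce to the bare source name.
        dbs[db.strip()] = _CRITERIA.sub(" ", sources).split()
    return dbs


def parse_pamd(text: str) -> list[tuple[str, str, str, list[str]]]:
    """Return (type, control, module, args) for each active pam.d line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        rules.append((parts[0], parts[1], parts[2], parts[3:]))
    return rules


def uses_pam_ldap(rules, facility: str = "auth") -> bool:
    """True if pam_ldap (by any path) is stacked in the given facility."""
    return any(t == facility and m.rsplit("/", 1)[-1].startswith("pam_ldap.")
               for t, _, m, _ in rules)


def check(nsswitch_text: str, services: dict[str, str]) -> list[str]:
    """Findings for services that authenticate via pam_ldap while NSS does
    not resolve LDAP accounts.  An empty list means the files agree."""
    dbs = parse_nsswitch(nsswitch_text)
    findings = []
    for name, pam_text in services.items():
        if not uses_pam_ldap(parse_pamd(pam_text)):
            continue
        for db in ("passwd", "group"):
            if "ldap" not in dbs.get(db, []):
                findings.append(
                    f"{name}: pam_ldap stacked for auth, but nsswitch.conf "
                    f"'{db}:' is {dbs.get(db, ['<missing>'])} (no ldap source)")
    return findings


# Active lines of access1's /etc/pam.d/ldap as posted (comments dropped).
PAM_LDAP_SERVICE = """
auth     sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass debug
auth     required    pam_nologin.so              no_warn debug
auth     required    pam_unix.so                 no_warn try_first_pass debug
account  required    pam_login_access.so         debug
account  required    pam_unix.so                 debug
session  required    /usr/local/lib/pam_mkhomedir.so
password required    pam_unix.so                 no_warn try_first_pass debug
"""
# Constructed: FreeBSD's stock compat sources, i.e. no ldap anywhere.
NSSWITCH_DEFAULT = """
group: compat
group_compat: nis
hosts: files dns
passwd: compat
passwd_compat: nis
"""
# Constructed: files first, then ldap with the criteria spelling posted
# elsewhere on this page.
NSSWITCH_LDAP = """
group: files ldap[ unavail=continue notfound=continue ]
passwd: files ldap [ unavail=continue notfound=continue ]
hosts: files dns
"""

if __name__ == "__main__":
    for label, nss in (("default", NSSWITCH_DEFAULT), ("ldap", NSSWITCH_LDAP)):
        print(label, check(nss, {"ldap": PAM_LDAP_SERVICE}) or ["ok"])
```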
pam_ldap receives Invalid credentials
Hi,

I am not sure why this happens but our terminal servers, routers, and ancillary devices are able to authenticate with our LDAP server. For some reason pam_ldap claims Invalid credentials with the same exact user and password. What could be wrong? I can't seem to figure out what is wrong with the current log messages. Is there a way to receive verbose messages from pam and/or pam_ldap to figure out if it is sending the proper authentication information to the LDAP server? We are on a FreeBSD-6.2 stable machine.

Clues please,

Noah

    Aug 1 11:24:11 access1 sshd[6277]: pam_ldap: error trying to bind as user cn=Test User,cn=people,dc=bogus,dc=domain,dc=net (Invalid credentials)
    Aug 1 11:24:11 access1 sshd[6277]: Failed password for invalid user tuser from 172.24.241.234 port 49317 ssh2
    Aug 1 11:24:14 access1 sshd[6277]: pam_ldap: error trying to bind as user cn=Test User,cn=people,dc=bogus,dc=domain,dc=net (Invalid credentials)
    Aug 1 11:24:14 access1 sshd[6277]: Failed password for invalid user tuser from 172.24.241.234 port 49317 ssh2
    Aug 1 11:24:14 access1 sshd[6277]: Connection closed by 172.24.241.234

    access1# pkg_info | grep pam
    checkpassword-pam-0.99      Implementation of checkpassword authentication program
    nagios-spamd-plugin-1.4     Nagios plugin for checking SpamAssassins spamd
    p5-Mail-SpamAssassin-3.1.8_1 A highly efficient mail filter for identifying spam
    pam_ldap-1.8.2              A pam module for authenticating with LDAP
    pam_mkhomedir-0.1           Create HOME with a PAM module on demand
    pamtester-0.1.2             A command line pam authentication tester
    razor-agents-2.84           A distributed, collaborative, spam detection and filtering
    access1# pkg_info | grep ldap
    ldapsh-2.00_2,1             Interactive shell used to administer ldap directories
    nss_ldap-1.255              RFC 2307 NSS module
    openldap-client-2.3.37      Open source LDAP client implementation
    openldap-server-2.3.37      Open source LDAP server implementation
    p5-perl-ldap-0.34           A Client interface to LDAP servers
    pam_ldap-1.8.2              A pam module for authenticating with LDAP
    php5-ldap-5.2.3_1           The ldap shared extension for php
    access1#
Re: pam_ldap issues
Thierry Lacoste [EMAIL PROTECTED] writes:

Hello,

I have a very similar setting on 6.1. Maybe you have an ACL problem (see below).

What does the following command give?

    ldapsearch -x -D cn=testuser,ou=people,dc=interne,dc=example,dc=org -W

The command asks for an ldap password that I type, but the result is:

    ldap_bind: Invalid credentials (49).

I've double checked the password and reinitialized the ldap database, but no change atm.

--
BC Sorry, but I couldn't help myself.
   We noticed, but really, you shouldn't have, we weren't missing you enough yet.
-+- RM in http://www.le-gnu.net : In a period of withdrawal -+-
Re: pam_ldap issues
Eric Masson [EMAIL PROTECTED] writes:

Follow up to myself, sorry.

The command asks for an ldap password that I type, but the result is:

    ldap_bind: Invalid credentials (49).

I've double checked the password and reinitialized the ldap database, but no change atm.

I've rebuilt all ports, with no success until I created the /etc/pam.d/ldap file as stated in pam_ldap's pkg-message. It works fine now, and pam_mkhomedir creates the home directory on first login.

Sorry for the noise.

--
MW  Tsk... A cyber-pimp. Now we've seen everything!
JdC Why not? There must be cyber-hookers too.
-+- in : http://www.le-gnu.net - The joys of cybersex -+-
Re: pam_ldap issues
On Wednesday 04 July 2007 09:35, Eric Masson wrote:

Thierry Lacoste [EMAIL PROTECTED] writes:

Hello,

I have a very similar setting on 6.1. Maybe you have an ACL problem (see below).

What does the following command give?

    ldapsearch -x -D cn=testuser,ou=people,dc=interne,dc=example,dc=org -W

The command asks for an ldap password that I type, but the result is:

    ldap_bind: Invalid credentials (49).

I've double checked the password and reinitialized the ldap database, but no change atm.

Simplify your slapd.conf as much as possible. When the above ldapsearch works, throw in changes step by step. In particular you should probably start with ACLs like these:

    access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
    access to *
        by * read

Add "loglevel 128" to your slapd.conf to log access control list processing.

BTW what does

    ldapsearch -x -D "cn=Manager, dc=interne, dc=example, dc=org" -W

give?

Regards,
Thierry
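How slapd picks a clause from ACLs like the ones in this thread, as an added example (not code from the thread or from OpenLDAP): a first-match evaluator run over the posted ACL set and the suggested one. The cn=other DN is constructed, and the dn.base target is assumed to have been dn.base="" before the archive lost its quotes.

```python
"""First-match evaluation of slapd.conf 'access to' directives.

Added example modelling the subset of slapd.access(5) used in this thread:
<what> as '*', 'dn.base="..."' or 'attrs=...'; <who> as '*', 'anonymous',
'users' or 'self'.  The first directive whose <what> matches is used and,
inside it, the first <by> clause whose <who> matches; if none matches the
directive denies (implicit 'by * none').  The rootdn bypasses ACLs and is
not modelled.
"""
from __future__ import annotations

# Privilege levels from slapd.access(5); each level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def parse_acls(text: str) -> list[tuple[str, list[tuple[str, str]]]]:
    """Parse 'access to <what> by <who> <level> [by ...]' lines."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access to "):
            continue
        what, *bys = line[len("access to "):].split(" by ")
        clauses = []
        for by in bys:
            who, level = by.split()
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r} in: {raw}")
            clauses.append((who, level))
        acls.append((what.strip(), clauses))
    return acls


def what_matches(what: str, entry_dn: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("dn.base="):
        return entry_dn.lower() == what[len("dn.base="):].strip('"').lower()
    if what.startswith("attrs="):
        wanted = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        return attr.lower() in wanted
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who: str, bound_dn: str | None, entry_dn: str) -> bool:
    """bound_dn is None for an anonymous requester.  A simple bind is
    evaluated while the client is still anonymous, so 'by self' alone can
    never authorise the bind itself."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    raise ValueError(f"unsupported <who>: {who}")


def granted(acls, bound_dn: str | None, entry_dn: str, attr: str) -> str:
    """Privilege level the ACLs grant, by first match on directive and clause."""
    for what, clauses in acls:
        if what_matches(what, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, bound_dn, entry_dn):
                    return level
            return "none"
    raise ValueError("no directive matched; both configs here end in 'access to *'")


def allowed(acls, bound_dn, entry_dn, attr, needed: str) -> bool:
    return LEVELS.index(granted(acls, bound_dn, entry_dn, attr)) >= LEVELS.index(needed)


def unreachable(acls) -> list[tuple[str, str, str]]:
    """<by> clauses after a 'by *' clause in the same directive; they can
    never be selected, which is why the reply says to drop them."""
    dead = []
    for what, clauses in acls:
        star_seen = False
        for who, level in clauses:
            if star_seen:
                dead.append((what, who, level))
            star_seen = star_seen or who == "*"
    return dead


# ACLs as posted by the original poster (dn.base quotes restored).
POSTED = """
access to dn.base="" by self write by * auth
access to attrs=userPassword by self write by * auth
access to attrs=shadowLastChange by self write by * auth
access to * by * read by anonymous auth
"""
# ACLs suggested in the reply.
SUGGESTED = """
access to attrs=userPassword by anonymous auth by self write by * none
access to * by * read
"""
TESTUSER = "cn=testuser,ou=people,dc=interne,dc=example,dc=org"
OTHER = "cn=other,ou=people,dc=interne,dc=example,dc=org"   # constructed

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        acls = parse_acls(text)
        print(name, "anonymous bind as testuser:", allowed(acls, None, TESTUSER, "userPassword", "auth"))
        print(name, "other user reads testuser's password:", allowed(acls, OTHER, TESTUSER, "userPassword", "read"))
        print(name, "unreachable clauses:", unreachable(acls))
```

Both sets let the bind through, which is consistent with the thread's conclusion that the ACLs were not the cause; the difference is the dead "by anonymous auth" clause and the explicit "by * none" that keeps other users from reading password hashes.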
pam_ldap issues
Hello,

I'm trying to set up authentication via an ldap directory on a 6.2-p5 box. id queries regarding an ldap defined user, run as root or as a locally defined user, work fine:

    [EMAIL PROTECTED]:~ id testuser
    uid=2000(testuser) gid=2000(test) groups=2000(test)
    [EMAIL PROTECTED]:~ id testuser
    uid=2000(testuser) gid=2000(test) groups=2000(test)

testuser can't log on the box (authentication failed). The following message pops up on the console:

    Jul 3 19:08:03 box login: pam_ldap: error trying to bind as user cn=testuser,ou=people,dc=interne,dc=example,dc=org (Invalid credentials)

Openldap logs an error 49 (see attached file). It seems that nss works but not pam. ldap related configuration follows:

/usr/local/etc/ldap.conf

    base dc=interne,dc=example,dc=org
    uri ldap://127.0.0.1:389/
    logdir /var/log/ldap
    #debug 256
    timeout 5
    bind_timeout 5
    bind_policy soft
    rootbinddn cn=Manager,dc=interne,dc=example,dc=org
    nss_base_passwd ou=people,dc=interne,dc=example,dc=org?one
    nss_base_group ou=groups,dc=interne,dc=example,dc=org?one

/usr/local/etc/ldap.conf

/usr/local/etc/openldap/slapd.conf

    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema
    include /usr/local/etc/openldap/schema/nis.schema
    include /usr/local/etc/openldap/schema/samba.schema
    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args
    modulepath /usr/local/libexec/openldap
    moduleload back_bdb
    access to dn.base="" by self write by * auth
    access to attrs=userPassword by self write by * auth
    access to attrs=shadowLastChange by self write by * auth
    access to * by * read by anonymous auth
    schemacheck on
    idletimeout 30
    backend bdb
    database bdb
    suffix "dc=interne, dc=example, dc=org"
    rootdn "cn=Manager, dc=interne, dc=example, dc=org"
    rootpw password
    checkpoint 1024 5
    cachesize 1
    directory /var/db/openldap-data
    # Indices to maintain
    index objectClass eq
    index cn pres,sub,eq
    index sn pres,sub,eq
    index uid pres,sub,eq
    index displayName pres,sub,eq
    index uidNumber eq
    index gidNumber eq
    index memberUID eq
    index sambaSID eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq
    index default sub

/usr/local/etc/openldap/slapd.conf

/etc/pam.d/system

    #
    # $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
    #
    # System-wide defaults
    #
    # auth
    auth       sufficient   pam_opie.so                 no_warn no_fake_prompts
    auth       requisite    pam_opieaccess.so           no_warn allow_local
    #auth      sufficient   pam_krb5.so                 no_warn try_first_pass
    #auth      sufficient   pam_ssh.so                  no_warn try_first_pass
    auth       sufficient   /usr/local/lib/pam_ldap.so  no_warn try_first_pass
    auth       required     pam_unix.so                 no_warn try_first_pass nullok
    # account
    #account   required     pam_krb5.so
    account    required     pam_login_access.so
    account    required     pam_unix.so
    # session
    #session   optional     pam_ssh.so
    session    required     pam_lastlog.so              no_fail
    # password
    #password  sufficient   pam_krb5.so                 no_warn try_first_pass
    password   required     pam_unix.so                 no_warn try_first_pass

/etc/pam.d/system

/etc/nsswitch.conf

    group: files ldap
    group_compat: nis
    hosts: files dns
    networks: files
    passwd: files ldap
    passwd_compat: nis
    shells: files

/etc/nsswitch.conf

The directory has been initialized with the following ldif file:

init.ldif

    dn: dc=interne,dc=example,dc=org
    dc: interne
    objectClass: top
    objectClass: domain
    objectClass: domainRelatedObject
    associatedDomain: interne.example.fr
    structuralObjectClass: domain

    dn: ou=groups,dc=interne,dc=example,dc=org
    objectClass: top
    objectClass: organizationalUnit
    ou: groups
    structuralObjectClass: organizationalUnit

    dn: ou=people,dc=interne,dc=example,dc=org
    objectClass: top
    objectClass: organizationalUnit
    ou: people
    structuralObjectClass: organizationalUnit

    dn: cn=testuser,ou=people,dc=interne,dc=example,dc=org
    cn: testuser
    sn: Dummy
    objectClass: top
    objectClass: person
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: testuser
    userPassword: testuser
    uidNumber: 2000
    gidNumber: 2000
    gecos: Test User
    loginShell: /bin/csh
    homeDirectory: /home/test
    structuralObjectClass: person

    dn: cn=test,ou=groups,dc=interne,dc=example,dc=org
    objectClass: top
    objectClass: posixGroup
    cn: test
    gidNumber: 2000
    memberUid: test
    structuralObjectClass: posixGroup

init.ldif
Re: pam_ldap issues
I have a very similar setting on 6.1. Maybe you have an ACL problem (see below).

What does the following command give?

    ldapsearch -x -D cn=testuser,ou=people,dc=interne,dc=example,dc=org -W

/usr/local/etc/ldap.conf

    base dc=interne,dc=example,dc=org
    uri ldap://127.0.0.1:389/
    logdir /var/log/ldap
    #debug 256
    timeout 5
    bind_timeout 5
    bind_policy soft
    rootbinddn cn=Manager,dc=interne,dc=example,dc=org

BTW I think you can remove this one.

    nss_base_passwd ou=people,dc=interne,dc=example,dc=org?one
    nss_base_group ou=groups,dc=interne,dc=example,dc=org?one

/usr/local/etc/ldap.conf

/usr/local/etc/openldap/slapd.conf

    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema
    include /usr/local/etc/openldap/schema/nis.schema
    include /usr/local/etc/openldap/schema/samba.schema
    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args
    modulepath /usr/local/libexec/openldap
    moduleload back_bdb
    access to dn.base="" by self write by * auth
    access to attrs=userPassword by self write by * auth

Replace this one with "by anonymous auth".

    access to attrs=shadowLastChange by self write by * auth
    access to * by * read by anonymous auth

I think you should also remove all the other above lines containing auth.

    schemacheck on
    idletimeout 30
    backend bdb
    database bdb
    suffix "dc=interne, dc=example, dc=org"
    rootdn "cn=Manager, dc=interne, dc=example, dc=org"
    rootpw password
    checkpoint 1024 5
    cachesize 1
    directory /var/db/openldap-data
    # Indices to maintain
    index objectClass eq
    index cn pres,sub,eq
    index sn pres,sub,eq
    index uid pres,sub,eq
    index displayName pres,sub,eq
    index uidNumber eq
    index gidNumber eq
    index memberUID eq
    index sambaSID eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq
    index default sub

/usr/local/etc/openldap/slapd.conf

HTH,
Thierry.
Problems sshing in remotely using pam_ldap
I have a system running 6.1-RELEASE, OpenLDAP 2.3.23, Pam-LDAP 1.80 and NSS-LDAP 1.249. I have a user called testuser configured in LDAP. I can ssh [EMAIL PROTECTED] and it works no problem. If I try to ssh into the box from another host, it fails. What I see in the ssh debug during the failure is:

    login_get_lastlog: Cannot find account for uid 2000

This error confuses me because uid 2000 exists:

    # id 2000
    uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
    # id testuser
    uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)

So I really have no idea what it could be. I read something back from 2003 saying that something similar happened but it was due to incompatible ssh versions, but both localhost and the remote host are using v2, so that doesn't seem to be the issue.

Any ideas?
nss_ldap/pam_ldap: problems binding
Hi,

I've been trying to get my ldap authentication working, something I have done before with little issue, but this time around it is causing real pain. Pretty much the same problems Jan HREHO was having back in February - http://lists.freebsd.org/pipermail/freebsd-questions/2006-February/112066.html

I tried the suggested solution to that - moving the slapd startup script into /etc/rc.d, but that didn't help, same problem just further up in the boot process.

Another possibility I came across was putting the line 'bind_policy soft' in /etc/ldap.conf (symlinked to /usr/local/etc/ldap.conf and /usr/local/etc/nss_ldap.conf). This seemed to do the job, until I then tried to ssh onto localhost using an ldap user account. It failed with:

    Apr 19 22:48:10 svr1 sshd[660]: nss_ldap: could not search LDAP server - Server is unavailable
    Apr 19 22:48:10 svr1 sshd[660]: fatal: login_get_lastlog: Cannot find account for uid 2000

Removing the bind_policy from the file then retrying, it worked fine.

The second solution I tried was to change the slapd.sh file to just launch the daemon, i.e. '/usr/local/libexec/slapd'. This seems to work, but it is very inelegant, and it may have knock-on effects I am unaware of at this time. I'm more interested in getting the process right to set it up at this stage, rather than hacking away to get a working system (I'm working on a series of documents).

I'm doing this on a virgin 6.0 installation, cvsuped with the latest ports, fresh install of openldap22, pam_ldap and nss_ldap. So the question is, is this a common problem? If not, then what am I doing wrong to create it; if so, then is there a more elegant solution than hacking away at the startup script? The thread that suggests the bind_policy also mentions 'nss_reconnect_* parameters', which certainly sounds like it could be the answer, but I haven't been able to google anything about them.

Cheers,
Martin
pam_ldap nss_ldap
pam_ldap, nss_ldap not found.
baffled by pam_ldap
Friends, I've been struggling with pam_ldap for three days now and cannot see what I am doing wrong. I'm trying to use OpenLDAP for authentication, though I threw nss_ldap in for good measure. What's so baffling to me is that I can add a new user to the directory and verify its existence using id but SSH refuses to bind. Here's an excerpt from my /var/log/auth.log:

May 12 16:46:28 static-host sshd[53253]: Illegal user testuser from 192.168.1.150
May 12 16:46:28 static-host sshd[53253]: Failed none for illegal user testuser from 192.168.1.150 port 53074 ssh2
May 12 16:46:28 static-host sshd[53255]: pam_ldap: error trying to bind (Invalid credentials)

The debug log from pam_ldap says this:

ldap_create
ldap_url_parse_ext(ldapi://%2fvar%2frun%2fopenldap%2fldapi/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 9
ldap_connect_to_path: Trying /var/run/openldap/ldapi
ldap_connect_timeout: fd: 9 tm: 30 async: 0
ldap_ndelay_on: 9
ldap_ndelay_off: 9
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 59 bytes to sd 9
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 30 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 0
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ldap_msgfree
ldap_err2string

and the second log created at the same time says:

(identical to the previous log up to ldap_msgfree)
ber_scanf fmt ({iaa}) ber:
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 1
new result: res_errno: 49, res_error: , res_matched:
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 49, res_error: , res_matched:
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string

I'm guessing that this means that I can bind with my binddn but not with the uid=testuser. Meanwhile, nss_ldap seems to be working correctly, because an id on the same user returns:

uid=1003(testuser) gid=0(wheel) groups=0(wheel)

The nss_ldap.conf is symlinked to ldap.conf, which looks like this:

host 127.0.0.1
base dc=swyc,dc=org
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
ldap_version 3
binddn cn=proxyuser,dc=swyc,dc=org
bindpw secret
rootbinddn cn=Manager,dc=swyc,dc=org
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password SSHA
nss_base_passwd ou=People,dc=swyc,dc=org?one
nss_base_group ou=Group,dc=swyc,dc=org?one

I can run ldapsearch and get the right data back:

ldapsearch -H ldapi://%2fvar%2frun%2fopenldap%2fldapi/ -x -W -D cn=proxyuser,dc=swyc,dc=org '(&(objectClass=posixAccount)(uid=testuser))'

dn: uid=testuser,ou=People,dc=swyc,dc=org
uid: testuser
cn: test user
homeDirectory: /home/testuser
uidNumber: 1003
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
gidNumber: 0
gecos: test user
shadowLastChange: 12915
sn: testuser
userPassword:: e1NTSEF9clM2c0xnR3dtSW5ybzNNUFUra0N2WFoydFZJUVZ0ZFE=
loginShell: /bin/sh

I'm a complete openldap neophyte, biting off more than I can chew for sure. However, I just know that if I don't get a directory operating now, I'll wish I had done it later, especially since my next project is to get open-xchange running. I apologize for pasting a bunch of logs into this message, but I've been staring at them all day. If you can tell me what should have caught my attention, that would be very helpful!

Cheers, benjamin doherty chicago illinois
Re: baffled by pam_ldap
On Thu, May 12, 2005 at 05:11:03PM -0500, Benjamin J Doherty wrote:
> I've been struggling with pam_ldap for three days now and cannot see what I am doing wrong. I'm trying to use OpenLDAP for authentication, though I threw nss_ldap in for good measure. What's so baffling to me is that I can add a new user to the directory and verify its existence using id but SSH refuses to bind.

I couldn't spot any references to pam.d/sshd anywhere else in your post. To allow sshd to authenticate via pam_ldap you need to have the lines:

auth      sufficient  pam_ldap.so  no_warn try_first_pass
account   sufficient  pam_ldap.so
password  sufficient  pam_ldap.so  no_warn try_first_pass

I think just the auth line will do but the rest seem helpful too. To go a little further than that, I have my pam.d/passwd file configured:

password  sufficient  pam_unix.so  no_warn try_first_pass nullok
password  sufficient  pam_ldap.so  no_warn use_first_pass

pam.d/system:

auth      sufficient  pam_ldap.so  no_warn try_first_pass
auth      required    pam_unix.so  no_warn try_first_pass nullok
password  sufficient  pam_ldap.so  no_warn try_first_pass
password  required    pam_unix.so  no_warn try_first_pass

You can apply the following patch to /usr/src/usr.bin/passwd/passwd.c to allow passwd to be used to change passwords via pam_ldap (it also works for pam_unix) (see http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/71290):

***BEGIN --- passwd.c.orig Wed Mar 9 03:20:02 2005 +++ passwd.cWed Mar 9 03:20:29 2005
@@ -120,9 +120,8 @@ pwd-pw_name); break; default: - /* XXX: Green men ought to be supported via PAM. */ - errx(1, - Sorry, `passwd' can only change passwords for local or NIS users.); + fprintf(stderr, Changing LDAP password for %s\n, + pwd-pw_name); } #define pam_check(func) do { \ ***END

To use passwd you will also need to configure your /usr/local/etc/ldap.conf file by setting:

pam_password exop

and at the server-side set:

password-hash

to whatever you want (SMD5 is good!) in /usr/local/etc/openldap/slapd.conf.

It took me a good deal of time and effort to bring all those things together and I have them sat in a non-publicly available wiki. You can find a very good tutorial which should cover most of this (I think) at http://books.blurgle.ca/read/book/1 -- unlike other tutorials this one is dedicated to FreeBSD (and I even got my name in the credits ;).

chsh doesn't work so I came up with this very simple shell script (it's probably not great and no doubt could be greatly improved):

*** BEGIN
#!/bin/sh

# is shell specified?
if test ! "$1"; then
    echo "Usage: $0 newshell"
    exit 1
fi

# is shell listed in /etc/shells?
grep -w "$1" /etc/shells > /dev/null
if test $? -ne 0; then
    echo "That shell is not listed in /etc/shells."
    exit 1
fi

# attempt modify (binds as the user's own DN, so ldapmodify prompts for the
# user's password and the directory ACLs decide whether loginShell is writable)
user=`whoami`
ldapmodify -D "uid=$user,ou=People,dc=domain,dc=com" -x -W <<EOT
dn: uid=$user,ou=People,dc=domain,dc=com
changetype: modify
replace: loginShell
loginShell: $1
EOT
if test $? -eq 0; then
    echo "Shell changed successfully."
else
    echo "A problem occurred changing your shell. Please contact [EMAIL PROTECTED] for assistance."
fi
*** END

To use that just place it over /usr/bin/chsh (WARNING! THIS COULD BE BAD! :)

I hope that's some help. Good luck!

-Lewis Thompson.

-- 
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
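Review bot: in the `default:` arm the `errx(1, ...)` that rejected every non-local, non-NIS user is replaced by a bare `fprintf` announcing "Changing LDAP password" and then falling through to the PAM calls, but at this point passwd.c cannot tell an LDAP user from a user PAM resolves through any other module, so the message can be wrong. Suggest a source-neutral message such as `Changing password for %s via PAM` and a short comment in the hunk stating that the fallthrough is deliberate, since the original `/* XXX: Green men ought to be supported via PAM. */` comment that explained this case is deleted together with the error.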
-| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |-
Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x
I tried this one: http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html and it emphatically does not work, and I followed it to the letter. I think it has something to do with NSS only using SSL/port 636. So then I tried it with that added... still no dice. Help!
Re: Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x
Hello Jon,

Sunday, November 21, 2004, 3:16:27 PM, you wrote:

JA> I tried this one:
JA> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
JA> and it emphatically does not work, and I followed it to the letter I
JA> think it has something to do with NSS only using SSL/port 636.
JA> so then I tried it with that added still no dice

I followed the above howto word by word too and it didn't work from the first try. So I made some searches, I think on pamldap or on openldap mailing lists, don't remember exactly, and found another explanation on how to set things up. As far as I remember, my problem was with the ldap.conf and nss_ldap.conf files which reside in /usr/local/etc/. These files must be identical, so you may symlink them, as I did. After that everything started to work, in my case ssh through pam_ldap.

Unfortunately, my detailed configs are at work, so if you won't find anything I'll post them on monday.

-- 
Best regards,
Cezar mailto:[EMAIL PROTECTED]
Almost have NSS/PAM/LDAP... need a lil help (was Re: Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x)
After much banging my head against the desk, I have it kinda working... I can su - to a user (from root) and get home directory... but... and I have tried PLAIN, CRYPT, and SSHA passwords... I cannot login, su - (when prompted for password), ssh in... here are some of the conf files:

east# more /usr/local/etc/pam_ldap/ssh.conf
host 127.0.0.1
port 389
base dc=all,dc=net
ldap_version 3
ssl off
tls_ciphers HIGH:MEDIUM:+SSLv2:RSA
tls_checkpeer no
pam_login_attribute uid

east# cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the sshd service
#

# auth
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass config=/usr/local/etc/pam_ldap/ssh.conf
auth      required    pam_nologin.so              no_warn
auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so           no_warn allow_local
#auth     sufficient  pam_krb5.so                 no_warn try_first_pass
#auth     sufficient  pam_ssh.so                  no_warn try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass

# account
#account  required    pam_krb5.so
account   sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/pam_ldap/ssh.conf
account   required    pam_login_access.so
account   required    pam_unix.so

# session
#session  optional    pam_ssh.so
session   sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/pam_ldap/ssh.conf
session   required    pam_permit.so

# password
#password sufficient  pam_krb5.so                 no_warn try_first_pass
password  sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/pam_ldap/ssh.conf
password  required    pam_unix.so                 no_warn try_first_pass

east# more /usr/local/etc/ldap.conf
rootbinddb cn=Manager,dc=all,dc=net
uri ldaps://69.17.104.19:636/
binddn cn=Manager,dc=all,dc=net
ssl yes
bindpw
port 636
nss_base_passwd ou=People,dc=all,dc=net?one
nss_base_group ou=Groups,dc=all,dc=net?one
pam_password SSHA

uname -a
FreeBSD east 5.1-RELEASE FreeBSD 5.1-RELEASE #3: Tue Nov 9 22:43:42 GMT 2004 [EMAIL PROTECTED]:/usr/src/sys/i386/compile/ORACLE i386
(I put in the oracle required changes and some TCP/IP related stuff)

./slapd -VV
@(#) $OpenLDAP: slapd 2.2.18 (Nov 21 2004 02:33:07) $
    [EMAIL PROTECTED]:/usr/ports/net/openldap22-sasl-server/work/openldap-2.2.18/servers/slapd

sshd -v
sshd version OpenSSH_3.6.1p1 FreeBSD-20030423

strings on slappasswd show the following are compiled in:
{SSHA} {CRYPT} {SHA} {MD5} {LANMAN} {SASL} {UNIX} {CLEARTEXT}

Jon Adams wrote:
> [...]
Re: Looking for a good NSS/Pam_LDAP/Open LDAP how-to for 5.x
Cezar Fistik wrote:
> Hello Jon,
> Sunday, November 21, 2004, 3:16:27 PM, you wrote:
> [...]
> As far as I remember, my problem was with the ldap.conf and nss_ldap.conf files which reside in /usr/local/etc/. These files must be identical, so you may symlink them, as I did. After that everything started to work, in my case ssh through pam_ldap.

I found this to be the case also. I didn't think to symlink them though (Doh)

> Unfortunately, my detailed configs are at work, so if you won't find anything I'll post them on monday.

Would greatly appreciate it. I can't get ssh logins (or any others) to work... really frustrating... Thanks...
account management pam_ldap+nss_ldap
Hello all,

I would greatly appreciate it if someone could help me or point me to the right place to find a solution to the following problem. I have a system (5.3-release) configured to do user authentication through pam and ldap using pam_ldap.so and nss_ldap.so. Everything is fine with that configuration, I am able to login, ssh and ftp to the system using users configured only in ldap with no problem.

What I'm looking for is a way to manage these accounts, I mean to temporarily disable (locking) an account or a group of accounts, like pw lock username, set accounts expiration date and so on. I spent the last 2 days searching but found nothing, or maybe I was looking in wrong places? Please, if someone did things like described above, help me. Actually, I'm most interested in disabling/enabling an ldap account/group without deleting it.

I was trying to find a solution myself and have thought of the following. To create an ldap schema file which will have an objectclass with the accountEnabled attribute (and maybe some others too). To include this objectclass for DNs containing users and somehow to create a filter in the nss_ldap config file which will do the filtering taking into account the accountEnabled flag. What do you think of this approach? I would appreciate any suggestions.

Thanks, Cezar Fistik
Re: pam_ldap authentication based on pam_groupdn
Hi. Anyone have any insight on this?

On 18-Oct-04, at 1:07 AM, Jason Lixfeld wrote:
> [...]
pam_ldap authentication based on pam_groupdn
I'm wondering if someone can point out my error here. I've got PAM authenticating ssh users like so:

auth      required    pam_nologin.so              no_warn
auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so           no_warn allow_local
auth      sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass
account   required    pam_login_access.so
account   sufficient  /usr/local/lib/pam_ldap.so  debug
account   required    pam_unix.so
session   required    pam_permit.so
password  sufficient  /usr/local/lib/pam_ldap.so  debug
password  required    pam_unix.so                 no_warn try_first_pass

bash-2.05b# cat /usr/local/etc/openldap/ldap-ssh.conf
host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=proxyuser,dc=example,dc=com
scope one
#pam_filter objectclass=posixaccount
#pam_login_attribute uid
pam_groupdn cn=ssh,ou=groups,dc=example,dc=com
pam_member_attribute memberuid
pam_password SSHA
nss_base_passwd ou=users,dc=example,dc=com?one
nss_base_shadow ou=users,dc=example,dc=com?one
nss_base_group ou=groups,dc=example,dc=com?one

So I'm trying to permit users who are only members of the group ssh. As per this ldap entry below, this user should be the only one permitted to ssh in:

dn: cn=ssh,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ssh
gidNumber: 10009
memberUid: testuser.discord.ca

This isn't working. This user, and any other user can ssh in, even without being a member of the ssh group. The check doesn't seem to be working and I'm not sure what I'm doing wrong. I have an nss_ldap.conf which pam queries also, but will a config explicitly configured as I have done above override the nss_ldap.conf? Any ideas?
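One thing worth checking in a stack like the one above is which file each pam_ldap line actually reads. pam_ldap parses its options on every line separately, so a config= on the auth line does not carry over to the account line; an account line without config= reads the default /usr/local/etc/ldap.conf, and a pam_groupdn that lives only in ldap-ssh.conf is invisible to whatever phase enforces it (pam_ldap does its group check during account management; that premise is stated here as this example's assumption, not something the thread confirms). The lint below is an added example, not code from the thread or from pam_ldap; it assumes the /etc/pam.d "facility control module options" layout and pam_ldap's default config path, both as shown in the post, and the sample file it builds is a constructed copy of the stack above, not the real one.

```shell
#!/bin/sh
# Added example, not from the thread. Reports, per PAM facility, which config
# file each pam_ldap line will read (config=... or the default), and warns
# when the pam_ldap lines of one service disagree. Assumes /etc/pam.d layout:
#   facility  control  module  [options...]
# and pam_ldap's default config path /usr/local/etc/ldap.conf.

# pam_ldap_lint FILE: prints "facility:configfile" per pam_ldap line;
# exit status 1 when the pam_ldap lines do not all read the same file
pam_ldap_lint() {
    awk -v def="/usr/local/etc/ldap.conf" '
        /^[[:space:]]*#/ || NF < 3 { next }        # comments, short lines
        $3 ~ /pam_ldap\.so$/ {
            cfg = def
            for (i = 4; i <= NF; i++)              # last config= option wins
                if ($i ~ /^config=/) cfg = substr($i, 8)
            print $1 ":" cfg
            if (!(cfg in seen)) { seen[cfg] = 1; distinct++ }
        }
        END {
            if (distinct > 1)
                print "WARNING: pam_ldap lines read " distinct " different config files"
            exit (distinct > 1)
        }
    ' "$1"
}

# Demo on a constructed copy of the sshd stack from the post (not the real file)
demo=$(mktemp)
cat > "$demo" <<'EOF'
auth     sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/openldap/ldap-ssh.conf debug try_first_pass
auth     required    pam_unix.so                 no_warn try_first_pass
account  required    pam_login_access.so
account  sufficient  /usr/local/lib/pam_ldap.so  debug
account  required    pam_unix.so
password sufficient  /usr/local/lib/pam_ldap.so  debug
EOF
pam_ldap_lint "$demo" || echo "=> give every pam_ldap line the same config=, or keep pam_groupdn in the default file"
rm -f "$demo"
```

Run it against /etc/pam.d/sshd (or any other service file) as pam_ldap_lint /etc/pam.d/sshd; a non-zero exit means the phases are not looking at the same settings.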
Re: Pam_ldap
* Bret Walker [EMAIL PROTECTED] [1028 00:28]:
> I've been trying all day to get pam_ldap to authenticate an ssh session against Active Directory. I thought that I had found the perfect HOWTO (read: one that didn't require nss_ldap), but its instructions didn't seem to get it working on my system. I've read that can authenticate to AD with pam_ldap alone, and I've read that you can't, as well. Does anyone have any experience doing this w/o nss_ldap. I'm running 4.10, and I don't think it has support for nss_ldap. If anyone has any advice, I'd love to hear it.

You're not going to need nss_ldap if you just want to validate a password. But it sounds a bit odd to have existing users in /etc/passwd and only have the password itself from AD - and if the users don't exist in /etc/passwd the system won't be able to log them in.

What was the howto you used?

-- 
I think it is true for all _n. I was just playing it safe with _n = 3 because I couldn't remember the proof. -- Baker, Pure Math 351a
Rasputin :: Jack of All Trades - Master of Nuns
Re: Pam_ldap
Right, basically this is doing what I thought - just checking passwords in AD without looking up user info, so the accounts need to exist on the bsd server (that may become a real pain in the arse, by the way).

Couple of quick checks:

1) the ldap.conf referred to should be /usr/local/etc/ldap.conf *NOT* /etc/openldap/ldap.conf
2) can you log onto the console as these users? If you're sshing you may need to edit /etc/pam.d/sshd, and not login.
3) what's in your logs? If you have the 'debug' flag on, something will be getting written to - check /var/log/secure and /var/log/messages

* Bret Walker [EMAIL PROTECTED] [1043 13:43]:
> It is here: http://www.netsys.com/pamldap/2002/04/msg00074.html
> Thanks, Bret
> [...]

-- 
Yeah, life is hilariously cruel. - Bender
Rasputin :: Jack of All Trades - Master of Nuns
Re: Pam_ldap
* Bret Walker [EMAIL PROTECTED] [1023 15:23]:
> I have ldap.conf in /etc/ and in /usr/local/etc/ldap.conf

The one in /etc isn't doing anything, so get rid of it. The /usr/local/etc/ldap.conf should be holding the ad stuff (what user to bind as, etc).

> I am able to log into the console as these users using the local password, but not using the ldap password. All of my pam info is in /etc/pam.conf, I don't have /etc/pam.d.

Then you're on 4.X right? Shouldn't stop this working.

> sshd  auth      sufficient  pam_skey.so
> sshd  auth      sufficient  pam_opie.so                 no_fake_prompts
> sshd  auth      sufficient  pam_unix.so                 try_first_pass
> sshd  auth      sufficient  /usr/local/lib/pam_ldap.so  try_first_pass debug
> sshd  account   required    pam_unix.so
> sshd  password  required    pam_permit.so
> sshd  session   required    pam_permit.co
>
> All I see in the logs are messages saying:
> error: PAM: User not known to the underlying authentication module

Right, so sshd is using pam. That's something. The error could mean several things, one of which is that the user doesn't exist. If you look through your ldap.conf, you should have enough info to pretend to be PAM. Use ldapsearch and try

ldapsearch -H ldap://<host from ldap.conf> -D <binddn from ldap.conf> -W \
    <pam_login_attribute from ldap.conf>=<username>

and enter the bindpw from ldap.conf. If you don't get the AD account back, then your ldap.conf is screwed.

> I'm pretty sure the ldap.conf files are correct, because I've followed the instructions from several places to the T.

The nice thing about definitive LDAP howtos is there are so many to choose from :)

-- 
You may need to metaphorically make a deal with the devil. By 'devil' I mean robot devil and by 'metaphorically' I mean get your coat. - Bender
Rasputin :: Jack of All Trades - Master of Nuns
RE: Pam_ldap
The query you gave me worked. I was able to see real name, home dir, etc. I'm assuming since I can get that info, that I should be able to verify a password too. In my /usr/local/etc/ldap.conf file, I had binddb not binddn. Upon changing this, I now get a different pam error. It says:

error: PAM: Authentication failure

One step closer..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dick Davies
Sent: Friday, October 01, 2004 9:41 AM
To: Bret Walker
Cc: FreeBSD Questions
Subject: Re: Pam_ldap

> [...]
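The "pretend to be PAM" ldapsearch that Dick suggests, and the misspelled key that turned out to be Bret's problem (binddb for binddn, the same kind of slip as rootbinddb in Jon's ldap.conf earlier in this page), both come down to reading ldap.conf the way pam_ldap does. The script below is an added example, not code from the thread or from pam_ldap/nss_ldap: it derives the ldapsearch command from the values in an ldap.conf-style file so the two cannot drift apart, and lists any key that pam_ldap would silently ignore. It assumes the "key value" syntax with '#' comments shown in the posts above; the list of known keys is the subset used in this thread, and the sample config it builds is constructed, not a real server.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the ldapsearch that mimics
# pam_ldap's user lookup from an ldap.conf-style file and flags keys pam_ldap
# does not know (e.g. "binddb"). The bindpw is never copied onto the command
# line: -W prompts for it, so it stays out of ps(1) output and shell history.

# conf_get FILE KEY: print the value of the first KEY line (case-insensitive)
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Keys pam_ldap/nss_ldap understand (the subset that appears in this thread)
KNOWN_KEYS="host uri base port binddn bindpw rootbinddn scope timelimit
bind_timelimit bind_policy idle_timelimit ldap_version ssl tls_ciphers
tls_checkpeer pam_filter pam_login_attribute pam_member_attribute pam_groupdn
pam_password nss_base_passwd nss_base_shadow nss_base_group logdir debug"

# conf_unknown_keys FILE: print every key not in KNOWN_KEYS, one per line
conf_unknown_keys() {
    awk -v known="$KNOWN_KEYS" '
        BEGIN { n = split(known, k); for (i = 1; i <= n; i++) ok[tolower(k[i])] = 1 }
        /^[[:space:]]*#/ || NF == 0 { next }
        !(tolower($1) in ok) { print $1 }
    ' "$1"
}

# ldapsearch_cmd FILE USER: print the search pam_ldap would do for USER
ldapsearch_cmd() {
    conf=$1 user=$2
    binddn=$(conf_get "$conf" binddn)
    if [ -z "$binddn" ]; then
        echo "error: no binddn in $conf (misspelled? see conf_unknown_keys)" >&2
        return 1
    fi
    attr=$(conf_get "$conf" pam_login_attribute)
    [ -n "$attr" ] || attr=uid                      # pam_ldap's default
    uri=$(conf_get "$conf" uri)
    if [ -z "$uri" ]; then                          # fall back to host/port
        host=$(conf_get "$conf" host); host=${host%% *}   # first host only
        [ -n "$host" ] || { echo "error: neither uri nor host in $conf" >&2; return 1; }
        port=$(conf_get "$conf" port)
        uri="ldap://$host${port:+:$port}/"
    fi
    printf 'ldapsearch -x -H %s -D "%s" -W "(%s=%s)"\n' "$uri" "$binddn" "$attr" "$user"
}

# Demo on a constructed config with the binddb slip (no real server involved)
demo=$(mktemp)
cat > "$demo" <<'EOF'
host ldap.example.com
base dc=example,dc=com
binddb cn=proxyuser,dc=example,dc=com
bindpw secret
pam_login_attribute sAMAccountName
EOF
echo "unknown keys: $(conf_unknown_keys "$demo" | tr '\n' ' ')"
ldapsearch_cmd "$demo" bret || echo "(fix the key above and rerun)"
rm -f "$demo"
```

Point it at the real file with ldapsearch_cmd /usr/local/etc/ldap.conf someuser, paste the printed command, and enter the bindpw at the -W prompt; conf_unknown_keys /usr/local/etc/ldap.conf should print nothing on a clean config.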
Pam_ldap
I've been trying all day to get pam_ldap to authenticate an ssh session against Active Directory. I thought that I had found the perfect HOWTO (read: one that didn't require nss_ldap), but its instructions didn't seem to get it working on my system. I've read that you can authenticate to AD with pam_ldap alone, and I've read that you can't, as well. Does anyone have any experience doing this w/o nss_ldap? I'm running 4.10, and I don't think it has support for nss_ldap. If anyone has any advice, I'd love to hear it.

Thanks, Bret

PS - The instructions I followed are here: http://www.netsys.com/pamldap/2002/04/msg00074.html

Bret Walker
Technical Support Consultant
Medill School of Journalism
Northwestern University
847-467-7845
847-491-2370 fax
[EMAIL PROTECTED]
Setting up pam_ldap nss_ldap
On 5.3-Beta I have installed pam_ldap and nss_ldap. Then I edited the following files:

/usr/local/etc/ldap.conf
/etc/nsswitch.conf
files within /etc/pam.d, particularly /etc/pam.d/ldap and ./sshd and ./su
/usr/local/etc/nss_ldap.conf

I think that's it. I can provide each of those files if necessary. Nonetheless authentication for users not local to this system is not occurring (which would normally occur for me under Linux). I have tried authenticating the following ways: 1) through ssh; 2) through su. I have noticed, however, that the way I do this under Linux is not the same as for FreeBSD. So, it's quite possible that I have left something out. Anyhow, I would appreciate any input into what needs to be configured to get this to work. Thanks!
Re: Setting up pam_ldap nss_ldap
On Thu, 2 Sep 2004, Curtis Vaughan wrote:

> On 5.3-Beta I have installed pam_ldap and nss_ldap. Then I edited the following files: /usr/local/etc/ldap.conf, /etc/nsswitch.conf, files within /etc/pam.d (particularly /etc/pam.d/ldap and ./sshd and ./su), and /usr/local/etc/nss_ldap.conf. I think that's it. I can provide each of those files if necessary. Nonetheless authentication for users not local to this system is not occurring (which would normally occur for me under Linux). I have tried authenticating the following ways: 1) through ssh; 2) through su. I have noticed, however, that the way I do this under Linux is not the same as for FreeBSD. So, it's quite possible that I have left something out. Anyhow, I would appreciate any input into what needs to be configured to get this to work.

I have a FreeBSD-5.2.1 system that provides ssh logins based on LDAP accounts via nss_ldap and pam_ldap. It works perfectly.

/etc/nsswitch.conf
---
passwd: files [NOTFOUND=continue] ldap
group: files [NOTFOUND=continue] ldap
shells: files
hosts: files dns
---

/etc/pam.d/sshd
---
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass debug
auth required pam_unix.so no_warn try_first_pass

# account
#account required pam_krb5.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so

# session
#session optional pam_ssh.so
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so use_authtok
password required pam_unix.so no_warn try_first_pass
---

/usr/local/etc/nss_ldap.conf (without TLS stuff)
---
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
ldap_version 3
port 389
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password clear
pam_password exop
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
# debug testing
#logdir /var/log
#debug 9
---

I use the same configuration for pam_ldap and nss_ldap, so create a symlink to /usr/local/etc/nss_ldap.conf for /usr/local/etc/ldap.conf or make an exact copy. All other entries in nss_ldap.conf are commented out for me. Don't forget to change dc=example,dc=com and ldap1.example.com ldap2.example.com to your values.

There is no need for a .secret file for pam_ldap or nss_ldap. To be clear: if you set a rootbinddn or binddn which has the right to read the userPassword attribute, a getpwent(3) call would return all password hashes, which is surely not what you want. The better way is to let nss_ldap only return the account information without the password and let pam_ldap try to bind as the user's DN with the submitted password.

Another point is that the whole pam_ldap stuff can be skipped if you use a binddn or rootbinddn with nss_ldap and this DN is allowed to read the userPassword attribute, as the password is then available to pam_unix and makes authentication possible. But remember the risk that someone is able to use getpwent(3) to get all password hashes that are stored in LDAP.

If it's still not working for you, uncomment the logdir and debug lines in nss_ldap.conf and, if not symlinked, in ldap.conf too. After trying a new login you will find a file ldap.PID in the directory specified as logdir. The whole LDAP lookup and LDAP bind phase is written to this file, so one can analyze what's working or not.

Feel free to ask again if you still have problems.

regards
Joerg

--
The beginning is the most important part of the work. -Plato

___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
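The /etc/pam.d/sshd stack Joerg posted relies on the PAM control-flag semantics (required, requisite, sufficient) to let an LDAP user through on pam_ldap alone while a local user still falls through to pam_unix. The following is an added example, not code from the thread or from pam_ldap: a small evaluator that parses a pam.d-style stack and reports which module decided the result for a given set of per-module outcomes. It models the common Linux-PAM/OpenPAM rules only (no "binding" control, no bracketed [value=action] syntax); the module results fed to it in each scenario are constructed, and a module not listed in the results is treated as failing, which is what pam_unix does for a user absent from /etc/passwd.

```python
"""Toy evaluator for PAM control flags, applied to the sshd stack above.

Added example, not from the thread. Models required/requisite/sufficient/
optional as in Linux-PAM/OpenPAM; binding and [value=action] are not handled.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    facility: str   # auth | account | session | password
    control: str    # required | requisite | sufficient | optional
    module: str     # basename only, e.g. pam_ldap.so


def parse_pam_stack(text, facility):
    """Parse pam.d-format lines and keep the rules of one facility, in order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        parts = line.split()
        if len(parts) < 3:
            continue
        fac, control, module = parts[:3]         # module options are ignored
        if fac == facility:
            rules.append(Rule(fac, control, module.rsplit("/", 1)[-1]))
    return rules


def evaluate(rules, results):
    """results maps module basename -> True (PAM_SUCCESS) / False.
    Unlisted modules are taken as failing. Returns (outcome, deciding module)."""
    first_required_failure = None
    any_success = False
    for r in rules:
        ok = results.get(r.module, False)
        if r.control == "requisite" and not ok:
            return "fail", r.module              # abort the stack at once
        if r.control == "required" and not ok and first_required_failure is None:
            first_required_failure = r.module    # remember, but keep walking
        if r.control == "sufficient" and ok and first_required_failure is None:
            return "success", r.module           # short-circuit success
        if ok and r.control != "optional":
            any_success = True
    if first_required_failure is not None:
        return "fail", first_required_failure
    return ("success", "end of stack") if any_success else ("fail", "no module succeeded")


# The auth and account lines from the posted /etc/pam.d/sshd (options kept as text).
SSHD_STACK = """\
auth     required   pam_nologin.so no_warn
auth     sufficient pam_opie.so no_warn no_fake_prompts
auth     requisite  pam_opieaccess.so no_warn allow_local
auth     sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass debug
auth     required   pam_unix.so no_warn try_first_pass
account  required   pam_login_access.so
account  sufficient /usr/local/lib/pam_ldap.so
account  required   pam_unix.so
"""

# Constructed scenarios: which module returned PAM_SUCCESS for this login.
def ldap_user_good_password():
    """Directory user, right password: pam_ldap binds; pam_unix never runs."""
    auth = parse_pam_stack(SSHD_STACK, "auth")
    return evaluate(auth, {"pam_nologin.so": True, "pam_opie.so": False,
                           "pam_opieaccess.so": True, "pam_ldap.so": True})


def ldap_user_bad_password():
    """Directory user, wrong password: pam_ldap fails, pam_unix (required) decides."""
    auth = parse_pam_stack(SSHD_STACK, "auth")
    return evaluate(auth, {"pam_nologin.so": True, "pam_opie.so": False,
                           "pam_opieaccess.so": True, "pam_ldap.so": False})


def ldap_user_while_nologin():
    """/var/run/nologin present: the required pam_nologin failure is remembered,
    so a later sufficient pam_ldap success cannot rescue the login."""
    auth = parse_pam_stack(SSHD_STACK, "auth")
    return evaluate(auth, {"pam_nologin.so": False, "pam_opie.so": False,
                           "pam_opieaccess.so": True, "pam_ldap.so": True})


def ldap_account_check_broken():
    """pam_ldap's account check errors out: for a user not in /etc/passwd the
    required pam_unix account line then denies the login."""
    account = parse_pam_stack(SSHD_STACK, "account")
    return evaluate(account, {"pam_login_access.so": True, "pam_ldap.so": False})


if __name__ == "__main__":
    for f in (ldap_user_good_password, ldap_user_bad_password,
              ldap_user_while_nologin, ldap_account_check_broken):
        print(f.__name__, "->", f())
```

The third scenario is the one worth remembering when debugging: a "sufficient" success never overrides an earlier "required" failure, so a failing pam_nologin, pam_login_access or a mis-ordered pam_unix line will deny an LDAP user even though pam_ldap itself is happy.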
pam_ldap instructions
I just installed the pam_ldap port and receive the following instructions at the end of the install. I have 5.2-RELEASE and am not sure which instruction to follow regarding enabling login:

Copy /usr/local/etc/ldap.conf.dist to /usr/local/etc/ldap.conf, then edit /usr/local/etc/ldap.conf in order to use this module. Add a line similar to the following to /etc/pam.conf on -STABLE, or create an /etc/pam.d/ldap on -CURRENT with a line similar to the following:

login auth sufficient /usr/local/lib/pam_ldap.so

--
Robert
Re: pam_ldap instructions
On Fri, 2004-01-23 at 21:08, Robert Fitzpatrick wrote:

> I just installed the pam_ldap port and receive the following instructions at the end of the install. I have 5.2-RELEASE and am not sure which instruction to follow regarding enabling login:
>
> Copy /usr/local/etc/ldap.conf.dist to /usr/local/etc/ldap.conf, then edit /usr/local/etc/ldap.conf in order to use this module. Add a line similar to the following to /etc/pam.conf on -STABLE, or create an /etc/pam.d/ldap on -CURRENT with a line similar to the following:
>
> login auth sufficient /usr/local/lib/pam_ldap.so

Perhaps I need to rephrase that. You need to follow the -CURRENT instructions. That is, create an /etc/pam.d/ldap file with the contents above.

Joe
--
PGP Key : http://www.marcuscom.com/pgp.asc
Re: problems with pam_ldap - ssh and file attributes
Dan Nelson wrote:

> /bin/ls is linked statically, which means it only knows about compat, files, nis, and dns; you can build a dynamic one, or step up and write

Ahh, thank you for this explanation. :-)

There are other strange things with -CURRENT and the LDAP setup: I have jdk13 running on the machine (Hotspot enabled) and any user from the LDAP directory can start java only once; all further attempts fail. For local users there is no such problem.

cu, Uwe
Re: problems with pam_ldap - ssh and file attributes
Since nobody responded I will do it myself :-). Further investigation showed that the problem with connecting via ssh was only with the PuTTY client. Normal command-line ssh from another unix host worked fine. A Google search found one message targeting this problem. The solution is to use the ssh2 protocol instead of ssh1. I have experienced crashes of PuTTY v. 0.52 when using ssh2, but after upgrading to version 0.53b everything works fine.

Nevertheless the problem with file attributes persists.

Mira

Original message follows:

> Hi,
>
> I just succeeded in installing and configuring pam_ldap authentication on my 5.1-RELEASE box. Everything seems to work fine (ftp, telnet, samba, ...) except for ssh. Any attempt to log in (as a user whose account is defined in the LDAP directory) from a remote host using ssh ends up with the error message: Access denied. For users registered in /etc/passwd ssh works fine. There is no problem when logging in via telnet, and ftp works fine as well, but ssh doesn't.
>
> The /etc/pam.d/sshd looks like:
>
> # auth
> auth required pam_nologin.so no_warn
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth sufficient pam_ldap.so debug try_first_pass
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_login_access.so
> account sufficient pam_ldap.so debug
> account required pam_unix.so
>
> # session
> session required pam_permit.so
>
> # password
> password sufficient pam_ldap.so debug
> password required pam_unix.so no_warn try_first_pass
>
> --
>
> Another problem is that commands like ls display uid and gid as numbers for files owned by LDAP users. On the other hand ftp displays them correctly.
>
> Any ideas how to fix that (especially in the case of ssh) would be really helpful.
>
> Thanks
> Mira
CVS pserver and pam_ldap
Hi,

I have a problem making the cvs server (version 1.11.5, the one which gets installed as a part of 5.1-RELEASE) authenticate users via pam_ldap. Is there anybody who successfully runs this combination, or at least knows whether cvs supports PAM authentication?

Any help would be really appreciated!

Mira
Re: problems with pam_ldap - ssh and file attributes
[EMAIL PROTECTED] wrote:

> Nevertheless the problem with file attributes persists.

I have the same problem here. I guess that 'ls' doesn't care about nsswitch?!

cu, Uwe
Re: problems with pam_ldap - ssh and file attributes
In the last episode (Oct 08), Uwe Laverenz said:

> [EMAIL PROTECTED] wrote:
>> Nevertheless the problem with file attributes persists.
>
> I have the same problem here. I guess that 'ls' doesn't care about nsswitch?!

/bin/ls is linked statically, which means it only knows about compat, files, nis, and dns; you can build a dynamic one, or step up and write an nscd daemon that static binaries can connect to for nss lookups :)

--
Dan Nelson
[EMAIL PROTECTED]
problems with pam_ldap - ssh and file attributes
Hi,

I just succeeded in installing and configuring pam_ldap authentication on my 5.1-RELEASE box. Everything seems to work fine (ftp, telnet, samba, ...) except for ssh. Any attempt to log in (as a user whose account is defined in the LDAP directory) from a remote host using ssh ends up with the error message: Access denied. For users registered in /etc/passwd ssh works fine. There is no problem when logging in via telnet, and ftp works fine as well, but ssh doesn't.

The /etc/pam.d/sshd looks like:

# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_ldap.so debug try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_login_access.so
account sufficient pam_ldap.so debug
account required pam_unix.so

# session
session required pam_permit.so

# password
password sufficient pam_ldap.so debug
password required pam_unix.so no_warn try_first_pass

--

Another problem is that commands like ls display uid and gid as numbers for files owned by LDAP users. On the other hand ftp displays them correctly.

Any ideas how to fix that (especially in the case of ssh) would be really helpful.

Thanks
Mira
pam_ldap error
Dear freebsd-questions,

My aim is to set up a samba PDC and BDC server for a windows network and integrate the password database, so that any change will also be reflected in the other OS, to avoid changing a password twice or adding a user twice. And now I got an error from the pam_ldap module telling me it cannot bind as a user that does exist. Any idea what I did wrong?

I have done this according to the how-to: http://samba.idealx.org/dist/samba-ldap-howto.pdf. I'm not at chapter 5 and am stuck.

I have installed OpenLDAP 2.0 and pam_ldap. I have set up the database as follows:

dc=domain,dc=org
|
`--- ou=Users
|
`--- ou=Computers
|
`--- ou=Groups

I have modified /etc/pam.conf for login only first:

login auth sufficient pam_skey.so
login auth requisite pam_cleartext_pass_ok.so
#login auth sufficient pam_kerberosIV.so try_first_pass
login auth sufficient pam_ldap.so try_first_pass
login auth sufficient pam_unix.so try_first_pass
login auth required pam_deny.so
login account sufficient pam_ldap.so
login account sufficient pam_unix.so
login account required pam_deny.so
login password required pam_permit.so
login session required pam_permit.so

And modified /usr/local/etc/ldap.conf = /usr/local/etc/openldap/ldap.conf (link, same fs):

# Your LDAP server. Must be resolvable without using LDAP.
URI ldap://127.0.0.1
# The distinguished name of the search base.
base dc=kruij557,dc=speed,dc=planet,dc=nl
ldap_version 2
# we use ?sub (and not the default ?one) because we
# separated sambaAccounts on ou=Computers,dc=IDEALX,dc=org
# and ou=Users,dc=IDEALX,dc=org
nss_base_passwd dc=kruij557,dc=speed,dc=planet,dc=nl?sub
nss_base_shadow dc=kruij557,dc=speed,dc=planet,dc=nl?sub
nss_base_group ou=Groups,dc=kruij557,dc=speed,dc=planet,dc=nl?one
ssl no
pam_password md5

I have set the default access to the openldap database to write.

When I try to connect as the newly installed user 'test' I get the following error (out of /messages):

Jul 11 20:15:27 Intranet login: pam_ldap: error trying to bind as user uid=test,ou=Users,dc=domain,dc=com (Invalid credentials)

# slapcat
dn: uid=test,ou=Users,dc=domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: test
uid: test
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/sh
gecos: System User
description: System User
creatorsName: cn=Manager,dc=domain,dc=com
createTimestamp: 20020711123408Z
modifiersName: cn=Manager,dc=domain,dc=com
modifyTimestamp: 20020711123408Z
userPassword:: e1NTSEF9WFF0OTVJNy9iaklYdHovQjFBNk5oQ3c0Y2tCemlSRWI=

--
Met vriendelijke groet (kind regards),
Alex
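The "Invalid credentials" line means slapd rejected the simple bind, which it decides by recomputing the stored userPassword hash from the submitted password. The slapcat output shows that value base64-encoded (the LDIF "::" marker); decoding it reveals the storage scheme. The following is an added example, not code from the thread, from OpenLDAP or from pam_ldap: it decodes the posted userPassword line to show its {SSHA} layout (20-byte SHA-1 digest followed by a 4-byte salt), and verifies a password against a {SSHA} value the way the server does. The password "correct horse" and the fixed salt used in demo() are constructed for the example; Alex's real password is unknown and not guessed. It also illustrates Joerg's earlier warning in concrete terms: this hash string is exactly what a too-privileged nss_ldap binddn would hand to every getpwent(3) caller.

```python
"""Decode and verify LDAP {SSHA} userPassword values as slapd does on bind.

Added example, not from the thread. Supports {SSHA} and {SHA} only.
"""
import base64
import hashlib
import hmac
import os


def ldif_attr_value(line):
    """Split one LDIF line into (attr, bytes). '::' marks a base64 value."""
    if "::" in line:
        attr, enc = line.split("::", 1)
        return attr.strip(), base64.b64decode(enc.strip())
    attr, val = line.split(":", 1)
    return attr.strip(), val.strip().encode()


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value like slappasswd -h {SSHA}: base64(sha1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(stored, password):
    """True if password matches a {SSHA} or {SHA} userPassword value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest, then the salt
        cand = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(cand, digest)   # constant-time compare
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), raw)
    raise ValueError("unsupported scheme: " + stored.split("}", 1)[0] + "}")


# The userPassword line exactly as printed by slapcat in the post above.
POSTED_LINE = "userPassword:: e1NTSEF9WFF0OTVJNy9iaklYdHovQjFBNk5oQ3c0Y2tCemlSRWI="


def posted_layout():
    """Return (scheme, digest length, salt length) of the posted value."""
    _, value = ldif_attr_value(POSTED_LINE)
    text = value.decode()
    scheme = text[:text.index("}") + 1]
    raw = base64.b64decode(text[len(scheme):])
    return scheme, min(len(raw), 20), max(len(raw) - 20, 0)


def demo():
    """Constructed entry: right password verifies, wrong one does not."""
    stored = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")   # constructed
    return check_password(stored, "correct horse"), check_password(stored, "wrong")


if __name__ == "__main__":
    print("posted value uses", posted_layout())
    print("demo (good, bad) =", demo())
```

Because the comparison is on the server side, a mismatch is reported to pam_ldap only as "Invalid credentials"; the quickest independent check of a stored value is to bind as that DN directly with ldapsearch (-x -D "uid=test,ou=Users,..." -W) and see whether the server accepts the same password before involving PAM at all.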