On 23-May-06, at 8:48 PM, Atom Powers wrote:

On 5/23/06, Jason Lixfeld <jason+lists.freebsd- [EMAIL PROTECTED]> wrote:
I'm using openssh-portable and the latest versions of openldap,
pam_ldap and nss_ldap.  It appears as though the system is using
...

I'm not using ssh-portable, but I have it working with the built-in ssh.

built-in works? Interesting. Reason I'm using -portable was because I read that the built-in ssh didn't support PAM.

I will try the built-in and see what happens.

...
user password, even after I enter it in.  I tried putting the
pam_ldap lib in the password section of the /etc/pam.d/sshd file, but
that was useless too.  Local users can ssh in fine.

The pam.d config would be my first guess. What gets logged to all.log?

I have no all.log currently. The only thing showing up in messages though is:

May 23 18:48:00 ricky slapd[7745]: nss_ldap: could not search LDAP server - Server is unavailable

That error seems to creep up only when I restart slapd though.


I searched through the bugs and it seems there is a bug in nss_ldap
with regards to getpwuid, but that seems to be more of an indicator
about why finger doesn't work, not why ssh doesn't work

# id testuser seems to work, finger doesn't.  Curious.  Anyway, it
still appears as though at least some portions of the system are
using LDAP, which is good.
$ id testuser
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
$ finger testuser
finger: testuser: no such user
$

id works because it's using the name service to look up the user (you
added ldap to your nsswitch.conf, right?)

finger doesn't work because you don't have a /etc/pam.d/finger file.
Either create one or add pam_ldap to your /etc/pam.d/system file. (I
always create a new conf file for my ldap enabled apps)

Interesting. Finger *did* work during some of my first attempts at getting this working. I changed something (I don't recall what) and then finger stopped working.

Here is my /etc/pam.d/sshd file, I use the exact same file for all my
ldap enabled apps:
(if somebody sees a bug in there, or can suggest any improvement, by
all means let me know.)
--

# auth
auth            sufficient      /usr/local/lib/pam_ldap.so
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         sufficient      /usr/local/lib/pam_ldap.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

This seems to all work now with built-in ssh.  How strange.

Now, I seem to have hit another snag and a bug (both of which I remember reading about in my travels:)

$id testuser
id: testuser: no such user
# sudo su
Password:
# id testuser
uid=2000(testuser) gid=2000(testuser) groups=2000(testuser)
# cd ~testuser
# pwd
/usr/home/testuser
#ssh [EMAIL PROTECTED]
%id testuser
id: testuser: no such user
%pwd
/usr/home/testuser
%ls -al
Assertion failed: (cfg->ldc_uris[__session.ls_current_uri] != NULL), function do_init, file ldap-nss.c, line 1193.
Abort (core dumped)
%

--
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--

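The exchange above turns on how PAM walks the control flags in the posted /etc/pam.d/sshd file (a "sufficient" pam_ldap ahead of a "required" pam_unix). The following is an added example, not code from the thread or from either poster: a small Python parser for pam.d syntax plus a walk of one management group under the standard requisite/required/sufficient/optional rules. It does not talk to LDAP or check passwords; the outcome of each module is supplied by hand in a dict (constructed scenarios), and the stack text is the sshd file from the thread, reflowed one rule per line. The control-flag semantics are the common OpenPAM/Linux-PAM behaviour, simplified (no "binding", no per-return-value tables).

```python
"""Simulate PAM control-flag evaluation over a pam.d file (added example).

Module outcomes are supplied by the caller; nothing here authenticates.
"""
import os

# The sshd stack posted in the thread, one rule per line (auth + account only).
SSHD_PAM = """\
# auth
auth            sufficient      /usr/local/lib/pam_ldap.so
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_login_access.so
account         required        pam_unix.so
"""

CONTROLS = ("requisite", "required", "sufficient", "optional")


def parse_pam(text):
    """Return a list of (facility, control, module, options) tuples.

    Comments and blank lines are skipped.  The module path is reduced to its
    basename so '/usr/local/lib/pam_ldap.so' and 'pam_ldap.so' compare equal.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam rule: {raw!r}")
        facility, control, module = parts[0], parts[1], os.path.basename(parts[2])
        if control not in CONTROLS:
            raise ValueError(f"unknown control flag {control!r} in {raw!r}")
        rules.append((facility, control, module, parts[3:]))
    return rules


def run_stack(rules, facility, outcomes):
    """Walk one facility's chain and return (success, modules_consulted).

    `outcomes` maps module basename -> True (PAM_SUCCESS) or False; a module
    missing from the dict is treated as failing.  Simplified semantics:
      requisite  - failure ends the chain immediately with failure
      required   - failure is remembered; later modules still run
      sufficient - success ends the chain with success unless a required or
                   requisite module already failed; failure is ignored
      optional   - result ignored
    `modules_consulted` lists the modules that actually ran, which shows what
    a sufficient module placed first lets a caller skip.
    """
    failed = False
    consulted = []
    for fac, control, module, _opts in rules:
        if fac != facility:
            continue
        consulted.append(module)
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            failed = True
        if control == "sufficient" and ok and not failed:
            return True, consulted
    return (not failed), consulted


# Constructed scenarios: which modules would succeed for a given login.
LDAP_USER_GOOD_PW = {"pam_ldap.so": True, "pam_nologin.so": True,
                     "pam_opieaccess.so": True, "pam_login_access.so": True}
LDAP_USER_BAD_PW = {"pam_nologin.so": True, "pam_opieaccess.so": True}
LOCAL_USER = {"pam_nologin.so": True, "pam_opieaccess.so": True,
              "pam_unix.so": True, "pam_login_access.so": True}
# /var/run/nologin present: pam_nologin fails for everyone.
LOCAL_USER_NOLOGIN = {"pam_opieaccess.so": True, "pam_unix.so": True}
LDAP_USER_NOLOGIN = {"pam_ldap.so": True, "pam_opieaccess.so": True}


if __name__ == "__main__":
    rules = parse_pam(SSHD_PAM)
    for name, outcomes in [("ldap/good", LDAP_USER_GOOD_PW), ("ldap/bad", LDAP_USER_BAD_PW),
                           ("local", LOCAL_USER), ("local+nologin", LOCAL_USER_NOLOGIN),
                           ("ldap+nologin", LDAP_USER_NOLOGIN)]:
        print(name, run_stack(rules, "auth", outcomes))
```

Running the auth chain with these scenarios shows why the posted file works (an LDAP user with a good password is decided by pam_ldap alone; a local user falls through to pam_unix) and also what the ordering costs: because pam_ldap is "sufficient" and sits before pam_nologin, an LDAP user still gets in while /var/run/nologin blocks local users. Moving pam_nologin above pam_ldap in the file closes that gap, and the same reasoning applies to pam_login_access in the account group.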

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
