Hey all,
I've been pounding my head against a screen for a few weeks trying to figure
this one out, and pounding on Google like a madman.
I'm running a few FreeBSD 6.2 servers, one with OpenLDAP 2.2. I have the
PADL nss_ldap and pam_ldap modules installed, and I have configured PAM.
I've been using the LDAP directory for many things (groupware, forums, wiki,
etc.) running on the web server, which is separate from the LDAP host, so I
know that I can connect.
I can do an "ldapsearch -D -W -x" on all the servers. I can do "getent
passwd" and see the LDAP users there.
I can su to an LDAP user. I see the ldap users/groups when doing an "ls -l"
(mostly, more on that later).
But I can not SSH into the servers as an LDAP user. Here's what happens: if
I "ssh avishai@login" I get a normal password prompt. If I enter the wrong
password for that user, I get another prompt, with the message:
"Jan 27 10:47:12 login sshd[4497]: pam_ldap: error trying to bind as user
"uid=avishai,ou=Users,dc=cwssoftware,dc=com" (Invalid credentials)"
"Jan 27 11:04:40 login sshd[4570]: error: PAM: authentication error for
avishai from cool-device.cws.local"
in /var/log/messages.
If I enter the correct password, I get this prompt:
Old Password:
I have tried every possible password here (empty, correct, wrong) to no
avail. /var/log/messages shows this:
"Jan 27 11:05:11 login sshd[4570]: error: PAM: permission denied for avishai
from cool-device.cws.local"
Again, I can authenticate as this user on the LDAP server (through
phpldapadmin and all others), and the different messages and behavior make
me know that I am talking to the LDAP server, and authenticating to some
degree! My ldap.conf is linked to nss_ldap.conf, both in /usr/local/etc. TLS
makes no difference; I've tried it on and off.
As to the nss, I get a bit of strangeness. As root, I see all the LDAP users
and groups. As a normal user, I see only the ID numbers. /etc/nsswitch.conf
has 644 permissions, so the normal user should be able to read the file.
Last, and maybe helpful, is that I periodically get a message:
"Jan 27 10:35:00 login cron[4404]: nss_ldap: could not search LDAP server -
Server is unavailable"
when I know the server IS available. Especially as NSS is working with LDAP
more or less, this has me baffled. I'm an amateur sysadmin, so I'm not sure
where to look for this particular cron job, but the message is wrong, if not
just misleading.
My pam.d/sshd file is below:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth		required	pam_nologin.so		no_warn
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_ldap.so	try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass
#auth		required	pam_deny.so		try_first_pass

# account
#account	required	pam_krb5.so
#account	required	pam_login_access.so
account		required	pam_unix.so
#account	required	/usr/local/lib/pam_ldap.so

# session
#session	optional	pam_ssh.so
session		sufficient	/usr/local/lib/pam_mkhomedir.so
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
#password	sufficient	/usr/local/lib/pam_ldap.so	debug
password	required	pam_unix.so		no_warn try_first_pass
Any help is much appreciated!
Charlie Sibbach
CWS Software
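A check a reader of this thread might run against the quoted pam.d/sshd, added here as an example (it is not part of the original post, and not FreeBSD or PADL code): parse the file in the pam.conf(5) form FreeBSD uses and report, for each management group (auth, account, session, password), whether a given module is active, present but commented out, or absent. The sample input is a constructed copy of the posted file with its lines rejoined; the function names are mine.

```python
"""Report which PAM management groups consult a given module.

Added example for this thread (not the poster's, FreeBSD's or PADL's code).
Parses FreeBSD pam.d service files: one rule per line in the form
    <group> <control> <module> [args...]
with '#' comments and backslash line continuation, as pam.conf(5) allows.
"""

GROUPS = ("auth", "account", "session", "password")

# Constructed copy of the pam.d/sshd quoted in the post (lines rejoined).
# Commented-out rules are kept so the report can tell "disabled" from "absent".
SAMPLE_PAMD_SSHD = """\
# PAM configuration for the "sshd" service
# auth
auth\t\trequired\tpam_nologin.so\t\tno_warn
auth\t\tsufficient\tpam_opie.so\t\tno_warn no_fake_prompts
auth\t\trequisite\tpam_opieaccess.so\tno_warn allow_local
#auth\t\tsufficient\tpam_krb5.so\t\tno_warn try_first_pass
auth\t\tsufficient\t/usr/local/lib/pam_ldap.so\ttry_first_pass
auth\t\trequired\tpam_unix.so\t\tno_warn try_first_pass
# account
account\t\trequired\tpam_unix.so
#account\trequired\t/usr/local/lib/pam_ldap.so
# session
session\t\tsufficient\t/usr/local/lib/pam_mkhomedir.so
session\t\trequired\tpam_permit.so
# password
#password\tsufficient\t/usr/local/lib/pam_ldap.so debug
password\trequired\tpam_unix.so\t\tno_warn try_first_pass
"""


def parse_pamd(text):
    """Return a list of (enabled, group, control, module, args) tuples.

    A rule whose line starts with '#' is returned with enabled=False so a
    caller can distinguish a disabled rule from plain comment text.
    """
    rules = []
    pending = []  # pieces of a backslash-continued logical line
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending.append(raw[:-1])
            continue
        pending.append(raw)
        line = " ".join(pending).strip()
        pending = []
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # Comment prose ("# auth", "# PAM configuration ...") never has a
        # valid group in field 0 plus a control and module, so it is skipped.
        if len(fields) < 3 or fields[0] not in GROUPS:
            continue
        rules.append((enabled, fields[0], fields[1], fields[2], fields[3:]))
    return rules


def module_coverage(text, module_name):
    """Map each group to 'active', 'disabled' or 'absent' for module_name.

    module_name is matched against the basename of the module path, so
    'pam_ldap' matches both 'pam_ldap.so' and '/usr/local/lib/pam_ldap.so'.
    """
    status = {g: "absent" for g in GROUPS}
    for enabled, group, _control, module, _args in parse_pamd(text):
        base = module.rsplit("/", 1)[-1]
        if base == module_name or base.startswith(module_name + "."):
            if enabled:
                status[group] = "active"
            elif status[group] == "absent":
                status[group] = "disabled"
    return status


def groups_not_consulting(text, module_name):
    """Groups in which module_name is not an active rule, in PAM order."""
    cov = module_coverage(text, module_name)
    return [g for g in GROUPS if cov[g] != "active"]


if __name__ == "__main__":
    for group, state in module_coverage(SAMPLE_PAMD_SSHD, "pam_ldap").items():
        print(f"{group:9s} pam_ldap: {state}")
    print("not consulted in:", groups_not_consulting(SAMPLE_PAMD_SSHD, "pam_ldap"))
```

Run against the quoted file, the report shows pam_ldap active only in the auth group, disabled (commented out) in account and password, and absent from session. For a user who exists only in the directory, that means the account and password stages are decided by pam_unix alone, which is worth knowing when reading the account-stage "permission denied" and the password-change prompt in the logs above; the script only reports the stack shape and makes no claim about which change is correct for a given site.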