Hey all,
I've been pounding my head against a screen for a few days trying to figure this one out, and pounding on Google like a madman.
I'm running a few FreeBSD 6.2 servers, one with OpenLDAP 2.2. I have the PADL nss_ldap and pam_ldap modules installed, and I have configured PAM. I've been using the LDAP directory for many things (groupware, forums, wiki, etc.) running on the web server, which is separate from the LDAP host, so I know that I can connect.
I can do an "ldapsearch -D -W -x" on all the servers. I can do "getent passwd" and see the LDAP users there.
I can su to an LDAP user. I see the ldap users/groups when doing an "ls -l" (mostly, more on that later).
But I can not SSH into the servers as an LDAP user. Here's what happens: if I "ssh avishai@login" I get a normal password prompt. If I enter the wrong password for that user, I get another prompt, with the message:
"Jan 27 10:47:12 login sshd[4497]: pam_ldap: error trying to bind as user "uid=avishai,ou=Users,dc=cwssoftware,dc=com" (Invalid credentials)"
"Jan 27 11:04:40 login sshd[4570]: error: PAM: authentication error for avishai from cool-device.cws.local"
in /var/log/messages.
If I enter the correct password, I get this prompt:
Old Password:
I have tried every possible password here (empty, correct, wrong) to no avail. /var/log/messages shows this:
"Jan 27 11:05:11 login sshd[4570]: error: PAM: permission denied for avishai from cool-device.cws.local"
Again, I can authenticate as this user on the LDAP server (through phpldapadmin and all others), and the different messages and behavior make me know that I am talking to the LDAP server, and authenticating to some degree! My ldap.conf is linked to nss_ldap.conf, both in /usr/local/etc. TLS makes no difference; I've tried it on and off.
As to the nss, I get a bit of strangeness. As root, I see all the LDAP users and groups. As a normal user, I see only the ID numbers. /etc/nsswitch.conf has 644 permissions, so the normal user should be able to read the file. Last, and maybe helpful, is that I periodically get a message:
"Jan 27 10:35:00 login cron[4404]: nss_ldap: could not search LDAP server - Server is unavailable"
when I know the server IS available. Especially as NSS is working with LDAP more or less, this has me baffled. I'm an amateur sysadmin, so I'm not sure where to look for this particular cron job, but the message is wrong, if not just misleading.
My pam.d/sshd file is below:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so try_first_pass
auth required pam_unix.so no_warn try_first_pass
#auth required pam_deny.so try_first_pass
# account
#account required pam_krb5.so
#account required pam_login_access.so
account required pam_unix.so
#account required /usr/local/lib/pam_ldap.so
# session
#session optional pam_ssh.so
session sufficient /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
#password sufficient /usr/local/lib/pam_ldap.so debug
password required pam_unix.so no_warn try_first_pass
Any help is much appreciated!
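An added example, not from the original post or the PADL modules: a small POSIX sh/awk audit that reports which PAM management groups in a pam.d service file actually load pam_ldap.so, run here against a constructed copy of the posted sshd config. It shows the directory consulted for auth only, while account and password fall through to pam_unix alone. The SAMPLE variable and function names are assumptions.

```shell
#!/bin/sh
# Constructed copy of the posted pam.d/sshd (active lines plus the
# commented-out pam_ldap lines), written to a temp file for the audit.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_unix.so
#account required /usr/local/lib/pam_ldap.so
# session
session sufficient /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
#password sufficient /usr/local/lib/pam_ldap.so debug
password required pam_unix.so no_warn try_first_pass
EOF

# Print "group:yes" or "group:no" for each PAM management group; "yes" means
# an active (uncommented) line in that group loads pam_ldap.so.
pam_ldap_groups() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        $3 ~ /pam_ldap\.so$/        { ldap[$1] = 1 } # module path is field 3
        END {
            n = split("auth account session password", g, " ")
            for (i = 1; i <= n; i++)
                printf "%s:%s\n", g[i], (g[i] in ldap ? "yes" : "no")
        }' "$1"
}

# Exit 0 when the groups agree on LDAP, 1 when auth consults the directory
# but account or password does not (the shape of the posted config).
pam_ldap_consistent() {
    pam_ldap_groups "$1" | awk -F: '
        { v[$1] = $2 }
        END {
            bad = (v["auth"] == "yes" && (v["account"] != "yes" || v["password"] != "yes"))
            exit (bad ? 1 : 0)
        }'
}

pam_ldap_groups "$SAMPLE"
pam_ldap_consistent "$SAMPLE" && echo "consistent" || echo "LDAP used for auth only"
```

Run it against the live file with `pam_ldap_groups /etc/pam.d/sshd` to compare each group's coverage with the log lines sshd emits.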