auth.log error with nss-pam-ldapd in LDAP client
Date: Mon, 08 Jan 2024 12:49:59 UTC
Hello!
I am trying to configure the package nss-pam-ldapd in FreeBSD
14.0-RELEASE to have an LDAP client and LDAP authentication on a host
examplehost. The same host is also the LDAP server and it is running
openldap26-server-2.6.6. I followed all the steps related to FreeBSD
in the package author's documentation:
<https://arthurdejong.org/nss-pam-ldapd/setup>
(or at least I hope so!). If I run:
$ ldapsearch -x -b 'dc=examplehost,dc=domain' '(objectclass=*)'
I obtain some of the items stored in the LDAP database (even if not all
of them: is this normal?). So, the client somehow seems to work.
But there are two oddities.
1) In the output of `getent passwd' the LDAP users are listed, but this
is a local user entry:
localuser:*:1001:1001:Local User:/home/localuser:/bin/csh
while this is an LDAP user entry:
ldapuser:x:10001:10001:LDAP User:/home/ldapuser/:/usr/bin/csh
The second field is a `*' in the first case, while it is `x' in the
second case. Is this relevant?
Users are stored in the LDAP database as
objectClass: posixAccount
objectClass: shadowAccount
and their passwords are stored in the user entry as
userPassword: {SSHA}<some_string>
2) I tried to configure /etc/pam.d/sshd for LDAP authentication as
follows:
auth sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000 use_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_nologin.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000
account required pam_unix.so
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
password required pam_unix.so no_warn try_first_pass
Despite this, if I try to log into the system remotely as an LDAP user,
$ ssh ldapuser@examplehost
(ldapuser@examplehost) Password for ldapuser@examplehost:
even before typing the password, in /var/log/auth.log of examplehost
this line appears:
Jan 8 13:30:45 examplehost sshd[34445]: failed to get password: Authentication error
How is it possible? What is wrong with this configuration? With
openldap24-client this /etc/pam.d/sshd worked.
Bye!
Rocky
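An added example, not part of the original post and not code from nss-pam-ldapd: a small Python linter for a PAM stack like the /etc/pam.d/sshd quoted above. The sample config below is constructed from that stack; the rule that `use_first_pass` on the very first `auth` module deserves a warning is an assumption drawn from what the option means (reuse a password an earlier module already collected instead of prompting), and the check on the last `auth` control is a general hygiene rule, not something the post states.

```python
# Added example: parse a PAM service file and flag auth-stack pitfalls.
# The config text is constructed; it mirrors the sshd stack from the post.
SAMPLE_SSHD_PAM = """\
auth sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000 use_first_pass
auth required pam_unix.so no_warn try_first_pass
account required pam_nologin.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so minimum_uid=10000
account required pam_unix.so
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
password required pam_unix.so no_warn try_first_pass
"""


def parse_pam(text):
    """Return (type, control, module basename, options) tuples; skip comments/blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        module = parts[2].rsplit("/", 1)[-1]  # compare by basename, path or not
        entries.append((parts[0].lower(), parts[1].lower(), module, parts[3:]))
    return entries


def lint_auth_stack(entries):
    """Return warnings about the 'auth' stack (empty list means nothing flagged)."""
    warnings = []
    auth = [e for e in entries if e[0] == "auth"]
    for index, (_, control, module, opts) in enumerate(auth):
        # Assumption: use_first_pass only makes sense after a module that prompted.
        if index == 0 and "use_first_pass" in opts:
            warnings.append(
                f"{module}: use_first_pass on the first auth module; no earlier "
                "module can have collected a password (try_first_pass prompts instead)"
            )
    # A stack that ends on 'sufficient' has no definitive fallback when it fails.
    if auth and auth[-1][1] not in ("required", "requisite"):
        warnings.append(f"{auth[-1][2]}: last auth module is '{auth[-1][1]}', not required/requisite")
    return warnings


if __name__ == "__main__":
    for warning in lint_auth_stack(parse_pam(SAMPLE_SSHD_PAM)):
        print("WARNING:", warning)
```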