Re: auth.log error with nss-pam-ldapd in LDAP client
- Reply: Rocky Hotas : "Re: auth.log error with nss-pam-ldapd in LDAP client"
- In reply to: Rocky Hotas : "auth.log error with nss-pam-ldapd in LDAP client"
Date: Mon, 08 Jan 2024 18:19:03 UTC
On 1/8/24 12:49, Rocky Hotas wrote:
> Hello!
> I am trying to configure the package nss-pam-ldapd in FreeBSD
> 14.0-RELEASE to have an LDAP client and LDAP authentication on a host
> examplehost. The same host is also the LDAP server and it is running
> openldap26-server-2.6.6. I followed all the steps related to FreeBSD
> in the package author's documentation:
>
> <https://arthurdejong.org/nss-pam-ldapd/setup>
>

Hey Rocky,

> (or at least I hope so!). If I run:
>
> $ ldapsearch -x -b 'dc=examplehost,dc=domain' '(objectclass=*)'
>
> I obtain some of the items stored in the LDAP database (even if not all
> of them: is this normal?). So, the client somehow seems to work.
>

If you run the command like this, the query is executed using anonymous
bind, and based on your configured ACLs, it might limit what you can see.
Additionally, I think the default depth for 'ldapsearch' is 2 (but I'm not
sure about this).

> But there are two oddities.
>
> 1) In the output of `getent passwd' the LDAP users are listed, but this
> is a local user entry:
>
> localuser:*:1001:1001:Local User:/home/localuser:/bin/csh
>
> while this is an LDAP user entry:
>
> ldapuser:x:10001:10001:LDAP User:/home/ldapuser/:/usr/bin/csh
>
> The second field is a `*' in the first case, while it is `x' in the
> second case. Is this relevant?
>

That's to be expected. The user you use to query the LDAP directory
properly has no access to the 'userPassword' attribute of every user;
that's why you don't see any passwords for the LDAP users.

> Despite this, if I try to log into the system remotely as an LDAP user,
>
> $ ssh ldapuser@examplehost
> (ldapuser@examplehost) Password for ldapuser@examplehost:
>
> even before typing the password, in /var/log/auth.log of examplehost
> this line appears:
>
> Jan 8 13:30:45 examplehost sshd[34445]: failed to get password: Authentication error
>
> How is it possible? What is wrong with this configuration? With
> openldap24-client this /etc/pam.d/sshd worked.
>

I'm not sure about this, but if I remember correctly, there is also
another PAM module you need in order to authenticate a user against the
LDAP directory. The nss-pam-ldapd is only to query data for the NSS.

Regards,
Souji

--
Souji Thenria
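The reply above points at the PAM service file as the place to look: NSS alone lists the user, but the `auth` stack in /etc/pam.d/sshd still has to contain a module that can check an LDAP password. The script below is an added example, not code from the thread or from the nss-pam-ldapd project. It parses a PAM service file (facility, control, module, arguments, one entry per line) and reports which modules are stacked under a facility and whether `pam_ldap.so` appears in `auth`. The sample service file it writes is constructed for the example, modelled on a FreeBSD-style sshd file with only local `pam_unix.so` authentication; the module name `pam_ldap.so` is assumed, and the script only inspects names, it does not load or test the module.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a PAM service file and report
# which modules are stacked in a facility, and whether an LDAP module is
# present in the auth facility. The sample file below is constructed.

# pam_modules FILE FACILITY
# Print the module name (third column) of every non-comment line whose
# first column is FACILITY, in stacking order.
pam_modules() {
    awk -v fac="$2" '
        /^[[:space:]]*#/ { next }     # skip comment lines
        /^[[:space:]]*$/ { next }     # skip blank lines
        $1 == fac        { print $3 }
    ' "$1"
}

# pam_has_module FILE FACILITY MODULE
# Exit 0 when MODULE appears in FACILITY's stack, non-zero otherwise.
pam_has_module() {
    pam_modules "$1" "$2" | grep -qx -- "$3"
}

# ldap_auth_status FILE
# Print "present" if pam_ldap.so (assumed module name) is stacked in the
# auth facility, otherwise "missing".
ldap_auth_status() {
    if pam_has_module "$1" auth pam_ldap.so; then
        echo present
    else
        echo missing
    fi
}

# write_sample FILE
# Write a constructed sshd service file that authenticates locally only.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on a FreeBSD-style /etc/pam.d/sshd
auth        sufficient  pam_opie.so          no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so    no_warn allow_local
auth        required    pam_unix.so          no_warn try_first_pass
account     required    pam_nologin.so
account     required    pam_login_access.so
account     required    pam_unix.so
session     required    pam_permit.so
password    required    pam_unix.so          no_warn try_first_pass
EOF
}

# Stand-alone run: show the auth stack and the LDAP verdict for the sample.
sample=$(mktemp)
write_sample "$sample"
printf 'auth stack: %s\n' "$(pam_modules "$sample" auth | tr '\n' ' ')"
printf 'LDAP in auth: %s\n' "$(ldap_auth_status "$sample")"
rm -f "$sample"
```

To check a real host, call `pam_modules /etc/pam.d/sshd auth` and `ldap_auth_status /etc/pam.d/sshd` instead of the constructed sample. A "missing" verdict is consistent with the symptom in the thread: `getent passwd` can show the LDAP user through NSS while sshd's PAM stack has nothing that can validate the LDAP password.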