Pam_ldap

Bret Walker bret-walker at northwestern.edu
Fri Oct 1 07:59:37 PDT 2004


The query you gave me worked.  I was able to see real name, home dir, etc.
I'm assuming that since I can get that info, I should be able to verify a
password too.

In my /usr/local/etc/ldap.conf file, I had binddb not binddn.  Upon
changing this, I now get a different PAM error.

It says:
"error: PAM: Authentication failure"

One step closer..



-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Dick Davies
Sent: Friday, October 01, 2004 9:41 AM
To: Bret Walker
Cc: FreeBSD Questions
Subject: Re: Pam_ldap


* Bret Walker <bret-walker at northwestern.edu> [1023 15:23]:
> I have ldap.conf in /etc/ and in /usr/local/etc/ldap.conf


The one in /etc isn't doing anything, so get rid of it.

The /usr/local/etc/ldap.conf should be holding the AD stuff
(what user to bind as, etc).

> I am able to log into the console as these users using the local
> password, but not using the ldap password.  All of my pam info is in
> /etc/pam.conf, I don't have /etc/pam.d.

Then you're on 4.X, right? Shouldn't stop this working.

>
> sshd	auth	sufficient	pam_skey.so
> sshd	auth	sufficient	pam_opie.so		no_fake_prompts
> sshd	auth	sufficient	pam_unix.so		try_first_pass
> sshd	auth	sufficient	/usr/local/lib/pam_ldap.so	try_first_pass debug
> sshd	account	required	pam_unix.so
> sshd	password	required	pam_permit.so
> sshd	session	required	pam_permit.so
>
>
> All I see in the logs are messages saying:
> "error: PAM: User not known to the underlying authentication module"

Right, so sshd is using pam. That's something.

The error could mean several things, one of which is that the user doesn't
exist.

If you look through your ldap.conf, you  should have enough info to
pretend to be PAM.

use ldapsearch and try

ldapsearch -x -H "ldap://<host from ldap.conf>" -D "<binddn from ldap.conf>" -W \
  <pam_login_attribute from ldap.conf>=username

and enter the bindpw from ldap.conf

If you don't get the AD account back, then your ldap.conf is screwed.

> I'm pretty sure the ldap.conf files are correct, because I've followed
> the instructions from several places to the T.

"The nice thing about definitive LDAP howtos is there are so many to
choose from" :)

--
You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your
coat. - Bender Rasputin :: Jack of All Trades - Master of Nuns
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"
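The manual check Dick describes (pretend to be PAM with ldapsearch) and the misspelled directive Bret found, as an added example that is not part of either message: a small POSIX sh script that lints an ldap.conf for the directives pam_ldap needs for a simple-bind lookup, reports a same-length one-letter near miss such as "binddb" for "binddn", and prints the ldapsearch invocation to run by hand. The sample ldap.conf, its hostname, DNs, login attribute and the user name bwalker are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Lints an ldap.conf for the
# directives pam_ldap needs and prints the ldapsearch that reproduces the
# bind PAM will do. Every value in the sample file below is made up.

# Directives pam_ldap needs to bind and look a login name up.
REQUIRED_KEYS="host base binddn bindpw pam_login_attribute"

# conf_get FILE KEY: print the value of the first KEY directive in FILE
# (empty if absent). Comment lines start with '#' so never match a key.
conf_get() {
    awk -v key="$2" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# lint_ldap_conf FILE: one line per missing required directive. When a
# directive of the same length differing in exactly one character is
# present (the "binddb" case), it is named as the likely typo.
# Returns 1 if anything is missing, 0 otherwise.
lint_ldap_conf() {
    rc=0
    for key in $REQUIRED_KEYS; do
        if [ -z "$(conf_get "$1" "$key")" ]; then
            near=$(awk -v k="$key" '
                function ham(a, b,    i, d) {
                    if (length(a) != length(b)) return -1
                    d = 0
                    for (i = 1; i <= length(a); i++)
                        if (substr(a, i, 1) != substr(b, i, 1)) d++
                    return d
                }
                $1 != "" && $1 !~ /^#/ && ham($1, k) == 1 { n = n (n ? " " : "") $1 }
                END { print n }' "$1")
            msg="missing: $key"
            [ -n "$near" ] && msg="$msg (found $near instead?)"
            echo "$msg"
            rc=1
        fi
    done
    return $rc
}

# build_ldapsearch FILE USER: print the ldapsearch that binds as binddn
# (simple bind, hence -x) and searches base for USER by pam_login_attribute.
# -W prompts for bindpw instead of putting it on the command line.
build_ldapsearch() {
    host=$(conf_get "$1" host)
    base=$(conf_get "$1" base)
    dn=$(conf_get "$1" binddn)
    attr=$(conf_get "$1" pam_login_attribute)
    printf "ldapsearch -x -H 'ldap://%s' -b '%s' -D '%s' -W '(%s=%s)'\n" \
        "$host" "$base" "$dn" "$attr" "$2"
}

# Constructed sample in the shape of the thread's ldap.conf, typo included.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample ldap.conf (placeholder values)
host dc1.example.com
base dc=example,dc=com
binddb cn=pamreader,cn=Users,dc=example,dc=com
bindpw placeholder-password
pam_login_attribute sAMAccountName
EOF

# The same file with the directive spelled correctly.
FIXED=$(mktemp)
sed 's/^binddb /binddn /' "$SAMPLE" > "$FIXED"

echo "--- lint of the file with the typo:"
lint_ldap_conf "$SAMPLE" || echo "fix ldap.conf before going further"
echo "--- lint of the corrected file, then the command to run by hand:"
lint_ldap_conf "$FIXED" && build_ldapsearch "$FIXED" bwalker
```

Run the printed command and type bindpw at the -W prompt. No entry coming back means the bind account, base or login attribute is wrong, and a lookup that fails that way is one of the causes of the "User not known to the underlying authentication module" message. Since ldap.conf also holds bindpw, the binddn should be a least-privilege read-only account rather than an administrator.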