Trouble with LDAP-authentication to Apple Open Directory
Aleksander Steffensen
post at stmm.no
Thu May 26 12:13:34 UTC 2011
Hello!
Yesterday I finally managed to get my FreeBSD 8.2-STABLE box to actually authenticate to the Xserve, running Open Directory on Mac OS X 10.5 Server. I was able to log in to the FreeBSD box (egil.kreativsone.no) as a directory user via SSH and also via netatalk.
Unfortunately, after a while, it stopped working. I can't remember doing anything at all... As far as I know, I made no changes in the configuration either on the Xserve or on the FreeBSD box. This is what happens when I try to log in via SSH.
> mp-aleks:~ aleksander$ ssh alekstef at egil.kreativsone.no
> Password:
> alekstef at egil.kreativsone.no's password:
> Connection closed by 192.168.3.6
Notice that I enter the password once, and then it asks for the password once more, but it won't accept the password. Here is the auth.log on egil.kreativsone.no:
> May 26 13:18:24 egil sshd[5347]: error: PAM: user account has expired for alekstef from 192.168.3.16
> May 26 13:18:28 egil sshd[5347]: Failed password for alekstef from 192.168.3.16 port 62114 ssh2
I know for a fact that the user account is not expired in Open Directory. I have also checked the logs on the Xserve, but can't find anything relevant to the problem, so I assume the problem is on the FreeBSD box. Here's the part of my nss_ldap.conf file on egil.kreativsone.no that is not commented out. Everything else is the default:
> host jangunnar.kreativsone.no
> base dc=jangunnar,dc=kreativsone,dc=no
>
> ldap_version 3
> port 389
> scope one
> bind_policy soft
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
>
> pam_groupdn cn=lagring,cn=groups,dc=jangunnar,dc=kreativsone,dc=no
> pam_member_attribute memberUid
>
> pam_password crypt
> nss_base_passwd cn=users,dc=jangunnar,dc=kreativsone,dc=no?one
> nss_base_shadow cn=users,dc=jangunnar,dc=kreativsone,dc=no?one
> nss_base_group cn=groups,dc=jangunnar,dc=kreativsone,dc=no?one
> ssl off
I tried commenting out the pam_groupdn and pam_member_attribute lines with no success. I was hoping to restrict login to the group "lagring", but it didn't seem to work.
/etc/pam.d/sshd:
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth sufficient /usr/local/lib/pam_ldap.so no_warn
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> account required pam_login_access.so
> account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
> account required pam_unix.so
>
> # session
> session required pam_permit.so
>
> # password
> password required pam_unix.so no_warn try_first_pass
/etc/pam.d/netatalk:
> auth sufficient /usr/local/lib/pam_ldap.so no_warn
> auth include system
> account include system
> password include system
> session include system
> account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
I really need to get this working again. Any help is highly appreciated. Please ask if you need more information. Thanks!
Best regards,
Aleksander Steffensen
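The "PAM: user account has expired" line in the auth.log above is sshd reporting that some module in the account phase returned PAM_ACCT_EXPIRED. With nss_base_shadow pointing at the LDAP users container, that verdict is computed from the shadowAccount attributes of the directory entry, and the pam_groupdn/pam_member_attribute settings add a separate membership test. The following Python is an added example, not code from the original post or from pam_ldap/nss_ldap; it models the shadow(5) account rules (shadowExpire, shadowLastChange, shadowMax, shadowInactive) and the memberUid group check over constructed entries so that a reader can see which attribute values produce which PAM result. The mapping of conditions to PAM return codes, the treatment of an empty or 0 shadowExpire as "no expiry", and all entry values are assumptions made for the example.

```python
"""Model of the PAM account-phase checks applied to an LDAP shadowAccount
entry (shadow(5) semantics) plus a pam_groupdn-style membership test.
This is an illustrative reimplementation, not pam_ldap's own code; the
entries below are constructed for the example."""

import datetime

EPOCH = datetime.date(1970, 1, 1)


def days_since_epoch(day):
    """shadow* attributes are expressed in days since 1970-01-01 (UTC)."""
    return (day - EPOCH).days


def _int_attr(entry, name):
    """Return an attribute as int, or None when absent or empty.
    In shadow(5) an empty field means 'not enforced'."""
    val = entry.get(name)
    if val in (None, "", []):
        return None
    if isinstance(val, list):
        val = val[0]
    return int(val)


def evaluate_account(entry, today, group=None, member_attr="memberUid"):
    """Return (pam_result, reason) for one user entry.

    Order of checks mirrors how a shadow-aware account module reasons:
    1. account expiry (shadowExpire)      -> PAM_ACCT_EXPIRED
    2. password ageing (LastChange/Max)   -> PAM_NEW_AUTHTOK_REQD,
       or PAM_ACCT_EXPIRED once shadowInactive is also exceeded
    3. optional group restriction         -> PAM_PERM_DENIED
    Assumption: shadowExpire <= 0 is treated as 'never expires'."""
    expire = _int_attr(entry, "shadowExpire")
    if expire is not None and expire > 0 and today > expire:
        return "PAM_ACCT_EXPIRED", (
            f"shadowExpire={expire} is before today={today}")

    last = _int_attr(entry, "shadowLastChange")
    max_days = _int_attr(entry, "shadowMax")
    inactive = _int_attr(entry, "shadowInactive")
    if last is not None and max_days is not None:
        if last == 0:
            return "PAM_NEW_AUTHTOK_REQD", "shadowLastChange=0 forces a change"
        if inactive is not None and today > last + max_days + inactive:
            return "PAM_ACCT_EXPIRED", (
                "password expired and shadowInactive grace period exceeded")
        if today > last + max_days:
            return "PAM_NEW_AUTHTOK_REQD", "password older than shadowMax"

    if group is not None:
        members = group.get(member_attr, [])
        if entry["uid"] not in members:
            return "PAM_PERM_DENIED", (
                f"{entry['uid']} not listed in {member_attr} of {group['dn']}")

    return "PAM_SUCCESS", "account is valid"


# Constructed sample data (hypothetical users and group, not the poster's).
TODAY = days_since_epoch(datetime.date(2011, 5, 26))

GROUP = {"dn": "cn=lagring,cn=groups,dc=example,dc=invalid",
         "memberUid": ["alice", "bob"]}

USERS = {
    # healthy entry: no expiry set, password far from ageing out
    "alice": {"uid": "alice", "shadowLastChange": "15000", "shadowMax": "99999"},
    # shadowExpire set to a day already in the past
    "bob": {"uid": "bob", "shadowExpire": "15000"},
    # password must be changed before the account is usable again
    "carol": {"uid": "carol", "shadowLastChange": "0", "shadowMax": "90",
              "memberUid": []},
    # valid shadow data but not a member of the restricting group
    "dave": {"uid": "dave", "shadowLastChange": "15100", "shadowMax": "90"},
}


def run_examples(today=TODAY, group=GROUP):
    """Evaluate every sample user; returns {uid: pam_result}."""
    return {uid: evaluate_account(entry, today, group)[0]
            for uid, entry in USERS.items()}


if __name__ == "__main__":
    for uid, entry in USERS.items():
        result, why = evaluate_account(entry, TODAY, GROUP)
        print(f"{uid:6} {result:22} {why}")
```

Run against a real entry, the useful check is to pull the same attributes with ldapsearch from the FreeBSD host as the nss_ldap bind identity and feed them through this function for today's date: if it reports PAM_ACCT_EXPIRED while the directory's own view says the account is active, the two sides are disagreeing on the shadow attribute values (or their units) rather than on the password.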