LDAP authenticate broken on 10.2

I need LDAP authentication on one of my file servers, which was just updated to 10.2. I wasted a solid 4 hours trying to troubleshoot why authentication, which works on FreeNAS and worked earlier, doesn't work.

Edited files and directories:

OpenLDAP client configuration:

/usr/local/etc/openldap/certs
/usr/local/etc/openldap/ldap.conf

pam_ldap configuration:

/usr/local/etc/ldap.conf

nss_ldap configuration:

/usr/local/etc/nss_ldap.conf (which looks identical to /usr/local/etc/ldap.conf)

/etc/pam.d/sshd configuration

Code:
# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session                optional        pam_ssh.so              want_agent
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_ldap.so              no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

/etc/nsswitch.conf

Code:
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files


/etc/ssh/sshd_config
Code:
ChallengeResponseAuthentication yes
UsePAM yes

I restarted the nsswitch and sshd daemons. I have no problem getting results from ldapsearch, id and getent group; they work as expected. When I try to ssh with an LDAP account

Code:
predrag@lop1$ ssh predrag@uranus
Connection closed by 192.168.6.3

To make matters worse, even login with the local administrative account, both with a password and passwordless, stopped working.

Any clues?
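One check worth running before touching the LDAP side: confirm that every module named in /etc/pam.d/sshd still exists on disk after the upgrade. OpenPAM refuses to start a service whose chain names a module it cannot load, and sshd with UsePAM yes runs the PAM account stage for key logins as well, so a single stale module path can close the connection for every account, local ones included. The script below is an added example, not code from the thread; the scratch paths and the pam.d contents used to exercise it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: lint a FreeBSD pam.d service file for
# PAM modules that cannot be found on disk. OpenPAM will not start a service
# whose chain names a module it cannot load, so one stale module path (for
# example a pam_ldap.so that did not survive the 10.2 upgrade) can take the
# local-password and key logins down together with the LDAP one, which is
# consistent with "Connection closed by ..." for every account.

# Relative module names resolve against this directory on FreeBSD.
# Overridable so the check can be run against a scratch tree.
PAM_LIBDIR="${PAM_LIBDIR:-/usr/lib}"

# pam_check_modules FILE
# Prints one "MISSING ..." line per unresolvable module and returns the
# number of missing modules, so 0 means every module in the chain exists.
pam_check_modules() {
    file="$1"
    missing=0
    # Each active line is: type control module [module-args...]
    while read -r ptype control module rest; do
        case "$ptype" in
            '' | '#'*) continue ;;       # blank line or comment
        esac
        # "include" lines name another pam.d service, not a module file.
        if [ "$control" = "include" ]; then
            continue
        fi
        case "$module" in
            /*) path="$module" ;;
            *)  path="$PAM_LIBDIR/$module" ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $ptype $control $module -> $path"
            missing=$((missing + 1))
        fi
    done < "$file"
    return "$missing"
}

# Usage: sh pam_check.sh /etc/pam.d/sshd
if [ $# -gt 0 ]; then
    pam_check_modules "$1" || echo "$? unresolvable module(s) in $1" >&2
fi
```

If the lint is clean, the next step is to watch the PAM errors directly: run a second sshd in the foreground with `/usr/sbin/sshd -d -p 2222` and log in against that port, which prints the module that fails instead of just closing the connection.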
 
It's part of the net/nss-pam-ldapd / net/nss-pam-ldapd-sasl port. Don't use the old security/pam_ldap and net/nss_ldap modules. They were abandoned years ago by their upstream and suffer from several severe design errors. nslcd breaks the LDAP PAM and NSS modules into two parts. One part is a daemon handling all the heavy work and the other are small shims querying the daemon over a unix domain socket to implement the NSS and PAM interface.
 
It's part of the net/nss-pam-ldapd / net/nss-pam-ldapd-sasl port. Don't use the old security/pam_ldap and net/nss_ldap modules. They were abandoned years ago by their upstream and suffer from several severe design errors. nslcd breaks the LDAP PAM and NSS modules into two parts. One part is a daemon handling all the heavy work and the other are small shims querying the daemon over a unix domain socket to implement the NSS and PAM interface.
Thanks for the info! However, I am deeply disturbed that I am learning about the above issues from a forum rather than from the official documentation. Where are those things documented?
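The reply above recommends nss-pam-ldapd, where nslcd does all the LDAP work and the PAM and NSS modules are thin shims over its unix socket. That moves the whole client-side trust configuration (server URI, bind DN and password, CA certificate) into one file, nslcd.conf, so that file is what needs to be both correct and protected. The script below is an added example, not code from the thread or from the nss-pam-ldapd port: it writes an nslcd.conf, refuses a plaintext ldap:// URI, pins certificate checking to demand, and creates the file 0600 before the bind password is written into it. The hostname, DNs, the nslcd user and group, and the CA bundle path are assumptions to replace with your own; the `install` branch also assumes the port installs its shims as /usr/local/lib/pam_ldap.so and nss_ldap.so.1 (check the port's pkg-plist), so the pam.d and nsswitch.conf lines from the first post can stay as they are.

```shell
#!/bin/sh
# Added example, not from the thread or the nss-pam-ldapd port: write the
# nslcd.conf that net/nss-pam-ldapd reads and lock it down. nslcd does the
# LDAP work as a daemon; the pam_ldap.so/nss_ldap.so shims only talk to it
# over its unix socket, so this file (URI, bind DN, bind password, CA) is the
# whole client-side trust configuration. Hostnames, DNs, the nslcd user/group
# and the CA path below are placeholders for your own directory.

NSLCD_CONF="${NSLCD_CONF:-/usr/local/etc/nslcd.conf}"

# write_nslcd_conf DEST URI BASE BINDDN BINDPW CACERT
# Refuses anything but an ldaps:// URI (returns 2): the bind password is sent
# on every connection nslcd opens, so it must never cross the wire in the
# clear, and tls_reqcert demand makes a spoofed server fail the handshake
# instead of harvesting that password.
write_nslcd_conf() {
    dest="$1" uri="$2" base="$3" binddn="$4" bindpw="$5" cacert="$6"
    case "$uri" in
        ldaps://*) ;;
        *) echo "refusing non-ldaps URI: $uri" >&2; return 2 ;;
    esac
    # Subshell umask: the file is created 0600, so the password is never
    # readable by other users even for an instant.
    (
        umask 077
        cat > "$dest" <<EOF
# nslcd.conf: holds a bind password, keep it root-owned and mode 0600.
uid nslcd
gid nslcd
uri $uri
base $base
binddn $binddn
bindpw $bindpw
ssl on
tls_reqcert demand
tls_cacertfile $cacert
scope sub
filter passwd (objectClass=posixAccount)
filter group (objectClass=posixGroup)
EOF
    )
    chmod 0600 "$dest"
}

# nslcd_conf_mode FILE: prints the permission string, e.g. -rw-------
nslcd_conf_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage: BINDPW='secret' sh nslcd_setup.sh install
# Assumed names: the server, the proxy user DN and the CA bundle path.
if [ "$1" = "install" ]; then
    write_nslcd_conf "$NSLCD_CONF" \
        "ldaps://ldap.example.com/" \
        "dc=example,dc=com" \
        "cn=proxyuser,ou=system,dc=example,dc=com" \
        "${BINDPW:?set BINDPW in the environment}" \
        "/usr/local/etc/openldap/certs/ca.crt"
    # nsswitch.conf keeps "passwd: files ldap" / "group: files ldap" and
    # pam.d keeps /usr/local/lib/pam_ldap.so; only the daemon behind them
    # changes (assumption: confirm the paths against the port's pkg-plist).
    sysrc nslcd_enable=YES
    service nslcd start
    # Then verify resolution goes through the daemon, e.g.:
    #   getent passwd someldapuser
fi
```

Keeping the password out of the shell history is the reason the `install` branch reads BINDPW from the environment rather than from an argument; after the first run, check `nslcd_conf_mode /usr/local/etc/nslcd.conf` prints `-rw-------` and that the file is owned by root, since nslcd reads it before dropping to the nslcd user.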
 