Hi list,
I tried to follow http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/article.html all the way through on a pretty clean server.
I think it seemed to work until I tried to configure the LDAP server for samba too. But I'm not sure. The database I configured can be accessed by e.g. phpldapadmin.
When I try to log in through SSH as tuser, nothing is logged in /var/log/slapd.log. On the other hand, /var/log/auth.log shows:
I figure the following configuration files are the most essential:
I tried to follow http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/article.html all the way through on a pretty clean server.
I think it seemed to work until I tried to configure the LDAP server for samba too. But I'm not sure. The database I configured can be accessed by e.g. phpldapadmin.
When I try to log in through SSH as tuser, nothing is logged in /var/log/slapd.log. On the other hand, /var/log/auth.log shows:
Connection from 192.168.1.31 port 48874
Apr 1 20:38:42 myserver sshd[2448]: Invalid user tuser from 192.168.1.31
Apr 1 20:38:42 myserver sshd[2450]: in openpam_dispatch(): pam_nologin.so: no pam_sm_authenticate()
Apr 1 20:38:54 myserver sshd[2448]: error: PAM: authentication error for illegal user tuser from ldap.mfl.dk
Apr 1 20:38:54 myserver sshd[2448]: Failed keyboard-interactive/pam for invalid user tuser from 192.168.1.31 port 48874 ssh2
Apr 1 20:38:54 myserver sshd[2451]: in openpam_dispatch(): pam_nologin.so: no pam_sm_authenticate()
Apr 1 20:38:58 myserver sshd[2448]: error: PAM: authentication error for illegal user tuser from ldap.mfl.dk
Apr 1 20:38:58 myserver sshd[2448]: Failed keyboard-interactive/pam for invalid user tuser from 192.168.1.31 port 48874 ssh2
Apr 1 20:38:58 myserver sshd[2452]: in openpam_dispatch(): pam_nologin.so: no pam_sm_authenticate()
Apr 1 20:39:00 myserver sshd[2448]: error: PAM: authentication error for illegal user tuser from ldap.mfl.dk
Apr 1 20:39:00 myserver sshd[2448]: Failed keyboard-interactive/pam for invalid user tuser from 192.168.1.31 port 48874 ssh2
/usr/local/etc/openldap/slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable (it holds the rootpw hash and
# names the TLS private key).
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#loglevel 8
# NOTE(review): per slapd.conf(5) "logfile" only receives slapd debug output
# (slapd -d ...); the messages selected by "loglevel" go to syslog (facility
# LOCAL4 by default).  An empty slapd.log therefore does not by itself mean
# that no LDAP traffic arrived -- check where syslogd sends local4.
logfile /var/log/slapd.log
#loglevel 256
# 512 is "stats2" (entries sent) only.  Connections, binds, operations and
# their results are logged by 256 ("stats"); with 512 alone a bind or a
# search that returns nothing leaves no trace.  Use 256 while troubleshooting.
loglevel 512
# Every operation must run over a channel of strength >= 128 bits, i.e.
# START_TLS (or ldaps) must have succeeded before the bind is accepted;
# a client that fails TLS is refused rather than falling back to cleartext.
security ssf=128
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/ssl/ldap-server-one.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap-server-one.key
# root.crt is the CA slapd trusts; the client-side TLS_CACERT in ldap.conf
# should point at the same CA rather than at the server's own certificate.
TLSCACertificateFile /usr/local/etc/openldap/ssl/root.crt
#TLSVerifyClient demand
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# ACLs are evaluated in order and the first "access to" whose target matches
# the entry wins (slapd.access(5)).  Only userPassword is shielded here:
# because samba.schema is loaded, any Samba password attributes stored on
# an account (sambaLMPassword, sambaNTPassword, sambaPwdHistory) fall under
# the catch-all "access to * ... by * read" below and become readable by
# everyone, anonymous binds included.  Those hashes are password-equivalent
# and belong in this same attrs= list with "by * none".
access to dn.subtree="ou=People,dc=example,dc=com"
attrs=userPassword
by self write
by anonymous auth
by * none
# "access to *" matches every entry, so no ACL written after this clause is
# ever consulted.  Note also that "by * read" grants anonymous read of the
# whole tree (all attributes except userPassword).
access to *
by self write
by * read
# Dead configuration: everything from here to the "allow" line is shadowed by
# the "access to *" clause above and never applies.  Delete it, or move the
# homeDirectory/uidNumber/gidNumber rule ahead of the catch-all if it is
# meant to matter.
access to dn.subtree="ou=People,dc=example,dc=com"
attrs=userPassword
by self write
by anonymous auth
by * none
access to attrs=homeDirectory,uidNumber,gidNumber
by * read
access to *
by self write
by * read
# Loosened bind rules (slapd.conf(5)): bind_v2 enables LDAPv2 binds,
# bind_anon_cred / bind_anon_dn accept malformed anonymous binds, and
# update_anon lets *anonymous* clients attempt update operations (still
# subject to the ACLs above).  None of these is needed for PAM/NSS lookups;
# drop the line unless a specific client is known to require one of them.
allow bind_v2 bind_anon_cred bind_anon_dn update_anon
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix dc=example,dc=com
rootdn cn=Manager,dc=example,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}verysecret
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
/usr/local/etc/openldap/ldap.conf:
# libldap client defaults: read by ldapsearch(1) and by every program that
# links libldap (pam_ldap and nss_ldap included), see ldap.conf(5).
BASE dc=example,dc=com
URI ldap://ldap.example.com
# NOTE(review): "SSL", "PAM_LOGIN_ATTRIBUTE" and "NSS_INITGROUPS_IGNOREUSERS"
# are pam_ldap/nss_ldap keywords, not libldap ones; libldap appears to skip
# directives it does not know, so this line has no effect here (START_TLS
# for ldapsearch is requested with -ZZ).
SSL START_TLS
# TLS_CACERT should name the CA that issued the server certificate -- slapd
# itself trusts root.crt -- not the server's own leaf certificate.  Pointing
# it at the leaf only works if that certificate is self-signed; confirm
# before tightening TLS_REQCERT.
TLS_CACERT /usr/local/etc/openldap/ssl/ldap-server-one.crt
# "TLSCACertificateFile" is a slapd.conf directive; in ldap.conf the
# equivalent is TLS_CACERT above, so this line is presumably ignored.
TLSCACertificateFile /usr/local/etc/openldap/ssl/root.crt
# "never" turns off verification of the server certificate: the client will
# complete START_TLS with, and send the bind password to, whatever answers as
# ldap.example.com.  Once TLS_CACERT is correct, set "TLS_REQCERT demand".
TLS_REQCERT never
#PAM_LOGIN_ATTRIBUTE uid
#NSS_INITGROUPS_IGNOREUSERS root,ldap
/usr/local/etc/ldap.conf:
# pam_ldap configuration (this is the path the FreeBSD port's pam_ldap reads).
BASE dc=example,dc=com
URI ldap://ldap.example.com
# Requests START_TLS before the bind; the server's "security ssf=128"
# refuses the bind otherwise, so a TLS failure shows up as a bind failure.
SSL START_TLS
# Should name the issuing CA (slapd trusts root.crt), not the server's leaf
# certificate -- see the note in openldap/ldap.conf.
TLS_CACERT /usr/local/etc/openldap/ssl/ldap-server-one.crt
# slapd.conf directive, presumably ignored by pam_ldap.
TLSCACertificateFile /usr/local/etc/openldap/ssl/root.crt
# NOTE(review): TLS_REQCERT is a libldap keyword; pam_ldap's own switch for
# server-certificate checking is "tls_checkpeer" (with "tls_cacertfile").
# Whichever one is honoured, leaving verification off means the user's
# password is handed to any host that answers as ldap.example.com; enable
# peer verification once the CA file is right.
TLS_REQCERT never
#PAM_LOGIN_ATTRIBUTE uid
#NSS_INITGROUPS_IGNOREUSERS root,ldap
/usr/local/nss_ldap.conf:
# nss_ldap configuration.  NOTE(review): sshd's "Invalid user tuser" in
# auth.log means getpwnam() did not return the account, i.e. the NSS lookup
# failed before PAM was consulted.  Verify that this file lives at the path
# the installed nss_ldap actually reads (conventionally under
# /usr/local/etc/) and that /etc/nsswitch.conf lists "ldap" for passwd and
# group; "getent passwd tuser" should succeed before ssh logins can.
BASE dc=example,dc=com
URI ldap://ldap.example.com
SSL START_TLS
# Should name the issuing CA (slapd trusts root.crt); see openldap/ldap.conf.
TLS_CACERT /usr/local/etc/openldap/ssl/ldap-server-one.crt
# slapd.conf directive, presumably ignored here.
TLSCACertificateFile /usr/local/etc/openldap/ssl/root.crt
# Disables server-certificate verification for NSS lookups (a libldap
# keyword; nss_ldap's own setting is tls_checkpeer).  Tighten once the CA
# file is correct.
TLS_REQCERT never
# pam_ldap setting; harmless in the nss_ldap file.
PAM_LOGIN_ATTRIBUTE uid
#NSS_INITGROUPS_IGNOREUSERS root,ldap
# "?one" limits each lookup to direct children of the named OU.  Newer
# nss_ldap releases accept repeated nss_base_passwd lines; confirm the
# installed port does, otherwise only one of the two takes effect.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_passwd ou=Computers,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=Groups,dc=example,dc=com?one
/etc/pam.d/sshd:
# auth
# pam_nologin(8) implements only the account-management function.  Listing
# it in the auth chain is what produces the "pam_nologin.so: no
# pam_sm_authenticate()" lines in auth.log; OpenPAM appears to log and skip
# the entry, so it is noise rather than the cause of the failure, but the
# line does not belong here -- the "account" entry below is the right place.
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
# "sufficient": a successful LDAP bind ends the chain; on failure control
# falls through to pam_unix below.  sshd had already classified tuser as an
# invalid user before PAM ran (auth.log), which is most likely an NSS lookup
# problem and cannot be fixed from this chain.
auth sufficient /usr/local/lib/pam_ldap.so no_warn
# try_first_pass reuses the password already collected, so the user is not
# prompted a second time when the LDAP bind fails.
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so
# ignore_authinfo_unavail / ignore_unknown_user keep local accounts usable
# when the LDAP server is unreachable or the user is not an LDAP user.
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
# session
session required pam_permit.so
# password
# Only pam_unix is in the password chain, so password changes made through
# this service will not reach LDAP users' entries.
password required pam_unix.so no_warn try_first_pass
/etc/ssh/sshd_config:
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
# Root may log in directly, and with PasswordAuthentication enabled below
# that exposes the root password to online guessing from every address that
# can reach port 22.  Prefer "no" (use su/sudo from an ordinary account) or
# restrict root to key-based logins.
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
# RSAAuthentication is a protocol-1 option; with "Protocol 2" below it has
# no effect.
RSAAuthentication no
#PubkeyAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication no
# Both "password" and, via ChallengeResponseAuthentication + UsePAM,
# "keyboard-interactive" are offered; the auth.log excerpt shows the latter
# ("keyboard-interactive/pam").  Either way sshd resolves the user through
# NSS first and rejects unknown users before the PAM stack can succeed.
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
IgnoreRhosts yes
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
PermitEmptyPasswords no
GatewayPorts no
# Consider "no" unless port forwarding through this host is actually needed.
AllowTcpForwarding yes
# Older spelling of TCPKeepAlive; still accepted as an alias.
KeepAlive yes
Protocol 2
UsePrivilegeSeparation yes
# sshd_config(5) warns that DEBUG-level logging violates the privacy of
# users; fine while troubleshooting, but return to INFO (or VERBOSE)
# afterwards.
LogLevel DEBUG
X11Forwarding no
SyslogFacility AUTH
# Binds every IPv4 address; IPv6 is not listened on with this setting.
ListenAddress 0.0.0.0