I need to get our freebsd FreeBSD servers to authenticate via AD, but it is giving me problems.
Environment: AD backend (Win 2k8r2). This works with Debian hosts which authenticate via SSSD, FreeBSD 9.1 for client servers.
I have configured everything I can think of, and I think it is correct, but when I try to log in with an AD account, it fails with:
So I know it is getting past the initial bind, as the DN it is bringing back is correct and has come from the AD server. When it then tries to bind with that DN it can't, which causes the authentication to fail. I have tested the test user's credentials on the AD server, using ldapsearch and even set it as the default bind DN in ldap.conf and it works for all tests.
I cannot for the life of me figure out why the initial bind works, but then the user's bind fails.
For reference, here are my config files:
/usr/local/etc/ldap.conf
/usr/local/etc/openldap/ldap.conf
/etc/pam.d/sshd
Environment: AD backend (Win 2k8r2). This works with Debian hosts which authenticate via SSSD, FreeBSD 9.1 for client servers.
I have configured everything I can think of, and I think it is correct, but when I try to log in with an AD account, it fails with:
Code:
pam_ldap: error trying to bind as user "CN=testuser,CN=Users,DC=example,DC=com" (Invalid credentials)So I know it is getting past the initial bind, as the DN it is bringing back is correct and has come from the AD server. When it then tries to bind with that DN it can't, which causes the authentication to fail. I have tested the test user's credentials on the AD server, using ldapsearch and even set it as the default bind DN in ldap.conf and it works for all tests.
I cannot for the life of me figure out why the initial bind works, but then the user's bind fails.
For reference, here are my config files:
/usr/local/etc/ldap.conf
Code:
pam_login_attribute uid
base dc=example,dc=com
uri ldap://xxx.xxx.xxx.xxx/
ssl no
binddn CN=ro_user,CN=Users,DC=example,DC=com
bindpw somerandompw/usr/local/etc/openldap/ldap.conf
Code:
pam_login_attribute uid
base dc=example,dc=com
uri ldap://xxx.xxx.xxx.xxx/
ssl no/etc/pam.d/sshd
Code:
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn debug
auth required pam_unix.so no_warn try_first_pass
account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
session required pam_permit.so
password required pam_unix.so no_warn try_first_pass