# LDAP authentication broken on 10.2



## Oko (Aug 25, 2015)

I need LDAP authentication on one of my file servers which was just updated to 10.2. I wasted a solid 4 hours trying to troubleshoot why authentication, which works on FreeNAS and worked earlier, doesn't work.

Edited files and directories:

OpenLDAP client configuration:

/usr/local/etc/openldap/certs
/usr/local/etc/openldap/ldap.conf

pam_ldap configuration:

/usr/local/etc/ldap.conf

nss_ldap configuration:

/usr/local/etc/nss_ldap.conf (which looks identical to /usr/local/etc/ldap.conf)

/etc/pam.d/sshd configuration


```
# auth
auth            required        pam_nologin.so                  no_warn
auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so               no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn
#auth           sufficient      pam_krb5.so                     no_warn try_first_pass
#auth           sufficient      pam_ssh.so                      no_warn try_first_pass
auth            required        pam_unix.so                     no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so                      want_agent
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so                     no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
password        required        pam_unix.so                     no_warn try_first_pass
```

/etc/nsswitch.conf 


```
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```


/etc/ssh/sshd_config

```
ChallengeResponseAuthentication yes
UsePAM yes
```

I restarted the nsswitch and sshd daemons. I have no problem getting results from `ldapsearch`, and `id` and `getent group` work as expected. When I try to ssh with an LDAP account:


```
predrag@lop1$ ssh predrag@uranus
Connection closed by 192.168.6.3
```

To make matters worse, even login with the local administrative account, both password and passwordless, stopped working.

Any clues?


----------
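The stack in Oko's /etc/pam.d/sshd above is easiest to reason about by walking it the way OpenPAM (FreeBSD's PAM implementation) does. The following is an added example, not code from the thread or from FreeBSD: a small Python model of OpenPAM's dispatch rules (required, requisite, sufficient, optional, plus the generic `ignore_authinfo_unavail` and `ignore_unknown_user` options that turn those two errors into PAM_IGNORE). Module outcomes are not obtained from real modules; they are constructed per scenario, including the assumption that a user with no OPIE key makes pam_opie report PAM_AUTHINFO_UNAVAIL and pam_opieaccess (with `allow_local`) report success. The model shows which module each user is actually accepted by, that the chain as written falls through to pam_unix for a local account even when pam_ldap fails or the LDAP server is unreachable, and what changes if pam_ldap were made `required` in the account chain without the ignore options. It cannot model a module that hangs or crashes inside sshd, so it does not by itself explain the "Connection closed" in the post.

```python
"""Model of OpenPAM chain dispatch, applied to the auth/account chains from the
post.  Added example; outcomes per module are constructed, not real."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"

# Constructed copy of the auth and account sections posted above (comments dropped).
SSHD_PAM = """
auth    required   pam_nologin.so    no_warn
auth    sufficient pam_opie.so       no_warn no_fake_prompts
auth    requisite  pam_opieaccess.so no_warn allow_local
auth    sufficient /usr/local/lib/pam_ldap.so no_warn
auth    required   pam_unix.so       no_warn try_first_pass
account required   pam_nologin.so
account required   pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
account required   pam_unix.so
"""

# Hypothetical stricter variant: pam_ldap 'required' in the account chain, no ignore_* options.
STRICT_ACCOUNT = SSHD_PAM.replace(
    "account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user",
    "account required   /usr/local/lib/pam_ldap.so no_warn")


def parse_chain(text, facility):
    """Return [(control, module_basename, options)] for one facility (auth, account, ...)."""
    chain = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fac, control, module, *opts = line.split()
        if fac == facility:
            chain.append((control, module.rsplit("/", 1)[-1], set(opts)))
    return chain


def dispatch(chain, outcomes):
    """Walk a chain the way openpam_dispatch() does.

    outcomes maps module basename -> return code for this scenario.
    Returns (final_code, modules_consulted_in_order)."""
    err = None
    consulted = []
    for control, module, opts in chain:
        r = outcomes[module]
        consulted.append(module)
        # OpenPAM's generic options convert these two errors into PAM_IGNORE.
        if r == PAM_AUTHINFO_UNAVAIL and "ignore_authinfo_unavail" in opts:
            r = PAM_IGNORE
        if r == PAM_USER_UNKNOWN and "ignore_unknown_user" in opts:
            r = PAM_IGNORE
        if r == PAM_IGNORE:
            continue
        if r == PAM_SUCCESS:
            if control == "sufficient":
                break          # chain ends; an earlier required failure still wins
            continue
        # failure
        if control == "requisite":
            return r, consulted          # stop immediately with this error
        if control == "required" and err is None:
            err = r                      # remember first required failure, keep walking
        # sufficient/optional failures are ignored
    return (err or PAM_SUCCESS), consulted


def evaluate(facility, outcomes, pam_text=SSHD_PAM):
    return dispatch(parse_chain(pam_text, facility), outcomes)


# Constructed scenarios (no module is actually called).
COMMON = {"pam_nologin.so": PAM_SUCCESS, "pam_login_access.so": PAM_SUCCESS,
          "pam_opie.so": PAM_AUTHINFO_UNAVAIL, "pam_opieaccess.so": PAM_SUCCESS}
LDAP_USER = {**COMMON, "pam_ldap.so": PAM_SUCCESS, "pam_unix.so": PAM_AUTH_ERR}
LOCAL_USER = {**COMMON, "pam_ldap.so": PAM_USER_UNKNOWN, "pam_unix.so": PAM_SUCCESS}
LOCAL_USER_LDAP_DOWN = {**COMMON, "pam_ldap.so": PAM_AUTHINFO_UNAVAIL, "pam_unix.so": PAM_SUCCESS}

if __name__ == "__main__":
    for name, outcomes in [("LDAP user", LDAP_USER), ("local user", LOCAL_USER),
                           ("local user, LDAP down", LOCAL_USER_LDAP_DOWN)]:
        for fac in ("auth", "account"):
            code, seen = evaluate(fac, outcomes)
            print(f"{name:22s} {fac:8s} -> {code:21s} via {' '.join(seen)}")
    code, _ = evaluate("account", LOCAL_USER_LDAP_DOWN, STRICT_ACCOUNT)
    print("strict account chain, local user, LDAP down ->", code)
```

The last line of output is the availability trap worth knowing when moving pam_ldap to `required`: without `ignore_authinfo_unavail`, an unreachable directory fails the account chain for every local user, which is precisely the lockout the `sufficient` line with both ignore options avoids.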



## Crest (Aug 27, 2015)

Which NSS and PAM module are you using? Is nslcd running?


----------



## Oko (Aug 28, 2015)

Crest said:


> Which NSS and PAM module are you using? Is nslcd running?


Such a daemon doesn't exist on FreeBSD. FreeBSD has the `nscd` daemon, but I don't see it mentioned anywhere in the official documentation.

https://www.freebsd.org/doc/en/articles/ldap-auth/client.html


----------



## Crest (Aug 28, 2015)

It's part of the net/nss-pam-ldapd / net/nss-pam-ldapd-sasl port. Don't use the old security/pam_ldap and net/nss_ldap modules. They were abandoned years ago by their upstream and suffer from several severe design errors. nslcd breaks the LDAP PAM and NSS modules into two parts. One part is a daemon handling all the heavy work, and the other is a pair of small shims querying the daemon over a unix domain socket to implement the NSS and PAM interfaces.


----------



## Oko (Aug 28, 2015)

Crest said:


> It's part of the net/nss-pam-ldapd / net/nss-pam-ldapd-sasl port. Don't use the old security/pam_ldap and net/nss_ldap modules. They were abandoned years ago by their upstream and suffer from several severe design errors. nslcd breaks the LDAP PAM and NSS modules into two parts. One part is a daemon handling all the heavy work, and the other is a pair of small shims querying the daemon over a unix domain socket to implement the NSS and PAM interfaces.


Thanks for the info! However, I am deeply disturbed that I am learning about the above issues from a forum rather than from the official documentation. Where are those things documented?


----------

