# LDAP authentication fails for users not in /etc/passwd

## dennyp (Oct 26, 2011)

Hi guys,

Relatively new to FreeBSD.  I'm trying to authenticate users logging in via SSH against Active Directory using pam_ldap.  It works fine when the user is in /etc/passwd, but authentication fails for users that are not.  A packet trace reveals the password sent to LDAP in the bindRequest is 08:0a:0d:7f:49:4e:43:4f:52:52:45:43:54 in hex or "....INCORRECT" in ASCII - hence the failure.

I've followed the LDAP configuration instructions at http://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html.  I'm sure it's something obvious but endless searches have not turned up anything for me.  Here's my /etc/pam.d/sshd for reference.


```
# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user

# session
session         required        pam_permit.so

# password
password        required        pam_unix.so             no_warn try_first_pass
```

Thanks
Denny


----------



## SirDice (Oct 26, 2011)

Make sure you also modify /etc/nsswitch.conf.


----------



## dennyp (Oct 27, 2011)

nsswitch.conf looks okay to me.  I've tried reversing the order of 'files ldap' to no avail


```
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```

Here's an excerpt from /var/log/messages following a login attempt.  Is there a way to increase the debug level?  debug 9 in /usr/local/etc/ldap.conf seemed to have no effect.


```
Oct 27 09:21:47 ciw-ns1 sshd[13289]: pam_ldap: error trying to bind as user "CN=Test User,OU=Users,DC=vmmodel,DC=local" (Invalid credentials)
Oct 27 09:21:47 ciw-ns1 sshd[13287]: error: PAM: authentication error for illegal user testuser from 10.1.2.3
```


----------



## kace (May 15, 2013)

Hi, I find myself in the exact same situation.  Trying to use an A.D. LDAP server for authentication for users in FreeBSD.  If the user is in the local /etc/passwd all is well. If not, user is called "illegal" and credentials are called invalid.  A log excerpt:


```
Apr 11 11:21:22 box sshd[34835]: pam_ldap: error trying to bind as user "CN=Schlub Jones,OU=Users,OU=Admin Users,OU=Users and Computers,OU=Springfield NOC,OU=CCI,DC=CORP,DC=EXAMPLE,DC=com" (Invalid credentials)
Apr 11 11:21:22 box sshd[34830]: error: PAM: authentication error for illegal user schlub from otherbox
Apr 11 11:21:22 box sshd[34830]: Failed keyboard-interactive/pam for invalid user schlub from 172.17.1.1 port 52407 ssh2
```

I tried nss_switch.conf, too, with no luck. Is there a way (outside of logging in) to verify that nss_switch/LDAP is working correctly?

Has anyone solved this particular issue?  Has anyone else run into it? Thanks for any thoughts.


----------



## melco (Oct 17, 2013)

If you ever face the same kind of issue with INCORRECT sent to LDAP instead of a/the password:

1. Check nss_ldap (`getent passwd user`, `id user`, etc.).
2. Make sure that the user shell specified for the user in LDAP is available on the client system (/etc/shells).

The second took me three days to figure out! All Linux systems work like a charm with /bin/bash, but in FreeBSD we have /usr/local/bin/bash. So `ln -s /usr/local/bin/bash /bin/bash` and adding it to /etc/shells fixed this problem for me.
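To answer kace's question about verifying nss_ldap without logging in, and to turn melco's two checks into something scriptable, here is an added example; it is not from the thread, nor from pam_ldap or nss_ldap. It is a POSIX sh script that resolves an account the way getent(1) does (through nsswitch.conf, so files then ldap on the setups above) and checks that the login shell the directory hands back is listed in /etc/shells. The sample /etc/shells contents and the passwd entries are constructed, as are the names `check_user`, `audit_user` and `demo_shells_file`; on a live box, call `audit_user testuser`.

```sh
#!/bin/sh
# Added example, not from the thread or from pam_ldap/nss_ldap.
# Pre-flight check for an LDAP-backed account on FreeBSD:
#   (1) does NSS resolve the user at all (nsswitch.conf + nss_ldap)?
#   (2) is the login shell returned by the directory listed in /etc/shells?
# These are the two conditions melco's post names.

# Login shell field (7th) of a passwd(5) entry.
passwd_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# 0 if shell $1 is listed in the shells(5) file $2. Comments and blank lines
# are ignored and the match is whole-line, so /bin/sh does not match /bin/csh.
shell_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -qx "$1"
}

# Verdict for one account.
#   $1 user name, $2 the passwd entry NSS returned (empty if unresolved),
#   $3 path to a shells(5) file.
# Exit status: 0 ok; 1 NSS did not resolve the user; 2 shell not listed in
# the shells file (the failure mode in this thread); 3 malformed entry.
check_user() {
    _user=$1
    _entry=$2
    _shells=$3
    [ -n "$_entry" ] || return 1
    _shell=$(passwd_shell "$_entry")
    [ -n "$_shell" ] || return 3
    shell_listed "$_shell" "$_shells" || return 2
    return 0
}

# Live-host wrapper: resolve via getent(1), i.e. through nsswitch.conf,
# and check against the real /etc/shells.
audit_user() {
    _e=$(getent passwd "$1" 2>/dev/null)
    _rc=0
    check_user "$1" "$_e" /etc/shells || _rc=$?
    case $_rc in
        0) echo "$1: ok (shell $(passwd_shell "$_e"))" ;;
        1) echo "$1: not resolvable through NSS; check nsswitch.conf and nss_ldap" ;;
        2) echo "$1: shell $(passwd_shell "$_e") is not listed in /etc/shells" ;;
        *) echo "$1: malformed passwd entry: $_e" ;;
    esac
    return $_rc
}

# Constructed FreeBSD-style /etc/shells written to a temp file, so the offline
# demonstration never reads or touches the real one. Prints the path.
demo_shells_file() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# List of acceptable shells for chpass(1).
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash
EOF
    printf '%s\n' "$_f"
}

# Constructed entries as nss_ldap might return them (not real directory data).
# The first carries the Linux bash path that tripped melco up.
DEMO_LINUX_SHELL='testuser:*:10001:10001:Test User:/home/testuser:/bin/bash'
DEMO_OK_SHELL='okuser:*:10002:10002:OK User:/home/okuser:/usr/local/bin/bash'

# Offline demonstration against the constructed data.
demo_shells=$(demo_shells_file)
for e in "$DEMO_LINUX_SHELL" "$DEMO_OK_SHELL"; do
    rc=0; check_user "${e%%:*}" "$e" "$demo_shells" || rc=$?
    echo "${e%%:*}: rc=$rc (shell $(passwd_shell "$e"))"
done
rc=0; check_user nobody_in_ldap "" "$demo_shells" || rc=$?
echo "nobody_in_ldap: rc=$rc"
rm -f "$demo_shells"
```

Return code 1 points at the NSS side (nsswitch.conf, nss_ldap and its ldap.conf), return code 2 at the shell problem melco describes; run it for a user that is not in /etc/passwd so that the `files` source cannot mask a broken `ldap` source.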


----------



## davethenerd (Mar 24, 2014)

melco said:

> If you ever face the same kind of issue with INCORRECT sent to LDAP instead of a/the password:
>
> 1. Check nss_ldap (`getent passwd user`, `id user`, etc.).
> 2. Make sure that the user shell specified for the user in LDAP is available on the client system (/etc/shells).
>
> The second took me three days to figure out! All Linux systems work like a charm with /bin/bash, but in FreeBSD we have /usr/local/bin/bash. So `ln -s /usr/local/bin/bash /bin/bash` and adding it to /etc/shells fixed this problem for me.


Registered to say "thank you" for this.


----------



## user222 (Oct 5, 2014)

^ Another thank you for saving me 3 days.  :beer


----------

