# PAM_LDAP Authentication failure with correct credentials



## sir_dirnxalot (Feb 26, 2013)

I need to get our freebsd FreeBSD servers to authenticate via AD, but it is giving me problems.

Environment: AD backend (Win 2k8r2). This works with Debian hosts which authenticate via SSSD, FreeBSD 9.1 for client servers.

I have configured everything I can think of, and *I* think it is correct, but when I try to log in with an AD account, it fails with:


```
pam_ldap: error trying to bind as user "CN=testuser,CN=Users,DC=example,DC=com" (Invalid credentials)
```

So I know it is getting past the initial bind, as the DN it is bringing back is correct and has come from the AD server. When it then tries to bind with that DN it can't, which causes the authentication to fail. I have tested the test user's credentials on the AD server, using ldapsearch and even set it as the default bind DN in ldap.conf and it works for all tests.

I cannot for the life of me figure out why the initial bind works, but then the user's bind fails.

For reference, here are my config files:

/usr/local/etc/ldap.conf


```
pam_login_attribute uid
base dc=example,dc=com
uri ldap://xxx.xxx.xxx.xxx/
ssl no
binddn CN=ro_user,CN=Users,DC=example,DC=com
bindpw somerandompw
```

/usr/local/etc/openldap/ldap.conf


```
pam_login_attribute uid
base dc=example,dc=com
uri ldap://xxx.xxx.xxx.xxx/
ssl no
```

/etc/pam.d/sshd


```
auth        sufficient  pam_opie.so     no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn debug
auth        required    pam_unix.so     no_warn try_first_pass

account     required    pam_nologin.so
account     required    pam_login_access.so
account     required    pam_unix.so
account         required        /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user

session     required    pam_permit.so

password    required    pam_unix.so     no_warn try_first_pass
```


----------



## ondra_knezour (Feb 27, 2013)

CN=Users? I would expect OU=Users, but I don't know nothing about your schema.


----------



## johnblue (Feb 27, 2013)

I usually ignore the default CN's for Users and Computers since they are not OU's.  I noticed that you have not mentioned Kerberos .. perhaps you can glean some clues from here:

http://forums.freebsd.org/showthread.php?t=21554
http://www.whitneytechnologies.com/?p=119


----------



## sir_dirnxalot (Feb 28, 2013)

ondra_knezour said:
			
		

> CN=Users? I would expect OU=Users, but I don't know nothing about your schema.



CN=Users is correct for that particular user in the schema. It's only a proof of concept at the moment so when we build a live environment things will be more as you would expect.



			
				johnblue said:
			
		

> ... http://www.whitneytechnologies.com/?p=119 ...


I've tried that on another test host, and had more problems. I've also tried SSSD, and even after fixing a number of bugs with the version in the port (1.6) I still have issues. We have tried to compile SSSD 1.8 on a couple of FreeBSD systems too, with no luck. The Samba / Winbind approach is a last resort as we would like to avoid using Samba if we can. The other link you supplied looks promising though, so I will give that a go now and see where I get to.

Thanks for your help so far.


----------

