# pam_ldap unable to log in via ssh (FreeBSD 8.0 / OpenLDAP)



## jetheis (Jul 27, 2010)

Hi all,

This is my first time using LDAP for authentication, and I can't seem to get it to allow login over ssh.

I've followed the directions laid out in this article:

http://www.freebsd.org/doc/en/articles/ldap-auth/index.html

and believe I have followed the steps correctly.

I've also taken a look at this thread:

http://forums.freebsd.org/showthread.php?t=10281

which outlines what seemed to be exactly the same problem I'm having, but the solution there didn't solve mine.

When a user tries to authenticate via ssh the following error message gets written:


```
sshd[46237]: pam_ldap: error trying to bind as user "cn=testuser+gidNumber=10002+homeDirectory=/+
sn=User+uid=testuser+uidNumber=10002,ou=users,ou=videodrome" (Invalid credentials)
```

I can provide the content of configuration files and command output as needed.

My *uname -a* info:

```
FreeBSD videodrome.gateway.2wire.net 8.0-RELEASE
FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009
root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
```

Thanks


----------



## SirDice (Jul 28, 2010)

"Invalid credentials"

Are you sure the password is correct? Reset the LDAP password and try again.


----------



## jetheis (Jul 28, 2010)

I've set the password to a plain text one for the sake of testing this. Using Apache Directory Studio, I can successfully bind using these credentials, so I know they're not wrong.


----------



## Sephiroth (Aug 3, 2010)

I'm having a similar problem... I had pam_ldap working very well until I upgraded from 7.2 to 8.0, and now I am unable to login. Nothing has changed, all the passwords are the same, and I can bind with all the credentials using Apache Directory Studio. Now I get this:


```
Aug  3 16:52:40 login sshd[78909]: pam_ldap: error trying to bind as user "uid=charlie,ou=Users,dc=cwssoftware,dc=com" (Invalid credentials)
Aug  3 16:52:40 login sshd[78907]: error: PAM: authentication error for illegal user charlie from 192.168.13.100
```
Again, this used to be perfectly configured, and my /usr/local/etc/ldap.conf (and nss_ldap.conf) are still identical to the old versions. I've rebuilt the pam_ldap port and all dependencies... no luck. Any ideas?


----------



## gilinko (Aug 4, 2010)

I don't use ADS but openldap for the same purpose, and in case of failures it will be more informative to have a look at the ldap error log or debug log for what the ldap server is doing while running the search. Remember that it should be allowed to search the tree first and then bind, not only bind directly. Essentially, do an anonymous sub-search from your user base. So check your ACLs and, as a starter, "disable" them altogether, and you will notice if the error is generated by pam_ldap or by restrictive ACLs.


----------



## Sephiroth (Aug 4, 2010)

I figured out my problem, maybe this will help you. It wasn't in the pam_ldap configuration at all. I turned on debugging in /usr/local/etc/ldap.conf, and saw tons of entries like this:


```
Aug  4 20:55:00 login cron[29356]: NSSWITCH(_nsdispatch): ldap, group, endgrent, not found, and no fallback provided
```

Looking that up, I found another post about someone who had recently seen this error. It pointed to the nss_ldap library having problems. I ran:


```
ldd /usr/local/lib/nss_ldap.so.1
```

And I saw that my libsasl2 was not linked; it had an unknown dependency! I fixed it by installing the /security/cyrus-sasl2 port; maybe there's a broken dependency in there somewhere, but that fixed the problem for ldd, and then I was able to login again.
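The check Sephiroth describes (run ldd(1) on the NSS module and look for an unresolved shared library) is easy to script so it can be repeated after every port upgrade, before sshd silently starts rejecting every LDAP user. The script below is an added example and not part of the original thread: `missing_from_ldd` parses ldd-style output for lines of the form `libfoo.so.N => not found` (the format both FreeBSD and Linux ldd print), and `check_module_deps` applies it to a real module path. The module paths in `MODULES` and the sample ldd output in `SAMPLE_LDD` are constructed for illustration, based on the path in the post.

```shell
#!/bin/sh
# Added example: detect NSS/PAM modules whose shared-library dependencies are
# unresolved, the failure mode behind the "NSSWITCH ... not found" log lines.

# Read ldd-style output on stdin and print the name of every library that ldd
# reports as "=> not found", one per line. Works on FreeBSD and Linux output.
missing_from_ldd() {
    awk '/=> not found/ { print $1 }'
}

# Run ldd on the given library and report unresolved dependencies on stderr.
# Returns 0 if every dependency resolves, 1 if any is missing or ldd fails.
check_module_deps() {
    lib="$1"
    if [ ! -r "$lib" ]; then
        echo "$lib: not present (module not installed?)" >&2
        return 1
    fi
    missing=$(ldd "$lib" 2>/dev/null | missing_from_ldd)
    if [ -n "$missing" ]; then
        echo "$lib: unresolved dependencies:" >&2
        printf '  %s\n' $missing >&2
        return 1
    fi
    return 0
}

# Constructed sample of ldd output mirroring the post: nss_ldap.so.1 links
# against libsasl2, but libsasl2 is not installed. Library versions are assumed.
SAMPLE_LDD='/usr/local/lib/nss_ldap.so.1:
    libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x800a00000)
    liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x800b00000)
    libsasl2.so.2 => not found
    libc.so.7 => /lib/libc.so.7 (0x800c00000)'

# Module paths assumed for a FreeBSD host using the nss_ldap and pam_ldap ports;
# adjust for your system. Modules that are not installed are reported, not skipped.
MODULES='/usr/local/lib/nss_ldap.so.1 /usr/local/lib/pam_ldap.so'

# Stand-alone run: show the parser on the sample, then check the real modules.
echo "Sample ldd output reports missing: $(printf '%s\n' "$SAMPLE_LDD" | missing_from_ldd)"
status=0
for m in $MODULES; do
    check_module_deps "$m" || status=1
done
[ "$status" -eq 0 ] && echo "all listed modules resolve" || echo "dependency problems found (see above)"
```

Run it as root after a port upgrade; a non-empty "unresolved dependencies" list for nss_ldap.so or pam_ldap.so means the module cannot be loaded by sshd or the nsswitch dispatcher, and the resulting bind or lookup failure will show up in auth.log as an authentication error even though the LDAP password is correct. On a host where the modules are installed, a wrapper can exit with `$status` so the check can gate a deployment.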


----------

