# LDAP Server cannot login



## dd711 (Jan 21, 2014)

Hi,

I have a problem with my FreeBSD 9.2 configuration and LDAP.

I want to log in with an account from my LDAP directory, but the system gets an error after password authentication.

Here is the line from /var/log/auth.log:

```
Jan 21 20:18:29  login: pam_acct_mgmt(): error in service module
```

And here are my configuration files:


```
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/9.2.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: cache files ldap [NOTFOUND=return]
passwd: cache files ldap [NOTFOUND=return]
 
group_compat: nis
hosts: files dns
networks: files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```


```
#/etc/pam.d/system
# $FreeBSD: release/9.2.0/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
auth		 required	pam_unix.so		no_warn try_first_pass nullok

# account
account		required	/usr/local/lib/pam_ldap.so	ignore_unknown_user ignore_authinfo_unavail	
account		required	pam_login_access.so
account		required	pam_unix.so

# session
session		required	/usr/local/lib/pam_mkhomedir.so
session		required	pam_lastlog.so		no_fail

# password
password	required	pam_unix.so		no_warn try_first_pass
```


```
#/etc/pam.d/login
# $FreeBSD: release/9.2.0/etc/pam.d/login 170510 2007-06-10 18:57:20Z yar $
#
# PAM configuration for the "login" service
#

# auth
auth		sufficient	pam_self.so		no_warn
auth		include		system

# account
account		requisite	pam_securetty.so
account		required	pam_nologin.so
account		include		system

# session
session		include		system

# password
password	        include		system
```


```
#/etc/pam.d/passwd
# $FreeBSD: release/9.2.0/etc/pam.d/passwd 113967 2003-04-24 12:22:42Z des $
#
# PAM configuration for the "passwd" service
#

# passwd(1) does not use the auth, account or session services.

# password
password 	required	/usr/local/lib/pam_ldap.so
password	required	pam_unix.so		no_warn try_first_pass nullok
```


```
root@:/usr/local/etc # ls -l nss_ldap.conf
lrwxr-xr-x  1 root  wheel  9 Jan 20 16:01 nss_ldap.conf -> ldap.conf
```


```
#/usr/local/etc/ldap.conf
BASE ou=inform,ou=f4,ou=studium,dc=fh-h,dc=de
URI ldap://<correct ip address>
ldap_version 3

binddn cn=i-proxyuser,ou=funktionen,ou=inform,ou=f4,ou=studium,dc=fh-h,dc=de
bindpw secret

pam_login_attribute uid
scope sub
```


```
# /usr/local/etc/openldap/ldap.conf
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example,dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

BASE ou=inform,ou=f4,ou=studium,dc=fh-h,dc=de
URI ldap://<correct ip address>

binddn cn=i-proxyuser,ou=funktionen,ou=inform,ou=f4,ou=studium,dc=fh-h,dc=de
bindpw secret

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		 never
```

Does someone know what to do?
Thanks.


----------



## dpejesh (Jan 21, 2014)

It's been a while since I had to go through these hoops and I've since automated it in cfengine, but here is how what you have compares to how my machines get set up.



			
				dd711 said:
			
		

> ```
> group: cache files ldap [NOTFOUND=return]
> passwd: cache files ldap [NOTFOUND=return]
> ```




```
group: files cache ldap
passwd: files cache ldap
```

http://lists.freebsd.org/pipermail/freebsd-current/2012-February/031596.html



> ```
> #/etc/pam.d/system
> # auth
> auth		sufficient	pam_opie.so		no_warn no_fake_prompts
> ...
> ```



This looks right.



> ```
> #/etc/pam.d/system
> # account
> account		required	/usr/local/lib/pam_ldap.so	ignore_unknown_user ignore_authinfo_unavail
> ...
> ```




```
#/etc/pam.d/system
# account
account		required	pam_login_access.so
account		required	/usr/local/lib/pam_ldap.so	ignore_unknown_user ignore_authinfo_unavail
account		required	pam_unix.so
```

Move your pam_ldap line down below pam_login_access.



> ```
> #/etc/pam.d/system
> # password
> password	required	pam_unix.so		no_warn try_first_pass
> ```




```
#/etc/pam.d/system
# password
password	required	/usr/local/lib/pam_ldap.so	use_authtok
password	required	pam_unix.so		no_warn try_first_pass
```

Add pam_ldap.so.



> ```
> #/etc/pam.d/passwd
> password 	required	/usr/local/lib/pam_ldap.so
> password	required	pam_unix.so		no_warn try_first_pass nullok
> ```




```
#/etc/pam.d/passwd
password	required	pam_unix.so		no_warn try_first_pass nullok
```

I didn't have to insert pam_ldap.so in /etc/pam.d/passwd.



> ```
> root@:/usr/local/etc # ls -l nss_ldap.conf
> lrwxr-xr-x  1 root  wheel  9 Jan 20 16:01 nss_ldap.conf -> ldap.conf
> ```



I'm guessing you're using pam_ldap/nss_ldap.   You might also have to link pam_ldap.conf to ldap.conf too.  I'd recommend using nss-pam-ldapd instead though.  It started as a fork of nss_ldap and pam_ldap, and is actively maintained.



> ```
> #/usr/local/etc/ldap.conf
> BASE ou=inform,ou=f4,ou=studium,dc=fh-h,dc=de
> URI ldap://<correct ip adress>
> ...
> ```



I don't think you need /usr/local/etc/ldap.conf, I'm not using it.  I have everything in /usr/local/etc/openldap/ldap.conf.  If I remember right, it's only used for openldap commands anyway (ldapsearch, ldapadd, etc) and doesn't play a role in nslcd or pam (if you use nss-pam-ldapd that is).  I could be wrong though, it's been a while.

If you decide to try to use nss-pam-ldapd, here's my /usr/local/etc/nslcd.conf for it.


```
uid nslcd
gid nslcd

uri ldaps://<ldap host>/
base <base dn>
binddn <bind dn>
bindpw <bind pw>
bind_timelimit 15
idle_timelimit 300
timelimit 15
nss_initgroups_ignoreusers root
```

I also had to update /etc/pam.d/sshd.


```
# /etc/pam.d/sshd
# $FreeBSD: release/10.0.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass minimum_uid=1000
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	/usr/local/lib/pam_ldap.so	ignore_authinfo_unavail ignore_unknown_user minimum_uid=1000
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	pam_permit.so
session		required	/usr/local/lib/pam_mkhomedir.so	umask=0022 skel=/usr/local/share/skel

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	/usr/local/lib/pam_ldap.so	use_authtok minimum_uid=1000
password	required	pam_unix.so		no_warn try_first_pass
```

You can remove the pam_mkhomedir.so line.  I left it in to show you where to place it if you do decide to use it.

Hope this helps.
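The "error in service module" text in the original auth.log line is OpenPAM's wording for PAM_SERVICE_ERR coming back from the account chain, so it helps to see how OpenPAM walks a chain of `required` / `requisite` / `sufficient` lines and what the `ignore_unknown_user` / `ignore_authinfo_unavail` options change. The following is an added example, not code from this thread or from OpenPAM: a small model of the dispatch rules as I read openpam_dispatch(3), run over the account chain that login(1) builds from the poster's /etc/pam.d/login and /etc/pam.d/system. Module return codes are constructed stand-ins for what pam_ldap, pam_securetty and friends would return; no real PAM module is called.

```python
"""Added example, not code from this thread: a small model of how OpenPAM
(FreeBSD's PAM library) walks one chain of a pam.d stack.  The control flag
rules are my reading of openpam_dispatch(3); the module return codes below
are constructed stand-ins, not real pam_ldap/pam_unix calls."""

from enum import Enum


class R(Enum):
    SUCCESS = "PAM_SUCCESS"
    IGNORE = "PAM_IGNORE"                    # "skip me", not a failure
    USER_UNKNOWN = "PAM_USER_UNKNOWN"
    AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
    SERVICE_ERR = "PAM_SERVICE_ERR"          # pam_strerror: "error in service module"
    PERM_DENIED = "PAM_PERM_DENIED"


def dispatch(chain, results):
    """chain: [(control, module)]; results: {module: R}.
    Returns (chain result, modules actually called)."""
    err = R.SUCCESS
    required_failed = False
    called = []
    for control, module in chain:
        r = results[module]
        called.append(module)
        if r == R.IGNORE:
            continue                         # as if the line were not there
        if r == R.SUCCESS:
            # "sufficient" ends the chain on success, unless a required
            # module earlier in the chain has already failed
            if control == "sufficient" and not required_failed:
                return R.SUCCESS, called
            continue
        # a failure: the first failure's code is kept, but the first
        # "required" failure overrides it and makes the chain fail
        if err == R.SUCCESS:
            err = r
        if control == "required" and not required_failed:
            required_failed = True
            err = r
        if control == "requisite":
            return err, called               # stop right here
        # failures of "sufficient"/"optional" modules are otherwise ignored
    # every stack on this page ends in a required pam_unix line, so a chain
    # with no required failure is a success
    return (err if required_failed else R.SUCCESS), called


def pam_ldap_result(raw, ignore_unknown_user=False, ignore_authinfo_unavail=False):
    """Model of the two pam_ldap options on the thread's account line: each
    turns one specific failure into PAM_IGNORE instead of a chain failure."""
    if ignore_unknown_user and raw == R.USER_UNKNOWN:
        return R.IGNORE
    if ignore_authinfo_unavail and raw == R.AUTHINFO_UNAVAIL:
        return R.IGNORE
    return raw


# Account chain login(1) runs for the poster's /etc/pam.d/login, which
# pulls in /etc/pam.d/system after pam_securetty and pam_nologin.
ACCOUNT_CHAIN = [
    ("requisite", "pam_securetty"),
    ("required", "pam_nologin"),
    ("required", "pam_ldap"),
    ("required", "pam_login_access"),
    ("required", "pam_unix"),
]
ALL_OK = {m: R.SUCCESS for _, m in ACCOUNT_CHAIN}


def ldap_service_error():
    """pam_ldap's account check fails hard: every line still runs, but the
    chain result is PAM_SERVICE_ERR, which login(1) logs as
    'pam_acct_mgmt(): error in service module'."""
    return dispatch(ACCOUNT_CHAIN, {**ALL_OK, "pam_ldap": R.SERVICE_ERR})


def local_user_not_in_ldap():
    """A local-only user (root) is not in the directory; with
    ignore_unknown_user the pam_ldap line is skipped and pam_unix decides."""
    r = pam_ldap_result(R.USER_UNKNOWN, ignore_unknown_user=True)
    return dispatch(ACCOUNT_CHAIN, {**ALL_OK, "pam_ldap": r})


def insecure_tty():
    """requisite pam_securetty fails: the chain stops before pam_ldap runs."""
    return dispatch(ACCOUNT_CHAIN, {**ALL_OK, "pam_securetty": R.PERM_DENIED})


def reorder_changes_reported_error():
    """Swapping the two required lines (as suggested above) does not change
    whether login is refused, only which error is reported when both fail."""
    both_fail = {**ALL_OK, "pam_ldap": R.SERVICE_ERR,
                 "pam_login_access": R.PERM_DENIED}
    swapped = [ACCOUNT_CHAIN[i] for i in (0, 1, 3, 2, 4)]
    return dispatch(ACCOUNT_CHAIN, both_fail)[0], dispatch(swapped, both_fail)[0]
```

The point worth taking from the model: with every account line marked `required`, pam_ldap is still called even when an earlier line failed, and its failure code wins if it is the first required failure. Moving pam_ldap below pam_login_access therefore changes which error ends up in auth.log, not whether the login is refused; only `requisite` (pam_securetty here) cuts the chain short, and only a PAM_IGNORE from the `ignore_*` options takes pam_ldap out of the decision.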


----------



## dd711 (Jan 22, 2014)

Thanks.
I tried it with your configuration, but the same error occurred.

Now I have uninstalled the nss_ldap and pam_ldap packages and installed nss-pam-ldapd.
I modified nslcd.conf and now the login is working.

Thanks.
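One thing to check once the login works: every configuration file in this thread that carries `bindpw` (nslcd.conf, /usr/local/etc/ldap.conf and /usr/local/etc/openldap/ldap.conf) holds the proxy user's password in clear text, and the stock comment in the OpenLDAP ldap.conf even says the file should be world readable. The following is an added example, not code from this thread or from nss-pam-ldapd: a small audit that reports any file containing `bindpw` that other users can read. The default path list is an assumption based on the paths used in the thread, the sample tree that `demo()` builds is constructed, and only the other-read bit is judged, because an nslcd.conf owned by root with group nslcd and mode 0640 is a normal arrangement for a daemon that runs as `uid nslcd`.

```python
"""Added example, not code from this thread: flag LDAP client configuration
files that carry a bind password but are readable by every local user.  The
default path list is an assumption about the FreeBSD box described in the
thread; the sample tree built by demo() is constructed, not a real host."""

import os
import re
import stat
import sys
import tempfile

BINDPW_RE = re.compile(r"^\s*bindpw\s+\S", re.IGNORECASE | re.MULTILINE)

# Assumed locations of the files from the thread that may hold "bindpw".
DEFAULT_FILES = [
    "/usr/local/etc/nslcd.conf",
    "/usr/local/etc/ldap.conf",
    "/usr/local/etc/openldap/ldap.conf",
]


def check_bindpw_file(path):
    """Return "missing", "no-secret", "ok" or "world-readable".
    Only the other-read bit is judged: nslcd.conf owned root:nslcd with
    mode 0640 is a normal arrangement and comes back as "ok"."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        # the thread symlinks nss_ldap.conf -> ldap.conf; judge the target
        return check_bindpw_file(os.path.realpath(path))
    with open(path, encoding="utf-8", errors="replace") as fh:
        if not BINDPW_RE.search(fh.read()):
            return "no-secret"
    return "world-readable" if st.st_mode & stat.S_IROTH else "ok"


def audit(paths):
    """Verdict per path; the caller treats any "world-readable" as a finding."""
    return {p: check_bindpw_file(p) for p in paths}


def demo():
    """Run the check over a constructed tree: a leaky nslcd.conf, a tightened
    copy, a symlink to it, a secret-free ldap.conf and an absent file."""
    with tempfile.TemporaryDirectory() as d:
        leaky = os.path.join(d, "nslcd.conf")
        with open(leaky, "w") as fh:
            fh.write("uid nslcd\nuri ldaps://ldap.example/\nbindpw secret\n")
        os.chmod(leaky, 0o644)
        fixed = os.path.join(d, "nslcd.conf.fixed")
        with open(fixed, "w") as fh:
            fh.write("uid nslcd\nbindpw secret\n")
        os.chmod(fixed, 0o640)
        link = os.path.join(d, "nss_ldap.conf")
        os.symlink(fixed, link)
        plain = os.path.join(d, "ldap.conf")
        with open(plain, "w") as fh:
            fh.write("BASE dc=example,dc=com\nURI ldap://ldap.example/\n")
        os.chmod(plain, 0o644)
        absent = os.path.join(d, "absent.conf")
        verdicts = audit([leaky, fixed, link, plain, absent])
    # key by role so the result does not depend on the temp dir name
    return dict(zip(["leaky", "fixed", "via-symlink", "no-secret", "missing"],
                    verdicts.values()))


def main(argv):
    """Audit the paths on the command line, or the assumed defaults."""
    verdicts = audit(argv[1:] or DEFAULT_FILES)
    for path, verdict in verdicts.items():
        print(f"{path}: {verdict}")
    return 1 if "world-readable" in verdicts.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with no arguments to audit the three assumed paths, or pass explicit paths; a non-zero exit status means at least one file needs `chmod o-r`. Tightening /usr/local/etc/openldap/ldap.conf has a side effect worth knowing: unprivileged users then lose the BASE and URI defaults for ldapsearch, which is the reason to keep `bindpw` out of that file altogether and let it live only in nslcd.conf.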


----------

