# LDAP authentication



## nORKy (Apr 12, 2013)

Hi,

I read the FreeBSD handbook about LDAP authentication. But there is a problem when I connect with SSH:

```
pam_ldap: error trying to bind as user "uid=usertest,ou=users,dc=mylocal" (Invalid credentials)
```

I don't know where to search. The authentication works with a classic LDAP client (ldapsearch for example). Any idea?


----------



## SirDice (Apr 12, 2013)

It's probably something in /etc/pam.d/sshd that's not correctly set up.


----------



## nORKy (Apr 12, 2013)

I don't see:

```
# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so
account		required	/usr/local/lib/pam_ldap.so	no_warn ignore_authinfo_unavail ignore_unknown_user

# session
#session	optional	pam_ssh.so		want_agent
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass
```


----------



## kpa (Apr 12, 2013)

What's in your /usr/local/etc/ldap.conf?


----------



## nORKy (Apr 12, 2013)

```
host myhost

BASE dc=mylocal
URI ldap://myhost/
SSL start_tls
tls_cacert /usr/local/certs/root.crt

bind_policy soft

pam_filter objectclass=posixAccount
pam_login_attribute uid
```


----------



## nORKy (Apr 12, 2013)

And my full LDIF:


```
# extended LDIF
#
# LDAPv3
# base <dc=mylocal> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mylocal
dn: dc=mylocal
objectClass: top
objectClass: dcObject
objectClass: organization
dc: mylocal
o: mylocalOrg

# groups, mylocal
dn: ou=groups,dc=mylocal
objectClass: top
objectClass: organizationalUnit
ou: groups

# user, groups, mylocal
dn: cn=user,ou=groups,dc=mylocal
objectClass: posixGroup
objectClass: top
gidNumber: 10000
cn: user

# users, mylocal
dn: ou=users,dc=mylocal
objectClass: top
objectClass: organizationalUnit
ou: users

# usertest, users, mylocal
dn: uid=usertest,ou=users,dc=mylocal
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uidNumber: 10000
gidNumber: 10000
homeDirectory: /u/usertest
loginShell: /bin/tcsh
uid: usertest
cn: usertest
sn: usertest
```


----------



## nORKy (Apr 15, 2013)

Hi,

All is OK when I remove all TLS options in server and clients. I don't understand why.


----------



## kpa (Apr 15, 2013)

See what happens when you use the -Z and -ZZ options with ldapsearch(1).


----------



## nORKy (Apr 15, 2013)

Nothing happened. I have my search result.


----------



## kpa (Apr 15, 2013)

Check what differences there are between /usr/local/etc/ldap.conf and /usr/local/etc/openldap/ldap.conf. The first one is used by the PAM LDAP plugin (the name is configurable I think) and the second one is used by ldapsearch(1).


----------
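The comparison kpa suggests, as an added example that is not part of the thread: a small Python script that parses both ldap.conf dialects (assumed here to be `KEY value` lines with `#` comment lines and case-insensitive keys) and lists the connection and TLS settings that differ between the pam_ldap file and the OpenLDAP client file. The two sample file contents are constructed from the thread's posted config, and the key-alias table is an assumption made for this example, not taken from either tool's documentation.

```python
"""Compare the pam_ldap ldap.conf with the OpenLDAP client ldap.conf.

pam_ldap reads /usr/local/etc/ldap.conf while ldapsearch(1) reads
/usr/local/etc/openldap/ldap.conf; a bind that works for one tool and
fails for the other often comes down to a setting present in only one.
"""
import re

# Constructed sample files modeled on the thread's config; not real hosts.
PAM_LDAP_CONF = """\
host myhost
BASE dc=mylocal
URI ldap://myhost/
SSL start_tls
tls_cacert /usr/local/certs/root.crt
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
"""
OPENLDAP_CONF = """\
# OpenLDAP client library config used by ldapsearch(1)
BASE dc=mylocal
URI ldap://myhost/
TLS_CACERT /usr/local/certs/root.crt
TLS_REQCERT demand
"""

# Assumed aliases: fold dialect-specific spellings onto one canonical name.
ALIASES = {"tls_cacertfile": "tls_cacert"}
# Settings that decide how the client connects to and verifies the server.
CONNECTION_KEYS = ("host", "port", "uri", "base", "ssl", "tls_cacert",
                   "tls_cacertdir", "tls_reqcert", "tls_checkpeer",
                   "binddn", "bindpw")

def parse_ldap_conf(text):
    """Return {canonical_key: value} for every non-comment 'KEY value' line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].lower()
        settings[ALIASES.get(key, key)] = parts[1] if len(parts) > 1 else ""
    return settings

def diff_connection_settings(pam_text, openldap_text):
    """Return {key: (pam_ldap value, openldap value)} for settings that differ.
    None marks a setting missing from one file, the usual culprit when TLS is
    requested in one config but the CA or verification policy is only in the other."""
    pam, ol = parse_ldap_conf(pam_text), parse_ldap_conf(openldap_text)
    return {k: (pam.get(k), ol.get(k)) for k in CONNECTION_KEYS
            if pam.get(k) != ol.get(k)}

if __name__ == "__main__":
    for key, (pam_v, ol_v) in diff_connection_settings(PAM_LDAP_CONF, OPENLDAP_CONF).items():
        print(f"{key:14} pam_ldap={pam_v!r:32} openldap={ol_v!r}")
```

On the sample input it reports `host`, `ssl` and `tls_reqcert` as present in only one of the two files; run it against the real files by reading them with `open()` in place of the constructed strings.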

