# FreeBSD 8 with OpenLdap-2.4/pam_ldap, unable to login



## dvdmandt (Jan 13, 2010)

Hi everyone, I'm trying to set up LDAP authentication on a new FreeBSD 8 installation. This is for local and/or LAN authentication only, so I don't need nor want SSL/TLS.

I have a working LDAP server (slapd) already. I can connect to it using the rootdn or a user in the database (ldapvi, ldapsearch and ldapadmin work). I can't, however, get pam_ldap working.

It doesn't seem to find the users. What might cause this? How do I debug the issue? Here's what I did and what I know:

I'm trying to log in using SSH. I've changed /etc/ssh/sshd_config to use PAM, and pam.d/sshd to use pam_ldap.so as well.

When starting slapd, I get an error from nss_ldap saying the server is unavailable.

When I try to log in, sshd says "authentication failed for invalid user ..", which in my understanding means it's unable to find the user..?

Any ideas?


----------



## SirDice (Jan 13, 2010)

http://www.freebsd.org/doc/en/articles/ldap-auth/index.html


----------



## dvdmandt (Jan 13, 2010)

That's what I followed to get this far. That article does, however, seem to leave out various bits and is somewhat vague on some other points. For example, it says nss_ldap and pam_ldap use the same configuration file and therefore nss_ldap will already be configured, which does not seem to be the case unless you symlink one to the other.

I've also read and tried other guides/articles with no luck.


----------



## malexe (Jan 15, 2010)

Please provide the content of:

- /etc/nsswitch.conf
- /usr/local/etc/ldap.conf
- /usr/local/etc/nss_ldap.conf
- /etc/pam.d/sshd


----------



## fuhdan (Feb 17, 2010)

Hi all,
I have the same problem. Here are my configs:

*/etc/nsswitch.conf:*

```
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
#group: compat
group: files ldap
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```

*/usr/local/etc/ldap.conf:*

```
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

base dc=voip-noc,dc=com
uri ldap://oss-beb-dx-d-12-ngs/
ssl start_tls
tls_cacert /usr/local/etc/openldap/cert/cacert.crt
pam_login_attribute uid
```

*/usr/local/etc/nss_ldap.conf:*

```
base dc=voip-noc,dc=com
uri ldap://oss-beb-dx-d-12-ngs/
ssl start_tls
tls_cacert /usr/local/etc/openldap/cert/cacert.crt
pam_login_attribute uid
```

*/etc/pam.d/sshd*

```
# $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
auth            sufficient      pam_ldap.so             no_warn

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so
account         required        pam_ldap.so             no_warn ignore_authinfo_unavail ignore_unknown_user

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
```

*finger tgdfuda2*

```
Login: tgdfuda2       			Name: Daniel Fuhrer
Directory: /home/tgdfuda2           	Shell: /bin/csh
Never logged in.
No Mail.
No Plan.
```

*Login test:*

```
ssh -l tgdfuda2 192.168.1.248
Password:
LDAP Password: 
Password:
LDAP Password: 
Password:
LDAP Password: 
Permission denied (publickey,keyboard-interactive).
```

*The message log:*

```
Feb 17 17:28:17 oss-beb-dx-d-13-ngs sshd[11569]: error: PAM: authentication error for tgdfuda2 from 192.168.1.2
Feb 17 17:28:22 oss-beb-dx-d-13-ngs sshd[11572]: pam_ldap: error trying to bind as user "uid=tgdfuda2,ou=people,dc=voip-noc,dc=com" (Invalid credentials)
Feb 17 17:28:22 oss-beb-dx-d-13-ngs sshd[11569]: error: PAM: authentication error for tgdfuda2 from 192.168.1.2
Feb 17 17:28:27 oss-beb-dx-d-13-ngs sshd[11569]: error: PAM: authentication error for tgdfuda2 from 192.168.1.2
```

Thanks for your help.


----------



## SirDice (Feb 17, 2010)

Make sure there's no local user named tgdfuda2.


----------



## fuhdan (Feb 17, 2010)

There is no local user tgdfuda2.

*getent passwd*

```
root:$1$koa.b0lj$MfTDkcmsSw3S3kPOYAdJm0:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
ldap:*:389:389:OpenLDAP Server:/nonexistent:/sbin/nologin
tgdfuda2:*:10000:10000:Daniel Fuhrer:/home/tgdfuda2:/bin/csh
tgdhera5:*:10001:10000:Raphael Herren:/home/tgdhera5:/bin/csh
tgdloch3:*:10002:10002:Christian Lochmatter:/home/tgdloch3:/bin/csh
```


----------



## fuhdan (Feb 21, 2010)

Hi all,
I'm still not able to log in by ssh.
From the root account, I can change the user to an LDAP user. So the user seems to be OK. It looks like there is a problem with the password encryption between the password stored in LDAP and the PAM module which checks the password.
Can anybody help me? Has someone got OpenLDAP running on FreeBSD 8.0?


----------



## gilinko (Feb 21, 2010)

You need to flip the pam_unix.so and pam_ldap.so lines in /etc/pam.d/sshd for both the auth line and the account line, and make the pam_ldap.so _sufficient_ instead of _required_.

As it is now, it will first try pam_unix.so and fail for users that exist only in LDAP, and then move on to try pam_ldap.so. But because of the _required_ on the pam_unix.so, if it fails it doesn't matter what pam_ldap.so responds with, as the query will ultimately fail anyway.

Have a read through on this freebsd article on PAM and the difference between required, sufficient etc.
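To make the control-flag reasoning concrete, here is an added example (not from the thread) that models OpenPAM's required/requisite/sufficient semantics in Python and runs fuhdan's original auth chain and the reordered one against constructed module outcomes for an LDAP-only user and a local user.

```python
# Model of OpenPAM control-flag semantics (pam.conf(5) on FreeBSD), used to
# show why moving pam_ldap.so ahead of pam_unix.so fixes fuhdan's auth chain.

def run_stack(stack, results):
    """Evaluate a chain of (control_flag, module) pairs.

    results maps module name -> True/False, the outcome that module would
    return for the user being authenticated.
    """
    failed = False                      # has a required module failed yet?
    for flag, module in stack:
        ok = results[module]
        if flag == "required" and not ok:
            failed = True               # chain fails, but keep running modules
        elif flag == "requisite" and not ok:
            return False                # stop immediately
        elif flag == "sufficient" and ok and not failed:
            return True                 # grant now, later modules are skipped
        # sufficient+fail and optional are ignored
    return not failed

# fuhdan's original "auth" chain from /etc/pam.d/sshd (options omitted)
ORIGINAL_AUTH = [
    ("sufficient", "pam_opie.so"),
    ("requisite", "pam_opieaccess.so"),
    ("required", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
]

# the same chain with pam_ldap.so (sufficient) moved ahead of pam_unix.so
FIXED_AUTH = [
    ("sufficient", "pam_opie.so"),
    ("requisite", "pam_opieaccess.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# Constructed module outcomes. An LDAP-only user appears via nss_ldap with
# password "*" (see the getent output above), so pam_unix.so fails while
# pam_ldap.so's bind succeeds; a local user is the mirror image. No OPIE keys.
LDAP_ONLY_USER = {"pam_opie.so": False, "pam_opieaccess.so": True,
                  "pam_unix.so": False, "pam_ldap.so": True}
LOCAL_USER = {"pam_opie.so": False, "pam_opieaccess.so": True,
              "pam_unix.so": True, "pam_ldap.so": False}

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_AUTH), ("fixed", FIXED_AUTH)):
        print(name, "ldap-only user:", run_stack(chain, LDAP_ONLY_USER),
              "local user:", run_stack(chain, LOCAL_USER))
```

The original chain rejects the LDAP-only user even though pam_ldap.so succeeds, because the earlier required pam_unix.so failure is sticky; the reordered chain grants both users.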


----------



## fuhdan (Feb 21, 2010)

It works. Thanks a lot for your help.


----------



## fuhdan (Feb 22, 2010)

I have just another question. How should I build up my LDAP?
I have the following requirements:
I'm an ISP. I have several boxes (webservers) at the customer locations. Now the customer needs access to some of the websites, but no login to the command line.
How can I do that?


```
example.com
  |
  |-> Company 1
  |              |
  |              |-> People
  |              |-> Hosts
  |              |-> Group
  |
  |-> Company 2
  |              |
  |              |-> People
  |              |-> Hosts
  |              |-> Group
  |
  |-> Company 3
                 |
                 |-> People
                 |-> Hosts
                 |-> Group
```


Or is it better to manage the access over groups, like this?


```
example.com
  |
  |-> People
  |            |-> user_isp1
  |            |-> user_isp2
  |            |-> user1_company1
  |            |-> user2_company1
  |            |-> user1_company2
  |            |-> user2_company2
  |
  |-> Group
  |          |-> group_isp
  |          |-> group_company1
  |          |-> group_company2
  |          |-> group_company3
  |
  |-> Host
           |-> host1_company1
           |-> host2_company1
           |-> host1_company2
           |-> host2_company2
```


How can I restrict a user to have access to http://server1/website1 but no access to http://server1/website2? How can I prevent some users from having access to the command line (something like nologin)?

Thanks for your advice.


----------



## gilinko (Feb 22, 2010)

First of all, you should start a new thread when asking new questions.

Use different LDAP databases for each customer, i.e. your first setup, but with different root DNs:


```
dc=example1,dc=com
-> ou=Users
-> ou=Groups

dc=example2,dc=com
-> ou=Users
-> ou=Groups
```

If you need one user to be able to gain access on multiple servers, add that user as an RDN link to a "master" user database. But before you do that, I would strongly suggest that you read up on and understand what you are doing with the LDAP database.

As for access to specific directories on the same server, it all depends on how they are accessed: ftp, dav, ssh, nfs, samba etc.


----------

