-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/10/2010, at 10:05 AM, Michel Talon wrote:

>
> Kevin Mai wrote:
>> Logins over ssh and sudo work great with ldap, but when I try to log in
>> from console, it prompts me twice for the password.
>>
>> If I put a wrong password it prints out that it cannot bind to the ldap
>> server, which means that I'm able to bind to ldap, but cannot login
>> for some reason.
>
> Can you send a copy of your /etc/pam.d/sshd and /etc/pam.d/system ?

What I think you have done is this:

auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn use_first_pass

Notice the try_first_pass options on krb5 and ldap? This will prompt for the krb5 password, then prompt again for the ldap password, and then fall back to unix. It looks like this when you enter the wrong password:

Password:
LDAP Password:
Password:
LDAP Password:
etc ....

In your case, you likely have something else, and not krb5, but editing your file to appear like this will be of great help:

auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn use_first_pass

You need to set ldap to try_first_pass, and unix to use_first_pass. This will stop the "double prompting".

Also of note is that /etc/pam.d/login is an include of system. Thus you likely have your system file set up wrong. Mine is a carbon copy of my sshd file.
Here it is:

auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn use_first_pass
#auth required pam_deny.so use_first_pass

account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account optional pam_unix.so
account required /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user

# session
#session optional pam_ssh.so
session required pam_permit.so
#account optional pam_krb5.so
#session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

password sufficient pam_unix.so no_warn use_first_pass

A few other hints:

Make sure your certificates have the correct CN that matches your host's FQDN. You can specify them with the option tls_cacertfile, and these DO NOT need converting into any weird formats; just the standard output from openssl will work.

@Michael

If you plan to use LDAP groups to control access to be able to log in to a server, you need to change your ldap account line, as at this time it will allow anyone through into the system. Regardless, what I have also means that ldap is not checked for non-ldap users.

Changing ldap passwords IS NOT POSSIBLE from the passwd binary. I cannot remember why, but it is not. You must use the ldappasswd utility.
A lot of basic help can be found here: http://www.freebsd.org/doc/en/articles/ldap-auth/ldap.html

Sincerely,

William Brown
pgp.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)

iQIcBAEBAgAGBQJMrQkTAAoJEHF16AnLoz6JjmAP/2AnyWUT1EwoyAm8gAH6Qjoq
WC0dSHnfuYzJiw8UM3Uhzdj4LXPNLFh/bqHsgFpDxO1OwyG8OnTv40NdR9506O7e
BP0SmnADt9a8beLHM54jOfJsYHz0kH1bpHk4HkcA5zQEsl76H7IsF6m6tiFxTSII
WLrXwHTN+Z6zpo80N7Ng9GGVCxrs68gU/JQFX58lIIkSlXe2kJ7W8DAcs2q2O13x
5VPl9x2bEYugRwggDLAWwD22ETL6BAjk+qr2+yG8yLKgsg/NTyPoBkdVhHCgOBw2
vt8IGxVeeau3MLvrm/c2+dK7i2Aw9FlB94EBZo5G2QM5AfzmTqtiLAeQ8sM2tQkD
suqPijBB6aLmrnpbqjQxPgKQANv1szELBASC4qcCKHQFNeGtfueikRpgnVaGLrnq
LMOEKpnnuJQ7OrW3TmY6vZFrnKm1QD1cniuJV2Hhb3FZ8JTTq/L2Ae9NHaPKlR3F
7pXcTTTo4hXUe9h9McSv7fUPbTFC9KU/ntc9XQDS+5TLyyMsN1tuaY506v3kTGWh
wdczKBhrSLcwjvh3DUjrutaYg+oYQWOpNvzSOUAQgmLURZcb7zr0q6lstlzHzsZp
4z5jDn6sGUNHCZzzf/eRZjtR3bikQsBrfKgmuHGBVNjwpIzwAus1m1B4XeQ3lhTX
xErK6nRRH75mS3igwcMa
=qIai
-----END PGP SIGNATURE-----
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
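The prompting behaviour William describes (two try_first_pass modules in a row re-prompt on a wrong password; ldap with try_first_pass followed by unix with use_first_pass asks once) follows from how the PAM auth stack hands the shared authentication token from module to module. The simulator below is an added illustration, not code from this mail, from OpenPAM or from FreeBSD: it models only the control flags and the try_first_pass / use_first_pass semantics the mail relies on, and it treats each module's backend as a constructed credential store (the one password that backend accepts, or None when the backend knows no such user). pam_opie and pam_opieaccess are modelled as non-prompting modules with assumed fixed results (no OPIE key, allow_local). It goes slightly beyond the mail by also running a local (non-LDAP) user through the recommended stack and a stack in which pam_unix lacks use_first_pass, which is the other common way to get the double prompt.

```python
"""Simulate how a FreeBSD-style PAM 'auth' stack prompts for passwords.

Added illustration, not code from the mail or from OpenPAM.  Modelled rules:
  * a module with no password option always prompts;
  * try_first_pass reuses the token an earlier module collected and prompts
    again only if that token is rejected;
  * use_first_pass reuses the token and never prompts (fails if there is none);
  * sufficient / requisite / required control flags as in OpenPAM.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    control: str                          # sufficient | requisite | required | optional
    options: FrozenSet[str] = frozenset()
    accepts: Optional[str] = None         # constructed: password this backend accepts
    interactive: bool = True              # False: decides without ever prompting
    static_result: bool = False           # result of a non-interactive module


def run_auth_stack(stack: List[Module], typed: List[str]) -> Tuple[bool, int]:
    """Walk the stack once; return (authenticated, number of password prompts).

    'typed' is the constructed sequence of passwords the user enters, one per
    prompt.  Every prompt stores its answer as the shared token, so a re-prompt
    replaces the token that later use_first_pass modules see.
    """
    answers = iter(typed)
    authtok: Optional[str] = None
    prompts = 0
    required_failed = False
    for m in stack:
        if not m.interactive:
            ok = m.static_result
        else:
            ok = False
            if authtok is not None and m.options & {"try_first_pass", "use_first_pass"}:
                ok = authtok == m.accepts                 # reuse the earlier token
            if not ok and "use_first_pass" not in m.options:
                # No token yet, or try_first_pass after a rejected reuse:
                # this module asks for a password itself.
                prompts += 1
                authtok = next(answers, None)
                ok = authtok is not None and authtok == m.accepts
        if m.control == "sufficient" and ok and not required_failed:
            return True, prompts
        if m.control == "requisite" and not ok:
            return False, prompts
        if m.control == "required" and not ok:
            required_failed = True
    return not required_failed, prompts


# Non-interactive head shared by every stack in the mail.  Assumed results:
# the user has no OPIE key (pam_opie fails quietly), allow_local lets
# pam_opieaccess pass.
OPIE_HEAD = [
    Module("pam_opie", "sufficient", frozenset({"no_warn", "no_fake_prompts"}),
           interactive=False, static_result=False),
    Module("pam_opieaccess", "requisite", frozenset({"no_warn", "allow_local"}),
           interactive=False, static_result=True),
]


def suspected_stack(ldap_password: str = "ldap-secret") -> List[Module]:
    """The stack the mail guesses at: krb5 and ldap both with try_first_pass."""
    return OPIE_HEAD + [
        Module("pam_krb5", "sufficient", frozenset({"no_warn", "try_first_pass"})),
        Module("pam_ldap", "sufficient", frozenset({"no_warn", "try_first_pass"}), accepts=ldap_password),
        Module("pam_unix", "required", frozenset({"no_warn", "use_first_pass"})),
    ]


def recommended_stack(ldap_password: Optional[str] = "ldap-secret",
                      local_password: Optional[str] = None) -> List[Module]:
    """The stack the mail recommends: ldap try_first_pass, unix use_first_pass."""
    return OPIE_HEAD + [
        Module("pam_ldap", "sufficient", frozenset({"no_warn", "try_first_pass"}), accepts=ldap_password),
        Module("pam_unix", "required", frozenset({"no_warn", "use_first_pass"}), accepts=local_password),
    ]


def unix_without_first_pass(ldap_password: str = "ldap-secret") -> List[Module]:
    """Recommended stack minus use_first_pass on pam_unix: it prompts on its own."""
    return OPIE_HEAD + [
        Module("pam_ldap", "sufficient", frozenset({"no_warn", "try_first_pass"}), accepts=ldap_password),
        Module("pam_unix", "required", frozenset({"no_warn"})),
    ]


if __name__ == "__main__":
    print("suspected, wrong password  :", run_auth_stack(suspected_stack(), ["bad", "bad"]))        # (False, 2)
    print("suspected, right password  :", run_auth_stack(suspected_stack(), ["ldap-secret"]))       # (True, 1)
    print("recommended, wrong password:", run_auth_stack(recommended_stack(), ["bad"]))             # (False, 1)
    print("recommended, local user    :", run_auth_stack(recommended_stack(None, "pw"), ["pw"]))    # (True, 1)
    print("unix lacks use_first_pass  :", run_auth_stack(unix_without_first_pass(), ["bad", "bad"]))  # (False, 2)
```

The two-prompt results are exactly the "Password: / LDAP Password:" sequence in the mail: whichever module prompts second either has try_first_pass and re-asks after the reused token is rejected, or has no first-pass option at all and asks unconditionally. The recommended ordering asks once because the only module that can prompt is pam_ldap, and pam_unix with use_first_pass silently reuses its token, which is also why a local user still logs in with a single prompt.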
