The OpenLDAP server is at the moment a FreeBSD 7.2 box running the most
recent OpenLDAP from ports. The following is also true for each OpenLDAP
2.4.16 I have running on most recent FreeBSD 8.0-CURRENT boxes.
I can't login via ssh anymore! For first circumvention of the problem I
installed local users, so I can login via them.
Here is what I can do and what I cannot:
I can enumerate each user in the OpenLDAP DIT via id I wish
I can use the OpenLDAP server to login on a samba share
I can 'su' to users having their account stuff in the OpenLDAP DIT
Whenever I (or any other user) try to login to a host which does
PAMyfied authentication to LDAP servers (which worked weeks ago
perfectly), I (or he) gets this:
sshd[1414]: fatal: login_get_lastlog: Cannot find account for uid 1000
Logging the console messages on the server shows this:
sshd[482]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[482]: fatal: login_get_lastlog: Cannot find account for uid 1000
I tried to reconfigure /etc/ssh/sshd_config on the host side, restored
it with a version that worked long before and then tried to reconfigure
it by scratch, beginning from default. No success.
Due to the fact that other services can authenticate without problems via
LDAP, this must have to do with SSH and/or the way it is implemented in
FreeBSD.
Please help.
Regards,
Oliver
I've just installed a fresh machine with FreeBSD 7.2 amd64 and OpenLDAP
2.4.latest and it works. The only difference might be that I'm using nscd.
Have you modified /etc/pam.d files?
I had a problem with nss_ldap and openldap over ssl. This patch fixed it:
http://www.freebsd.org/cgi/query-pr.cgi?pr=133501&cat=ports
Ruben
Actually, bug reports against threading library in 7.0/7.1 should
be rechecked against upcoming 7.2, since libthr got a complete sync
with HEAD. In particular, several issues were fixed that are related
to fork and threads interaction.
If the issue is still present in 7.2, then the best way to start some
progress is to get isolated failing test case for libthr.
I changed the order of the lookup sources in /etc/nsswitch.conf:
previously not working and triggering the issues I reported:
group: files ldap
passwd: files ldap
working after exchanging order:
group: ldap files
passwd: ldap files
This is weird! After I changed that, the first attempt at entering the
password now takes 20 seconds to respond even for local users; if I hit
return for the first password attempt and enter the password on the second
attempt, it runs immediately to the expected login.
The intention of having files looked up first was: sometimes LDAP is dead or
we are running tests and cannot reach LDAP, so we need to login via locally
stored users. Having LDAP consulted first makes a login a disaster:
after a minute some boxes cancel the login attempt because of the timeout.
That's fun.
Even with
passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
group: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
it fails. There is something wrong, not specifically with 7.2.
Oliver
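The source ordering and the bracketed action specifiers discussed in the last message, walked through by a small simulator of nsswitch.conf(5) lookup semantics. This is an added example, not code from the thread or from FreeBSD; the status names and default actions follow the manual page, the per-source statuses fed in are constructed inputs, and tryagain retry counts are not modelled.

```python
# Added example, not from the thread: simulate nsswitch.conf(5) lookup
# semantics to see which sources get consulted for a given source ordering.
# Default actions follow the manual page; the per-source statuses passed in
# are constructed inputs, and tryagain retry counts are not modelled.
import re

# Statuses a source can report, with the default action for each.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}
# One source name with an optional "[status=action ...]" specifier after it.
_ENTRY_RE = re.compile(r"(\w+)(?:\s*\[([^\]]*)\])?")

def parse_line(line):
    """Parse 'db: src [actions] src ...' into (db, [(src, actions), ...])."""
    db, _, rest = line.partition(":")
    entries = []
    for source, spec in _ENTRY_RE.findall(rest.strip()):
        actions = dict(DEFAULT_ACTIONS)  # explicit specifiers override defaults
        for pair in spec.split():
            status, action = pair.lower().split("=", 1)
            actions[status] = action
        entries.append((source, actions))
    return db.strip(), entries

def lookup(entries, status_by_source):
    """Walk the sources in order, stopping at the first 'return' action.
    status_by_source maps a source to the status it would report for this
    query (unlisted sources count as unavailable).  Returns the final status
    and the list of (source, status) pairs in the order they were consulted."""
    consulted, final = [], "notfound"
    for source, actions in entries:
        final = status_by_source.get(source, "unavail")
        consulted.append((source, final))
        if actions[final] == "return":
            break
    return final, consulted

def resolve(line, ldap_status, in_files):
    """Resolve a passwd query: ldap_status is what nss_ldap would report,
    in_files says whether the local passwd file has the user."""
    _, entries = parse_line(line)
    return lookup(entries, {"ldap": ldap_status,
                            "files": "success" if in_files else "notfound"})

# The three orderings from the thread (constructed as test inputs here).
FILES_FIRST = "passwd: files ldap"
LDAP_FIRST = "passwd: ldap files"
EXPLICIT = ("passwd: ldap [unavail=continue notfound=continue] "
            "files [success=return notfound=return]")
```

The consulted list for the two ldap-first lines shows that a local user is resolved only after the ldap source has reported unavail, so whatever time nss_ldap needs to reach that verdict is spent before files is even tried.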