Re: [gentoo-user] Ldap authentication issues.
On 05/05/2010 02:02 AM, Indexer wrote:
> I have solved this issue late last night. I took my inspiration from Fedora, which has a really nice automatic tool for adding LDAP servers, and I looked at their changes. The issue was that pam_unix was set as required, not sufficient / optional. I also found that in Fedora they do includes in their PAM, and my setup did not have it, so you need to modify the correct module for the system you are using. Find below my corrected PAM config, and I will do a write-up of this process.

nice :)

> I have also found that when the user logs in it takes a long time for commands to execute, and in this time it sends a lot of requests to the slapd server, using anonymous binds. Any idea how I make anonymous binds return attrs such as groupUid etc?

You have to allow that using ACLs in slapd.conf. In your first post they were:

    access to attrs=userPassword
        by dn=uid=william,ou=Admin,dc=chocolate,dc=lan write
        by anonymous auth
        by self write
        by * none
    access to *
        by self write
        by users read

I think you should have at least this:

    access to dn.base=""
        by * read

So that anonymous can at least get to the root of your LDAP tree. This is important to some clients (especially SASL).

And then I'd also open up read access to anonymous for everything else, or at least Users+Groups, as that is also the case with /etc/passwd. There is really no point in being more secretive than file permissions on /etc/passwd.

    access to *
        by * read

or, more secure I think:

    access to ou=Group,dc=chocolate,dc=lan
        by dn.subtree=ou=Admin,dc=chocolate,dc=lan write
        by * read
    access to ou=Admin,dc=chocolate,dc=lan
        by dn.subtree=ou=Admin,dc=chocolate,dc=lan write
        by * read
    access to ou=Users,dc=chocolate,dc=lan
        by dn.subtree=ou=Admin,dc=chocolate,dc=lan write
        by * read

I'm not 100% sure with the "by dn.subtree=..." though; I think that should work ($ man slapd.access).

Bye,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
Re: [gentoo-user] Ldap authentication issues.
On 05/03/2010 02:37 PM, Indexer wrote:
> On 03/05/2010, at 9:41 PM, Ward Poelmans wrote:
>> On Mon, May 3, 2010 at 09:41, Indexer inde...@internode.on.net wrote:
>>> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:
>>>
>>>     May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>>
>> What does your ssh file in /etc/pam.d look like?
>
>     # auth
>     auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
>     auth        requisite   pam_opieaccess.so           no_warn allow_local
>     #auth       sufficient  pam_krb5.so                 no_warn try_first_pass
>     #auth       sufficient  pam_ssh.so                  no_warn try_first_pass
>     #auth       sufficient  /usr/local/lib/pam_ldap.so  no_warn use_first_pass
>     auth        required    pam_unix.so                 no_warn try_first_pass
>
>     # account
>     account     required    pam_nologin.so
>     #account    required    pam_krb5.so
>     account     required    pam_login_access.so
>     account     required    pam_unix.so
>     #account    required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
>
>     # session
>     #session    optional    pam_ssh.so
>     session     required    pam_permit.so
>
>     # password
>     #password   sufficient  pam_krb5.so                 no_warn try_first_pass
>     password    required    pam_unix.so                 no_warn try_first_pass
>
>> Ward
>
> I was under the impression that SSH was able to use PAM from the system module? I will try this out now, uncommenting the LDAP settings.

Can the user login from a console? And what about "su - william" from a non-root account? (From a root account it should work without problems.)

Daniel
Re: [gentoo-user] Ldap authentication issues.
I have solved this issue late last night. I took my inspiration from Fedora, which has a really nice automatic tool for adding LDAP servers, and I looked at their changes. The issue was that pam_unix was set as required, not sufficient / optional. I also found that in Fedora they do includes in their PAM, and my setup did not have it, so you need to modify the correct module for the system you are using. Find below my corrected PAM config, and I will do a write-up of this process.

I have also found that when the user logs in it takes a long time for commands to execute, and in this time it sends a lot of requests to the slapd server, using anonymous binds. Any idea how I make anonymous binds return attrs such as groupUid etc?

On 05/05/2010, at 7:00 AM, Daniel Troeder wrote:

    # auth
    auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so           no_warn allow_local
    #auth       sufficient  pam_krb5.so                 no_warn try_first_pass
    #auth       sufficient  pam_ssh.so                  no_warn try_first_pass
    auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn use_first_pass
    auth        sufficient  pam_unix.so                 no_warn try_first_pass

    # account
    account     required    pam_nologin.so
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     sufficient  pam_unix.so
    account     sufficient  /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user

    # session
    #session    optional    pam_ssh.so
    session     required    pam_permit.so
    session     optional    /usr/local/lib/pam_ldap.so

    # password
    #password   sufficient  pam_krb5.so                 no_warn try_first_pass
    password    sufficient  pam_unix.so                 no_warn try_first_pass
    # module path made consistent with the other pam_ldap lines (the post had /usr/lib/local)
    password    sufficient  /usr/local/lib/pam_ldap.so
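The fix above turns on the difference between "required" and "sufficient". The following is an added example, written for this edit and not part of the post or of any PAM implementation: it encodes Linux-PAM's default action table for the four control flags and replays the thread's original and corrected sshd "auth" stacks against constructed module results (william exists only in LDAP, so pam_unix cannot verify him). The HARDENED_AUTH stack with a trailing pam_deny.so and the per-scenario outcomes are my assumptions; other PAM implementations may decide the end of a chain differently.

```python
"""Replay the two sshd 'auth' stacks from this thread with Linux-PAM control-flag semantics.

Added example, not part of the original mailing-list post. It encodes the
default action table Linux-PAM assigns to required / requisite / sufficient /
optional and runs the original stack ('auth required pam_unix.so') and the
corrected one (pam_ldap and pam_unix both 'sufficient') against constructed
module results. Only Linux-PAM's rules are modelled; no PAM library is called.
"""
from dataclasses import dataclass

# Linux-PAM default actions per control flag: (on success, on failure)
CONTROL_TABLE = {
    "required":   ("ok", "bad"),       # failure is remembered, stack continues
    "requisite":  ("ok", "die"),       # failure ends the stack immediately
    "sufficient": ("done", "ignore"),  # success ends the stack, failure is ignored
    "optional":   ("ok", "ignore"),
}


@dataclass(frozen=True)
class Rule:
    control: str   # one of the CONTROL_TABLE keys
    module: str    # module file name, e.g. pam_unix.so


def run_stack(rules, outcomes):
    """Evaluate one management group.

    outcomes maps module -> True (PAM_SUCCESS) / False; a module missing from
    the map fails. Returns (granted, trace), trace being one line per module.
    """
    impression = None   # None until a module counts, then "positive"/"negative"
    granted = False
    trace = []
    for rule in rules:
        ok = outcomes.get(rule.module, False)
        action = CONTROL_TABLE[rule.control][0 if ok else 1]
        trace.append(f"{rule.control:<10} {rule.module:<18} {('ok' if ok else 'FAIL'):<4} -> {action}")
        if action in ("ok", "done"):
            if impression is None:
                impression, granted = "positive", True
            if impression == "positive" and action == "done":
                break              # a sufficient module decided the stack
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, granted = "negative", False
            if action == "die":
                break              # requisite failure: stop at once
        # "ignore": the result does not affect the verdict
    return granted, trace


# The uncommented 'auth' lines of the thread's original and corrected config.
BEFORE_AUTH = [
    Rule("sufficient", "pam_opie.so"),
    Rule("requisite", "pam_opieaccess.so"),
    Rule("required", "pam_unix.so"),
]
AFTER_AUTH = [
    Rule("sufficient", "pam_opie.so"),
    Rule("requisite", "pam_opieaccess.so"),
    Rule("sufficient", "pam_ldap.so"),
    Rule("sufficient", "pam_unix.so"),
]
# Hardened variant (an assumption, not from the thread): a trailing
# 'required pam_deny.so' so the chain cannot end on pam_opieaccess's success
# when every sufficient module has failed.
HARDENED_AUTH = AFTER_AUTH + [Rule("required", "pam_deny.so")]

# Constructed scenarios. william exists only in LDAP, so pam_unix cannot check
# his password; pam_opieaccess permits non-OPIE logins; pam_opie and pam_deny fail.
LDAP_USER_OK = {"pam_opieaccess.so": True, "pam_ldap.so": True}
LOCAL_USER_OK = {"pam_opieaccess.so": True, "pam_unix.so": True}
WRONG_PASSWORD = {"pam_opieaccess.so": True}


def verdict(rules, outcomes):
    """True when the stack would grant access under the given outcomes."""
    return run_stack(rules, outcomes)[0]


if __name__ == "__main__":
    for name, stack in (("before", BEFORE_AUTH), ("after", AFTER_AUTH), ("hardened", HARDENED_AUTH)):
        for label, outcomes in (("ldap user", LDAP_USER_OK), ("local user", LOCAL_USER_OK),
                                ("wrong password", WRONG_PASSWORD)):
            granted, trace = run_stack(stack, outcomes)
            print(f"{name:<8} {label:<14} -> {'GRANT' if granted else 'DENY'}")
            for line in trace:
                print("    " + line)
```

Running it shows why the original stack denied the LDAP user (pam_unix "required" fails, and that failure sticks) and why the corrected one admits both LDAP and local users. It also shows the check worth making on any all-"sufficient" stack: under Linux-PAM's rules the WRONG_PASSWORD scenario against AFTER_AUTH still ends in a grant, because the "requisite" pam_opieaccess success is the last result that counted; the trailing "required pam_deny.so" in HARDENED_AUTH closes that gap without changing the LDAP or local-user outcome.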
[gentoo-user] Ldap authentication issues.
I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:

    May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1

I can successfully search the LDAP with this user binding to the LDAP:

    ldapsearch -x -D uid=william,ou=Admin,dc=chocolate,dc=lan -W '(uid=william)'
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <dc=chocolate,dc=lan> (default) with scope subtree
    # filter: (uid=william)
    # requesting: ALL
    #

    # william, Admin, chocolate.lan
    dn: uid=william,ou=Admin,dc=chocolate,dc=lan
    uid: william
    cn: william
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: top
    loginShell: /bin/bash
    uidNumber: 1
    gidNumber: 1
    homeDirectory: /home/william
    userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE=
    gecos: William Brown
    description: William Brown
    shadowLastChange: 1
    shadowMax: 0
    shadowExpire: 0

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Slapd when trying to authenticate shows this:

    /usr/local/libexec/slapd -4 -d 256
    slapd starting
    conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
    conn=0 op=0 BIND dn= method=128
    conn=0 op=0 RESULT tag=97 err=0 text=
    connection_input: conn=0 deferring operation: binding
    conn=0 op=1 SRCH base=ou=Nemo,ou=Group,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixGroup))
    conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
    conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=0 op=2 SRCH base=ou=Marvin,ou=Group,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixGroup))
    conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
    conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
    conn=0 fd=10 closed (connection lost)
    conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
    conn=1 op=0 BIND dn= method=128
    conn=1 op=0 RESULT tag=97 err=0 text=
    connection_input: conn=1 deferring operation: binding
    conn=1 op=1 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
    conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
    <= bdb_equality_candidates: (uid) not indexed
    conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
    conn=2 op=0 BIND dn= method=128
    conn=2 op=0 RESULT tag=97 err=0 text=
    connection_input: conn=2 deferring operation: binding
    conn=2 op=1 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
    conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
    <= bdb_equality_candidates: (uid) not indexed
    conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=2 op=2 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
    conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
    <= bdb_equality_candidates: (uid) not indexed
    conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=2 fd=12 closed (connection lost)
    conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
    conn=3 op=0 BIND dn= method=128
    conn=3 op=0 RESULT tag=97 err=0 text=
    connection_input: conn=3 deferring operation: binding
    conn=3 op=1 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
    conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
    <= bdb_equality_candidates: (uid) not indexed
    conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=3 op=2 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
    conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
    <= bdb_equality_candidates: (uid) not indexed
    conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=3 fd=12 closed (connection lost)
    conn=1 fd=10 closed (connection lost)

Here is my /etc/ldap.conf:

    base dc=chocolate,dc=lan
    suffix dc=chocolate,dc=lan
    uri ldap://ldap.srv.chocolate.lan
    ldap_version 3
    rootbinddn cn=Manager,dc=chocolate,dc=lan
    scope one
    timelimit 3
    bind_timelimit 3
    bind_policy soft
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_check_host_attr no
    pam_member_attribute memberuid
    pam_password exop
    nss_reconnect_tries 4 # number
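The slapd stats output above (and the later complaint that logins generate many anonymous-bind requests) is easier to reason about when summarised per connection. The following is an added example for this edit, not part of the thread or of OpenLDAP: a small parser for "slapd -d 256" / "loglevel stats" lines that counts anonymous versus authenticated binds, the searches each issued, how many anonymous searches ask for userPassword, and which attributes slapd reported as unindexed. The sample lines are constructed after the thread's own log and the regexes accept both the quoted form slapd writes (dn="") and the unquoted form the archive shows (dn=).

```python
"""Summarise an OpenLDAP slapd stats log: who binds, what they search, what is unindexed.

Added example, not part of the original mailing-list thread. Input is the
line format of 'slapd -d 256' (loglevel stats); the sample below is constructed.
"""
import re
from collections import Counter, OrderedDict

BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="?([^" ]*)"? method=(\d+)')
SRCH_RE = re.compile(r'^conn=(\d+) op=(\d+) SRCH base="?([^" ]*)"? scope=(\d) deref=\d+ filter=')
ATTR_RE = re.compile(r'^conn=(\d+) op=(\d+) SRCH attr=(.*)$')
UNINDEXED_RE = re.compile(r'\w+_candidates: \((\w+)\) not indexed')

# Constructed sample, modelled on the thread's log: two anonymous connections
# (empty bind DN) and one bound as the rootbinddn.
SAMPLE_LOG = """\
conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 fd=10 closed (connection lost)
conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn= method=128
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=13 ACCEPT from IP=127.0.0.1:23394 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" method=128
conn=2 op=0 BIND dn="cn=Manager,dc=chocolate,dc=lan" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
= bdb_equality_candidates: (uid) not indexed
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""


def _new_conn():
    return {"bind_dn": None, "searches": []}


def parse_stats_log(lines):
    """Return (conns, unindexed): conn id -> {bind_dn, searches}, and a Counter
    of attributes slapd reported as unindexed. Lines it does not recognise
    (ACCEPT, RESULT, mech=..., closed) are skipped."""
    conns = OrderedDict()
    unindexed = Counter()
    for raw in lines:
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            conn, _op, dn, _method = m.groups()
            conns.setdefault(conn, _new_conn())["bind_dn"] = dn   # "" = anonymous
            continue
        m = SRCH_RE.match(line)
        if m:
            conn, op, base, scope = m.groups()
            conns.setdefault(conn, _new_conn())["searches"].append(
                {"op": op, "base": base, "scope": int(scope), "attrs": []})
            continue
        m = ATTR_RE.match(line)
        if m:
            conn, op, attrs = m.groups()
            for s in conns.get(conn, _new_conn())["searches"]:
                if s["op"] == op:
                    s["attrs"] = attrs.split()
            continue
        m = UNINDEXED_RE.search(line)
        if m:
            unindexed[m.group(1)] += 1
    return conns, unindexed


def summarize(lines):
    """Aggregate a stats log into the numbers an admin wants at a glance."""
    conns, unindexed = parse_stats_log(lines)
    anon = [c for c in conns.values() if c["bind_dn"] == ""]
    searches = [s for c in conns.values() for s in c["searches"]]
    anon_searches = [s for c in anon for s in c["searches"]]
    return {
        "connections": len(conns),
        "anonymous_binds": len(anon),
        "authenticated_binds": sum(1 for c in conns.values() if c["bind_dn"]),
        "searches": len(searches),
        "anonymous_searches": len(anon_searches),
        "anonymous_userPassword_requests": sum(1 for s in anon_searches if "userPassword" in s["attrs"]),
        "search_bases": Counter(s["base"] for s in searches),
        "unindexed_attributes": dict(unindexed),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key:<32} {value}")
```

Two numbers from the summary map directly onto the thread: "anonymous_searches" is what the slapd ACLs have to allow for the client to get its group and account attributes without a bind, and "unindexed_attributes" points at the missing "index uid eq" that makes every one of those lookups a full scan.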
Re: [gentoo-user] Ldap authentication issues.
On 05/03/2010 09:41 AM, Indexer wrote:
> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:
>
>     May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>
> I can successfully search the LDAP with this user binding to the LDAP:
>
>     ldapsearch -x -D uid=william,ou=Admin,dc=chocolate,dc=lan -W '(uid=william)'
>     Enter LDAP Password:
>     # extended LDIF
>     #
>     # LDAPv3
>     # base <dc=chocolate,dc=lan> (default) with scope subtree
>     # filter: (uid=william)
>     # requesting: ALL
>     #
>
>     # william, Admin, chocolate.lan
>     dn: uid=william,ou=Admin,dc=chocolate,dc=lan
>     uid: william
>     cn: william
>     objectClass: account
>     objectClass: posixAccount
>     objectClass: shadowAccount
>     objectClass: top
>     loginShell: /bin/bash
>     uidNumber: 1
>     gidNumber: 1
>     homeDirectory: /home/william
>     userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE=
>     gecos: William Brown
>     description: William Brown
>     shadowLastChange: 1
>     shadowMax: 0
>     shadowExpire: 0
>
>     # search result
>     search: 2
>     result: 0 Success
>
>     # numResponses: 2
>     # numEntries: 1
>
> Slapd when trying to authenticate shows this:
>
>     /usr/local/libexec/slapd -4 -d 256
>     slapd starting
>     conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
>     conn=0 op=0 BIND dn= method=128
>     conn=0 op=0 RESULT tag=97 err=0 text=
>     connection_input: conn=0 deferring operation: binding
>     conn=0 op=1 SRCH base=ou=Nemo,ou=Group,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixGroup))
>     conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
>     conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     conn=0 op=2 SRCH base=ou=Marvin,ou=Group,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixGroup))
>     conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
>     conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
>     conn=0 fd=10 closed (connection lost)
>     conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
>     conn=1 op=0 BIND dn= method=128
>     conn=1 op=0 RESULT tag=97 err=0 text=
>     connection_input: conn=1 deferring operation: binding
>     conn=1 op=1 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
>     conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
>     <= bdb_equality_candidates: (uid) not indexed
>     conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
>     conn=2 op=0 BIND dn= method=128
>     conn=2 op=0 RESULT tag=97 err=0 text=
>     connection_input: conn=2 deferring operation: binding
>     conn=2 op=1 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
>     conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
>     <= bdb_equality_candidates: (uid) not indexed
>     conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     conn=2 op=2 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
>     conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
>     <= bdb_equality_candidates: (uid) not indexed
>     conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     conn=2 fd=12 closed (connection lost)
>     conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
>     conn=3 op=0 BIND dn= method=128
>     conn=3 op=0 RESULT tag=97 err=0 text=
>     connection_input: conn=3 deferring operation: binding
>     conn=3 op=1 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
>     conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
>     <= bdb_equality_candidates: (uid) not indexed
>     conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     conn=3 op=2 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
>     conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
>     <= bdb_equality_candidates: (uid) not indexed
>     conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     conn=3 fd=12 closed (connection lost)
>     conn=1 fd=10 closed (connection lost)
>
> Here is my /etc/ldap.conf:
>
>     base dc=chocolate,dc=lan
>     suffix dc=chocolate,dc=lan
>     uri ldap://ldap.srv.chocolate.lan
>     ldap_version 3
>     rootbinddn cn=Manager,dc=chocolate,dc=lan
>     scope one
>     timelimit 3
>     bind_timelimit 3
>     bind_policy soft
Re: [gentoo-user] Ldap authentication issues.
On Mon, May 3, 2010 at 09:41, Indexer inde...@internode.on.net wrote:
> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:
>
>     May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1

What does your ssh file in /etc/pam.d look like?

Ward
Re: [gentoo-user] Ldap authentication issues.
On 03/05/2010, at 9:16 PM, Daniel Troeder wrote:
> I haven't set this up on gentoo, only on debian-server with ubuntu-clients...
>
> Does NSS work already? Do you see the LDAP users/group after the passwd-users when you run
>
>     $ getent passwd
>     $ getent group

Both show the correct user and group as defined in the LDAP attributes:

passwd

    william:*:1:1:William Brown:/home/william:/bin/bash

and group

    login:*:2:william

> Assuming you have configured /etc/nsswitch.conf:
>
>     passwd: compat ldap
>     group: compat ldap
>     shadow: compat ldap
>
> (files ldap is OK too.)
>
> As long as that does not work, it doesn't make sense to continue to PAM.
>
> Is the password in /etc/ldap.secret OK? Mode should be 400. Try to see if the password for cn=Manager,dc=chocolate,dc=lan in there does have possibly problematic characters.

The password is in there, and it does bind successfully (I accidentally posted the wrong output from slapd; I have been documenting my successes / failures to try and piece this together):

    slapd starting
    conn=0 fd=10 ACCEPT from IP=127.0.0.1:39936 (IP=0.0.0.0:389)
    conn=0 op=0 BIND dn=cn=Manager,dc=chocolate,dc=lan method=128
    conn=0 op=0 BIND dn=cn=Manager,dc=chocolate,dc=lan mech=SIMPLE ssf=0
    conn=0 op=0 RESULT tag=97 err=0 text=
    connection_input: conn=0 deferring operation: binding
    conn=0 op=1 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
    conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
    conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=1 fd=13 ACCEPT from IP=127.0.0.1:23394 (IP=0.0.0.0:389)
    conn=1 op=0 BIND dn=cn=Manager,dc=chocolate,dc=lan method=128
    conn=1 op=0 BIND dn=cn=Manager,dc=chocolate,dc=lan mech=SIMPLE ssf=0
    conn=1 op=0 RESULT tag=97 err=0 text=
    connection_input: conn=1 deferring operation: binding
    conn=1 op=1 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
    conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
    conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=1 op=2 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
    conn=1 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
    conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=1 fd=13 closed (connection lost)
    conn=2 fd=13 ACCEPT from IP=127.0.0.1:38351 (IP=0.0.0.0:389)
    conn=2 op=0 BIND dn=cn=Manager,dc=chocolate,dc=lan method=128
    conn=2 op=0 BIND dn=cn=Manager,dc=chocolate,dc=lan mech=SIMPLE ssf=0
    conn=2 op=0 RESULT tag=97 err=0 text=
    connection_input: conn=2 deferring operation: binding
    conn=2 op=1 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
    conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
    conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=2 op=2 SRCH base=ou=Admin,dc=chocolate,dc=lan scope=1 deref=0 filter=(&(objectClass=posixAccount)(uid=william))
    conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
    conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

> I need to use nscd on the clients.
>
> BTW: I use MDS/MMC (http://mds.mandriva.org/) on all debian servers for User/Samba/DNS/DHCP/Mail management with LDAP. It's really good.

I'll take a look at it, thank you for the hint.

> The trickiest part of setting up LDAP-clients is always PAM :( Fortunately for debian/ubuntu there are good guides.
>
> If you find out how to do it with gentoo, that info would be appreciated (gentoo-wiki?).

I agree, and I most likely will do a write-up if I get it to work happily.

> Good luck,
> Daniel
>
> --
> PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
> # gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887

William
Re: [gentoo-user] Ldap authentication issues.
On 03/05/2010, at 9:41 PM, Ward Poelmans wrote:
> On Mon, May 3, 2010 at 09:41, Indexer inde...@internode.on.net wrote:
>> I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:
>>
>>     May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1
>
> What does your ssh file in /etc/pam.d look like?

    # auth
    auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so           no_warn allow_local
    #auth       sufficient  pam_krb5.so                 no_warn try_first_pass
    #auth       sufficient  pam_ssh.so                  no_warn try_first_pass
    #auth       sufficient  /usr/local/lib/pam_ldap.so  no_warn use_first_pass
    auth        required    pam_unix.so                 no_warn try_first_pass

    # account
    account     required    pam_nologin.so
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     required    pam_unix.so
    #account    required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user

    # session
    #session    optional    pam_ssh.so
    session     required    pam_permit.so

    # password
    #password   sufficient  pam_krb5.so                 no_warn try_first_pass
    password    required    pam_unix.so                 no_warn try_first_pass

> Ward

I was under the impression that SSH was able to use PAM from the system module? I will try this out now, uncommenting the LDAP settings.