Re: LDAP pam
Hi,

Could someone confirm my understanding:

1) things like getent(1), getpwnam(3) use:
   /etc/nsswitch
   /usr/local/etc/nss_ldap.conf

2) things like sshd, with pam_ldap, use:
   /usr/local/etc/ldap.conf

So if I have a different filter in /usr/local/etc/nss_ldap.conf and /usr/local/etc/ldap.conf I can have a different list of users that would apply to getent and sshd.

The purpose is to have all the users listed in getent, but only some allowed to log in to the machine.

TIA,

Olivier
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
LDAP pam
Hi,

I have an LDAP server, a file server running an NFS server and a web server running an NFS client.

I want the web server to be able to know the users' accounts stored in LDAP, but not provide authentication; so I can have URLs of the form http://my.web/~john/index.html for the user john, where john's home directory is NFS mounted from the file server, but I don't want john to be able to log onto the web server. Of course certain users will be allowed to log onto the web server.

How can this be done with LDAP and PAM?

TIA,

Olivier
Re: LDAP pam
Monday 23 February 2009 10:37:19 Olivier Nicole wrote:
> I want the web server to be able to know the users' accounts stored in LDAP, but not provide authentication; so I can have URLs of the form http://my.web/~john/index.html for the user john, where john's home directory is NFS mounted from the file server, but I don't want john to be able to log onto the web server. Of course certain users will be allowed to log onto the web server.
>
> How can this be done with LDAP and PAM?
>
> TIA,
>
> Olivier

If you don't want to let users log on to the server through SSH you can use the DenyUsers/AllowUsers directives in sshd_config.

As for LDAP and PAM/system there should be some howtos on the net. Shortly: you will need to install nss_ldap and pam_ldap and set them up correctly to get users from LDAP showing in your system.

Maciek
Re: passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)
On Monday 01 October 2007 20:29, Brian A. Seklecki wrote:
> On Mon, 1 Oct 2007, Jonathan McKeown wrote:
>> The passwd(1) program was rewritten some time ago to use PAM, but a test was left in which prevents it doing so. I have asked, both on this list and on freebsd-hackers in the last few weeks, whether there is any reason other than historical to leave this test in, and been deafened by the silence. There are a couple of PRs either open or suspended regarding this issue.
>>
>> I diked out the whole switch statement and replaced it with a single printf, and it works for changing LDAP passwords. I haven't thoroughly tested to see if it causes any other problems.
>
> Does it log in as the LDAP user or the PAM super-user to do the attribute change? I'll check out the source...but that's great news.
>
> ~BAS

From what I remember you have to add some additional configuration in the pam_ldap config file - pam_password exop seems to ring a bell - which tells pam_ldap to use the RFC3062 Password Modify extended operation. I think it does it as the user who owns the password so you need something like

    access to attrs=userPassword
        by self write
        by * auth

in slapd.conf.

I was actually fiddling with this to try and get pam_pGINA working: if anyone has had any joy with that I'd be interested to hear about it.

Jonathan
Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
All right, here's the next step.

As I mentioned, I linked both local/etc/ldap.conf and local/etc/nss_pam.conf symbolically to /local/etc/openldap/ldap.conf (OpenLDAP's ldap.conf). This file only contains a restricted common subset of options understood by OpenLDAP's clients, nss_ldap and pam_ldap. Obviously, this did not work (again: I already installed OpenLDAP, nss_ldap and pam_ldap successfully!). So I turned to having separate files for each library and facility. The only thing I changed was the default dc=xxx tags and the uri tag to access either the local socket, local secure port or local normal port. On all three facilities OpenLDAP was listening, as sockstat(1) reported positively. Well, I also changed /etc/nsswitch.conf to look first for 'files', then for 'ldap' for group and passwords. I also have ACLs defined in slapd.conf.

The problem at the moment is, when nss_ldap is running, login as root on the console takes several minutes (like a NIS server has gone away, and I think nss_ldap does not reach its LDAP server so it is of the same quality as a missing NIS). I tried to avoid this by having 'files' prior to 'ldap' in nsswitch.conf, but that does not work. Logins from outside are impossible; I see a lot of error messages on the console that nss_ldap can't contact its OpenLDAP server. When logged in on the console, I can do a simple slapcat(1) and get a lot of definitions, so this shows a running and responding OpenLDAP server.

I feel seriously desperate because I don't know how to trace the communication paths between the pam/nss clients and the OpenLDAP server. At the beginning of setting up the environment, I followed strictly the suggestions and examples shown in the OpenLDAP tutorials from OpenLDAP itself - but with no success! Other tutorials around the web target mostly outdated environments (FreeBSD 5.1, older OpenLDAP versions or strange Linux setups).

In my case, I expect some errors from the OpenLDAP server if a client tries to access the server itself without having permissions granted for accessing, reading or even writing to the directory, but all I get is a failure in connecting to the OpenLDAP server as if it would not exist. This is strange! Maybe it is also a problem with the TLS/SSL facility, but this should also be reported either by the client or the OpenLDAP server itself. But nothing is shown so far reflecting a problem. Without any SSL/TLS certificate for encryption, I end up in the same strange problem. Even SAMBA struggles when connecting to LDAP services - because it also can not find the target.

So, I suspect some problems with FreeBSD 7.0-CURRENT. Is nobody out here utilizing FBSD 7.0 in combination with OpenLDAP (most recent version as taken from the ports, in conjunction with pam_ldap/nss_ldap)?

Strange, regards,
Oliver

Brian A. Seklecki wrote:
> There should be an nss_ldap.conf and pam_ldap.conf in /usr/local/etc. You need to set a variety of settings there. What do they look like? Remember: pkg_info -L pam_ldap nss_ldap!
>
> Also, not sure about the TCP FIN_2 issue -- probably just the usual shakes and bangs with -current.
>
> ~BAS
>
> On Fri, 28 Sep 2007, O. Hartmann wrote:
>> Thank you for responding. So, I'll feel free reporting my bad luck.
>>
>> This is a reference page I consulted for some hints, but without success:
>> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
>>
>> First, the OS is the most recent FreeBSD 7.0. OpenLDAP is openldap-server-2.3.38, standard config, no SASL support or anything else apart from default PAM_LDAP NSS_LDAP
>>
>> I renamed cached.conf to nscd.conf as suggested (for your information).
>>
>> In /etc/nsswitch.conf I changed
>>
>> #
>> # nsswitch.conf(5) - name service switch configuration file
>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
>> #
>> group: files ldap
>> group_compat: nis
>> hosts: files dns
>> networks: files
>> passwd: files ldap
>> passwd_compat: nis
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>> I also changed /etc/pam.d/sshd to this:
>>
>> #
>> # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
>> #
>> # PAM configuration for the sshd service
>> #
>>
>> # auth
>> auth		sufficient	pam_opie.so		no_warn no_fake_prompts
>> auth		requisite	pam_opieaccess.so	no_warn allow_local
>> #auth		sufficient	pam_krb5.so		no_warn try_first_pass
>> auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
>> auth		sufficient	pam_ssh.so		no_warn try_first_pass
>> auth		required	pam_unix.so		no_warn try_first_pass
>>
>> # account
>> account		required	pam_nologin.so
>> #account	required	pam_krb5.so
>> account		required	pam_login_access.so
>> account		required	pam_unix.so
>>
>> # session
>> #session	optional	pam_ssh.so
>> session		required	pam_permit.so
>>
>> # password
>> #password
passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)
On Friday 28 September 2007 16:29, Brian A. Seklecki wrote:
> FreeBSD 5.x and 6.x work fine with both PAM and NSS - LDAP w/ TLS (PKI). All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP, interactive shell, SFTP, etc.) can be tied into LDAP either directly or via PAM.
>
> As for password change, I don't know if anyone has a passwd(1) binary that properly changes the LDAP password attribute -- if there is and it's out there, it requires ACL insanity.

The passwd(1) program was rewritten some time ago to use PAM, but a test was left in which prevents it doing so. I have asked, both on this list and on freebsd-hackers in the last few weeks, whether there is any reason other than historical to leave this test in, and been deafened by the silence. There are a couple of PRs either open or suspended regarding this issue.

I diked out the whole switch statement and replaced it with a single printf, and it works for changing LDAP passwords. I haven't thoroughly tested to see if it causes any other problems.

Jonathan
Re: passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)
Does it log in as the LDAP user or the PAM super-user to do the attribute change? I'll check out the source...but that's great news.

~BAS

On Mon, 1 Oct 2007, Jonathan McKeown wrote:
> On Friday 28 September 2007 16:29, Brian A. Seklecki wrote:
>> FreeBSD 5.x and 6.x work fine with both PAM and NSS - LDAP w/ TLS (PKI). All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP, interactive shell, SFTP, etc.) can be tied into LDAP either directly or via PAM.
>>
>> As for password change, I don't know if anyone has a passwd(1) binary that properly changes the LDAP password attribute -- if there is and it's out there, it requires ACL insanity.
>
> The passwd(1) program was rewritten some time ago to use PAM, but a test was left in which prevents it doing so. I have asked, both on this list and on freebsd-hackers in the last few weeks, whether there is any reason other than historical to leave this test in, and been deafened by the silence. There are a couple of PRs either open or suspended regarding this issue.
>
> I diked out the whole switch statement and replaced it with a single printf, and it works for changing LDAP passwords. I haven't thoroughly tested to see if it causes any other problems.
>
> Jonathan

l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/
"Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~Maynard James Keenan
Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
There should be an nss_ldap.conf and pam_ldap.conf in /usr/local/etc. You need to set a variety of settings there. What do they look like? Remember: pkg_info -L pam_ldap nss_ldap!

Also, not sure about the TCP FIN_2 issue -- probably just the usual shakes and bangs with -current.

~BAS

On Fri, 28 Sep 2007, O. Hartmann wrote:
> Thank you for responding. So, I'll feel free reporting my bad luck.
>
> This is a reference page I consulted for some hints, but without success:
> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
>
> First, the OS is the most recent FreeBSD 7.0. OpenLDAP is openldap-server-2.3.38, standard config, no SASL support or anything else apart from default PAM_LDAP NSS_LDAP
>
> I renamed cached.conf to nscd.conf as suggested (for your information).
>
> In /etc/nsswitch.conf I changed
>
> #
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
> #
> group: files ldap
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: files ldap
> passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> I also changed /etc/pam.d/sshd to this:
>
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
> #
> # PAM configuration for the sshd service
> #
>
> # auth
> auth		sufficient	pam_opie.so		no_warn no_fake_prompts
> auth		requisite	pam_opieaccess.so	no_warn allow_local
> #auth		sufficient	pam_krb5.so		no_warn try_first_pass
> auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
> auth		sufficient	pam_ssh.so		no_warn try_first_pass
> auth		required	pam_unix.so		no_warn try_first_pass
>
> # account
> account		required	pam_nologin.so
> #account	required	pam_krb5.so
> account		required	pam_login_access.so
> account		required	pam_unix.so
>
> # session
> #session	optional	pam_ssh.so
> session		required	pam_permit.so
>
> # password
> #password	sufficient	pam_krb5.so		no_warn try_first_pass
> password	required	pam_unix.so		no_warn try_first_pass
>
> Both configuration files, for nss_ldap and pam_ldap respectively, got linked to /usr/local/etc/openldap/ldap.conf, which looks like this:
>
> #
> # LDAP Defaults
> #
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> BASE	dc=foo,dc=org
> #URI	ldapi:///
> URI	ldapi://%2fvar%2frun%2fopenldap%2fldapi/
> #SSL	start_tls
> #SIZELIMIT	12
> #TIMELIMIT	15
> #DEREF		never
> #TLS_CACERT
> #TLS_CERT
> #TLS_KEY
> #TLS_REQCERT	allow
> #TLS_REQCERT	demand
> #TLS_CHECKPEER	yes
>
> My /etc/rc.conf.local file has the following OpenLDAP specific entry:
>
> ###
> ### OpenLDAP Server
> ###
> ###
> slapd_enable=YES
> #slapd_flags='-d 3 -4 -s 4 -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///'
> slapd_flags='-4 -s 4 -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210 ldaps://192.168.2.210'
> slapd_sockets=/var/run/openldap/ldapi
>
> My OpenLDAP config file has SSL-certificates disabled.
>
> After the installation of nss_ldap the slapd server takes several decades of seconds to start. But it starts well and after it has initiated itself, I can do on the server a simple 'slapcat' and receive. But I can't access the LDAP server. Doing an 'id testuser' results in 'id not found'. On the console, I receive massively errors like this:
>
> TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received data after socket was closed, sending RST and removing tcpcb
>
> Well, I checked sockstat for a listening slapd and I found slapd listening on both loopback and local NIC and on both ports 389 and 636.
>
> So what is wrong?
>
> Regards,
> a desperate Oliver
>
> Brian A. Seklecki wrote:
>> FreeBSD 5.x and 6.x work fine with both PAM and NSS - LDAP w/ TLS (PKI). All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP, interactive shell, SFTP, etc.) can be tied into LDAP either directly or via PAM.
>>
>> As for password change, I don't know if anyone has a passwd(1) binary that properly changes the LDAP password attribute -- if there is and it's out there, it requires ACL insanity. Like Oracle, you can either understand OpenLDAP ACLs, or you have real work to do :}
>>
>> Check the nss_pam.conf and nss_ldap.conf configs in local/etc/* -- set to debug 1 to get debugging info. Feel free to share error messages.
>>
>> ~BAS
>>
>> On Fri, 2007-09-28 at 10:54 +, O. Hartmann wrote:
>>> Hello out there,
>>> I have a problem with setting up a FreeBSD box as OpenLDAP server with several services, like SAMBA, NFS. The
FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
Hello out there,

I have a problem with setting up a FreeBSD box as OpenLDAP server with several services, like SAMBA, NFS. The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also acting as OpenLDAP server. So far.

OpenLDAP is up and running, using a TLS/SSL certificate. SAMBA is also up and running - but it never connects to the OpenLDAP server due to a connection error, but this shouldn't be the subject here; I have more basic questions about what FreeBSD already has and what to install additionally.

I want customers to log in on the FBSD box, so they should log in (authenticated via OpenLDAP), change their passwords and shells, and those user specifics should be updated on the LDAP server. I already installed the pam_ldap port but ran into trouble because FreeBSD's nss obviously does not have a tag 'ldap' to refer to an OpenLDAP server (and not files).

Well, I'm confused and not very firm with OpenLDAP/PAM/NSS stuff, especially if SSL/TLS come into play, and I would like to ask those herein administering those setups, especially within a hybrid NFS/SAMBA fileservicing environment, where to find up-to-date information/howtos/tips. Most websites and HowTos I found were Linux related or, if related to FreeBSD, outdated.

Sorry for being so unspecific, but the problem is complex (to me) so I would better ask those who are willing to help or give hints and tips.

Thanks in advance and for your patience,
Oliver
Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
FreeBSD 5.x and 6.x work fine with both PAM and NSS - LDAP w/ TLS (PKI). All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP, interactive shell, SFTP, etc.) can be tied into LDAP either directly or via PAM.

As for password change, I don't know if anyone has a passwd(1) binary that properly changes the LDAP password attribute -- if there is and it's out there, it requires ACL insanity. Like Oracle, you can either understand OpenLDAP ACLs, or you have real work to do :}

Check the nss_pam.conf and nss_ldap.conf configs in local/etc/* -- set to debug 1 to get debugging info. Feel free to share error messages.

~BAS

On Fri, 2007-09-28 at 10:54 +, O. Hartmann wrote:
> Hello out there,
>
> I have a problem with setting up a FreeBSD box as OpenLDAP server with several services, like SAMBA, NFS. The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also acting as OpenLDAP server. So far.
>
> OpenLDAP is up and running, using a TLS/SSL certificate. SAMBA is also up and running - but it never connects to the OpenLDAP server due to a connection error, but this shouldn't be the subject here; I have more basic questions about what FreeBSD already has and what to install additionally.
>
> I want customers to log in on the FBSD box, so they should log in (authenticated via OpenLDAP), change their passwords and shells, and those user specifics should be updated on the LDAP server. I already installed the pam_ldap port but ran into trouble because FreeBSD's nss obviously does not have a tag 'ldap' to refer to an OpenLDAP server (and not files).
>
> Well, I'm confused and not very firm with OpenLDAP/PAM/NSS stuff, especially if SSL/TLS come into play, and I would like to ask those herein administering those setups, especially within a hybrid NFS/SAMBA fileservicing environment, where to find up-to-date information/howtos/tips. Most websites and HowTos I found were Linux related or, if related to FreeBSD, outdated.
>
> Sorry for being so unspecific, but the problem is complex (to me) so I would better ask those who are willing to help or give hints and tips.
>
> Thanks in advance and for your patience,
> Oliver
Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
Thank you for responding. So, I'll feel free reporting my bad luck.

This is a reference page I consulted for some hints, but without success:
http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html

First, the OS is the most recent FreeBSD 7.0. OpenLDAP is openldap-server-2.3.38, standard config, no SASL support or anything else apart from default PAM_LDAP NSS_LDAP

I renamed cached.conf to nscd.conf as suggested (for your information).

In /etc/nsswitch.conf I changed

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I also changed /etc/pam.d/sshd to this:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the sshd service
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

Both configuration files, for nss_ldap and pam_ldap respectively, got linked to /usr/local/etc/openldap/ldap.conf, which looks like this:

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE	dc=foo,dc=org
#URI	ldapi:///
URI	ldapi://%2fvar%2frun%2fopenldap%2fldapi/
#SSL	start_tls
#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never
#TLS_CACERT
#TLS_CERT
#TLS_KEY
#TLS_REQCERT	allow
#TLS_REQCERT	demand
#TLS_CHECKPEER	yes

My /etc/rc.conf.local file has the following OpenLDAP specific entry:

###
### OpenLDAP Server
###
###
slapd_enable=YES
#slapd_flags='-d 3 -4 -s 4 -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///'
slapd_flags='-4 -s 4 -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210 ldaps://192.168.2.210'
slapd_sockets=/var/run/openldap/ldapi

My OpenLDAP config file has SSL-certificates disabled.

After the installation of nss_ldap the slapd server takes several decades of seconds to start. But it starts well and after it has initiated itself, I can do on the server a simple 'slapcat' and receive. But I can't access the LDAP server. Doing an 'id testuser' results in 'id not found'. On the console, I receive massively errors like this:

TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received data after socket was closed, sending RST and removing tcpcb

Well, I checked sockstat for a listening slapd and I found slapd listening on both loopback and local NIC and on both ports 389 and 636.

So what is wrong?

Regards,
a desperate Oliver

Brian A. Seklecki wrote:
> FreeBSD 5.x and 6.x work fine with both PAM and NSS - LDAP w/ TLS (PKI). All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP, interactive shell, SFTP, etc.) can be tied into LDAP either directly or via PAM.
>
> As for password change, I don't know if anyone has a passwd(1) binary that properly changes the LDAP password attribute -- if there is and it's out there, it requires ACL insanity. Like Oracle, you can either understand OpenLDAP ACLs, or you have real work to do :}
>
> Check the nss_pam.conf and nss_ldap.conf configs in local/etc/* -- set to debug 1 to get debugging info. Feel free to share error messages.
>
> ~BAS
>
> On Fri, 2007-09-28 at 10:54 +, O. Hartmann wrote:
>> Hello out there,
>> I have a problem with setting up a FreeBSD box as OpenLDAP server with several services, like SAMBA, NFS. The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also acting as OpenLDAP server. So far.
>>
>> OpenLDAP is up and running, using a TLS/SSL certificate. SAMBA is also up and running - but it never connects to the OpenLDAP server due to a connection error, but this shouldn't be the subject here; I have more basic questions about
LDAP + PAM + pam_groupdn (revisited)
Did anyone ever get this combination working?

Is 'pam_member_attribute' supposed to be uniqueMember or memberUid? When you look at a posixGroup entity, the multi-value attribute is memberUid!

Is there *any* way at all to get debugging information out of PAM libraries, or is it just so insanely esoteric that it's not an option?

My favorite thing about PADL's documentation by far is the lack of examples.

~BAS :}
Re: LDAP + PAM + pam_groupdn / pam_member_attribute (revisited)
This should be so insanely easy. I'm relatively certain this is a FreeBSD PAM specific issue.

From LDAP system administration [electronic resource] / Gerald Carter. 1st ed. Beijing ; Sebastopol, CA : O'Reilly, c2003.

in ldap.conf and nss_ldap.conf
--
# Group to enforce membership of
pam_groupdn cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com

# Group member attribute
pam_member_attribute memberUid
---

...and then in LDAP, have an object; *ANY* object will function as a group, as long as it supports a multi-value attribute, in this case memberUid, such as a posixGroup:

# groupName, posixGroups, priv, root, dn
dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
cn: cfdev
objectClass: posixGroup
objectClass: top
gidNumber: 65532
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
memberUid: user6

...this result returned by the same search I'm asking PAM to do:

$ ldapsearch -D cn=bofh,dc=root,dc=com -b dc=root,dc=com -H ldap://ldapserver -Z -W (objectClass=posixGroup)

Then adjust for PAM in SSHD:

# auth
auth		required	pam_nologin.so		no_warn
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	/usr/local/lib/pam_ldap.so	ignore_authinfo_unavail ignore_unknown_user
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so
session		required	pam_permit.so
#session	sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass
#password	required	/usr/local/lib/pam_ldap.so	no_warn try_first_pass

...when I change account ..pam_ldap.so to sufficient, it allows users in who aren't in the required group (as it should if the check fails). When I change it to required, it doesn't let them in, but there isn't a single useful debugging error message.

How could something so widely used as PAM make it into the wild without hooks for debugging?

~BAS

On Thu, 6 Oct 2005, Brian A. Seklecki wrote:
> Did anyone ever get this combination working?
>
> Is 'pam_member_attribute' supposed to be uniqueMember or memberUid? When you look at a posixGroup entity, the multi-value attribute is memberUid!
>
> Is there *any* way at all to get debugging information out of PAM libraries, or is it just so insanely esoteric that it's not an option?
>
> My favorite thing about PADL's documentation by far is the lack of examples.
>
> ~BAS :}

l8*
-lava
x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
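The behaviour reported above (account pam_ldap.so as "sufficient" admits users who fail the group check, as "required" it rejects them) follows directly from how a PAM chain combines control flags. The model below is an added illustration, not pam_ldap, OpenPAM or the posted configuration: the users, the group membership and the three stand-in modules are constructed here, and the flag rules are those of pam.conf(5) (required, requisite, sufficient, optional). It also models the ignore_unknown_user option from the posted account line as "skip this module (PAM_IGNORE) when LDAP has no such user", which is what that option is documented to do.

```python
"""Model of PAM chain evaluation for the sshd account section posted above.

Added illustration; the directory contents and module behaviour are
constructed, and the flag semantics are a simplification of pam.conf(5).
"""
from typing import Callable, Dict, List, Tuple

# One module call yields "ok", "fail", or "ignore" (PAM_IGNORE: skipped).
Module = Callable[[str], str]
Entry = Tuple[str, str]  # (control flag, module name)

# Constructed data: who LDAP knows, who pam_groupdn would accept,
# and who has a local passwd entry.
LDAP_USERS = {"user1", "user2", "outsider"}
GROUP_MEMBERS = {"user1", "user2"}
LOCAL_USERS = {"root", "outsider", "user1", "user2"}


def pam_login_access(user: str) -> str:
    return "ok"  # no /etc/login.access restrictions in this model


def pam_ldap_account(user: str) -> str:
    """pam_ldap account check with pam_groupdn and ignore_unknown_user:
    unknown-to-LDAP users are skipped instead of failing the stack."""
    if user not in LDAP_USERS:
        return "ignore"
    return "ok" if user in GROUP_MEMBERS else "fail"


def pam_unix_account(user: str) -> str:
    return "ok" if user in LOCAL_USERS else "fail"


MODULES: Dict[str, Module] = {
    "pam_login_access": pam_login_access,
    "pam_ldap": pam_ldap_account,
    "pam_unix": pam_unix_account,
}


def run_chain(chain: List[Entry], modules: Dict[str, Module], user: str) -> bool:
    """Combine module results the way pam.conf(5) describes the flags:
    required   - failure makes the chain fail, later modules still run
    requisite  - failure returns failure immediately
    sufficient - success returns success immediately unless an earlier
                 required module already failed; failure is ignored
    optional   - ignored unless it is the only entry in the chain
    A module that returns "ignore" contributes nothing, whatever its flag.
    With no usable result at all the model denies (conservative choice)."""
    required_failed = False
    succeeded = False
    optional_result = None
    for flag, name in chain:
        result = modules[name](user)
        if result == "ignore":
            continue
        ok = result == "ok"
        if flag in ("required", "requisite"):
            if ok:
                succeeded = True
            elif flag == "requisite":
                return False
            else:
                required_failed = True
        elif flag == "sufficient":
            if ok and not required_failed:
                return True
        elif flag == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_failed:
        return False
    if succeeded:
        return True
    return bool(optional_result) if len(chain) == 1 else False


# The two variants of the posted account section.
ACCOUNT_SUFFICIENT: List[Entry] = [
    ("required", "pam_login_access"),
    ("sufficient", "pam_ldap"),
    ("required", "pam_unix"),
]
ACCOUNT_REQUIRED: List[Entry] = [
    ("required", "pam_login_access"),
    ("required", "pam_ldap"),
    ("required", "pam_unix"),
]


def account_decision(chain: List[Entry], user: str) -> bool:
    return run_chain(chain, MODULES, user)


if __name__ == "__main__":
    for user in ("user1", "outsider", "root", "nobody"):
        print(user,
              "sufficient:", account_decision(ACCOUNT_SUFFICIENT, user),
              "required:", account_decision(ACCOUNT_REQUIRED, user))
```

With "sufficient", the group-check failure for outsider is simply ignored and pam_unix.so's success carries the chain; with "required", that failure is recorded and the chain fails even though pam_unix.so still runs and succeeds. The ignore_unknown_user option is what keeps a purely local account such as root logging in under the "required" variant.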
Re: [ldap] Re: LDAP + PAM + pam_groupdn / pam_member_attribute (revisited)
right!

...from pam_ldap(5):

    PAM CONFIGURATION
    It is possible to configure some aspects of pam_ldap on a per-service basis, in the PAM configuration file (this is usually /etc/pam.conf; for PAM implementations based on Linux-PAM, per-service files in /etc/pam.d are also supported).
    [..]
    debug: This option is recognized by pam_ldap but is presently ignored.

~bas

On Thu, 6 Oct 2005, Jeff Saxton wrote:
> you can run pam modules in debug mode:
>
> The last option listed in a PAM configuration line supplies any additional arguments that should be passed to the module upon invocation.
>
> debug
>     Enables generation of debugging information either to standard output or via the syslogd daemon
>
> Good luck
>
> Brian A. Seklecki wrote:
>> This should be so insanely easy. I'm relatively certain this is a FreeBSD PAM specific issue.
>>
>> From LDAP system administration [electronic resource] / Gerald Carter. 1st ed. Beijing ; Sebastopol, CA : O'Reilly, c2003.
>>
>> in ldap.conf and nss_ldap.conf
>> --
>> # Group to enforce membership of
>> pam_groupdn cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
>>
>> # Group member attribute
>> pam_member_attribute memberUid
>> ---
>>
>> ...and then in LDAP, have an object; *ANY* object will function as a group, as long as it supports a multi-value attribute, in this case memberUid, such as a posixGroup:
>>
>> # groupName, posixGroups, priv, root, dn
>> dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
>> cn: cfdev
>> objectClass: posixGroup
>> objectClass: top
>> gidNumber: 65532
>> memberUid: user1
>> memberUid: user2
>> memberUid: user3
>> memberUid: user4
>> memberUid: user5
>> memberUid: user6
>>
>> ...this result returned by the same search I'm asking PAM to do:
>>
>> $ ldapsearch -D cn=bofh,dc=root,dc=com -b dc=root,dc=com -H ldap://ldapserver -Z -W (objectClass=posixGroup)
>>
>> Then adjust for PAM in SSHD:
>>
>> # auth
>> auth		required	pam_nologin.so		no_warn
>> auth		sufficient	pam_opie.so		no_warn no_fake_prompts
>> auth		requisite	pam_opieaccess.so	no_warn allow_local
>> #auth		sufficient	pam_krb5.so		no_warn try_first_pass
>> #auth		sufficient	pam_ssh.so		no_warn try_first_pass
>> auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
>> auth		required	pam_unix.so		no_warn try_first_pass
>>
>> # account
>> #account	required	pam_krb5.so
>> account		required	pam_login_access.so
>> account		required	/usr/local/lib/pam_ldap.so	ignore_authinfo_unavail ignore_unknown_user
>> account		required	pam_unix.so
>>
>> # session
>> #session	optional	pam_ssh.so
>> session		required	pam_permit.so
>> #session	sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
>>
>> # password
>> #password	sufficient	pam_krb5.so		no_warn try_first_pass
>> password	required	pam_unix.so		no_warn try_first_pass
>> #password	required	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
>>
>> ...when I change account ..pam_ldap.so to sufficient, it allows users in who aren't in the required group (as it should if the check fails). When I change it to required, it doesn't let them in, but there isn't a single useful debugging error message.
>>
>> How could something so widely used as PAM make it into the wild without hooks for debugging?
>>
>> ~BAS
>>
>> On Thu, 6 Oct 2005, Brian A. Seklecki wrote:
>>> Did anyone ever get this combination working?
>>>
>>> Is 'pam_member_attribute' supposed to be uniqueMember or memberUid? When you look at a posixGroup entity, the multi-value attribute is memberUid!
>>>
>>> Is there *any* way at all to get debugging information out of PAM libraries, or is it just so insanely esoteric that it's not an option?
>>>
>>> My favorite thing about PADL's documentation by far is the lack of examples.
>>>
>>> ~BAS :}
>
> --
> Jeff Saxton
> SenSage, Inc.

l8*
-lava
x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: LDAP + PAM + pam_groupdn / pam_member_attribute (revisited)
Ahhh. Cheeky bastards. You sit around and think "group" for 18 hours
with regard to POSIX Groups. Then it comes time to sit down and
configure group membership login restriction. But really, they are
entirely unrelated concepts.

It even says in the man page:

    Specifies the distinguished name of a group to which a user must
    belong for logon authorization to succeed.

Right? Right? But... pam_groupdn has absolutely nothing to do with
whether the DN/RDN of the user trying to authenticate contains an
attribute uid=user1, which matches a memberUid multi-value attribute in
any object of type posixGroup. This is simply not what the code checks.
That would make too much sense, to use the semantics of UNIX / POSIX to
make this determination. I.e., you're in that UNIX group, you can login.

Instead, it checks to see if the entire DN of the authenticating
user/DN is in SOME/ANY multi-value attribute defined by
pam_member_attribute. That explains why the authors of LDAP System
Administration go to the trouble of creating an entirely different
ou=Hosts (which, once again, is an entirely ambiguous name) for
containing host/group objects (which are really supposed to be used for
DNS!) with member: attributes for this purpose.

What's more, the values of your pam_member_attribute, in this case
memberUid (but really it should be memberDN), must be the entire DN and
not an RDN. For example:

    memberDN: cn=Keyser Soze,ou=People,o=priv,dc=root,dc=com

but this won't work (RDN?):

    memberDN: uid=ksoze,ou=People,o=priv,dc=root,dc=com

[snip]

    $ ldapsearch blah blah
    # dev, posixGroups, priv, root, com
    dn: cn=dev,ou=posixGroups,o=priv,dc=root,dc=com
    cn: dev
    objectClass: posixGroup
    objectClass: top
    gidNumber: 65532
    memberUid: cn=Keyser Soze,ou=People,o=priv,dc=root,dc=com
    memberUid: cn=Am Biguity,ou=People,o=priv,dc=root,dc=com

Of course, this isn't explained anywhere in the man page and has
probably led to unfathomable amounts of similar confusion previously.

One would naturally think "Oh, excellent, POSIX groups as ACLs for
restricting access to groups of machines", but no :} A better name
would be "Cluster ACL" or "Host ACL" or "ACL Group HostGroup Object".

Another option would be some kind of ldap.conf(5) style regular
expression you could use to convert/match a POSIX ACL into a
pam_groupdn. That would be nice and dirty and would keep par.

Good times, good times. And now to go submit a send-pr(1) to the
FreeBSD port maintainer with a patch to pam_ldap.5, pray it gets
committed back upstream, and then drink myself blind in the left eye so
I can never read another LDAP man page.

~BAS

On Thu, 6 Oct 2005, Brian A. Seklecki wrote:

> This should be so insanely easy. I'm relatively certain this is a
> FreeBSD PAM specific issue.
>
> From LDAP system administration [electronic resource] / Gerald Carter.
> 1st ed. Beijing ; Sebastopol, CA : O'Reilly, c2003.
>
> in ldap.conf and nss_ldap.conf --
>
>     # Group to enforce membership of
>     pam_groupdn cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
>
>     # Group member attribute
>     pam_member_attribute memberUid
>
> ---
>
> ...and then in LDAP, have an object, *ANY* object will function as a
> group, as long as it supports a multi-value attribute, in this case
> memberUid, such as a posixGroup:
>
>     # groupName, posixGroups, priv, root, dn
>     dn: cn=groupName,ou=posixGroups,o=priv,dc=root,dc=com
>     cn: cfdev
>     objectClass: posixGroup
>     objectClass: top
>     gidNumber: 65532
>     memberUid: user1
>     memberUid: user2
>     memberUid: user3
>     memberUid: user4
>     memberUid: user5
>     memberUid: user6
>
> ...this result returned by the same search I'm asking PAM to do:
>
>     $ ldapsearch -D cn=bofh,dc=root,dc=com -b dc=root,dc=com \
>         -H ldap://ldapserver -Z -W '(objectClass=posixGroup)'
>
> Then adjust for PAM in SSHD:
>
>     # auth
>     auth        required    pam_nologin.so      no_warn
>     auth        sufficient  pam_opie.so         no_warn no_fake_prompts
>     auth        requisite   pam_opieaccess.so   no_warn allow_local
>     #auth       sufficient  pam_krb5.so         no_warn try_first_pass
>     #auth       sufficient  pam_ssh.so          no_warn try_first_pass
>     auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>     auth        required    pam_unix.so         no_warn try_first_pass
>
>     # account
>     #account    required    pam_krb5.so
>     account     required    pam_login_access.so
>     account     required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
>     account     required    pam_unix.so
>
>     # session
>     #session    optional    pam_ssh.so
>     session     required    pam_permit.so
>     #session    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
>
>     # password
>     #password   sufficient  pam_krb5.so         no_warn try_first_pass
>     password    required    pam_unix.so         no_warn try_first_pass
>     #password   required    /usr/local/lib/pam_ldap.so  no_warn
5.x - which to install? (Was Re: LDAP, pam, nss)
On 30 Aug, 2004, at 22:16, Konrad Heuer wrote:

> On Mon, 30 Aug 2004, Curtis Vaughan wrote:
>
>> In order to get centralized logins to work on my Linux Debian
>> computers (authenticating off a RedHat Samba server), I have to:
>>
>> install libnss-ldap libpam-ldap.
>>
>> Perform some configuration of the /etc/libnss-ldap.conf and
>> /etc/pam-ldap.conf files.
>>
>> Edit the /etc/nsswitch.conf file.
>>
>> Then I can check that the packages have been installed by issuing
>> the command nscd.
>>
>> Finally, to get authentication happening in specific applications, I
>> go to the directory /etc/pam.d/ and edit the service files there
>> through which I want such authentication to occur.
>>
>> Now, of course, no one here is looking for instructions on how to do
>> something on Linux, but I was now wondering what it is I need to do
>> on my FreeBSD server to get this functionality working? I can't seem
>> to find anything similar so far in my searches.
>>
>> Thanks for any pointers in the right direction.
>
> With FreeBSD 4.x, you won't get very far. But beginning with 5.x (not
> to say 5.2.1-R), it's very similar. Install the following ports:
>
>     /usr/ports/security/pam_ldap
>     /usr/ports/net/nss_ldap
>
> Edit /usr/local/etc/ldap.conf, build /etc/nsswitch.conf, and edit the
> files within /etc/pam.d.
>
> Regards
>
> Konrad Heuer
> GWDG, Am Fassberg, 37077 Goettingen, Germany, [EMAIL PROTECTED]

Taking into consideration that I want this server to be a Postfix
server w/Courier IMAP and as stable as possible and the aforementioned,
of course, which version of 5.x should I install?
LDAP, pam, nss
In order to get centralized logins to work on my Linux Debian computers
(authenticating off a RedHat Samba server), I have to:

install libnss-ldap libpam-ldap.

Perform some configuration of the /etc/libnss-ldap.conf and
/etc/pam-ldap.conf files.

Edit the /etc/nsswitch.conf file.

Then I can check that the packages have been installed by issuing the
command nscd.

Finally, to get authentication happening in specific applications, I go
to the directory /etc/pam.d/ and edit the service files there through
which I want such authentication to occur.

Now, of course, no one here is looking for instructions on how to do
something on Linux, but I was now wondering what it is I need to do on
my FreeBSD server to get this functionality working? I can't seem to
find anything similar so far in my searches.

Thanks for any pointers in the right direction.

Curtis
Re: LDAP, pam, nss
On Mon, 30 Aug 2004, Curtis Vaughan wrote:

> In order to get centralized logins to work on my Linux Debian
> computers (authenticating off a RedHat Samba server), I have to:
>
> install libnss-ldap libpam-ldap.
>
> Perform some configuration of the /etc/libnss-ldap.conf and
> /etc/pam-ldap.conf files.
>
> Edit the /etc/nsswitch.conf file.
>
> Then I can check that the packages have been installed by issuing the
> command nscd.
>
> Finally, to get authentication happening in specific applications, I
> go to the directory /etc/pam.d/ and edit the service files there
> through which I want such authentication to occur.
>
> Now, of course, no one here is looking for instructions on how to do
> something on Linux, but I was now wondering what it is I need to do on
> my FreeBSD server to get this functionality working? I can't seem to
> find anything similar so far in my searches.
>
> Thanks for any pointers in the right direction.

With FreeBSD 4.x, you won't get very far. But beginning with 5.x (not to
say 5.2.1-R), it's very similar. Install the following ports:

    /usr/ports/security/pam_ldap
    /usr/ports/net/nss_ldap

Edit /usr/local/etc/ldap.conf, build /etc/nsswitch.conf, and edit the
files within /etc/pam.d.

Regards

Konrad Heuer
GWDG, Am Fassberg, 37077 Goettingen, Germany, [EMAIL PROTECTED]
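Konrad's steps end in /etc/nsswitch.conf and the files under /etc/pam.d; the following added example (not FreeBSD's or PADL's code) reads constructed copies of both and reports which name-service databases consult ldap and which control flag pam_ldap.so carries in each PAM facility, the flag the pam_groupdn thread above found decisive for the account stack. The sample nsswitch.conf and pam.d/sshd contents are constructed, the latter mirroring the auth/account lines quoted in that thread.

```python
"""Audit of the nss_ldap / pam_ldap wiring the thread describes: which
nsswitch.conf databases consult ldap, and with what control flag
pam_ldap.so sits in each PAM facility. Added example, not FreeBSD's or
PADL's code; the sample file contents below are constructed."""

SAMPLE_NSSWITCH = """\
group: files ldap
hosts: files dns
passwd: files ldap
"""

# Constructed, mirroring the auth/account lines of the sshd stack upthread.
SAMPLE_PAMD_SSHD = """\
# auth
auth      required    pam_nologin.so  no_warn
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth      required    pam_unix.so     no_warn try_first_pass
# account
account   required    pam_login_access.so
account   required    /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account   required    pam_unix.so
"""

def nss_ldap_databases(text):
    """Databases whose source list names ldap (passwd/group are what getent needs)."""
    found = []
    for line in text.splitlines():
        db, _, sources = line.split("#", 1)[0].partition(":")
        if "ldap" in sources.split():
            found.append(db.strip())
    return sorted(found)

def parse_pamd(text):
    """Return {facility: [(control, module, [args])]} in stack order."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            stacks.setdefault(fields[0], []).append((fields[1], fields[2], fields[3:]))
    return stacks

def ldap_controls(stacks, module="pam_ldap.so"):
    """Control flag of pam_ldap in each facility, None where it is absent.
    A 'sufficient' account entry is what let non-members in upthread."""
    return {fac: next((ctl for ctl, mod, _ in ents if mod.endswith(module)), None)
            for fac, ents in stacks.items()}
```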