LDAP Authentication and Authorization
Predrag Punosevac
punosevac72 at gmail.com
Thu Jun 22 19:28:14 UTC 2017
Hi Folks,
This is my first post to this mailing list after ten years so please bear
with me.
I am trying to migrate a dozen file servers and jail hosts currently
running FreeNAS 9.2.1.9 or TrueOS (server edition of the now dead PC-BSD)
10.3 to vanilla 11.0. I am having a real hard time with the LDAP
authentication part on the file server.
Before we go any further let me say that in our Lab we use the LDAP server
from the base of OpenBSD 6.1. We use LDAP for both authorization and
authentication. I have no intention to set up a Kerberos server for
authentication. I also realized this morning that I might not even need
the authentication part on FreeBSD file servers as regular users will
not be logging into the file server. They will only be accessing their
home directories via NFS and I got the authorization part working correctly.
However it really bothers me that I can't log into the FreeBSD machine
with an LDAP account. Let me describe what I have done in the past and so
far.
On FreeNAS 9.2.1.9 both authentication and authorization work like a charm,
more or less following the "official documentation":
https://www.freebsd.org/doc/en/articles/ldap-auth/
I tried to migrate the FreeNAS server to PC-BSD 10.3 but I hit the wall:
https://forums.freebsd.org/threads/52989/
The most disturbing part was the post in which I learnt about nss-pam-ldapd:
"It's part of the net/nss-pam-ldapd / net/nss-pam-ldapd-sasl port. Don't
use the old security/pam_ldap and net/nss_ldap modules. They've been
abandoned years ago by their upstream and suffer from several severe
design errors. nslcd breaks the LDAP PAM and NSS modules into two parts.
One part is a daemon handling all the heavy work and the other are small
shims querying the daemon over a unix domain socket to implement the NSS
and PAM interface."
which the "official documentation" never mentions. By the way the "official
documentation" worked flawlessly for DragonFly BSD:
https://marc.info/?l=dragonfly-users&m=141630435129956&w=2
While contemplating migration to 11.xxx I was happy to learn that
FreeBSD got ypldap and was possibly contemplating moving away from the PAM
insanity
https://www.freebsd.org/cgi/man.cgi?query=ypldap&apropos=0&sektion=0&manpath=FreeBSD+11.0-RELEASE+and+Ports&arch=default&format=html
just to be totally discouraged by the following post
https://marc.info/?l=freebsd-questions&m=149746603212079&w=2
by one of the long-time FreeBSD users. I don't get why import the ypldap code
into the base if FreeBSD is sticking to the PAM craziness.
https://marc.info/?l=freebsd-questions&m=149746504411822&w=2
Anyhow this is what works on this file server and what doesn't:
OpenLDAP client works
root at hera:/usr/local/etc/openldap # more ldap.conf
BASE dc=autonlab,dc=org
URI ldap://atlas.int.autonlab.org:389
SIZELIMIT 12
TIMELIMIT 15
DEREF never
SSL START_TLS
TLS_REQCERT allow
TLS_CACERT /usr/local/etc/openldap/certs/ca.crt
TLS_CACERTDIR /usr/local/etc/openldap/certs
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
ldapsearch -ZZ -D "uid=predrag,ou=users,dc=autonlab,dc=org" -W
# mravanba, group, autonlab.org
dn: cn=mravanba,ou=group,dc=autonlab,dc=org
cn: mravanba
objectClass: top
objectClass: posixGroup
gidNumber: 1078
memberUid: mravanba
description: User Private Group
# search result
search: 3
result: 4 Size limit exceeded
# numResponses: 13
# numEntries: 12
Following the suggestion from the FreeBSD forum thread and based on the
negative comments about the ypldap daemon I installed
net/nss-pam-ldapd
and configured the nslcd daemon:
root at hera:/usr/local/etc # more nslcd.conf
uid nslcd
gid nslcd
uri ldap://192.168.6.7/
base dc=autonlab,dc=org
rootpwmoddn cn=admin,dc=autonlab,dc=org
base group ou=groups,dc=autonlab,dc=org
base passwd ou=users,dc=autonlab,dc=org
# CA certificates for server certificate verification
tls_cacertdir /usr/local/etc/openldap/certs
tls_cacertfile /usr/local/etc/openldap/certs/ca.crt
and started it:
root at hera:/usr/local/etc # cat /etc/rc.conf | grep nslcd
nslcd_enable="YES"
root at hera:/usr/local/etc # service nslcd status
nslcd is running with PID 1074.
I modified the nsswitch.conf file:
root at hera:~ # more /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
# group: compat
group: files ldap
# group_compat: nis
hosts: files dns
netgroup: compat
networks: files
# passwd: compat
passwd: files ldap
# passwd_compat: nis
shells: files
# services: compat
services: files ldap
# services_compat: nis
protocols: files
rpc: files
and restarted the nsswitch daemon.
I installed and linked the users' shells and mounted their home directories
for testing purposes to make sure they can log in.
Finally, this is my PAM configuration for sshd:
root at hera:~ # more /etc/pam.d/sshd
#
# $FreeBSD: releng/11.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient /usr/local/lib/pam_ldap.so no_warn no_fake_prompts
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account sufficient /usr/local/lib/pam_ldap.so
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so try_first_pass
password required pam_unix.so no_warn try_first_pass
At this point
getent passwd
works like a charm, and I can even su to my home directory:
root at hera:~ # su - predrag
auton at hera$ pwd
/zfsauton/home/predrag
So at this point I feel like I have the authorization part working correctly
and according to this documentation
https://arthurdejong.org/nss-pam-ldapd/setup
I should not be far away from the authentication part as well (which I might
not even need on the file server). However when trying to ssh into the
server with LDAP credentials it fails:
Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] <authc="awd"> uid=awd,ou=users,dc=autonlab,dc=org: Confidentiality required
Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] <authc="awd"> uid=awd,ou=users,dc=autonlab,dc=org: "${shadowLastChange:--1}": password changed in the future
Jun 22 15:19:28 hera sshd[2678]: error: PAM: authentication error for awd from 10.8.0.6
and I also see a bunch of other errors in /var/log/messages:
Jun 22 02:55:00 hera nslcd[1074]: [65e7c4] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:00:00 hera nslcd[1074]: [923f5c] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:00:00 hera nslcd[1074]: [7e2017] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:00:00 hera nslcd[1074]: [533840] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:01:00 hera nslcd[1074]: [f1fa0b] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:01:00 hera nslcd[1074]: [6d3dc2] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:05:00 hera nslcd[1074]: [574d2f] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:10:00 hera nslcd[1074]: [8cc0da] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:11:00 hera nslcd[1074]: [c96ec1] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:15:00 hera nslcd[1074]: [86bffd] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:20:00 hera nslcd[1074]: [a6e267] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jun 22 03:20:00 hera nslcd[1074]: [a6e267] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:22:00 hera nslcd[1074]: [5a3141] <group/member="operator"> ldap_result() failed: Can't contact LDAP server
Jun 22 03:22:00 hera nslcd[1074]: [5a3141] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:25:00 hera nslcd[1074]: [57f83c] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jun 22 03:25:00 hera nslcd[1074]: [57f83c] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:30:00 hera nslcd[1074]: [6a7632] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:31:00 hera nslcd[1074]: [7635f9] <group/member="root"> ldap_search_ext() failed: Can't contact LDAP server: Operation not permitted
Jun 22 03:31:00 hera nslcd[1074]: [7635f9] <group/member="root"> no available LDAP server found, sleeping 1 seconds
Jun 22 03:31:01 hera nslcd[1074]: [7635f9] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:33:00 hera nslcd[1074]: [d1b46c] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:35:00 hera nslcd[1074]: [9c649f] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:40:00 hera nslcd[1074]: [9285d2] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:44:00 hera nslcd[1074]: [901b6e] <group/member="operator"> ldap_result() failed: No such object
Jun 22 03:45:00 hera nslcd[1074]: [f93502] <group/member="root"> ldap_result() failed: No such object
Jun 22 03:50:00 hera nslcd[1074]: [075f1e] <group/member="root"> ldap_search_ext() failed: Can't contact LDAP server: Operation not permitted
I am stumped at this point. I think I stumbled late last night on some
thread which claims that pam_ldap is needed for the authentication part.
However trying to install pam_ldap using pkg install also deinstalls the
nss-pam-ldapd package. That could be due to the compile options for
nss-pam-ldapd. Maybe the porter assumes I will set up Kerberos for the
authentication part.
I apologize for the very long e-mail but I wanted to leave an electronic
trace for people who will be looking for this. I appreciate any input.
Best,
Predrag
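Added example, not part of the mail above and not code from nss-pam-ldapd: a small Python triage script for nslcd syslog lines of the shape quoted in the mail. It maps the message text nslcd logs to the LDAP result it corresponds to, groups messages by nslcd's request id so a bind failure and its follow-up show as one event, and runs two static checks over the quoted nslcd.conf. The first check is whether TLS is enabled at all: nslcd's "ssl" option defaults to off, the quoted nslcd.conf has no "ssl start_tls" line while the successful ldapsearch used -ZZ, and "Confidentiality required" is LDAP result 13 (confidentialityRequired), which a server returns when it refuses an operation over a cleartext connection. The second check is whether each "base <map>" DN is a suffix of some DN actually seen on the server: the quoted nslcd.conf says "base group ou=groups,..." while the ldapsearch output shows the group entry under "ou=group,..."; whether that is a typo in the mail or the real cause of the "No such object" lines cannot be told from the page, but it is what the check flags. The sample log lines and config are copied from the mail; the rule table and the hint text are my own, and the hints are starting points rather than confirmed causes.

```python
"""Triage nslcd log lines and cross-check nslcd.conf (added example, not from the mail)."""
import re

# Copied from the mail (hostnames, uids and DNs are the poster's own).
SAMPLE_LOG = """\
Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] <authc="awd"> uid=awd,ou=users,dc=autonlab,dc=org: Confidentiality required
Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] <authc="awd"> uid=awd,ou=users,dc=autonlab,dc=org: "${shadowLastChange:--1}": password changed in the future
Jun 22 15:19:28 hera sshd[2678]: error: PAM: authentication error for awd from 10.8.0.6
Jun 22 03:20:00 hera nslcd[1074]: [a6e267] <group/member="root"> ldap_result() failed: Can't contact LDAP server
Jun 22 03:20:00 hera nslcd[1074]: [a6e267] <group/member="root"> ldap_result() failed: No such object
"""

# Also copied from the mail (comment line dropped).
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldap://192.168.6.7/
base dc=autonlab,dc=org
rootpwmoddn cn=admin,dc=autonlab,dc=org
base group ou=groups,dc=autonlab,dc=org
base passwd ou=users,dc=autonlab,dc=org
tls_cacertdir /usr/local/etc/openldap/certs
tls_cacertfile /usr/local/etc/openldap/certs/ca.crt
"""

# syslog prefix + nslcd's "[reqid] <operation> message" format
NSLCD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) nslcd\[(?P<pid>\d+)\]: '
    r'\[(?P<req>[0-9a-f]+)\] <(?P<op>[^>]+)> (?P<msg>.*)$')

# (substring nslcd logs, LDAP result it corresponds to, first thing to check).
# The hints are my own assumptions about the most common cause, not facts from the mail.
RULES = [
    ("Confidentiality required", "confidentialityRequired (13)",
     "server refuses this operation over a cleartext connection; "
     "check for 'ssl start_tls' (or an ldaps:// uri) in nslcd.conf"),
    ("Can't contact LDAP server", "LDAP_SERVER_DOWN (-1)",
     "connection to the uri failed; check reachability and the CA certificate"),
    ("No such object", "noSuchObject (32)",
     "the search base for this map does not exist; compare 'base <map>' lines with real DNs"),
    ("password changed in the future", "local shadow check in nslcd",
     "shadowLastChange on the entry is unusable; check the shadow attribute mapping"),
]


def parse_nslcd_line(line):
    """Return the fields of one nslcd syslog line, or None for lines from other daemons."""
    m = NSLCD_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Map the free-text part of an nslcd message to (ldap_result, hint)."""
    for needle, result, hint in RULES:
        if needle in msg:
            return result, hint
    return "unclassified", "read the message text"


def triage(log_text):
    """Group nslcd failures by request id: {reqid: {"op", "results", "hints"}}."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_nslcd_line(line)
        if rec is None:
            continue
        result, hint = classify(rec["msg"])
        ev = events.setdefault(rec["req"], {"op": rec["op"], "results": [], "hints": []})
        ev["results"].append(result)
        if hint not in ev["hints"]:
            ev["hints"].append(hint)
    return events


def check_nslcd_conf(conf_text, known_dns=()):
    """Static checks: is TLS enabled, and does every 'base <map>' DN match a DN seen on the server?"""
    findings, opts, bases = [], {}, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        if key == "base" and " " in val:          # per-map form: base <map> <dn>
            mapname, _, dn = val.partition(" ")
            bases[mapname] = dn.strip().lower()
        else:
            opts[key] = val.strip()
    uri = opts.get("uri", "")
    if opts.get("ssl", "off") == "off" and not uri.startswith("ldaps://"):
        findings.append("no 'ssl start_tls' and uri is not ldaps://: binds go in the clear")
    for mapname, dn in bases.items():
        # A map base that is not a suffix of any observed DN can only yield noSuchObject (32).
        if known_dns and not any(k.lower().endswith(dn) for k in known_dns):
            findings.append(f"base {mapname} {dn} matches no known DN")
    return findings


if __name__ == "__main__":
    for req, ev in triage(SAMPLE_LOG).items():
        print(req, ev["op"], ev["results"], *ev["hints"], sep="\n  ")
    # DNs taken from the ldapsearch output and the nslcd log in the mail.
    seen = ["cn=mravanba,ou=group,dc=autonlab,dc=org", "uid=awd,ou=users,dc=autonlab,dc=org"]
    for finding in check_nslcd_conf(SAMPLE_NSLCD_CONF, seen):
        print("nslcd.conf:", finding)
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; the known_dns list is best fed from the DNs an ldapsearch over the same base returns, so that a base that cannot match anything is flagged before the daemon has to log noSuchObject for it.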