Re: Re: OpenLDAP and SSH authentication
by Michel Dubois
It works since my last answer
Thank you guys
2010/4/22 Michel Dubois <dubois.michel(a)gmail.com>
> It works since my last answer
>
> Thank you guys
>
> 2010/4/22 Siddhartha Jain <sjain(a)silverspringnet.com>
>
> Michel,
>>
>> You did not specify what linux distro. That info will help. For example,
>> on CentOS/RH, all you have to do to enable pam_ldap auth is
>> "/usr/bin/authconfig --enableldapauth --update"
>>
>> Again, on RH/CentOS, this command changes /etc/pam.d/system-auth (linked
>> to system-auth-ac).
>>
>> ------------
>> cat /etc/pam.d/system-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so broken_shadow
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_ldap.so
>> ---------------
>>
>>
>> For local users (root and several others), you want to disable LDAP
>> lookups. Otherwise, nss_ldap tries to look up these users in LDAP. Add this
>> to your /etc/ldap.conf:
>> "nss_initgroups_ignoreusers root,bin,daemon,adm,mail,ftp,nscd,vcsa,sshd,dbus,avahi,haldaemon,ntp,ldap,named,apache"
>>
>> Hope this helps.
>>
>>
>> - Siddhartha
>>
>>
>>
>>
>> From: openldap-technical-bounces+sjain=silverspringnet.com(a)openldap.org
>> [mailto:openldap-technical-bounces+sjain=silverspringnet.com(a)openldap.org] On Behalf Of Mackey, Theral
>> Sent: Wednesday, April 21, 2010 10:05 AM
>> To: openldap-technical(a)openldap.org
>> Subject: RE: Re: OpenLDAP and SSH authentication
>>
>> You probably also want a line in the account section for pam_ldap.so.
>> I'm not as familiar with opie (know what it is, just haven't used it much),
>> but since it is set as requisite and before the ldap module, it's possibly
>> failing your auth stack if you don't have it set up properly. Test with it
>> commented out using your ldap user, and again with ldap commented out using
>> a local user. Make sure ldap is working by itself (and the same for opie)
>> before layering other stuff on top of it. Consult the various pam-opie-ldap
>> integration guides on the best way to get that working together.
>>
>> Since you have pam.d/common-*, those are likely the files you will want to
>> edit rather than sshd. The sshd pam config file probably has a line that
>> includes the common stack files, which should already have the basic stack
>> in them; duplicating it in sshd will cause problems.
>>
>> (I assume this is a debian style system.) Also check that your
>> pam_ldap.conf is set up the same as libnss-ldap.conf; you can probably
>> replace it with a symlink to libnss-ldap.conf.
>>
>> Don't use rootbinddn, use binddn or just comment them all out. rootbinddn
>> gets its password from a file and expects to be the root/cn=Manager user of
>> your directory. It's generally not needed for auth. The bindpw is the pw for
>> binddn, which should be a user that can read user/group entries, and auth to
>> userPassword. If your directory allows anonymous reads, you can comment both
>> out and pam will work with anonymous binds.
>>
>> You can generally leave the nss_base_* mappings all commented out unless
>> your directory is set up strangely, and you probably want pam_password set to
>> exop so that ldap handles passwords internally rather than forcing a method
>> (unless you have a reason for it (opie req?)).
>>
>>
>> -T
>>
>> From: openldap-technical-bounces+tmackey=zetta.net(a)OpenLDAP.org
>> [mailto:openldap-technical-bounces+tmackey=zetta.net(a)OpenLDAP.org] On Behalf Of dubois.michel(a)gmail.com
>> Sent: Wednesday, April 21, 2010 1:57 AM
>> To: openldap-technical(a)openldap.org
>> Subject: Re: Re: OpenLDAP and SSH authentication
>>
>> Thanks to all .........
>>
>> I added the following to /etc/libnss-ldap.conf on the server side:
>> rootbinddn cn=proxyuser,dc=exemple,dc=org
>> bindpw proxy
>> pam_password MD5
>> nss_base_passwd ou=people,dc=exemple,dc=org?one
>> nss_base_shadow ou=people,dc=exemple,dc=org?one
>> nss_base_group ou=groups,dc=exemple,dc=org?one
>>
>> and I added this line to the /etc/pam.d/common-session file:
>> session required pam_mkhomedir.so skel=/etc/skel/
>>
>> for creating the home dir when the user connects for the first
>> time...
>>
>> Thanks for your help anyway...........
>>
>>
>>
>> On , Ariel <ariel(a)bidcactus.com> wrote:
>> > In your /etc/nsswitch.conf
>> >
>> >
>> > Try changing to these lines:
>> >
>> >
>> > passwd: files ldap
>> > group: files ldap
>> > shadow: files ldap
>> >
>> >
>> > Also in pam.d/sshd password section try adding:
>> >
>> >
>> > password sufficient pam_ldap.so
>> >
>> >
>> >
>> >
>> > To make much of this easier you might want to install packages something
>> like this for your distro:
>> > libpam-ldap
>> > libnss-ldap
>> > ldap-auth-client
>> > ldap-auth-config
>> >
>> >
>> > Good luck.
>> > -a
>> >
>> >
>> >
>> >
>> > On Apr 20, 2010, at 3:15 AM, Michel Dubois wrote:
>> >
>> > Hello Everyone,
>> >
>> > I'm a newbie on OpenLDAP. I built an LDAP server with one user. I can see
>> > this user when I do a "getent passwd" on my client. This means that
>> > my LDAP server is working and my client is connecting to the LDAP server.
>> >
>> > I already modified my /etc/pam.d/sshd file on my client machine like
>> > this:
>> >
>> >
>> > # auth
>> > auth required pam_nologin.so no_warn
>> > auth sufficient pam_opie.so no_warn no_fake_prompts
>> > auth requisite pam_opieaccess.so no_warn allow_local
>> > auth sufficient /usr/local/lib/pam_ldap.so no_warn
>> > auth required pam_unix.so no_warn try_first_pass
>> >
>> > # account
>> > account required pam_login_access.so
>> > account required pam_unix.so
>> >
>> > # session
>> > session required pam_permit.so
>> >
>> > # password
>> > password required pam_unix.so no_warn try_first_pass
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > But I can't connect via ssh to my client machine with the user
>> > login. And this modification disables my ssh root connection.
>> >
>> > What do I have to check?
>> > Regards,
>> >
>> > --
>> > -----------------------------------------------------------
>> > Michel Dubois
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>>
>
>
>
> --
> -----------------------------------------------------------
> Michel Dubois
>
>
--
-----------------------------------------------------------
Michel Dubois
Monitoring OpenLDAP Performance
by rahul.manchanda@bt.com
Good Morning All,
I need to capture the following stats for a serving LDAP.
total_connections
bytes_sent
completed_operations
initiated_operations
referrals_sent
entries_sent
bind_operations
unbind_operations
add_operations
delete_operations
modify_operations
compare_operations
search_operations
write_waiters
read_waiters
I have switched on monitor mode on LDAP but I'm not sure how I can get
these statistics from it.
Is there a way that I can capture these stats?
Many Thanks in advance!!
Regards
Rahul Manchanda
----------------------------------------------------------------------------------------------------------
Andes, Selfcare Platform Build Team
tel: (+91) (20) 66018100 extn: 6178; e-mail: rahul.manchanda(a)bt.com
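Every counter in the list above is exposed by slapd's cn=Monitor backend once it is enabled. The script below is an added example (not code from the thread): it parses the LDIF that an `ldapsearch` of the cn=Monitor subtree prints and maps the post's stat names onto the entries and attributes that hold them. The `SAMPLE` dump is constructed and abbreviated; the DN/attribute pairs in `STAT_MAP` are back-monitor's standard layout.

```python
"""Pull the counters the post lists out of a cn=Monitor LDIF dump.
Added example, not code from the thread. Feed it the output of
  ldapsearch -x -H ldap://localhost -b cn=Monitor -s sub '(objectClass=*)' '+'
('+' requests the operational attributes that carry the counters).
SAMPLE below is a constructed, abbreviated copy of such output."""

# Stat name used in the post -> (cn=Monitor entry, attribute carrying the value).
STAT_MAP = {
    "total_connections":    ("cn=Total,cn=Connections,cn=Monitor", "monitorCounter"),
    "bytes_sent":           ("cn=Bytes,cn=Statistics,cn=Monitor", "monitorCounter"),
    "entries_sent":         ("cn=Entries,cn=Statistics,cn=Monitor", "monitorCounter"),
    "referrals_sent":       ("cn=Referrals,cn=Statistics,cn=Monitor", "monitorCounter"),
    "initiated_operations": ("cn=Operations,cn=Monitor", "monitorOpInitiated"),
    "completed_operations": ("cn=Operations,cn=Monitor", "monitorOpCompleted"),
    "read_waiters":         ("cn=Read,cn=Waiters,cn=Monitor", "monitorCounter"),
    "write_waiters":        ("cn=Write,cn=Waiters,cn=Monitor", "monitorCounter"),
}
# Per-operation counters are children of cn=Operations; the completed count is used.
for _op in ("Bind", "Unbind", "Add", "Delete", "Modify", "Compare", "Search"):
    STAT_MAP[_op.lower() + "_operations"] = (
        "cn=%s,cn=Operations,cn=Monitor" % _op, "monitorOpCompleted")


def parse_ldif(text: str) -> dict:
    """Return {dn: {attr: value}}, unfolding lines continued with a leading space.
    Base64 ('::') values are not decoded; the counters here are plain integers."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current, dn = {}, {}, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            if key == "dn":
                dn = value.strip()
            else:
                current[key] = value.strip()
    return entries


def collect_stats(ldif_text: str) -> dict:
    """Map the dump onto the post's stat names; names with no entry are omitted."""
    entries = parse_ldif(ldif_text)
    stats = {}
    for name, (dn, attr) in STAT_MAP.items():
        value = entries.get(dn, {}).get(attr)
        if value is not None:
            stats[name] = int(value)
    return stats


SAMPLE = """\
dn: cn=Total,cn=Connections,cn=Monitor
monitorCounter: 1042

dn: cn=Operations,cn=Monitor
monitorOpInitiated: 5000
monitorOpCompleted: 4998

dn: cn=Bind,cn=Operations,cn=Monitor
monitorOpCompleted: 700

dn: cn=Read,cn=Waiters,cn=Monitor
monitorCounter: 3
"""
```

Reading cn=Monitor needs an ACL that grants the polling identity read access to that database; by default only rootdn sees it.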
OpenLDAP and SSH authentication
by Michel Dubois
Hello Everyone,
I'm a newbie on OpenLDAP. I built an LDAP server with one user. I can see this
user when I do a "getent passwd" on my client. This means that my
LDAP server is working and my client is connecting to the LDAP server.
I already modified my /etc/pam.d/sshd file on my client machine like this:
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_login_access.so
account required pam_unix.so
# session
session required pam_permit.so
# password
password required pam_unix.so no_warn try_first_pass
But I can't connect via ssh to my client machine with the user
login. And this modification disables my ssh root connection.
What do I have to check?
Regards,
--
-----------------------------------------------------------
Michel Dubois
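The replies in the thread above point at two things in this sshd stack: no pam_ldap.so in the account (or password) section, and a requisite opie module ahead of pam_ldap in auth. The linter below is an added example (not code from the thread) that parses pam.d-style lines and reports both; `SSHD_STACK` is the /etc/pam.d/sshd from this question, and the `Rule` type and `_LINE` regex are this example's own.

```python
"""Lint a pam.d stack for the two problems raised in the thread.
Added example, not from the thread: (a) a management group that never calls
pam_ldap.so (the missing "line in the account section"), and (b) a `requisite`
module sitting ahead of pam_ldap.so in auth, which, whenever it fails, ends the
stack before LDAP is consulted (the point made about pam_opieaccess).
SSHD_STACK is the /etc/pam.d/sshd posted in the original question."""
import re
from typing import List, NamedTuple


class Rule(NamedTuple):
    type: str       # auth / account / password / session
    control: str    # required / requisite / sufficient / optional / [bracketed]
    module: str     # basename, so /usr/local/lib/pam_ldap.so -> pam_ldap.so
    args: List[str]


# type, control (bracketed controls may contain spaces), module, optional args
_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        kind, control, module, args = m.groups()
        rules.append(Rule(kind, control, module.rsplit("/", 1)[-1], args.split()))
    return rules


def lint_ldap_stack(text: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    rules = parse_pam(text)
    findings = []
    for group in ("auth", "account", "password"):
        if not any(r.type == group and r.module == "pam_ldap.so" for r in rules):
            findings.append("%s: pam_ldap.so is never consulted" % group)
    auth = [r for r in rules if r.type == "auth"]
    ldap_at = next((i for i, r in enumerate(auth) if r.module == "pam_ldap.so"), None)
    if ldap_at is not None:
        for r in auth[:ldap_at]:
            if r.control == "requisite":
                findings.append("auth: requisite %s precedes pam_ldap.so; if it "
                                "fails the stack aborts before LDAP is tried" % r.module)
    return findings


SSHD_STACK = """\
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_login_access.so
account required pam_unix.so
# session
session required pam_permit.so
# password
password required pam_unix.so no_warn try_first_pass
"""
```

Run against the CentOS system-auth stack quoted earlier in the thread, the requisite check also reports pam_succeed_if.so, which there is a deliberate gate that keeps system accounts away from LDAP rather than a defect.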
Re: Using Replication Slave For Authentication
by Ariel
On Apr 20, 2010, at 1:50 PM, Sergiy Stepanenko wrote:
> On 04/20/2010 10:49 AM, Ariel wrote:
>> On Apr 20, 2010, at 12:20 PM, Sergiy Stepanenko wrote:
>>
>>> On 04/20/2010 06:12 AM, Ariel wrote:
>>>> I have inherited an openldap server (2.4.9) and have set about to making it a bit more fault tolerant. So I have added a syncrepl slave and everything seems to work fine. It pulls down the whole ldap tree and stays in sync in real time with type=refreshAndPersist. I can use command line tools to verify that it has all the information from the original master server using a command like this:
>>>>
>>>> ldapsearch -xLL -H ldaps://ldap2.domain.com/ -b "dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W
>>>>
>>>> My problem however is that when I try to authenticate users against the slave server, it does not work. All attempts fail. Also when I use ApacheDS (graphical LDAP browser) to view its contents, it only shows the Root DSE and none of the child objects like cn=config or any of the users or any of that. I can use ApacheDS fine to view and modify everything on the master server though.
>>>>
>>>> The slapd.conf config files between the two are exactly the same (except one is declared as sync master and one as slave), the password hashes are successfully replicated to the slave as I can see with ldapsearch, but I have no idea how to debug why it won't authenticate users. For reference, here is my syncrepl config section (in slapd.conf) on the slave:
>>>>
>>>> syncrepl rid=123
>>>> provider=ldaps://ldap1.domain.com:636
>>>> type=refreshAndPersist
>>>> searchbase="dc=domain,dc=com"
>>>> filter="(objectClass=*)"
>>>> scope=sub
>>>> schemachecking=off
>>>> bindmethod=simple
>>>> binddn="uid=syncuser,ou=People,dc=domain,dc=com"
>>>> credentials=syncpassword
>>>>
>>>> and on the master server:
>>>>
>>>> moduleload syncprov.la
>>>> overlay syncprov
>>>> syncprov-checkpoint 100 10
>>>> syncprov-sessionlog 100
>>>>
>>>> As a failover/backup server seems extremely prudent especially on the ancient hardware we have running these things, I really want to get this to work properly. Perhaps even later doing a round-robin style load balancing between the two or what have you.
>>>>
>>>> I have no idea how to debug this, any help would be greatly appreciated!
>>>>
>>>> -a
>>>>
>>>
>>> Hi
>>>
>>> If you can show ACL on master and slave it will help to understand why you cannot auth users against slave. From what you described, it looks like slave has either access restriction to userPassword and base DN for users or access fails. I also never noticed any TLS certificates configuration mentioned.
>>>
>>> --
>>> Sergiy Stepanenko
>>> Systems Administrator
>>> Information Technology Services
>>> University of Saskatchewan
>>> -----------------------------------
>>> phone: (306) 966-2762
>>> email:sergiy.stepanenko@usask.ca
>>
>>
>> Hey, thanks for the reply! I can only see the ACL on the slave using ldapsearch from CLI (every user I have tested has seen exactly only the information they are allowed), and all privileges seem to be in working order.
>>
>> When I use ApacheDS (or any other graphical client) using the same users, I only get the Root DSE which describes what Schema are loaded. Also, we do not use TLS, just ldaps protocol with simple authentication. All clients have `TLS_REQCERT allow` in their /etc/ldap/ldap.conf so a self signed ssl certificate on the server will work.
>>
> Make sure to use port 663 for SSL connection in ApacheDS, also check what base DN is set up in Apache (Browser Options)
>> Connecting and authenticating from ldapsearch works, but no other mechanisms will work.
>>
>> I'm probably missing something so simple it would make me cry. Perhaps I should set the loglevel to something ridiculously high and see what it says?
> Try loglevel acl conns for starters and look at the Apache search log. If there has been an error it would be there.
>>
>> -a
>
> Read the ldap log or syslog, wherever you point slapd output. I suspect that ldap appliances connect->bind->authenticate->access as self, but GUI clients fail to authenticate and resort to anonymous access level, which normally looks like access to the DSE entry only.
>
> --
> Sergiy Stepanenko
> Systems Administrator
> Information Technology Services
> University of Saskatchewan
> -----------------------------------
> phone: (306) 966-2762
> email:sergiy.stepanenko@usask.ca
Putting loglevel to -1 (everything) and logging in with ApacheDS as cn=admin,dc=domain,dc=com (which is supposed to supersede any ACL rules and have read/write to everything I believe) I find a whole lot of "access granted" lines and then towards the end:
=> access_allowed: search access to "cn=config" "entry" requested
=> slap_access_allowed: backend default search access denied to "cn=admin,dc=domain,dc=com"
=> access_allowed: no more rules
send_ldap_result: conn=0 op=8 p=3
send_ldap_result: err=32 matched="" text=""
Error 32 means object doesn't exist (I think). Which would be true, our LDAP tree has no cn=config. We get the same error on the primary server, so I suppose it is ApacheDS trying to look for what would be in the Apache LDAP implementation. But that's the only error I can find, everything else is miles and miles of "search access granted".
I tried to get it to list DN="dc=domain,dc=com" by hand from ApacheDS, and it would not return anything (it says "No base DN returned from server.") although in the logs it shows:
conn=6 op=3 SRCH base="dc=domain,dc=com" scope=0 deref=3 filter="(objectClass=*)"
conn=6 op=3 SRCH attr=hasSubordinates objectClass
=> hdb_search
bdb_dn2entry("dc=domain,dc=com")
=> access_allowed: search access to "dc=domain,dc=com" "entry" requested
<= root access granted
access_allowed: search access granted by manage(=mwrscxd)
base_candidates: base: "dc=domains,dc=com" (0x00000001)
send_ldap_result: conn=6 op=3 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=4 tag=101 err=0
But when I run the ldapsearch command (as any user) from other computers on the network it returns the DN's information... So I am thoroughly confused... I am pretty sure it is not logging in as anonymous, but I have no idea why only the ldapsearch command is the only thing that can authenticate and retrieve information. It is the same version of openldap as the primary server, it has the same exact config, it has all the same schema loaded, it has the exact full ldap tree. I'm going to explode!@$#@
-a
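Sergiy's suspicion in this thread is that the GUI client's bind is rejected and the client silently carries on as anonymous, which is exactly what "only the root DSE is visible" looks like. The script below is an added example (not code from the thread) that checks for that pattern in slapd's default `stats` log lines: it pairs each BIND with its RESULT and reports every SRCH issued on a connection that has no successful, non-anonymous bind. `SAMPLE_LOG` is constructed (conn=6 binds fine, conn=7's bind fails with err=49 and keeps searching, conn=8 never binds).

```python
"""Spot searches that slapd served to clients which never authenticated.
Added example, not from the thread. It reads 'stats' loglevel lines
(conn=N op=M BIND/RESULT/SRCH) and flags every SRCH on a connection whose
last BIND failed, was anonymous (dn=""), or never happened: the case where a
client falls back to anonymous and sees only the root DSE.
SAMPLE_LOG is constructed, not taken from a real server."""
import re
from typing import Dict, List, Tuple

_ACCEPT = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT ')
_BIND = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
_BIND_RESULT = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # 97 = BindResponse
_SRCH = re.compile(r'^conn=(\d+) op=\d+ SRCH base="([^"]*)"')


def find_unauthenticated_searches(log: str) -> List[Tuple[int, str, str]]:
    """Return (conn, search base, reason) for each search without an authenticated bind."""
    bound: Dict[int, str] = {}                  # conn -> DN of its successful bind
    pending: Dict[Tuple[int, int], str] = {}    # (conn, op) -> DN awaiting its RESULT
    last_err: Dict[int, int] = {}               # conn -> err of the last finished bind
    findings = []
    for line in log.splitlines():
        if m := _ACCEPT.match(line):            # conn numbers get reused: reset state
            conn = int(m.group(1))
            bound.pop(conn, None)
            last_err.pop(conn, None)
        elif m := _BIND.match(line):
            pending[(int(m.group(1)), int(m.group(2)))] = m.group(3)
        elif m := _BIND_RESULT.match(line):
            conn, op, err = (int(g) for g in m.groups())
            dn = pending.pop((conn, op), None)
            if dn is None:
                continue
            if err == 0 and dn:
                bound[conn] = dn
            else:                               # failed or anonymous bind drops identity
                bound.pop(conn, None)
                last_err[conn] = err
        elif m := _SRCH.match(line):
            conn, base = int(m.group(1)), m.group(2)
            if conn in bound:
                continue
            if conn not in last_err:
                reason = "no bind on this connection"
            elif last_err[conn] == 0:
                reason = "explicit anonymous bind"
            else:
                reason = "bind failed with err=%d; client continued anonymously" % last_err[conn]
            findings.append((conn, base, reason))
    return findings


SAMPLE_LOG = """\
conn=6 fd=14 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:636)
conn=6 op=0 BIND dn="cn=admin,dc=domain,dc=com" method=128
conn=6 op=0 RESULT tag=97 err=0 text=
conn=6 op=1 SRCH base="dc=domain,dc=com" scope=2 deref=0 filter="(uid=bob)"
conn=7 fd=15 ACCEPT from IP=10.0.0.9:40111 (IP=0.0.0.0:636)
conn=7 op=0 BIND dn="cn=admin,dc=domain,dc=com" method=128
conn=7 op=0 RESULT tag=97 err=49 text=
conn=7 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=7 op=2 SRCH base="dc=domain,dc=com" scope=0 deref=3 filter="(objectClass=*)"
conn=8 fd=16 ACCEPT from IP=10.0.0.9:40112 (IP=0.0.0.0:636)
conn=8 op=0 SRCH base="dc=domain,dc=com" scope=0 deref=3 filter="(objectClass=*)"
"""
```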
RPM spec file
by Joe Friedeggs
I need to build a Red Hat rpm for the latest OpenLDAP release. I am looking for spec file, howto page, or anything else that might speed up this project. Any advice/suggestions would be greatly appreciated.
Thanks in advance,
Joe
Outlook and Thunderbird Browsing Openldap
by Kalpin Erlangga Silaen
Hello all,
I have installed openldap on CentOS 5.4 (via yum). I want to use this openldap
for a shared address book. I tested on thunderbird and outlook 2007 with the
results below:
on thunderbird:
1. Compose a new email; while I type some letters in the To: field, thunderbird
can look up the openldap content
2. In the Addressbook menu, I can look up the content after putting some letters in
the search field and clicking search
3. In the addressbook menu, when I click the openldap addressbook, thunderbird can
not browse or display all contents (my openldap content is only 3 address book
entries for test)
basically I do not have a problem with thunderbird integration with openldap
on outlook 2007
1. Compose a new email; while I type some letters in the To: field, outlook can
not look up the openldap content
2. In the Addressbook menu, I can look up the content after putting some letters in
the search field and clicking search.
3. In the address book menu, when I click the Openldap addressbook, outlook 2007
can not browse or display all contents (my openldap content is only 3 address
book entries for test).
Is it possible to make outlook 2007 do the following:
1. While composing a new email, if I type some letters in the To: field, outlook
2007 is supposed to look up openldap
2. In the addressbook menu, if I click the Openldap addressbook, outlook
2007 is supposed to display all content (limited in configuration)
Any idea?
Thank you
notes: sorry for my english
--
Regards,
Kalpin Erlangga Silaen
"Come now, and let us reason together," Says the LORD, "Though your sins are
like scarlet, They shall be as white as snow; Though they are red like
crimson, They shall be as wool.
---
URL: http://www.kalpin.us
YM: kalpinus(a)yahoo.com
MSN: kalpinus(a)hotmail.com
Implementing LDAP logging
by rahul.manchanda@bt.com
Hi All,
Even on specifying the loglevel and logfile directives in the slapd.conf
ldap related logs are not being written to the file.
However separate auditlog file is getting created successfully and all
the update/delete/modify/insert operations are getting recorded
successfully over there.
I need to get the ldap related log file created as well but that is
not happening. I also tried specifying the LOCAL4 feature in
syslog.conf and restarted the system logging service but no luck with
that either.
I don't want to put the logging options in the ldap start up command
line arguments but want the log file created from configuration itself.
Can someone please advise on this? Also, if there is a way to implement
log rotation for the ldap log file through configuration itself, that
would be really helpful.
Many Thanks in advance.
Regards
Rahul Manchanda
----------------------------------------------------------------------------------------------------------
Andes, Selfcare Platform Build Team
tel: (+91) (20) 66018100 extn: 6178; e-mail: rahul.manchanda(a)bt.com
Address: Tech Mahindra, Sharada Center, Erandwana Pune-4
how to structure an ldap entry when user status is changed
by owen nirvana
I have some user information (with certificate), like
cn=bob,dc=one,dc=two,dc=org
sn: ..
userCertificate;binary:: ...
.. : ...
someday, if he were revoked, should I move it to another entry
(replace with a new dn), like
cn=bob,dc=crl,dc=two,dc=org
or maybe I use the same entry, like
cn=bob,dc=one,dc=two,dc=org
sn: ..
userCertificate;binary:: ...
.. : ...
revoked: true/false
revokeTime: ...
gtalk: freeespeech@gmail.com
Using Replication Slave For Authentication
by Ariel
I have inherited an openldap server (2.4.9) and have set about to making it a bit more fault tolerant. So I have added a syncrepl slave and everything seems to work fine. It pulls down the whole ldap tree and stays in sync in real time with type=refreshAndPersist. I can use command line tools to verify that it has all the information from the original master server using a command like this:
ldapsearch -xLL -H ldaps://ldap2.domain.com/ -b "dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W
My problem however is that when I try to authenticate users against the slave server, it does not work. All attempts fail. Also when I use ApacheDS (graphical LDAP browser) to view its contents, it only shows the Root DSE and none of the child objects like cn=config or any of the users or any of that. I can use ApacheDS fine to view and modify everything on the master server though.
The slapd.conf config files between the two are exactly the same (except one is declared as sync master and one as slave), the password hashes are successfully replicated to the slave as I can see with ldapsearch, but I have no idea how to debug why it won't authenticate users. For reference, here is my syncrepl config section (in slapd.conf) on the slave:
syncrepl rid=123
provider=ldaps://ldap1.domain.com:636
type=refreshAndPersist
searchbase="dc=domain,dc=com"
filter="(objectClass=*)"
scope=sub
schemachecking=off
bindmethod=simple
binddn="uid=syncuser,ou=People,dc=domain,dc=com"
credentials=syncpassword
and on the master server:
moduleload syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
As a failover/backup server seems extremely prudent especially on the ancient hardware we have running these things, I really want to get this to work properly. Perhaps even later doing a round-robin style load balancing between the two or what have you.
I have no idea how to debug this, any help would be greatly appreciated!
-a
openLDAP architecture - centralized repository and authentication
by Marot Laurent
Hi all,
I'm far from being an openLDAP, and more generally Linux, advanced user but I'd love to be if I could find some architecture guidance for the following use case. (I've only been playing from time to time with openLDAP on Windows boxes - shame on me :))
I'm currently using 30 Linux servers in my business unit. Almost 10 different sysadmins have to administer those servers. I'd like to have a centralized directory gathering all those 30 x 10 accounts so that I could have one single place to manage my identities. All my servers could then authenticate against this directory.
Could openLDAP and some additional tools provide me the right architecture to reach this goal? Any pointer on this issue will please me (Google only led me to basic information about configuring openLDAP on standalone linux boxes)
Thanks a lot
LM