Really, I think this comes down to how to:
* ppolicy_forward_updates requiring privileges
* authentication NOT requiring privileges

How do I split the two? Let ppolicy forward updates, which requires privileges, and NOT specify any authentication while users are authenticating?
Thanks, - chris
-----Original Message-----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org] On Behalf Of Chris Jacobs
Sent: Thursday, April 29, 2010 2:55 PM
To: openldap-technical@openldap.org
Subject: ppolicy master/slave issue
Hello again,
I'm having an odd issue with ppolicy and my master/slave config.
First, my goals

General use: Slave handles all reads locally. Writes get forwarded to the master by the slave.

Password policy: When password failures happen on clients using slave LDAP servers, the failures, etc., get passed to the master to be replicated to the slaves. I understand this would be done using the ppolicy option ppolicy_forward_updates.
Authentication: Actually authenticate (more later).
To the problem:
---------------
When I leave the section in the chain bit of the SLAVE slapd.conf below, marked by lines, intact (which binds as root):
* ppolicy_forward_updates seems to work great - the master shows matching "pwdFailureTime" attributes.
* Regardless of the password entered, you get a shell. User/bad password = get a shell! This being a problem should be obvious. I suspect that's due to the chain overlay section...

If I comment out the lines in the SLAVE slapd.conf:
* authentication actually requires authentication (bad password = no authentication)
* ppolicy_forward_updates doesn't work (no updates to master)

It's possible that from my description some may already know my issue - however, just to be sure, I've pasted below 'bare' versions of:
* a master slapd.conf (sans schema includes)
* a slave slapd.conf (sans schema includes)
* /etc/ldap.conf (using slave)
* /etc/openldap/ldap.conf (same on all LDAP servers) (thanks Howard - they are NOT the same)
* /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac for all types).
Thanks for any help (and, likely, pointing out any 'stupids' below), - chris
PS: Feel free to critique - you won't hurt my feelings.
MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over)
----------------------------------------------------------------------
serverID 1
loglevel 0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile /usr/local/var/openldap-data/run/slapd.args

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never

password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.hard=unlimited

database bdb
suffix "dc=example,dc=net"
rootdn "cn=root,dc=example,dc=net"
rootpw "secret"
directory "/usr/local/var/openldap-data"
include /etc/openldap/slapd.access.conf

index uid,cn,gidNumber,uidNumber,memberUid eq
index objectClass pres,eq
index operatingSystem pres,eq
index host pres,eq
index rack eq
index entryUUID eq
index uniqueMember eq
index entryCSN eq
index site eq

overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10

syncrepl rid=2
    provider=ldaps://ldapmaster2.corp.example.net
    type=refreshAndPersist
    interval=00:00:10:00
    searchbase="dc=example,dc=net"
    bindmethod=simple
    binddn="cn=root,dc=example,dc=net"
    credentials="secret"
    retry="15 20 60 +"
mirrormode on

database monitor
SLAVE slapd.conf:
-----------------
serverID 13
loglevel 0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile /usr/local/var/openldap-data/run/slapd.args

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never

password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.hard=unlimited

overlay chain
chain-uri ldaps://ldap-vip.corp.example.net/
chain-rebind-as-user TRUE
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
chain-idassert-bind bindmethod="simple"
    binddn="cn=root,dc=example,dc=net"
    credentials="secret"
    mode="self"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
chain-tls ldaps
chain-return-error TRUE

database bdb
suffix "dc=example,dc=net"
rootdn "cn=root,dc=example,dc=net"
rootpw "secret"
directory "/usr/local/var/openldap-data"
include /etc/openldap/slapd.access.conf

index uid,cn,gidNumber,uidNumber,memberUid eq
index objectClass pres,eq
index operatingSystem pres,eq
index host pres,eq
index rack eq
index entryUUID eq
index uniqueMember eq
index entryCSN eq
index site eq

overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
ppolicy_forward_updates

syncrepl rid=1
    provider=ldaps://ldap-vip.corp.example.net
    type=refreshAndPersist
    interval=00:00:10:00
    searchbase="dc=example,dc=net"
    bindmethod=simple
    binddn="cn=root,dc=example,dc=net"
    credentials="secret"
    retry="15 20 60 +"
updateref "ldaps://ldap-vip.corp.example.net"

database monitor
/etc/openldap/ldap.conf: (same on all LDAP servers)
---------------------------------------------------
uri ldaps://localhost
base dc=example,dc=net
network_timeout 0
sizelimit 0
timelimit 0
tls_cacert /etc/openldap/cacerts/cacert.pem
tls_reqcert demand

/etc/ldap.conf: (on client using slave)
---------------------------------------
uri ldaps://ldap-vip.dc1.example.net
timelimit 10
bind_timelimit 10
bind_policy soft
base dc=example,dc=net
scope sub
ssl on
tls_checkpeer no
tls_cacertfile /etc/openldap/cacert.pem (contents same as /etc/openldap/cacerts/cacert.pem)
pam_login_attribute uid
pam_lookup_policy yes
pam_password exop
/etc/pam.d/system-auth-ac:
--------------------------
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
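A configuration review of the posted slave slapd.conf and client ldap.conf, added here as an example; it is not part of the thread and not OpenLDAP's own tooling. It parses the slapd.conf continuation-line syntax (a line starting with whitespace continues the previous directive) and flags the settings a reviewer would raise from the files above: identity assertion in the chain overlay bound as the rootdn with no chain-idassert-authzFrom restriction, a cleartext rootpw, SSLv2 in the cipher suite, an unsalted password-hash scheme, tls_checkpeer no on the client, and ppolicy_forward_updates configured without the chain overlay it depends on (the author's second experiment). The embedded configs are trimmed copies constructed from the thread; the finding codes and descriptions are this example's own.

```python
import re

# Trimmed copy of the SLAVE slapd.conf posted in the thread (constructed for this example).
SLAVE_SLAPD_CONF = """\
serverID 13
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient never
password-hash {MD5}
overlay chain
chain-uri ldaps://ldap-vip.corp.example.net/
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
    binddn="cn=root,dc=example,dc=net"
    credentials="secret"
    mode="self"
chain-tls ldaps
database bdb
suffix "dc=example,dc=net"
rootdn "cn=root,dc=example,dc=net"
rootpw "secret"
overlay ppolicy
ppolicy_use_lockout
ppolicy_forward_updates
"""

# Trimmed copy of the client's /etc/ldap.conf (constructed for this example).
CLIENT_LDAP_CONF = """\
uri ldaps://ldap-vip.dc1.example.net
ssl on
tls_checkpeer no
pam_password exop
"""

# Finding codes and their explanations are this example's own naming.
DESCRIPTIONS = {
    "IDASSERT_AS_ROOTDN_UNRESTRICTED":
        "chain-idassert-bind binds as the rootdn and no chain-idassert-authzFrom limits which "
        "identities the proxy may assert; every chained operation carries rootdn privilege",
    "CLEARTEXT_ROOTPW": "rootpw is stored in cleartext; use a {SSHA} hash from slappasswd",
    "SSLV2_ENABLED": "TLSCipherSuite enables SSLv2, which is broken; drop +SSLv2",
    "UNSALTED_PASSWORD_HASH": "password-hash uses an unsalted scheme; prefer {SSHA}",
    "FORWARD_UPDATES_WITHOUT_CHAIN": "ppolicy_forward_updates requires the chain overlay, which is not configured",
    "SERVER_CERT_NOT_VERIFIED": "tls_checkpeer no: the client accepts any server certificate",
}


def parse_conf(text):
    """Split a slapd.conf/ldap.conf into (keyword, args) pairs.
    A line that starts with whitespace continues the previous directive."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    pairs = []
    for line in joined:
        kw, _, args = line.partition(" ")
        pairs.append((kw.lower(), args.strip()))
    return pairs


def _options(args):
    """Parse key=value / key="value" options as used by chain-idassert-bind and syncrepl."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', args)}


def review_slapd_conf(text):
    """Return the finding codes for a slapd.conf, in file order."""
    pairs = parse_conf(text)
    keywords = {kw for kw, _ in pairs}
    overlays = {args.lower() for kw, args in pairs if kw == "overlay"}
    rootdn = next((args.strip('"') for kw, args in pairs if kw == "rootdn"), None)
    findings = []
    for kw, args in pairs:
        if kw == "tlsciphersuite" and "sslv2" in args.lower():
            findings.append("SSLV2_ENABLED")
        elif kw == "password-hash" and args.upper() in ("{MD5}", "{SHA}", "{CLEARTEXT}"):
            findings.append("UNSALTED_PASSWORD_HASH")
        elif kw == "rootpw" and not args.strip('"').startswith("{"):
            findings.append("CLEARTEXT_ROOTPW")
        elif kw == "chain-idassert-bind":
            opts = _options(args)
            if opts.get("binddn") == rootdn and "chain-idassert-authzfrom" not in keywords:
                findings.append("IDASSERT_AS_ROOTDN_UNRESTRICTED")
    if "ppolicy_forward_updates" in keywords and "chain" not in overlays:
        findings.append("FORWARD_UPDATES_WITHOUT_CHAIN")
    return findings


def review_client_ldap_conf(text):
    """Return the finding codes for a client /etc/ldap.conf."""
    findings = []
    for kw, args in parse_conf(text):
        if kw == "tls_checkpeer" and args.lower() == "no":
            findings.append("SERVER_CERT_NOT_VERIFIED")
    return findings


def review_all():
    """Findings for the two constructed configs, keyed by file."""
    return {
        "slave slapd.conf": review_slapd_conf(SLAVE_SLAPD_CONF),
        "client ldap.conf": review_client_ldap_conf(CLIENT_LDAP_CONF),
    }


if __name__ == "__main__":
    for name, codes in review_all().items():
        print(name)
        for code in codes:
            print("  [%s] %s" % (code, DESCRIPTIONS[code]))
```

Running it against the two constructed files reports four findings for the slave and one for the client; feeding it a config that carries ppolicy_forward_updates but no chain overlay (the commented-out variant) reports only FORWARD_UPDATES_WITHOUT_CHAIN, and adding a chain-idassert-authzFrom line clears the identity-assertion finding.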