Solved

Authenticate Debian Linux client against LDAP server

Posted on 2009-12-28
Last Modified: 2013-12-24
I am trying to authenticate users of a Debian box against an LDAP v3 server. The LDAP server does not allow anonymous binds, but we do have a service account to bind with, and it has been tested using a PHP application. We would like the users to be able to log in via SSH with their LDAP login, so PAM will have to be modified to play nicely with the remote LDAP server. Thus far, when I attempt to log in via SSH with an LDAP user account, the auth.log states "Failed password for invalid user XYZ from 127.0.0.1". On a side note, I would like the user to be able to log in even if their account doesn't exist in /etc/passwd.

/etc/pam_ldap.conf
base ou=People,o=company
uri ldap://ldapserver
ldap_version 3
binddn cn=binduser,o=company
bindpw password
pam_password crypt

/etc/ldap/ldap.conf
BASE    ou=People,o=company
URI     ldap://ldapserver
pam_login_attribute uid
pam_crypt local
pam_filter objectclass=posixAccount

/etc/libnss-ldap.conf
base ou=People,o=company
uri  ldap://ldapserver
ldap_version 3
bind_policy soft
binddn cn=binduser,o=company
bindpw password

/etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
Question by:adamshields

Accepted Solution by noci (earned 2000 total points)
ID: 26133357
Instead of pam_ldap you can use nss_ldap.
Add ldap to nsswitch.conf (passwd, shadow & group lookup) as you did
and set up /etc/ldap.conf for access to the remote server (that might be libnss_ldap.conf on your system..?).
For root access you would need /etc/ldap.secret as priv/ password.

Besides authenticating you also need to set up some mapping...

nss_base_passwd         cn=users,dc=xxxx,dc=xx?sub?objectClass=posixAccount
nss_base_shadow         cn=users,dc=xxxx,dc=xx?sub?objectClass=shadowAccount
nss_base_group          cn=groups,dc=xxxx,dc=xx?sub

Author Comment by adamshields
ID: 26133563
I don't think I need the "rootbinddn" and secret file since I'm not binding the client using the root account; instead I'm using the "binddn".

In regards to the entries in "libnss-ldap.conf", should posixAccount be used, or should I specify the DN such as "uid" in my case?

nss_base_passwd         cn=users,dc=xxxx,dc=xx?sub?objectClass=posixAccount
nss_base_shadow         cn=users,dc=xxxx,dc=xx?sub?objectClass=shadowAccount

Where should failure messages appear, as it still doesn't seem that ssh is even trying the LDAP server?

Author Comment by adamshields
ID: 26133712
Also note that when using the "ldapsearch" tool I have to use the "-x" toggle:

-x  Use simple authentication instead of SASL.

Not sure if this helps or not...

Author Comment by adamshields
ID: 26133740
$ ldapsearch -x -v -H ldap://ldapserver -b "ou=People,o=company" -D "cn=binduser,o=company" -w password "(uid=xyz)"

Will bind to server as "binduser" and retrieve attributes for user "xyz". Just trying to help paint out the org structure ;-)

Expert Comment by noci
ID: 26134068
nss_base_passwd         ou=People,o=Company?sub?objectClass=posixAccount
nss_base_shadow         ou=People,o=Company?sub?objectClass=shadowAccount

nss_base_group             ou=People,o=Company?sub

Yes, and the profiles need to be of type posixAccount, so that all needed fields are actually available.
If fields are missing then there is a problem anyway.

Author Comment by adamshields
ID: 26139548
So the fields need to be available on the LDAP server or the client? I would assume they do not need to be on the LDAP server as I am able to authenticate users via various PHP scripts without a problem....

Assisted Solution by noci (earned 2000 total points)
ID: 26139632
The fields need to be available in the LDAP database (= server) so they can be requested by the client.
The login process (ssh, login, etc.) calls getpwent() (libc call), which requires a username (uic name), password field, user id (number), group id (number), comment field, home directory and a shell specification.

If a field is missing ==> not valid = no entry. The posixAccount class requires the right fields.
For the shadow passwords an x is in the passwd password field and the additional password lifetime fields are in the shadowAccount class.
If you only request a username + password pair or try to authenticate using a username & password you don't need all the posix fields. But as soon as you want to create a process in the name of a user then you do need the basic info...
See (man getpwent) and brethren for more info.

Expert Comment by noci
ID: 26139677
By requesting only posixAccount-class entries, the search list is also filtered on potentially valid entries.

BTW, on my systems most users are identified by LDAP entries. Only server accounts, root & 2 other administrator accounts have local entries available.

Author Comment by adamshields
ID: 26140201
Okay, I think I'm getting ahead of myself. The client doesn't even seem to be trying to auth against the LDAP server. I'm still getting "Failed password for invalid user" in the auth.log.

Assisted Solution by noci (earned 2000 total points)
ID: 26140837
Setting up authentication mechanisms should be tested first with simple tools known to work well....
like
  ldapsearch
to verify that ldap is indeed reachable in the intended way (indeed simple bind).
then f.e.
  id
(part of coreutils), which just does a getpwnam().
You can use ltrace to track what exactly fails (in terms of library calls, or use strace for system calls).

strace might reveal network connection problems etc. If that works you can go ahead and implement other uses...

Author Comment by adamshields
ID: 26140847
I was able to use ldapsearch to retrieve a user's login as mentioned in a previous post.

Expert Comment by Syngin9
ID: 26145439
Have you checked out Likewise?  They have an open source client that may work for you:

http://www.likewise.com/

Author Comment by adamshields
ID: 26145684
Syngin9,

I shouldn't need to use a third party to authenticate the LDAP client against the LDAP server. I'm not trying to authenticate against AD; if I was, that wouldn't be a problem as it's a lot easier than what I'm trying to do for some reason :p

Assisted Solution by noci (earned 2000 total points)
ID: 26159335
rootbinddn is the account used IF root does the bind (to gain extra rights if possible, like changing the password of a user)...

ldapsearch means your LDAP is operational and accessible.

The posix/shadow classes (for the nss query) ensure that all required fields are available.
If fields are missing then the query would fail anyway...
Requirements for a generic UNIX account have been stated before;
the next is a line from the passwd file:

nx:x:2008:468::/usr/NX/home/nx:/usr/NX/bin/nxserver

All fields are required.., except for the GCOS field (uic, password, uid, gid, GCOS field, home directory, command shell), all separated by colons.
The posix class requires the various fields to be present if you add the class to a user profile.
All fields are requested by the getpwnam() service used by the login(), sshd() etc. programs that want to authenticate users.

see 'man getpwnam' for more info.

Assisted Solution by noci (earned 2000 total points)
ID: 26169301
I know, that was the example for the next step.... if id gives you anything like a user from ldap,
next step tackled.

try
   id root             # from /etc/passwd
and
   id {user from ldap}

the {user from ldap} should as a whole be replaced, by say "johndoe" if that is a uid from LDAP.

Author Comment by adamshields
ID: 26171628
Hmmm

Of course the root user on the local machine exists.
uid=0(root) gid=0(root) groups=0(root)

No such luck authenticating the LDAP
id: ldapuser: No such user

Expert Comment by noci
ID: 26172273
ok, now you try ltrace/strace id ldapuser.....
to trace where it goes wrong

ltrace might return a hint....

strace will return a LOT and part of it is usable.

Author Comment by adamshields
ID: 26173229
Hmm, strace did produce an interesting bit:

futex(0xb7c2e564, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/etc/libnss-ldap.conf", O_RDONLY) = -1 EACCES (Permission denied)
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 3

though run via sudo I didn't get that message and of course still get the "No such user".

Expert Comment by noci
ID: 26179686
chmod a+r /etc/libnss-ldap.conf

should fix that..., or running nscd to query & cache information.

IF there are no errors then the wrong questions are asked against the LDAP database...
The query should at least be partially readable in the strace output (in reads & writes to the ldap socket).


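The EACCES on /etc/libnss-ldap.conf in the strace above is the nss_ldap module, loaded into the unprivileged id(1) process, failing to read a root-only file; opening the file with chmod a+r makes lookups work but also lets every local account read bindpw, which is why nscd (only root's nscd reads the file) or a config without a stored bind password are the usual alternatives. The check below is an added example, not from the thread; the sample config it writes is constructed and the password in it is a placeholder.

```bash
#!/bin/sh
# Added example (not from the thread). Reports how a libnss-ldap.conf would
# behave for the non-root processes that nss_ldap runs in.
# Prints exactly one word:
#   unreadable - "other" read bit unset: lookups by normal users get EACCES,
#                so id(1)/getpwnam() report "No such user" (the thread's case)
#   exposed    - world-readable and contains bindpw: lookups work, but every
#                local user can read the bind password
#   ok         - world-readable and no bind password stored in the file
#   missing    - file not found
check_nss_conf() {
    conf=$1
    [ -f "$conf" ] || { echo missing; return 0; }
    # column 8 of "ls -l" is the other-read bit ('r' or '-'); we read the mode
    # bits rather than use test -r so the answer is the same when run as root
    oread=$(ls -ld "$conf" | cut -c8)
    if [ "$oread" != r ]; then
        echo unreadable
    elif grep -q '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        echo exposed
    else
        echo ok
    fi
}

# Walk a constructed copy of the thread's config through the three states.
demo_nss_conf() {
    tmp=$(mktemp) || return 1
    # constructed sample; "password" is a placeholder, not a real secret
    printf '%s\n' 'base ou=People,o=company' 'uri ldap://ldapserver' \
        'ldap_version 3' 'binddn cn=binduser,o=company' 'bindpw password' > "$tmp"
    chmod 600 "$tmp"; r1=$(check_nss_conf "$tmp")   # what strace showed
    chmod 644 "$tmp"; r2=$(check_nss_conf "$tmp")   # after chmod a+r
    grep -v '^bindpw' "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp" && chmod 644 "$tmp"
    r3=$(check_nss_conf "$tmp")                      # password moved out
    rm -f "$tmp"
    echo "$r1 $r2 $r3"
}
```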

Author Comment by adamshields
ID: 26194131
I see in strace where the LDAP server is being contacted but can't see at what portion it is failing. I must be asking the wrong question.

Expert Comment by noci
ID: 26195856
If you ask "is there a profile with uid=X" and answer with fields A,B,C
(and C is missing) the system calls will succeed, but after a bunch of writes (the LDAP query) a few reads should contain the answer (and data) in the buffer read back.

You can mimic the query to the ldap database with ldapsearch...

 ldapsearch -x -h host -D BindDN -w secret -b BaseDN '(&(uid=XXXXXX)(objectclass=posixAccount))' uid uidnumber gidnumber homeDirectory loginShell

Should return all requested fields....

Expert Comment by noci
ID: 26195864
Like:
# Some user info
dn: cn=XXXX,cn=users,.....
gidNumber: 100
homeDirectory: /home/XXXX
uidNumber: 200
loginShell: /bin/bash
uid: XXXX


Author Comment by adamshields
ID: 26200418
I just get dn, uid and some other organization specific values but no homeDir, shell, etc...
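To make the getpwnam() requirements and the ldapsearch check above concrete, here is an added example (not from the thread) that turns one LDIF entry into the passwd(5) line nss_ldap has to hand back, or lists the missing posixAccount attributes, which is exactly where an entry that only carries dn and uid stops. The sample entries and names are constructed; loginShell falls back to /bin/sh as noted later in the thread.

```bash
#!/bin/sh
# Added example (not from the thread). Builds the passwd(5) line that
# getpwnam() has to return from one LDIF entry as printed by ldapsearch,
# or fails and names the posixAccount attributes that are missing, which
# is the situation behind "id: ldapuser: No such user".
# Assumptions: one entry on stdin, attributes written "name: value" on a
# single line (no base64 "::" values or folded lines); attribute names are
# matched case-insensitively; loginShell defaults to /bin/sh, gecos to empty.
ldif_to_passwd() {
    awk '
        # "attr: value" lines; skip dn, "#" comments and blank lines
        /^[A-Za-z]+:/ && tolower($1) != "dn:" {
            attr = tolower($1); sub(/:$/, "", attr)
            val = $0; sub(/^[^:]+:[ \t]*/, "", val)
            a[attr] = val
        }
        END {
            n = split("uid uidnumber gidnumber homedirectory", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in a)) missing = missing " " need[i]
            if (missing != "") {
                print "missing:" missing > "/dev/stderr"
                exit 1
            }
            shell = ("loginshell" in a) ? a["loginshell"] : "/bin/sh"
            gecos = ("gecos" in a) ? a["gecos"] : ""
            printf "%s:x:%s:%s:%s:%s:%s\n", a["uid"], a["uidnumber"],
                   a["gidnumber"], gecos, a["homedirectory"], shell
        }'
}

# Constructed sample: a complete posixAccount entry (numbers borrowed from
# the passwd line quoted earlier in the thread).
full_entry() {
    printf '%s\n' 'dn: uid=johndoe,ou=People,o=company' 'objectClass: posixAccount' \
        'uid: johndoe' 'uidNumber: 2008' 'gidNumber: 468' \
        'homeDirectory: /home/johndoe' 'loginShell: /bin/bash'
}
# Constructed sample: what the author reported getting back, dn and uid only.
bare_entry() {
    printf '%s\n' 'dn: uid=johndoe,ou=People,o=company' 'uid: johndoe' 'mail: johndoe@example.com'
}
```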

Author Comment by adamshields
ID: 26200433
My train of thought was if a user is valid or the authentication is a success then let the user login using uid.

Expert Comment by noci
ID: 26206284
Part of a user's profile (for a process) is the home directory.
Another part is the shell that needs to be started...
Also the uidNumber and gidNumber are needed, as this is what really identifies a user for unix/linux.... all ownership items are based on the numbers, not the names... besides being the initial lookup key the uid is not used....
(ls does a reverse lookup though: it gets a list of files with a uidNumber as owner and it then looks up all those numbers, using getpwuid, which is the companion of getpwnam but uses the uidNumber as key.)

Author Comment by adamshields
ID: 26210633
Hmm, okay, because I've joined machines to Active Directory before and been able to authenticate users that didn't have a local account, and when they logged in via, say, SSH and didn't have a local account it would just drop them in a default shell. Is that not possible with LDAP?

Expert Comment by noci
ID: 26216991
One way or the other the uidNumber, gidNumber & home directory ARE required; if the shell is not passed, /bin/sh is assumed.

A home directory IS provided by Windows AD; all kinds of bridges between AD & unix probably provide a way to map (possibly dynamically) uid & gid numbers.
At least the samba one does.

Author Comment by adamshields
ID: 26295914
I'm still looking into the issue, not abandoned...

Expert Comment by noci
ID: 26526491
any progress? Any supplemental info/questions?

Author Comment by adamshields
ID: 26572475
@noci,

I haven't been able to work on this but I will assign points as I believe that the problem I have is due to not having the resources that I need from the server side.