adamshields
asked on
Authenticate Debian Linux client against LDAP server
I am trying to authenticate users of a Debian box against an LDAP v3 server. The LDAP server does not allow anonymous binds, but we do have a service account to bind with and it has been tested using a PHP application. We would like the users to be able to log in via SSH with their LDAP login, so PAM will have to be modified to play nicely with the remote LDAP server. Thus far, when I attempt to log in via SSH with an LDAP user account, the auth.log states "Failed password for invalid user XYZ from 127.0.0.1". On a side note, I would like the user to be able to log in even if their account doesn't exist in /etc/passwd.
/etc/pam_ldap.conf
base ou=People,o=company
uri ldap://ldapserver
ldap_version 3
binddn cn=binduser,o=company
bindpw password
pam_password crypt
/etc/ldap/ldap.conf
BASE ou=People,o=company
URI ldap://ldapserver
pam_login_attribute uid
pam_crypt local
pam_filter objectclass=posixAccount
/etc/libnss-ldap.conf
base ou=People,o=company
uri ldap://ldapserver
ldap_version 3
bind_policy soft
binddn cn=binduser,o=company
bindpw password
/etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
ASKER
Also note that when using the "ldapsearch" tool I have to use the "-x" toggle:
-x Use simple authentication instead of SASL.
Not sure if this helps or not...
ASKER
$ ldapsearch -x -v -H ldap://ldapserver -b "ou=People,o=company" -D "cn=binduser,o=company" -w password "(uid=xyz)"
Will bind to server as "binduser" and retrieve attributes for user "xyz". Just trying to help paint out the org structure ;-)
nss_base_passwd ou=People,o=Company?sub?objectClass=posixAccount
nss_base_shadow ou=People,o=Company?sub?objectClass=shadowAccount
nss_base_group ou=People,o=Company?sub
Yes, and the profiles need to be of type posixAccount so that all needed fields are actually available.
If fields are missing then there is a problem anyway.
ASKER
So the fields need to be available on the LDAP server or the client? I would assume they do not need to be on the LDAP server as I am able to authenticate users via various PHP scripts without a problem....
By requesting only entries of the posixAccount class, the search list is also filtered to potentially valid entries.
btw, on my systems most users are identified by LDAP entries. Only server accounts, root & 2 other administrator accounts have local entries available.
ASKER
Okay, I think I'm getting ahead of myself. The client doesn't even seem to be trying to auth against the LDAP server. I'm still getting "Failed password for invalid user" in the auth.log
ASKER
I was able to use ldap search to retrieve a users login as mentioned in a previous post.
Have you checked out Likewise? They have an open source client that may work for you:
http://www.likewise.com/
ASKER
Syngin9,
I shouldn't need to use a third party to authenticate the LDAP client against the LDAP server. I'm not trying to authenticate against AD; if I was, that wouldn't be a problem as it's a lot easier than what I'm trying to do, for some reason :p
ASKER
Hmmm
Of course the root user on the local machine exists.
uid=0(root) gid=0(root) groups=0(root)
No such luck authenticating the LDAP user:
id: ldapuser: No such user
OK, now try ltrace/strace on "id ldapuser"
to trace where it goes wrong.
ltrace might return a hint...
strace will return a LOT, and part of it is usable.
ASKER
Hmm, strace did produce an interesting bit:
futex(0xb7c2e564, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/etc/libnss-ldap.conf", O_RDONLY) = -1 EACCES (Permission denied)
rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
Though when run via sudo I didn't get that message, and of course I still get "No such user".
chmod a+r /etc/libnss-ldap.conf
should fix that..., or run nscd to query & cache the information.
IF there are no errors, then the wrong questions are being asked of the LDAP database...
The query should be at least partially readable in the strace output (in the reads & writes to the LDAP socket).
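The EACCES on open("/etc/libnss-ldap.conf") and the nscd suggestion above both come down to who is allowed to read the nss_ldap configuration. The script below is an added example, not code from this thread: it audits copies of nsswitch.conf and libnss-ldap.conf, checking that ldap is listed for passwd, group and shadow, that the nss config is readable by unprivileged processes (id, ls and sshd's unprivileged child all call getpwnam), and that a world-readable config does not carry bindpw, since any local user could then read the service-account password. The corrected form it looks for is nss_ldap's rootbinddn, with the password kept in /etc/libnss-ldap.secret (mode 0600; that is the Debian package's file name), so that root-owned lookups, including those nscd makes on behalf of unprivileged processes, bind with the service account while the password never becomes world-readable. Because this server rejects anonymous binds, running nscd is what makes unprivileged lookups work once bindpw is removed. The sample files are constructed here, and `stat -c` is assumed to be the GNU or busybox implementation.

```shell
#!/bin/sh
# Added example (not from the thread): audit the client-side NSS/LDAP files.
# Every function takes a file path so it can run against copies or test files.

# Return 0 if the nsswitch.conf at $1 routes passwd, group and shadow through ldap.
nsswitch_has_ldap() {
    for db in passwd group shadow; do
        # take the source list for this database, minus any trailing comment
        sources=$(sed -n "s/^${db}:[[:space:]]*//p" "$1" | sed 's/#.*//')
        case " $sources " in
            *" ldap "*) ;;
            *) echo "nsswitch: $db does not use ldap" >&2; return 1 ;;
        esac
    done
}

# Return 0 if file $1 is readable by "other" (last octal digit has the r bit set).
world_readable() {
    mode=$(stat -c '%a' "$1")      # assumption: GNU/busybox coreutils stat
    case "$mode" in
        *[4567]) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit an nss_ldap config file $1. Reports findings on stderr; returns 1 on a problem.
audit_nss_ldap_conf() {
    rc=0
    has_bindpw=$(grep -Ec '^[[:space:]]*bindpw[[:space:]]' "$1" || true)
    has_rootbinddn=$(grep -Ec '^[[:space:]]*rootbinddn[[:space:]]' "$1" || true)
    if world_readable "$1"; then
        if [ "$has_bindpw" -gt 0 ]; then
            echo "$1: world-readable and contains bindpw: any local user can read the service-account password" >&2
            rc=1
        fi
    else
        # this is exactly the EACCES seen in the strace of "id ldapuser"
        echo "$1: not world-readable: unprivileged getpwnam() calls will fail with EACCES" >&2
        rc=1
    fi
    if [ "$has_rootbinddn" -eq 0 ]; then
        echo "$1: no rootbinddn; use rootbinddn + /etc/libnss-ldap.secret (0600) instead of bindpw" >&2
    fi
    return $rc
}

# Constructed sample files (not the asker's real ones) for a stand-alone run.
tmp=$(mktemp -d)
printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n' > "$tmp/nsswitch.conf"
# weak: world-readable and carries the bind password
printf 'base ou=People,o=company\nuri ldap://ldapserver\nbinddn cn=binduser,o=company\nbindpw password\n' > "$tmp/weak.conf"
chmod 644 "$tmp/weak.conf"
# fixed: world-readable, password moved out to /etc/libnss-ldap.secret via rootbinddn
printf 'base ou=People,o=company\nuri ldap://ldapserver\nrootbinddn cn=binduser,o=company\n' > "$tmp/fixed.conf"
chmod 644 "$tmp/fixed.conf"

nsswitch_has_ldap "$tmp/nsswitch.conf" && echo "nsswitch.conf: ok"
audit_nss_ldap_conf "$tmp/weak.conf" || echo "weak.conf: needs fixing"
audit_nss_ldap_conf "$tmp/fixed.conf" && echo "fixed.conf: ok"
```

Run it against the real files with `audit_nss_ldap_conf /etc/libnss-ldap.conf` after sourcing the script; the same check applies to /etc/pam_ldap.conf, which libpam-ldap pairs with /etc/pam_ldap.secret.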
ASKER
I see in strace where the LDAP server is being contacted but can't see at what point it is failing. I must be asking the wrong question.
If you ask "is there a profile with uid=X" and answer with fields A, B, C
(and C is missing), the system calls will succeed, but after a bunch of writes (the LDAP query) a few reads should contain the answer (and data) in the buffer read back.
You can mimic the query to the LDAP database with ldapsearch...
ldapsearch -h host -D BindDN -w secret -b BaseDN '(&(uid=XXXXXX)(objectclass=posixAccount))' uid uidnumber gidnumber homeDirectory loginShell
Should return all requested fields....
Like:
# Some user info
dn: cn=XXXX,cn=users,.....
gidNumber: 100
homeDirectory: /home/XXXX
uidNumber: 200
loginShell: /bin/bash
uid: XXXX
ASKER
I just get dn, uid and some other organization specific values but no homeDir, shell, etc...
ASKER
My train of thought was if a user is valid or the authentication is a success then let the user login using uid.
Part of a user's profile (for a process) is the home directory.
Another part is the shell that needs to be started...
Also the uidNumber and gidNumber are needed, as this is what really identifies a user for Unix/Linux.... all ownership items are based on the numbers, not the names... besides being the initial lookup key, the uid is not used....
(ls does a reverse lookup, though: it gets a list of files with a uidNumber as owner and then looks up all those numbers using getpwuid, which is the companion of getpwnam but uses the uidNumber as key.)
ASKER
Hmm, okay because I've joined machines to Active Directory before and been able to authenticate users that didn't have local account and when they logged in via say SSH and didn't have a local account it would just drop them in a default shell. Is that not possible with LDAP?
One way or the other, the uidNumber, gidNumber & home directory ARE required; if no shell is passed, /bin/sh is assumed.
A home directory IS provided by Windows AD, and all kinds of bridges between AD & Unix probably provide a way to map (possibly dynamically) uid & gid numbers.
At least the Samba one does.
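Both the ldapsearch-based check a few posts up and the list of required attributes just above amount to the same test: does the entry carry everything nss_ldap needs to synthesise a passwd line? The script below is an added example, not code from this thread. It reads LDIF as printed by `ldapsearch -LLL`, and either emits the passwd(5) line getpwnam would return or lists the attributes that are missing; uidNumber, gidNumber and homeDirectory are treated as mandatory and loginShell as optional, with an empty shell field meaning /bin/sh as stated above. The two entries are constructed samples; the ldapsearch invocation in the comment reuses the thread's base and bind DN and the `-x` flag the asker needs for a simple bind.

```shell
#!/bin/sh
# Added example (not from the thread): validate that an LDAP entry has the
# attributes nss_ldap needs to answer getpwnam(). Reads LDIF on stdin, e.g. from:
#   ldapsearch -x -LLL -H ldap://ldapserver -D "cn=binduser,o=company" -w password \
#       -b "ou=People,o=company" '(&(uid=xyz)(objectClass=posixAccount))' \
#       uid uidNumber gidNumber homeDirectory loginShell

# Print the value of attribute $1 from the LDIF on stdin (first occurrence only).
# Only "name: value" lines are handled; "name:: base64" values are not decoded.
ldif_attr() {
    sed -n "s/^$1: //p" | head -n 1
}

# Read LDIF from stdin; print the passwd(5) line on success, or the missing
# attributes on stderr and return 1.
check_posix_entry() {
    ldif=$(cat)
    missing=""
    for attr in uid uidNumber gidNumber homeDirectory; do
        val=$(printf '%s\n' "$ldif" | ldif_attr "$attr")
        [ -n "$val" ] || missing="$missing $attr"
    done
    if [ -n "$missing" ]; then
        printf 'missing required attributes:%s\n' "$missing" >&2
        return 1
    fi
    uid=$(printf '%s\n' "$ldif" | ldif_attr uid)
    uidn=$(printf '%s\n' "$ldif" | ldif_attr uidNumber)
    gidn=$(printf '%s\n' "$ldif" | ldif_attr gidNumber)
    home=$(printf '%s\n' "$ldif" | ldif_attr homeDirectory)
    shell=$(printf '%s\n' "$ldif" | ldif_attr loginShell)
    # ownership and access checks use the numbers, so they must be numeric
    case "$uidn$gidn" in
        *[!0-9]*) printf 'uidNumber/gidNumber must be numeric\n' >&2; return 1 ;;
    esac
    # password field is "x": the hash comes from the shadow map / PAM, not from here
    printf '%s:x:%s:%s::%s:%s\n' "$uid" "$uidn" "$gidn" "$home" "${shell:-/bin/sh}"
}

# Constructed sample entries (not real directory data).
GOOD_LDIF='dn: uid=xyz,ou=People,o=company
uid: xyz
uidNumber: 200
gidNumber: 100
homeDirectory: /home/xyz
loginShell: /bin/bash'

# What the asker describes: dn, uid and org-specific values, but no POSIX fields.
BAD_LDIF='dn: uid=xyz,ou=People,o=company
uid: xyz
mail: xyz@example.com'

# Complete except for loginShell, so the /bin/sh default applies.
NOSHELL_LDIF='dn: uid=abc,ou=People,o=company
uid: abc
uidNumber: 201
gidNumber: 100
homeDirectory: /home/abc'

printf '%s\n' "$GOOD_LDIF" | check_posix_entry
printf '%s\n' "$NOSHELL_LDIF" | check_posix_entry
printf '%s\n' "$BAD_LDIF" | check_posix_entry || echo "entry for xyz cannot yield a passwd line"
```

Pipe the real ldapsearch output into `check_posix_entry`; an entry that fails here is one that nss_ldap will silently drop, which is what "id: ldapuser: No such user" looks like from the client.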
ASKER
I'm still looking into the issue, not abandoned...
any progress? Any supplemental info/questions?
ASKER
@noci,
I haven't been able to work on this but I will assign points as I believe that the problem I have is due to not having the resources that I need from the server side.
ASKER
In regards to the entries in "libnss-ldap.conf", should the posixAccount be used, or should I specify the dn such as "uid" in my case?
nss_base_passwd cn=users,dc=xxxx,dc=xx?sub
nss_base_shadow cn=users,dc=xxxx,dc=xx?sub
Where should failure messages appear as it still doesn't seem that ssh is even trying the LDAP server.