LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-16-2004, 12:58 PM   #1
Adrian W
LQ Newbie
 
Registered: Jul 2004
Posts: 6

Rep: Reputation: 0
LDAP Authentication w/ Local User Information


I've been hammering at this for a while now, and I'm pretty much stumped. I would like to do LDAP Authentication to a Novell eDirectory Tree, but keep the uid, gid local to the system.

When a user logs in, it will check the passwd file and see what the users local info is (ie shell, uid, gid) but when it tries to authenticate against the md5 hash, it will instead look at the Novell eDirectory tree and do ldap authentication instead of the local shadow file.

Is this possible ? How ? I've tried everything I could think of.

My reason of doing this is I do not want to extend my tree at this point in time to contain posix account values, I would only like to authenticate against it.

Thank you,
Adrian.
 
Old 07-16-2004, 02:35 PM   #2
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
Re: LDAP Authentication w/ Local User Information

Quote:
Originally posted by Adrian W
I've been hammering at this for a while now, and I'm pretty much stumped. I would like to do LDAP Authentication to a Novell eDirectory Tree, but keep the uid, gid local to the system.

When a user logs in, it will check the passwd file and see what the users local info is (ie shell, uid, gid) but when it tries to authenticate against the md5 hash, it will instead look at the Novell eDirectory tree and do ldap authentication instead of the local shadow file.

Is this possible ? How ? I've tried everything I could think of.

My reason of doing this is I do not want to extend my tree at this point in time to contain posix account values, I would only like to authenticate against it.

Thank you,
Adrian.
Yes, this is possible. I've done it both against eDir and AD. However, I should tell you that generally eDir already has the posix attributes.

Just off the cuff, but modify your nsswitch.conf file to reference the files (passwd/group), and configure PAM to point to LDAP. Then * out the password in the /etc/passwd file
 
Old 07-19-2004, 05:33 PM   #3
Adrian W
LQ Newbie
 
Registered: Jul 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Re: Re: LDAP Authentication w/ Local User Information

==

Last edited by Adrian W; 07-19-2004 at 05:38 PM.
 
Old 07-19-2004, 05:35 PM   #4
Adrian W
LQ Newbie
 
Registered: Jul 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Re: Re: LDAP Authentication w/ Local User Information

==

Last edited by Adrian W; 07-19-2004 at 05:38 PM.
 
Old 07-19-2004, 05:37 PM   #5
Adrian W
LQ Newbie
 
Registered: Jul 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Re: Re: LDAP Authentication w/ Local User Information

Quote:
Originally posted by LanRx
Yes, this is possible. I've done it both against eDir and AD. However, I should tell you that generally eDir already has the posix attributes.

Just off the cuff, but modify your nsswitch.conf file to reference the files (passwd/group), and configure PAM to point to LDAP. Then * out the password in the /etc/passwd file
I tried this out and no luck. I setup an LDAP Search via linux just to make sure my ldap tree is working fine, and it is. These are the steps I did:

1) Edit ldap.conf
- Added the Server Name & Base Search
2) Edit nsswitch.conf
- Added passwd, shadow and group "files ldap" (to simplify the configuration)
3) Edit pam.d/login & sshd
- Added auth, account & password "sufficient pam_ldap.so debug"
4) Edit shadow
- And star'ed out the md5 password hash
5) Restarted nscd daemon

I try to ssh into the system and it fails, check the secure and message logs and just says it fails... If I could see more verbose logs maybe I could figure out what I'm doing wrong... but I would suspect "debug" in the pam configuration should enable this. Any idea ?
 
Old 07-19-2004, 06:39 PM   #6
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
Re: Re: Re: LDAP Authentication w/ Local User Information

Quote:
Originally posted by Adrian W
I tried this out and no luck. I setup an LDAP Search via linux just to make sure my ldap tree is working fine, and it is. These are the steps I did:

1) Edit ldap.conf
- Added the Server Name & Base Search
2) Edit nsswitch.conf
- Added passwd, shadow and group "files ldap" (to simplify the configuration)
3) Edit pam.d/login & sshd
- Added auth, account & password "sufficient pam_ldap.so debug"
4) Edit shadow
- And star'ed out the md5 password hash
5) Restarted nscd daemon

I try to ssh into the system and it fails, check the secure and message logs and just says it fails... If I could see more verbose logs maybe I could figure out what I'm doing wrong... but I would suspect "debug" in the pam configuration should enable this. Any idea ?
Kill your sshd, and restart interactively, using ./sshd -ddd

You will be able to launch one attempted ssh back into the box, and it will give you a full debug.

What does it say in the secure log? In my experience, that has been one of the most thorough logs. You'll need to see if it's telling you that it can't find the account information, or if it's a password problem. Your ldap.conf file may have the password hash misconfigured.

You are doing this against eDir, right?

Here is a document that I was using in the beginning, as well. It references Solaris and eDirectory.

http://developer.novell.com/research...02/a020602.htm
 
Old 07-19-2004, 07:13 PM   #7
Adrian W
LQ Newbie
 
Registered: Jul 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Re: Re: Re: Re: LDAP Authentication w/ Local User Information

Quote:
Originally posted by LanRx
Kill your sshd, and restart interactively, using ./sshd -ddd

You will be able to launch one attempted ssh back into the box, and it will give you a full debug.

What does it say in the secure log? In my experience, that has been one of the most thorough logs. You'll need to see if it's telling you that it can't find the account information, or if it's a password problem. Your ldap.conf file may have the password hash misconfigured.

You are doing this against eDir, right?

Here is a document that I was using in the beginning, as well. It references Solaris and eDirectory.

http://developer.novell.com/research...02/a020602.htm
Yes, I'm doing this against eDir. I'm running version 8.6.2, which I don't think has the PosixAccount support. Or at least I don't think I have the directory extended with these attributes, I've searched high and low for the ldap attributes. I could add them, but I'm in a regulated industry, which means lots of documentation before I can do any changes. So for now I just want to authenticate against it, and make sure this works.

The secure log says :
Jul 19 15:40:33 nagios sshd[4633]: Failed password for awildang from 192.168.8.106 port 33518 ssh2

... Hrmm, can you elaborate on what you mean by the password hash may be misconfigured ?

I will take a look at the documentation you sent me as well. Thank you!
 
Old 07-19-2004, 07:17 PM   #8
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
Re: Re: Re: Re: Re: LDAP Authentication w/ Local User Information

Quote:
Originally posted by Adrian W
Yes, I'm doing this against eDir. I'm running version 8.6.2, which I don't think has the PosixAccount support. Or at least I don't think I have the directory extended with these attributes, I've searched high and low for the ldap attributes. I could add them, but I'm in a regulated industry, which means lots of documentation before I can do any changes. So for now I just want to authenticate against it, and make sure this works.

The secure log says :
Jul 19 15:40:33 nagios sshd[4633]: Failed password for awildang from 192.168.8.106 port 33518 ssh2

... Hrmm, can you elaborate on what you mean by the password hash may be misconfigured ?

I will take a look at the documentation you sent me as well. Thank you!
You can configure the password hash in your ldap.conf file. it says something like pam_password md5, or something of the sort.
 
Old 07-20-2004, 03:54 PM   #9
Adrian W
LQ Newbie
 
Registered: Jul 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Re: Re: Re: Re: Re: Re: LDAP Authentication w/ Local User Information

Quote:
Originally posted by LanRx
You can configure the password hash in your ldap.conf file. it says something like pam_password md5, or something of the sort.
Can you maybe explain something, because your last message got me thinking.

How does PAM authenticate against the LDAP source ? Does it actually look for a PosixAccount attribute that stores thehashed password, or does it just authenicate against the tree. The difference in the two is that one requires a tree extended with the proper attributes, the second only tries to authenticate using an existing ldap username and password.

I was under the assumption, or I thought I understood, that I can just authenticate against an existing ldap tree (ie. username and password), as this would provide me with syncronized accounts and passwords. This is what we do with some other systems here at the company, we just authenticate to our eDir tree via LDAP, if we can that means we are a valid user.

I noticed in the Novell link you sent me that it requires a "shadowAccount" for the PosixAccount, is this refering to that hashed password attribute I'm thinking of above?

I'm stilling hammering away at this... I feel I'm close... but it's so frustrating at times, when something so simple should work...
 
Old 07-20-2004, 05:16 PM   #10
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
In my opinion...they are both the same thing. The difference between the two, being that you have a client with the Novell infrastructure, which permits you to simplify your thinking to just "the tree". and the context, because the client is going to look for your object, and then the password within the specified attribute.

However, to answer your question, you will configure the attribute that holds all of your posix attributes, from userPassword to uidNumber,gidNumber,homeDirectory, etc, etc.
 
Old 07-23-2004, 01:24 PM   #11
gsker
LQ Newbie
 
Registered: Jul 2004
Location: Twin Cities, MN
Posts: 5

Rep: Reputation: 0
Lightbulb Use stunnel,ldap and pam and you'll get secure auth without posix stuff

I have succeeded in doing exactly what you want to do with RedHat 7 through 9. It has broken with Fedora 2 and I'd sure like to figure out why. My technique:
(requires nss_ldap installed)
1. Startup stunnel with a config file like this (ldap doesn't do TLS to eDir very well):
client = yes
[389]
accept = 389
connect = edirserver:636
2. Configure /etc/ldap.conf ilke this (use your base context -- not mine):
host localhost
base ou=EH,ou=STP,o=MDH
scope one
timelimit 5
bind_timelimit 5
idle_timelimit 5
pam_login_attribute cn
pam_password nds
nss_map_attribute uniqueMember member
nss_map_attribute userPassword authPassword

3. Add this line to /etc/pam.d/system-auth after auth ... pam_unix.so
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass

4. If you'd like to be able to change the password from the linux side, also put this line in there:
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok

That's it. It just works for me like that. NOT with Fedora Core 2 though!!! If you have Fedora Core 2 and you get it to work, please let me know!

Ger
 
Old 08-10-2004, 01:12 AM   #12
chancyrus
LQ Newbie
 
Registered: Apr 2003
Location: hk
Posts: 2

Rep: Reputation: 0
I think I have a similar problem.

I want to use a linux to be a ftp and file server, but I want to use accounts in the netware 5 server. How can I do it?
 
Old 08-10-2004, 09:41 AM   #13
gsker
LQ Newbie
 
Registered: Jul 2004
Location: Twin Cities, MN
Posts: 5

Rep: Reputation: 0
LDAP to NDS (eDir) Auth on Fedora Core 2 working

Well, chancyrus, you should be able to follow the path I laid out above if you just want authentication. Or the others in this thread - if you've got the POSIX attributes in your tree and you want other authorization stuff controlled by nds.
You could also have pam create the account for you on the fly and just use NDS for auth as I do.

If some part of that is confusing please let me know in e-mail.

I think I found my problem with Fedora too. Took me way too long -- it seems that I got burned on the scope which needed to be "scope sub"
 
Old 08-17-2004, 11:09 AM   #14
chancyrus
LQ Newbie
 
Registered: Apr 2003
Location: hk
Posts: 2

Rep: Reputation: 0
Thank you for your reply, gsker.

I have try the setting you mentioned , however I can't make it work.
Should I make some changes on the setting of the novell 5.1 server?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
script for getting user information from LDAP paul_mat Linux - Networking 1 11-03-2005 08:30 PM
Samba PDC , LDAP user authentication , what about Machines ? Jingle Linux - Enterprise 0 07-22-2005 09:00 AM
LDAP-CVS-User Authentication ralagar_raja Linux - Enterprise 0 01-04-2005 05:42 AM
user authentication with ldap on slackware? micval Slackware 4 01-16-2004 01:19 AM
Quick Q on LDAP and user authentication tarballed Linux - General 3 03-29-2003 03:08 AM


All times are GMT -5. The time now is 09:48 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration