openldap client authentication without TLS certificate.
Greetings all,
I've been reading a lot of how-tos and googling and I have to say I'm left a little confused :) I was wondering if someone can give me a hand here as I'm a little lost and unable to authenticate a user with the ldap server.

Situation
======
The ldap server is in another department and I have no idea who set it up. However, I have been given connection/authentication strings. There is no certificate; however, it is a simple authentication with ssl.

I am currently running CentOS release 5.7 (Final) kernel 2.6.18-274.17.1.el5

As this is a client machine I did not install openldap-server. I installed the following:
yum install -y nss_ldap.x86_64 openldap-clients.x86_64 openldap.x86_64 openldap24-libs.x86_64

verified:
rpm -qa | grep ldap
php-ldap-5.1.6-27.el5_7.4
openldap-devel-2.3.43-25.el5_8.1
openldap-2.3.43-25.el5_8.1
openldap24-libs-2.4.23-5.el5
nss_ldap-253-49.el5
openldap-clients-2.3.43-25.el5_8.1
python-ldap-2.2.0-2.1

In /etc/ldap.conf && /etc/openldap/ldap.conf I added the following:
URI ldaps://server1.domain.com/
BASE CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
tls_checkpeer no
binddn CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com
bindpw <supplied password>
nss_base_passwd OU=users,DC=server1,DC=domain,DC=com?one?|(allowattrib=CN)
nss_base_group OU=ident,OU=Apps,DC=server1,DC=domain,DC=com
ssl yes
pam_password exop

/etc/nsswitch file:
passwd: files ldap
shadow: files ldap
group: files ldap

When I run getent passwd user it takes about 1 sec then returns with nothing. Nothing in /var/log/messages nor in /var/log/ldap.log.

When running id user:
id: user: No such user

When I do a ldapsearch:
ldapsearch -x -b 'DC=server1,DC=domain,DC=com' -D "CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com" '(CN=user)' -H ldaps://server1.domain.com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
<...>
# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

I am able to get some results... When I attempt to log into the server I get the following results in /var/log/secure:
Jul 30 07:58:27 test sshd[30256]: Invalid user user from XXX.XXX.XXX.XX
Jul 30 07:58:27 test sshd[30259]: input_userauth_request: invalid user user
Jul 30 07:58:36 test sshd[30256]: pam_unix(sshd:auth): check pass; user unknown
Jul 30 07:58:36 test sshd[30256]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machine.domain.com
Jul 30 07:58:36 test sshd[30256]: pam_succeed_if(sshd:auth): error retrieving information about user User
Jul 30 07:58:38 test sshd[30256]: Failed password for invalid user User from XXX.XXX.XXX.XXX port 43006 ssh2

It doesn't look like it is using ldap to authenticate. Is there something I am missing or have overlooked?

Thanks in advance
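As an added example (not code from the thread or from the nss_ldap/openldap projects), the following Python audit parses an nss_ldap-style ldap.conf like the one posted above and reports the issues a reviewer would check first: an ldaps:// URI combined with TLS_REQCERT never / tls_checkpeer no (the channel is encrypted but the server is never authenticated, so the password travels to whoever answers on that name), ssl yes paired with a plain ldap:// URI, an nss_base_* filter that is not a well-formed RFC 4515 filter (the filter must be fully parenthesised; a filter that yields nothing makes getent return nothing), and a bindpw stored in a file that NSS clients must be able to read. The sample config, the placeholder password and the severity names are constructed for this example.

```python
from urllib.parse import urlparse

# Constructed sample: the client settings posted in the thread, with the
# supplied password replaced by a placeholder.
SAMPLE_LDAP_CONF = """\
URI ldaps://server1.domain.com/
BASE CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
tls_checkpeer no
binddn CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com
bindpw PLACEHOLDER_PASSWORD
nss_base_passwd OU=users,DC=server1,DC=domain,DC=com?one?|(allowattrib=CN)
nss_base_group OU=ident,OU=Apps,DC=server1,DC=domain,DC=com
ssl yes
pam_password exop
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict; keys are case-insensitive, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def filter_is_wellformed(flt):
    """RFC 4515 shape: a single outer '(' ... ')' group with balanced parentheses."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(flt) - 1:
                return False  # outer group closed before the end, e.g. "(a=1)(b=2)"
    return depth == 0


def split_nss_base(value):
    """nss_base_* values have the form base?scope?filter; scope and filter are optional."""
    parts = value.split("?", 2)
    base = parts[0]
    scope = parts[1] if len(parts) > 1 else ""
    flt = parts[2] if len(parts) > 2 else ""
    return base, scope, flt


def audit_ldap_conf(conf):
    """Return (severity, key, message) findings; severity is one of error/warn/info."""
    findings = []
    uri = conf.get("uri", "")
    scheme = urlparse(uri.split()[0]).scheme.lower() if uri else ""

    no_verify = (conf.get("tls_reqcert", "").lower() == "never"
                 or conf.get("tls_checkpeer", "").lower() in ("no", "off"))
    if scheme == "ldaps" and no_verify:
        findings.append(("warn", "tls_reqcert",
                         "ldaps:// with certificate verification disabled: the session is "
                         "encrypted but the server is not authenticated; install the CA "
                         "certificate and use TLS_REQCERT demand"))
    if scheme == "ldap" and conf.get("ssl", "").lower() in ("yes", "on"):
        findings.append(("warn", "ssl",
                         "ssl yes/on combined with a plain ldap:// URI; make the two agree"))

    for key in ("nss_base_passwd", "nss_base_shadow", "nss_base_group"):
        if key not in conf:
            continue
        base, scope, flt = split_nss_base(conf[key])
        if scope and scope not in ("base", "one", "sub"):
            findings.append(("error", key, "unknown scope %r" % scope))
        if flt and not filter_is_wellformed(flt):
            findings.append(("error", key,
                             "filter %r is not a well-formed RFC 4515 filter; lookups will "
                             "return nothing" % flt))

    if "bindpw" in conf:
        findings.append(("info", "bindpw",
                         "bindpw is stored in a file NSS clients must read; use a "
                         "low-privilege, read-only bind account"))
    return findings


if __name__ == "__main__":
    for sev, key, msg in audit_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print("[%s] %s: %s" % (sev, key, msg))
```

On the posted config the audit flags the unverified ldaps session, the nss_base_passwd filter (the leading `|` sits outside any parentheses) and the stored bind password; to run it against a real host, replace SAMPLE_LDAP_CONF with the contents of /etc/ldap.conf.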
Did you add the CA cert that signed the cert for the ldap server? .. maybe something like:
Code:
wget -q http://<some_server>/orgcacert.pem -O /etc/openldap/cacerts/orgcacert.pem
Code:
TLS_REQCERT demand
Hello
thanks for the reply. Unfortunately not using TLS and therefore no certificates. Plain old simple authentication (have to laugh, as it is anything but simple :) ) Hence why I have added: Quote:
System-auth has the correct values: Quote:
## None of the users reside on the client machine. They need to authenticate via ldaps to login. However, I am not seeing any entries for pam_ldap in /var/log/secure and I do not get any values returned with getent passwd user. I'm currently at a loss as to what actions I need to perform, and am pulling hair out.. :D Thanks in advance. Maybe if there is a fantastic, great, awesome how-to guide out there that I haven't looked at/read please feel free to post it.
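Added example (not from the thread): a small triage script over the /var/log/secure lines posted earlier, showing how to read them. sshd logs "Invalid user X from ..." when the account lookup through NSS fails before PAM is ever consulted, so the absence of pam_ldap lines in that case points at name-service lookup (the same thing getent passwd exercises) rather than at the PAM stack. The script groups lines by sshd PID, records which PAM modules logged, and gives a verdict per attempt. The log lines are the constructed sample from the thread; the verdict names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd lines quoted in the thread.
SAMPLE_SECURE_LOG = """\
Jul 30 07:58:27 test sshd[30256]: Invalid user user from XXX.XXX.XXX.XX
Jul 30 07:58:27 test sshd[30259]: input_userauth_request: invalid user user
Jul 30 07:58:36 test sshd[30256]: pam_unix(sshd:auth): check pass; user unknown
Jul 30 07:58:36 test sshd[30256]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machine.domain.com
Jul 30 07:58:36 test sshd[30256]: pam_succeed_if(sshd:auth): error retrieving information about user User
Jul 30 07:58:38 test sshd[30256]: Failed password for invalid user User from XXX.XXX.XXX.XXX port 43006 ssh2
"""

# syslog line: "<Mon dd HH:MM:SS> <host> <prog>[<pid>]: <msg>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# PAM module line: "pam_unix(sshd:auth): ..."
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<type>\w+)\): (?P<detail>.*)$")
# sshd could not resolve the account through NSS (getpwnam failed)
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<rhost>\S+)$")

NSS_LOOKUP_FAILED = "nss_lookup_failed"
PAM_MODULE_MISSING = "pam_module_missing"
OK = "ok"


def parse_secure_log(text):
    """Parse syslog-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage_sshd_attempts(events, expect_modules=("pam_ldap",)):
    """Per sshd PID: the unresolved user (if any), PAM modules seen, and a verdict."""
    by_pid = defaultdict(list)
    for e in events:
        if e["prog"] == "sshd":
            by_pid[e["pid"]].append(e)

    report = {}
    for pid, evs in by_pid.items():
        modules = []
        unresolved_user = None
        for e in evs:
            m = INVALID_RE.match(e["msg"])
            if m:
                unresolved_user = m.group("user")
            p = PAM_RE.match(e["msg"])
            if p and p.group("module") not in modules:
                modules.append(p.group("module"))
        if unresolved_user is None and not modules:
            continue  # nothing auth-related for this PID
        missing = [mod for mod in expect_modules if mod not in modules]
        if unresolved_user is not None:
            verdict = NSS_LOOKUP_FAILED   # fix getent/nss_ldap first; PAM never saw a known user
        elif missing:
            verdict = PAM_MODULE_MISSING  # user resolved, but the expected module did not log
        else:
            verdict = OK
        report[pid] = {"unresolved_user": unresolved_user, "pam_modules": modules,
                       "missing_modules": missing, "verdict": verdict}
    return report


if __name__ == "__main__":
    for pid, r in triage_sshd_attempts(parse_secure_log(SAMPLE_SECURE_LOG)).items():
        print(pid, r["verdict"], "modules=%s" % ",".join(r["pam_modules"]),
              "unresolved=%s" % r["unresolved_user"])
```

For the quoted attempt (PID 30256) the verdict is nss_lookup_failed: only pam_unix and pam_succeed_if logged, and both complain that the user is unknown, which is consistent with getent passwd returning nothing.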
So if you're connecting over ssl you don't think you need certificates? ..
well that is what I asked as well...
I was told I do not need a certificate to contact/authenticate against the server. I also tried using 'apache directory studio' on a windows pc with the same credentials as above and it worked. As I do not have access to the ldap server, I can only go on what information I am being told. Apologies for the uniqueness of this situation and my lack of expertise in ldap. :S <edit> just want to add, that I have tried it with ldap://server.domain.com and I get the same problem.
When you changed to ldap://... did you also change 'ssl no' ?
Hello,
Yes I did. :( It seems like it is not using pam_ldap at all. I have also disabled selinux, and turned off the firewall. Quote:
ta
Just noticed you were attempting to log in via ssh, do you have 'UsePAM yes' in /etc/ssh/sshd_config ?
Also, any idea what type of ldap server you're connecting to ?
Hello,
Yes I also checked the /etc/sshd/sshd_config for "UsePAM yes". I also restarted sshd :) No I do not know what type of ldap server I am connecting to. (apparently that is restricted) :) All I know is that it uses a round robin system and I can connect to any one of them at different times. Here is my current config (just for clarification) [changed via authconfig-tui] Quote:
Not sure if you need it but you could try adding:
Code:
nss_base_shadow OU=users,dc=server1,dc=domain,dc=com
thank you for the feedback.
I have tried your suggestion and there has been no improvement :( If you think of anything else or a different way to set it up or a good how-to guide let me know. Cheers
PM'ed you...