LinuxQuestions.org
Old 07-29-2012, 06:09 PM   #1
shiden
LQ Newbie
 
Registered: Jul 2012
Posts: 12

Rep: Reputation: Disabled
Question openldap client authentication without TLS certificate.


Greetings all,

I've been reading a lot of how-tos and googling, and I have to say I'm left a little confused.
I was wondering if someone can give me a hand here, as I'm a little lost and unable to authenticate a user with the ldap server.

Situation
======

The ldap server is in another department and I have no idea who set it up.
However, I have been given connection/authentication strings.
There is no certificate; however, it is a simple authentication with ssl.

I am currently running CentOS release 5.7 (Final) kernel 2.6.18-274.17.1.el5

As this is a client machine I did not install openldap-server.

I installed the following:

yum install -y nss_ldap.x86_64 openldap-clients.x86_64 openldap.x86_64 openldap24-libs.x86_64

verified:

rpm -qa | grep ldap
php-ldap-5.1.6-27.el5_7.4
openldap-devel-2.3.43-25.el5_8.1
openldap-2.3.43-25.el5_8.1
openldap24-libs-2.4.23-5.el5
nss_ldap-253-49.el5
openldap-clients-2.3.43-25.el5_8.1
python-ldap-2.2.0-2.1

In /etc/ldap.conf and /etc/openldap/ldap.conf I added the following:

URI ldaps://server1.domain.com/
BASE CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
tls_checkpeer no
binddn CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com
bindpw <supplied password>
nss_base_passwd OU=users,DC=server1,DC=domain,DC=com?one?|(allowattrib=CN)
nss_base_group OU=ident,OU=Apps,DC=server1,DC=domain,DC=com
ssl yes
pam_password exop

/etc/nsswitch file

passwd: files ldap
shadow: files ldap
group: files ldap

When I run getent passwd user

it takes about 1 sec and then returns nothing.

Nothing in /var/log/messages nor in /var/log/ldap.log.

When running id user:
id: user: No such user

When I do an ldapsearch:

ldapsearch -x -b 'DC=server1,DC=domain,DC=com' -D "CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com" '(CN=user)' -H ldaps://server1.domain.com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3


<...>


# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1


I am able to get some results...

When I attempt to log into the server I get the following results in /var/log/secure:

Jul 30 07:58:27 test sshd[30256]: Invalid user user from XXX.XXX.XXX.XX
Jul 30 07:58:27 test sshd[30259]: input_userauth_request: invalid user user
Jul 30 07:58:36 test sshd[30256]: pam_unix(sshd:auth): check pass; user unknown
Jul 30 07:58:36 test sshd[30256]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machine.domain.com
Jul 30 07:58:36 test sshd[30256]: pam_succeed_if(sshd:auth): error retrieving information about user User
Jul 30 07:58:38 test sshd[30256]: Failed password for invalid user User from XXX.XXX.XXX.XXX port 43006 ssh2

It doesn't look like it is using ldap to authenticate.

Is there something I am missing or have overlooked?

Thanks in advance

Last edited by shiden; 07-29-2012 at 10:00 PM.
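Added example, not from this thread: a small POSIX sh audit of the ldap.conf settings posted above. It flags the three settings that matter most here: a cleartext ldap:// URI without StartTLS, disabled server certificate checking, and a bindpw kept in a world-readable file. The sample config is constructed to mirror the poster's values.

```shell
#!/bin/sh
# Added example, not from the thread: audit an nss_ldap /etc/ldap.conf or an
# OpenLDAP ldap.conf for settings that weaken transport security.
# Prints one "WARN:" line per finding and nothing for a clean file.
audit_ldap_conf() {
    # Drop comments and blank lines, and lowercase the keyword so that
    # "TLS_REQCERT" and "tls_reqcert" are treated alike.
    NORM=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
           awk '{ $1 = tolower($1); print }')
    _has() { printf '%s\n' "$NORM" | grep -Eiq "$1"; }

    # 1. ldap:// without StartTLS: the bindpw and every password that
    #    pam_ldap binds with cross the wire in cleartext.
    if _has '^uri[[:space:]]+ldap://' && ! _has '^ssl[[:space:]]+start_tls'; then
        echo "WARN: ldap:// URI without 'ssl start_tls': simple binds are sent in cleartext"
    fi
    # 2. Certificate checking disabled: any host answering on the
    #    round-robin name can impersonate the directory.
    if _has '^tls_checkpeer[[:space:]]+no' || _has '^tls_reqcert[[:space:]]+(never|allow)'; then
        echo "WARN: server certificate is not verified (tls_checkpeer no / TLS_REQCERT never)"
    fi
    # 3. A bind password in /etc/ldap.conf is readable by every local
    #    process, because nss_ldap is loaded into all of them.
    if _has '^bindpw[[:space:]]+'; then
        echo "WARN: bindpw in a world-readable file; prefer rootbinddn with /etc/ldap.secret (mode 0600)"
    fi
}

# Constructed sample mirroring the settings posted in this thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
URI ldap://server1.domain.com
ssl no
tls_checkpeer no
TLS_REQCERT never
binddn cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com
bindpw <supplied password>
EOF
audit_ldap_conf "$sample"
rm -f "$sample"
```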
 
Old 07-29-2012, 08:29 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
Did you add the CA cert that signed the cert for the ldap server? .. maybe something like:

Code:
wget -q http://<some_server>/orgcacert.pem -O /etc/openldap/cacerts/orgcacert.pem
cd /etc/openldap/cacerts
# OpenSSL finds CA certs in TLS_CACERTDIR by subject hash, so each
# .pem needs a <hash>.0 symlink
for file in *.pem
do
    ln -s "$file" "$(openssl x509 -hash -noout -in "$file").0"
done
..and maybe change to:
Code:
TLS_REQCERT demand
.. also did you use authconfig, or do this by hand?
 
Old 07-29-2012, 09:08 PM   #3
shiden
LQ Newbie
 
Registered: Jul 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Hello

Thanks for the reply. Unfortunately I'm not using TLS and therefore have no certificates. Plain old simple authentication (I have to laugh, as it is anything but simple).

Hence why I have added:

Quote:
TLS_REQCERT never
tls_checkpeer no
I have used authconfig-tui:

System-auth has the correct values:

Quote:
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

## None of the users reside on the client machine. They need to authenticate via ldaps to log in.
However, I am not seeing any entries for pam_ldap in /var/log/secure and I do not get any values returned with getent passwd user.


I'm currently at a loss as to what actions I need to perform, and am pulling my hair out.

Thanks in advance.

Maybe if there is a fantastic, great, awesome how to guide out there that I haven't looked at/read please feel free to post it.

Last edited by shiden; 07-29-2012 at 09:10 PM. Reason: how to guides please :/
 
Old 07-29-2012, 09:17 PM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
So if you're connecting over ssl you don't think you need certificates? ..
 
Old 07-29-2012, 09:27 PM   #5
shiden
LQ Newbie
 
Registered: Jul 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Well, that is what I asked as well...
I was told I do not need a certificate to contact/authenticate against the server.

I also tried using 'apache directory studio' on a windows pc with the same credentials as above and it worked.

As I do not have access to the ldap server, I can only go on what information I am being told.

Apologies for the uniqueness of this situation and my lack of expertise in ldap. :S

<edit>

Just want to add that I have tried it with ldap://server.domain.com
and I get the same problem.

Last edited by shiden; 07-29-2012 at 09:31 PM.
 
Old 07-29-2012, 09:51 PM   #6
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
When you changed to ldap://... did you also change 'ssl no' ?
 
Old 07-29-2012, 10:03 PM   #7
shiden
LQ Newbie
 
Registered: Jul 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Hello,

Yes, I did.

It seems like it is not using pam_ldap at all.
I have also disabled selinux and turned off the firewall.

Quote:
/var/log/secure

Invalid user user from XXX.XXX.XXX.XX
input_userauth_request: invalid user user
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machine.domain.com
pam_succeed_if(sshd:auth): error retrieving information about user User
At what stage should it use pam_ldap?

ta
 
Old 07-29-2012, 10:09 PM   #8
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
Just noticed you were attempting to log in via ssh, do you have 'UsePAM yes' in /etc/ssh/sshd_config ?

Also, any idea what type of ldap server you're connecting to ?

Last edited by kbp; 07-29-2012 at 10:11 PM.
 
Old 07-29-2012, 10:19 PM   #9
shiden
LQ Newbie
 
Registered: Jul 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Hello,

Yes, I also checked /etc/sshd/sshd_config for "UsePAM yes".
I also restarted sshd.

No, I do not know what type of ldap server I am connecting to (apparently that is restricted). All I know is that it uses a round robin system and I can connect to any one of them at different times.

Here is my current config (just for clarification) [changed via authconfig-tui]

Quote:
/etc/openldap/ldap.conf
URI ldap://server1.domain.com
BASE cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
TLS_CRLCHECK none
BINDDN cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com
BINDPW <password supplied>
Quote:
/etc/ldap.conf
ldap_version 3
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_password md5
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
binddn cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com
bindpw <supplied password>
nss_base_passwd OU=users,dc=server1,dc=domain,dc=com
nss_base_group OU=ident,OU=Apps,dc=server1,dc=domain,dc=com
nss_map_objectclass posixAccount User
nss_map_attribute uniqueMember member
nss_map_attribute uid cn
ssl no
uri ldap://server1.domain.com
base cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com
bind_policy soft
pam_lookup_policy yes
Quote:
/etc/nsswitch
passwd: ldap files
shadow: ldap files
group: ldap files
Quote:
authconfig --test

caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap://server1.domain.com"
LDAP base DN = "cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is md5
pam_krb5 is disabled
krb5 realm = "EXAMPLE.COM"
krb5 realm via dns is disabled
krb5 kdc = "kerberos.example.com:88"
krb5 kdc via dns is disabled
krb5 admin server = "kerberos.example.com:749"
pam_ldap is enabled

LDAP+TLS is disabled
LDAP server = "ldap://server1.domain.com"
LDAP base DN = "cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com"
pam_pkcs11 is disabled

use only smartcard for login is disabled
smartcard module = "coolkey"
smartcard removal action = "Ignore"
pam_smb_auth is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
pam_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is disabled by default
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is enabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled
My ldapsearch still returns successful.
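Added example, not from this thread: an awk check wrapped in a POSIX sh function that reads an ldapsearch LDIF result and reports which attributes nss_ldap still needs before getent passwd can return the user. It assumes the mappings from the poster's /etc/ldap.conf above (nss_map_objectclass posixAccount User, nss_map_attribute uid cn). The LDIF is constructed; it shows the case where ldapsearch finds the entry but getent returns nothing because the POSIX fields are absent.

```shell
#!/bin/sh
# Added example, not from the thread: check an ldapsearch LDIF result for the
# attributes nss_ldap needs to build a passwd entry, applying the poster's
# mappings (posixAccount -> User, uid -> cn). Prints one "MISSING:" line per
# gap and nothing when the entry is complete.
check_posix_entry() {
    awk -v oc_map="User" -v uid_attr="cn" '
    # Unfold LDIF continuation lines (a leading space joins the previous line).
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") handle(buf); buf = $0 }
    END { if (buf != "") handle(buf); report() }
    function handle(line,    k, v) {
        if (line ~ /^#/ || index(line, ":") == 0) return
        k = tolower(substr(line, 1, index(line, ":") - 1))
        v = line; sub(/^[^:]*:+ */, "", v)
        if (k == "objectclass") oc[tolower(v)] = 1
        else attr[k] = v
    }
    function report(    need, n, i, key) {
        key = tolower(oc_map)
        if (!(key in oc))
            print "MISSING: objectClass " oc_map " (nss_map_objectclass posixAccount " oc_map ")"
        # uid is mapped to cn, so cn supplies the login name; the rest are
        # the fields nss_ldap cannot fake.
        n = split(uid_attr " uidNumber gidNumber homeDirectory", need, " ")
        for (i = 1; i <= n; i++) {
            key = tolower(need[i])
            if (!(key in attr)) print "MISSING: attribute " need[i]
        }
        if (!("loginshell" in attr)) print "NOTE: loginShell absent; nss_ldap falls back to its default shell"
    }' "$1"
}

# Constructed sample: the kind of entry ldapsearch reports as 1 entry found
# while getent passwd still returns nothing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# extended LDIF
dn: CN=user,OU=users,DC=server1,DC=domain,DC=com
objectClass: top
objectClass: User
cn: user
mail: user@domain.com
EOF
check_posix_entry "$sample"
rm -f "$sample"
```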
 
Old 07-30-2012, 12:00 AM   #10
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
Not sure if you need it but you could try adding:

Code:
nss_base_shadow OU=users,dc=server1,dc=domain,dc=com
nss_map_objectclass shadowAccount user
 
Old 07-30-2012, 06:38 PM   #11
shiden
LQ Newbie
 
Registered: Jul 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
Thank you for the feedback.

I have tried your suggestion and there has been no improvement.

If you think of anything else, a different way to set it up, or a good how-to guide, let me know.

Cheers
 
Old 07-31-2012, 07:30 AM   #12
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
PM'ed you...
 