[SOLVED] OpenLDAP+Samba for authentication of both linux and windows clients

Blue_Ice · 02-10-2010, 07:06 AM

Well, I still have an issue...
I am not able to use the accounts to login to my linux clients. It is a bit weird as I can log on using ssh and su works fine as well. I guess I am still forgetting something, just don't know what. Pam, nsswitch and ldap.conf have to be well configured. Although if I google the net, then I sometimes see that there are still things that need to enable. What I also see is that in these articles they do a migration of the current users, I had hoped that I wouldn't need to do that.

Arjan

Blue_Ice · 02-11-2010, 06:37 PM

Hmm, things didn't go well today. Ssh,su and those things won't work anymore.

The slapd process writes the following errors to the log file:

Code:

Feb 12 01:15:20 server slapd[13851]: conn=148 fd=15 ACCEPT from IP=10.200.56.230:40681 (IP=0.0.0.0:389)
Feb 12 01:15:20 server slapd[13851]: conn=148 op=0 STARTTLS 
Feb 12 01:15:20 server slapd[13851]: conn=148 op=0 RESULT oid= err=0 text=  
Feb 12 01:15:20 server slapd[13851]: conn=148 fd=15 closed (TLS negotiation failure)

On the client, I get the following error in the log file:

Code:

Feb 12 01:16:48 fedoraVM pam: gdm-password[4210]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Feb 12 01:16:52 fedoraVM pam: gdm-password[4210]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Feb 12 01:17:00 fedoraVM pam: gdm-password[4210]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Feb 12 01:17:16 fedoraVM pam: gdm-password[4210]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Feb 12 01:17:48 fedoraVM pam: gdm-password[4210]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Feb 12 01:18:52 fedoraVM pam: gdm-password[4210]: nss_ldap: could not search LDAP server - Server is unavailable

To make it easier to find the problem, I have put the config files in this post as well.

First slapd.conf:

Code:

include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/samba.schema

modulepath	/usr/lib64/openldap
moduleload	dynlist.la

TLSCipherSuite TLSv1+RSA:!NULL
TLSCACertificateFile /etc/openldap/cacerts/ldap_cacert.pem
TLSCertificateFile /etc/openldap/cacerts/ldap.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldap.key

overlay dynlist
dynlist-attrset groupOfNames labeledURI member

database	bdb
suffix		"dc=hulshoff,dc=home"
rootdn		"cn=Manager,dc=hulshoff,dc=home"
rootpw		{SSHA}<encrypted_password>

directory	/var/lib/ldap

index objectClass                       		eq,pres
index ou,cn,mail,surname,givenname      		eq,pres,sub
index uidNumber,gidNumber,loginShell    		eq,pres
index uid,memberUid                     		eq,pres,sub
index nisMapName,nisMapEntry            		eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDOmainName	eq

At finally ldap.conf:

Code:

timelimit 120
timelimit 30
bind_timelimit 120
idle_timelimit 3600

rootbinddn cn=Manager,dc=hulshoff,dc=home

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

ssl start_tls
TLS_CACERT /etc/openldap/cacerts/ldap_cacert.pem
pam_password crypt
URI ldap://ldap.hulshoff.home/
BASE dc=hulshoff,dc=home
bind_policy=soft
host ldap.hulshoff.home

Any idea what I am doing wrong here? Am I messing up something on the certificates?

Arjan.

acid_kewpie · 02-12-2010, 05:27 AM

well you need to do an ldapsearch to simulate what the code is doing on the backend. It's a TLS failure, so something like the trusted certs are wrong or some such. run this:

ldapsearch -x -ZZ -d3

and it should fail in a similar way, but give you some info probably about certificate chains, or cn's or something in that vein.

Worth asking if you have actually set up SSL certs for any of this. do you want to use TLS or SSL here at all?

Blue_Ice · 02-12-2010, 06:22 AM

Quote:

Originally Posted by acid_kewpie

well you need to do an ldapsearch to simulate what the code is doing on the backend. It's a TLS failure, so something like the trusted certs are wrong or some such. run this:

ldapsearch -x -ZZ -d3

and it should fail in a similar way, but give you some info probably about certificate chains, or cn's or something in that vein.

Worth asking if you have actually set up SSL certs for any of this. do you want to use TLS or SSL here at all?

I ran this command without the debug option before posting my previous message and it returned the expected data. So on your suggestion, I used the debug option and it returned the following message (in fact the final part of the huge list of information):

Code:

TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
tls_read: want=5 error=Bad file descriptor

The log file on the server has the following information after executing ldapsearch:

Code:

Feb 12 13:10:38 server slapd[8025]: conn=0 fd=15 ACCEPT from IP=10.200.56.232:58106 (IP=0.0.0.0:389)
Feb 12 13:10:38 server slapd[8025]: conn=0 op=0 STARTTLS
Feb 12 13:10:38 server slapd[8025]: conn=0 op=0 RESULT oid= err=0 text=
Feb 12 13:10:38 server slapd[8025]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
Feb 12 13:10:38 server slapd[8025]: conn=0 op=1 BIND dn="" method=128
Feb 12 13:10:38 server slapd[8025]: conn=0 op=1 RESULT tag=97 err=0 text=
Feb 12 13:10:38 server slapd[8025]: conn=0 op=2 SRCH base="dc=hulshoff,dc=home" scope=2 deref=0 filter="(uid=ws001$)"
Feb 12 13:10:38 server slapd[8025]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 12 13:10:39 server slapd[8025]: conn=0 op=3 UNBIND
Feb 12 13:10:39 server slapd[8025]: conn=0 fd=15 closed

To answer your final question... Yes, I need the TLS. Not using it will expose cleartext passwords on the network. Obviously that is not the desired way of working.
The certificates are specially created for this. So they are present.

acid_kewpie · 02-12-2010, 06:39 AM

OK, so TLS IS getting established there, so I would look to compare /etc/ldap.conf, which is used for the actual login processes, and /etc/openldap/ldap.conf which is used by ldapsearch. I always forget they are seperate configs... A different syntax is used, but you should be able to match up the logical equivalents between them.

Blue_Ice · 02-12-2010, 06:56 AM

Wouldn't it be easier to create a symlink instead of keeping 2 different files?

acid_kewpie · 02-12-2010, 07:08 AM

no, as i said they are different.

Blue_Ice · 02-12-2010, 09:15 AM

Thanks acid_kewpie!

That was my mistake... I made a symlink as I thought it would be easier to maintain. I didn't know that it made that much difference.

acid_kewpie · 02-12-2010, 10:32 AM

Certainly confusing, but the tools / libraries which use them are really very seperate, pam libraries vs openldap tools, so it's kinda understandable why they have different config files.

abakhiet · 07-02-2010, 04:17 AM

hola,
i have some video for this issue
i think it is awesome, here is the link:

Quote:

http://www.youtube.com/watch?v=LdLwuIrW1jw