LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-23-2016, 07:15 AM   #1
desbyleo
Member
Registered: Feb 2002
Location: Erie, CO
Distribution: Red Hat 7.1
Posts: 94
Help with LDAP Setup


Hi... I'm new to LDAP configuration and I'm trying to get my Debian 8 server to bind with an Apple Open Directory. This is how far I've gotten:

1. Apple Open Directory is up and running on an OS X Server.
2. I have been able to bind an OS X client (iMac) to Open Directory and verified Open Directory is working.
3. On my Debian server, I've installed:
libpam-ldap, libnss-ldap, nscd
4. I also configured ldap/pam following the wizard (after the install).
5. I've added a user in Open Directory (from the OS X Server console).
6. I'm able to log in to the iMac using that new user.

7. When I try to log in (ssh) to my Debian server using that same user, I get "Access Denied" and this shows up in the log:
pam_ldap: error trying to bind as user "uid=hs3,cn=users,dc=elcapitan,dc=local" (Insufficient access)

8. I can search Open Directory from my Debian server:
ldapsearch -x -H ldap://192.168.40.231 -b "dc=elcapitan,dc=local"

And that user shows this entry:
# hs3, users, elcapitan.local
dn: uid=hs3,cn=users,dc=elcapitan,dc=local
sn: hs3
uid: hs3
uidNumber: 1001
gidNumber: 20
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: extensibleObject
objectClass: apple-user
apple-user-homequota: 0
cn: hs3
authAuthority: ;ApplePasswordServer;XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,1024 65
 537 1043973113969844210822866462421905255494718861439100342247659253785500261
 67178295328777019465874243321328143673136356147129340235629013957497365701071
 24181617209159032857300415975051894080397037127496721865418164251623512544082
 22071883079756098531923404451060145847949045633054098244579507043473383470261
 82151 root@elcapitan.local:192.168.40.231
authAuthority: ;Kerberosv5;;hs3@ELCAPITAN.LOCAL;ELCAPITAN.LOCAL;
altSecurityIdentities: Kerberos:hs3@ELCAPITAN.LOCAL
apple-generateduid: B936F654-19C9-4D38-9F2B-DA9D5B4BE7C2
homeDirectory: /Users/hs3
loginShell: /bin/bash

Please help. I've been banging my head on this for the last 2 days.
 
Old 06-23-2016, 07:29 AM   #2
TB0ne
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553
Quote:
Originally Posted by desbyleo View Post
Hi... I'm new to LDAP configuration and I'm trying to get my Debian 8 server to bind with an Apple Open Directory. This is how far I've gotten:

1. Apple Open Directory is up and running on an OS X Server.
2. I have been able to bind an OS X client (iMac) to Open Directory and verified Open Directory is working.
3. On my Debian server, I've installed: libpam-ldap, libnss-ldap, nscd
4. I also configured ldap/pam following the wizard (after the install).
5. I've added a user in Open Directory (from the OS X Server console).
6. I'm able to log in to the iMac using that new user.
7. When I try to log in (ssh) to my Debian server using that same user, I get "Access Denied" and this shows up in the log:
pam_ldap: error trying to bind as user "uid=hs3,cn=users,dc=elcapitan,dc=local" (Insufficient access)
8. I can search Open Directory from my Debian server:
ldapsearch -x -H ldap://192.168.40.231 -b "dc=elcapitan,dc=local"
Sounds like you're close...but there are other file modifications that need to happen too.
Modify /etc/nsswitch.conf, add "ldap" to the passwd and group lines
Code:
passwd:         files ldap
group:          files ldap
Modify /etc/pam.d/sshd
Code:
auth    sufficient      pam_ldap.so
account sufficient      pam_permit.so
Modify /etc/pam.d/common-session, to let home directories be created when someone first logs in.
Code:
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
Modify /etc/pam.d/common-password
Code:
password optional pam_echo.so <some message about how to change your password/where/who to call/whatever>
password required pam_deny.so
Modify /etc/ssh/sshd_config. Comment out "PasswordAuthentication no" (or set it to "yes").
Code:
#PasswordAuthentication no
Restart sshd.

All this assumes that you've already modified your ldap.conf file. Something like:
Code:
uri ldap://some.server.com/
base dc=somename,dc=com
ldap_version 3

# Better to encrypt passwords going across. Comment out to transmit in the clear
ssl start_tls

# The server will not cooperate unless we authenticate as follows:
binddn uid=admin,ou=someadminusergroup,dc=something,dc=com
bindpw YOURPASSWORD
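The answer above touches three files (nsswitch.conf, the pam.d service file, ldap.conf), and the mistakes that matter for security are easy to make in each. The script below is an added example, not TB0ne's code or anything from LinuxQuestions, that checks constructed sample contents of those files for the points raised in the answer: that passwd and group really consult the ldap source, that the bind credentials are not sent in the clear (start_tls or ldaps) and that a file holding a bindpw is not group- or world-readable. It also flags the `account sufficient pam_permit.so` line: pam_permit always succeeds, and `sufficient` ends the account stack on success, so any account-stage restriction included later in the same file (expiry, pam_access, and so on) is never evaluated. The file mode is passed in as an integer rather than read from disk so the example runs offline; the sample contents and the password placeholder are constructed for this example.

```python
"""Checks for the NSS/PAM/LDAP client settings discussed above (added example).

All inputs are constructed sample file contents; nothing here is read from
a real system. The file mode is supplied by the caller (e.g. from os.stat).
"""
import re
import stat

# Constructed sample of /etc/nsswitch.conf: group does NOT list ldap yet.
NSSWITCH_SAMPLE = """\
passwd:         files ldap
group:          files
shadow:         files
"""

# Constructed sample of a pam_ldap/nss_ldap style ldap.conf with two weaknesses:
# start_tls is commented out and a bindpw is present (placeholder value).
LDAP_CONF_SAMPLE = """\
uri ldap://ldap.example.internal/
base dc=example,dc=internal
ldap_version 3
#ssl start_tls
binddn uid=admin,ou=admins,dc=example,dc=internal
bindpw EXAMPLE-PLACEHOLDER-PASSWORD
"""

# Constructed sample of /etc/pam.d/sshd modelled on the snippet in the answer.
PAM_SSHD_SAMPLE = """\
auth    sufficient      pam_ldap.so
account sufficient      pam_permit.so
@include common-account
"""


def check_nsswitch(text):
    """Return the databases (passwd, group) whose source list lacks 'ldap'."""
    missing = []
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", text, re.M)
        sources = m.group(1).split() if m else []
        if "ldap" not in sources:
            missing.append(db)
    return missing


def check_ldap_conf(text, file_mode):
    """Return findings for an ldap.conf: cleartext transport, readable bindpw."""
    findings = []
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment (a commented-out 'ssl start_tls' counts as absent)
        parts = line.split(None, 1)
        keys[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    uri = keys.get("uri", "")
    if keys.get("ssl") != "start_tls" and not uri.startswith("ldaps://"):
        findings.append("bind credentials sent in the clear: set 'ssl start_tls' or use an ldaps:// uri")
    if "bindpw" in keys and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw present but the file is group/world readable")
    return findings


def check_pam_account(text):
    """Return findings for the account stack of a pam.d service file."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:3] == ["account", "sufficient", "pam_permit.so"]:
            # pam_permit always succeeds; 'sufficient' then stops the stack, so
            # later account modules (e.g. from common-account) are never consulted.
            findings.append("'account sufficient pam_permit.so' short-circuits later account checks")
    return findings


if __name__ == "__main__":
    print("nsswitch missing ldap for:", check_nsswitch(NSSWITCH_SAMPLE))
    for f in check_ldap_conf(LDAP_CONF_SAMPLE, 0o644) + check_pam_account(PAM_SSHD_SAMPLE):
        print("finding:", f)
```

On a live host the same functions can be fed `open("/etc/ldap.conf").read()` and `os.stat("/etc/ldap.conf").st_mode`; with start_tls enabled and the file at mode 0600 the ldap.conf check returns an empty list.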
 
Old 06-23-2016, 08:10 AM   #3
desbyleo
Member
Registered: Feb 2002
Location: Erie, CO
Distribution: Red Hat 7.1
Posts: 94
Original Poster
You are the man! Thank You!!!!!!!!!!!!!!!! That did it!
 
Old 06-23-2016, 08:55 AM   #4
TB0ne
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553
Quote:
Originally Posted by desbyleo View Post
You are the man! Thank You!!!!!!!!!!!!!!!! That did it!
Very welcome!
 
Old 06-23-2016, 01:02 PM   #5
desbyleo
Member
Registered: Feb 2002
Location: Erie, CO
Distribution: Red Hat 7.1
Posts: 94
Original Poster
Follow-up Question...

Can you help me understand why this command works (and makes a connection to Open Directory) and returns the request:

Code:
$ ldapsearch -x
But this...

Code:
$ ldapsearch -x -H ldap://192.168.40.231 -D "cn=diradmin,dc=elcapitan,dc=local" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Excerpt from my /etc/ldap/ldap.conf:
Code:
BASE    dc=elcapitan,dc=local
URI     ldap://192.168.40.231
ldap_version 3
 
Old 06-23-2016, 01:08 PM   #6
desbyleo
Member
Registered: Feb 2002
Location: Erie, CO
Distribution: Red Hat 7.1
Posts: 94
Original Poster
Never mind... found my error. It should be:
Code:
ldapsearch -x -H ldap://192.168.40.231 -D "uid=diradmin,cn=users,dc=elcapitan,dc=local" -W
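The "Invalid credentials (49)" in post #5 came from guessing the bind DN (cn=diradmin under the base) when the account actually lives at uid=diradmin,cn=users,... as post #6 found. The anonymous search already returns every entry's real dn, so the reliable way is to look the DN up from that output rather than compose it by hand. The following is an added example, not code from the thread or from any LDAP library: a small LDIF reader that handles the folded continuation lines ldapsearch emits (the long authAuthority value earlier in the thread is one such fold), a lookup of the bind DN for a given uid, and a check of whether a candidate DN exists at all. The LDIF text is constructed for the example, with placeholder values where the real output would carry a key and host.

```python
"""Resolve a bind DN from an ldapsearch dump instead of guessing it (added example).

The LDIF below is constructed for this example and only mirrors the shape of
the Open Directory entries shown earlier (users under cn=users). Continuation
lines begin with a single space, exactly as ldapsearch folds long values.
"""

SAMPLE_LDIF = """\
# hs3, users, example.local
dn: uid=hs3,cn=users,dc=example,dc=local
uid: hs3
cn: hs3
objectClass: posixAccount
authAuthority: ;ApplePasswordServer;PLACEHOLDER-KEY-PART-ONE
 PLACEHOLDER-KEY-PART-TWO root@example.local:192.0.2.10
homeDirectory: /Users/hs3

# diradmin, users, example.local
dn: uid=diradmin,cn=users,dc=example,dc=local
uid: diradmin
cn: diradmin
objectClass: posixAccount
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles '#' comments, blank-line record separators and folded lines
    (a leading space continues the previous attribute's last value).
    """
    entries = []
    current = None
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" "):  # folded continuation: append without the leading space
            if current is not None and last_attr is not None:
                current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")  # split on the first colon only
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def bind_dn_for(entries, uid):
    """Return the dn of the entry whose uid attribute matches, or None."""
    for entry in entries:
        if uid in entry.get("uid", []):
            return entry["dn"][0]
    return None


def dn_exists(entries, candidate_dn):
    """True if a hand-written DN matches an entry (whitespace/case-insensitive)."""
    norm = candidate_dn.replace(" ", "").lower()
    return any(e["dn"][0].replace(" ", "").lower() == norm for e in entries)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("bind DN for diradmin:", bind_dn_for(entries, "diradmin"))
    print("guessed DN exists? ", dn_exists(entries, "cn=diradmin,dc=example,dc=local"))
```

Fed the output of `ldapsearch -x -LLL -b "<base>"` against a real directory, `bind_dn_for` gives the exact string to pass to `-D`, and `dn_exists` turns a code 49 guessing session into a yes/no answer before any password is typed.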
 
  

