Linux - Security forum, LinuxQuestions.org
#1  07-16-2004, 12:58 PM  Adrian W (LQ Newbie, Registered: Jul 2004, Posts: 6)
LDAP Authentication w/ Local User Information
I've been hammering at this for a while now, and I'm pretty much stumped. I would like to do LDAP Authentication to a Novell eDirectory Tree, but keep the uid, gid local to the system.
When a user logs in, it will check the passwd file and see what the users local info is (ie shell, uid, gid) but when it tries to authenticate against the md5 hash, it will instead look at the Novell eDirectory tree and do ldap authentication instead of the local shadow file.
Is this possible ? How ? I've tried everything I could think of.
My reason of doing this is I do not want to extend my tree at this point in time to contain posix account values, I would only like to authenticate against it.
Thank you,
Adrian.

#2  07-16-2004, 02:35 PM  LanRx (Member, Registered: Jul 2004, Posts: 85)
Re: LDAP Authentication w/ Local User Information
Quote:
Originally posted by Adrian W
I've been hammering at this for a while now, and I'm pretty much stumped. I would like to do LDAP Authentication to a Novell eDirectory Tree, but keep the uid, gid local to the system.
When a user logs in, it will check the passwd file and see what the users local info is (ie shell, uid, gid) but when it tries to authenticate against the md5 hash, it will instead look at the Novell eDirectory tree and do ldap authentication instead of the local shadow file.
Is this possible ? How ? I've tried everything I could think of.
My reason of doing this is I do not want to extend my tree at this point in time to contain posix account values, I would only like to authenticate against it.
Thank you,
Adrian.
Yes, this is possible. I've done it both against eDir and AD. However, I should tell you that generally eDir already has the posix attributes.
Just off the cuff, but modify your nsswitch.conf file to reference the files (passwd/group), and configure PAM to point to LDAP. Then * out the password in the /etc/passwd file.

#3  07-19-2004, 05:33 PM  Adrian W (LQ Newbie, Original Poster)
Re: Re: LDAP Authentication w/ Local User Information
==
Last edited by Adrian W; 07-19-2004 at 05:38 PM.

#4  07-19-2004, 05:35 PM  Adrian W (LQ Newbie, Original Poster)
Re: Re: LDAP Authentication w/ Local User Information
==
Last edited by Adrian W; 07-19-2004 at 05:38 PM.

#5  07-19-2004, 05:37 PM  Adrian W (LQ Newbie, Original Poster)
Re: Re: LDAP Authentication w/ Local User Information
Quote:
Originally posted by LanRx
Yes, this is possible. I've done it both against eDir and AD. However, I should tell you that generally eDir already has the posix attributes.
Just off the cuff, but modify your nsswitch.conf file to reference the files (passwd/group), and configure PAM to point to LDAP. Then * out the password in the /etc/passwd file
I tried this out and no luck. I set up an LDAP search via Linux just to make sure my ldap tree is working fine, and it is. These are the steps I did:
1) Edit ldap.conf
- Added the server name and base search
2) Edit nsswitch.conf
- Added passwd, shadow and group "files ldap" (to simplify the configuration)
3) Edit pam.d/login and sshd
- Added auth, account and password "sufficient pam_ldap.so debug"
4) Edit shadow
- And starred out the md5 password hash
5) Restarted the nscd daemon
I try to ssh into the system and it fails; I check the secure and messages logs and they just say it fails... If I could see more verbose logs maybe I could figure out what I'm doing wrong, but I would suspect "debug" in the pam configuration should enable this. Any idea?

#6  07-19-2004, 06:39 PM  LanRx (Member)
Re: Re: Re: LDAP Authentication w/ Local User Information
Quote:
Originally posted by Adrian W
I tried this out and no luck. I setup an LDAP Search via linux just to make sure my ldap tree is working fine, and it is. These are the steps I did:
1) Edit ldap.conf
- Added the Server Name & Base Search
2) Edit nsswitch.conf
- Added passwd, shadow and group "files ldap" (to simplify the configuration)
3) Edit pam.d/login & sshd
- Added auth, account & password "sufficient pam_ldap.so debug"
4) Edit shadow
- And star'ed out the md5 password hash
5) Restarted nscd daemon
I try to ssh into the system and it fails, check the secure and message logs and just says it fails... If I could see more verbose logs maybe I could figure out what I'm doing wrong... but I would suspect "debug" in the pam configuration should enable this. Any idea ?
Kill your sshd, and restart interactively, using ./sshd -ddd
You will be able to launch one attempted ssh back into the box, and it will give you a full debug.
What does it say in the secure log? In my experience, that has been one of the most thorough logs. You'll need to see if it's telling you that it can't find the account information, or if it's a password problem. Your ldap.conf file may have the password hash misconfigured.
You are doing this against eDir, right?
Here is a document that I was using in the beginning, as well. It references Solaris and eDirectory.
http://developer.novell.com/research...02/a020602.htm

#7  07-19-2004, 07:13 PM  Adrian W (LQ Newbie, Original Poster)
Re: Re: Re: Re: LDAP Authentication w/ Local User Information
Quote:
Originally posted by LanRx
Kill your sshd, and restart interactively, using ./sshd -ddd
You will be able to launch one attempted ssh back into the box, and it will give you a full debug.
What does it say in the secure log? In my experience, that has been one of the most thorough logs. You'll need to see if it's telling you that it can't find the account information, or if it's a password problem. Your ldap.conf file may have the password hash misconfigured.
You are doing this against eDir, right?
Here is a document that I was using in the beginning, as well. It references Solaris and eDirectory.
http://developer.novell.com/research...02/a020602.htm
Yes, I'm doing this against eDir. I'm running version 8.6.2, which I don't think has PosixAccount support. Or at least I don't think I have the directory extended with these attributes; I've searched high and low for the ldap attributes. I could add them, but I'm in a regulated industry, which means lots of documentation before I can do any changes. So for now I just want to authenticate against it, and make sure this works.
The secure log says:
Jul 19 15:40:33 nagios sshd[4633]: Failed password for awildang from 192.168.8.106 port 33518 ssh2
... Hrmm, can you elaborate on what you mean by the password hash may be misconfigured?
I will take a look at the documentation you sent me as well. Thank you!
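LanRx's advice in #6 is to read the secure log and work out whether a failure is "can't find the account" or "password problem"; the one line Adrian has ("Failed password for awildang ...") does not say which. The script below is an added example, not code from the thread: it correlates sshd and pam_ldap lines by the sshd child pid (one pid per login attempt) and labels each attempt. The sshd message formats are OpenSSH's; the two pam_ldap line formats are assumptions modelled on pam_ldap's syslog output, so adjust the patterns to what your build actually logs. Every sample line is constructed, except the "Failed password" line quoted in #7.

```python
# Triage of /var/log/secure for a pam_ldap + local-account setup: group sshd
# and pam_ldap lines by sshd pid, then say what kind of failure each attempt
# was. Added example, not code from the thread. The pam_ldap message shapes
# below are assumptions; the sample log is constructed.
import re
from collections import OrderedDict

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# (kind, pattern): the first match wins, so specific shapes come before generic ones.
MESSAGE_KINDS = [
    ("accepted", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)")),
    ("failed", re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("ldap_unreachable", re.compile(r"^pam_ldap: .*Can't contact LDAP server")),
    ("bind_failed", re.compile(r'^pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]*)\)')),
]

HINT = {
    "no_local_account": "NSS lookup failed: no passwd entry for this name (check /etc/passwd and nsswitch.conf)",
    "ldap_unreachable": "pam_ldap could not reach the server: check host/port, stunnel, firewall",
    "bad_credentials": "bind as the user was rejected: wrong password, or wrong pam_login_attribute/base/scope",
    "pam_ldap_not_consulted": "no pam_ldap message for this attempt: pam_unix rejected the starred-out hash and "
                              "nothing shows pam_ldap ran; check the PAM stack and add debug to the pam_ldap line",
    "ok": "login accepted",
}

def parse_line(line):
    """Return (pid, kind, fields) for an sshd auth event, None for anything else."""
    m = SYSLOG.match(line)
    if not m or not m.group("prog").startswith("sshd"):
        return None
    for kind, pat in MESSAGE_KINDS:
        k = pat.match(m.group("msg"))
        if k:
            return m.group("pid"), kind, k.groupdict()
    return None

def diagnose(kinds):
    """Map the set of event kinds seen for one pid to a single label."""
    for kind, label in (("accepted", "ok"), ("invalid_user", "no_local_account"),
                        ("ldap_unreachable", "ldap_unreachable"), ("bind_failed", "bad_credentials"),
                        ("failed", "pam_ldap_not_consulted")):
        if kind in kinds:
            return label
    return "incomplete"

def triage(lines):
    """Group events per sshd pid: {pid: {user, src, kinds, diagnosis, hint}} in log order."""
    sessions = OrderedDict()
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        pid, kind, fields = parsed
        s = sessions.setdefault(pid, {"user": None, "src": None, "kinds": []})
        s["kinds"].append(kind)
        s["user"] = fields.get("user") or s["user"]   # pam_ldap lines carry no username
        s["src"] = fields.get("src") or s["src"]
    for s in sessions.values():
        s["diagnosis"] = diagnose(s["kinds"])
        s["hint"] = HINT.get(s["diagnosis"], "not enough lines to tell")
    return sessions

# Constructed sample: one attempt per failure mode, plus an unrelated crond line.
SAMPLE_LOG = """\
Jul 19 15:40:31 nagios sshd[4633]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jul 19 15:40:33 nagios sshd[4633]: Failed password for awildang from 192.168.8.106 port 33518 ssh2
Jul 19 15:41:02 nagios sshd[4640]: Invalid user bogus from 192.168.8.106
Jul 19 15:41:04 nagios sshd[4640]: Failed password for invalid user bogus from 192.168.8.106 port 33520 ssh2
Jul 19 15:42:10 nagios sshd[4651]: pam_ldap: error trying to bind as user "cn=awildang,ou=EH,ou=STP,o=MDH" (Invalid credentials)
Jul 19 15:42:10 nagios sshd[4651]: Failed password for awildang from 192.168.8.106 port 33525 ssh2
Jul 19 15:43:00 nagios sshd[4660]: Failed password for awildang from 192.168.8.106 port 33530 ssh2
Jul 19 15:43:05 nagios crond[4662]: (root) CMD (run-parts /etc/cron.hourly)
Jul 19 15:45:12 nagios sshd[4672]: Accepted password for awildang from 192.168.8.106 port 33540 ssh2
""".splitlines()

if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(pid, s["user"], s["src"], s["diagnosis"], "-", s["hint"])
```

On a real box, feed it the file instead of the sample: triage(open("/var/log/secure").read().splitlines()). The pid correlation is what makes the verdict usable; a bare "Failed password" line on its own is the same whether the server was unreachable, the bind was refused, or pam_ldap never ran.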

#8  07-19-2004, 07:17 PM  LanRx (Member)
Re: Re: Re: Re: Re: LDAP Authentication w/ Local User Information
Quote:
Originally posted by Adrian W
Yes, I'm doing this against eDir. I'm running version 8.6.2, which I don't think has the PosixAccount support. Or at least I don't think I have the directory extended with these attributes, I've searched high and low for the ldap attributes. I could add them, but I'm in a regulated industry, which means lots of documentation before I can do any changes. So for now I just want to authenticate against it, and make sure this works.
The secure log says :
Jul 19 15:40:33 nagios sshd[4633]: Failed password for awildang from 192.168.8.106 port 33518 ssh2
... Hrmm, can you elaborate on what you mean by the password hash may be misconfigured ?
I will take a look at the documentation you sent me as well. Thank you!
You can configure the password hash in your ldap.conf file. It says something like pam_password md5, or something of the sort.

#9  07-20-2004, 03:54 PM  Adrian W (LQ Newbie, Original Poster)
Re: Re: Re: Re: Re: Re: LDAP Authentication w/ Local User Information
Quote:
Originally posted by LanRx
You can configure the password hash in your ldap.conf file. it says something like pam_password md5, or something of the sort.
Can you maybe explain something, because your last message got me thinking.
How does PAM authenticate against the LDAP source? Does it actually look for a PosixAccount attribute that stores the hashed password, or does it just authenticate against the tree? The difference in the two is that one requires a tree extended with the proper attributes; the second only tries to authenticate using an existing ldap username and password.
I was under the assumption, or I thought I understood, that I can just authenticate against an existing ldap tree (ie. username and password), as this would provide me with synchronized accounts and passwords. This is what we do with some other systems here at the company: we just authenticate to our eDir tree via LDAP, and if we can, that means we are a valid user.
I noticed in the Novell link you sent me that it requires a "shadowAccount" for the PosixAccount; is this referring to that hashed password attribute I'm thinking of above?
I'm still hammering away at this... I feel I'm close... but it's so frustrating at times, when something so simple should work...

#10  07-20-2004, 05:16 PM  LanRx (Member)
In my opinion, they are both the same thing. The difference between the two is that you have a client with the Novell infrastructure, which permits you to simplify your thinking to just "the tree" and the context, because the client is going to look for your object, and then the password within the specified attribute.
However, to answer your question, you will configure the attribute that holds all of your posix attributes, from userPassword to uidNumber, gidNumber, homeDirectory, etc.

#11  07-23-2004, 01:24 PM  gsker (LQ Newbie, Registered: Jul 2004, Location: Twin Cities, MN, Posts: 5)
Use stunnel, ldap and pam and you'll get secure auth without posix stuff
I have succeeded in doing exactly what you want to do with Red Hat 7 through 9. It has broken with Fedora 2 and I'd sure like to figure out why. My technique:
(requires nss_ldap installed)
1. Start up stunnel with a config file like this (ldap doesn't do TLS to eDir very well):
    # stunnel in client mode: accept plaintext LDAP on local port 389 and forward
    # it over TLS to eDirectory's LDAPS port, so the bind password never leaves
    # the box in clear. "accept = 127.0.0.1:389" would keep the listener off the LAN.
    client = yes
    [389]
    accept = 389
    connect = edirserver:636
2. Configure /etc/ldap.conf like this (use your base context -- not mine):
    # host localhost: talk to the stunnel listener above, not to eDir directly
    host localhost
    base ou=EH,ou=STP,o=MDH
    # see post #13 below: on Fedora Core 2 this had to be "scope sub"
    scope one
    timelimit 5
    bind_timelimit 5
    idle_timelimit 5
    # log in by the eDir cn, and use the NDS method for password changes
    pam_login_attribute cn
    pam_password nds
    nss_map_attribute uniqueMember member
    nss_map_attribute userPassword authPassword
3. Add this line to /etc/pam.d/system-auth after auth ... pam_unix.so
    auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
4. If you'd like to be able to change the password from the Linux side, also put this line in there:
    password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
That's it. It just works for me like that. NOT with Fedora Core 2 though!!! If you have Fedora Core 2 and you get it to work, please let me know!
Ger
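The recipe assembled across #2, #5, #11 and #13 touches four files (ldap.conf, nsswitch.conf, shadow, the PAM auth stack), and each has one way to go wrong quietly: a simple bind sent in clear, a local hash left in place so pam_unix still accepts the old local password beside the LDAP one, an empty password field next to nullok, a "scope one" that hides users, or a pam_ldap line that cannot carry authentication on its own. The script below is an added example, not code from the thread or from pam_ldap/nss_ldap; it parses those four files offline and reports those points. The two sample configurations are constructed: "edirserver" and "awildang" are names from the thread, the base DN "o=Example" and the shadow hash are placeholders.

```python
# Offline audit of the setup this thread converges on: uid/gid from files,
# pam_ldap for auth, the local hash starred out, stunnel or TLS in front of
# eDirectory. Added example, not code from the thread, pam_ldap or nss_ldap.
# The config texts at the bottom are constructed; "edirserver" and "awildang"
# are names from the thread, "o=Example" and the shadow hash are placeholders.

def parse_ldap_conf(text):
    """ldap.conf (nss_ldap/pam_ldap): 'key value' per line, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def parse_nsswitch(text):
    """nsswitch.conf: 'database: source source ...'."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, sources = line.partition(":")
            dbs[name.strip()] = sources.split()
    return dbs

def shadow_field(text, user):
    """Password field of `user` in shadow(5) format, or None if the user is absent."""
    for raw in text.splitlines():
        fields = raw.split(":")
        if fields[0] == user:
            return fields[1] if len(fields) > 1 else ""
    return None

def pam_stack(text, kind):
    """(control, module, options) for each line of PAM type `kind`, in stack order."""
    stack = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == kind:
            stack.append((f[1], f[2].rsplit("/", 1)[-1], f[3:]))  # drop /lib/security/$ISA/
    return stack

def audit(ldap_conf, nsswitch_conf, shadow, pam_auth, user):
    """Return {'ok', 'fail', 'warn'}; 'ok' is True when 'fail' is empty."""
    fail, warn = [], []
    lc = parse_ldap_conf(ldap_conf)
    for key in ("host", "base"):          # step 1 of post #5
        if not lc.get(key):
            fail.append("ldap.conf: no %s" % key)
    # pam_ldap binds as the user, so the password crosses the wire; without 'ssl on' or
    # 'ssl start_tls' it is cleartext. Loopback only warns: stunnel (post #11) carries it on.
    if not any(v.lower() in ("on", "yes", "start_tls") for v in lc.get("ssl", [])):
        for h in " ".join(lc.get("host", [])).split():
            if h in ("localhost", "127.0.0.1", "::1"):
                warn.append("ldap.conf: cleartext to %s; relies on stunnel forwarding to :636" % h)
            else:
                fail.append("ldap.conf: cleartext simple bind to %s" % h)
    scope = (lc.get("scope") or ["sub"])[0].lower()
    if scope != "sub":                    # post #13: 'scope one' missed users below the base
        warn.append("ldap.conf: scope %s will miss users below the base" % scope)
    nss = parse_nsswitch(nsswitch_conf)   # uid/gid/shell stay local only via files
    for db in ("passwd", "group"):
        if "files" not in nss.get(db, []):
            fail.append("nsswitch.conf: %s does not list files" % db)
    # A usable local hash means pam_unix still accepts the old local password; empty + nullok is a free login.
    stack = pam_stack(pam_auth, "auth")
    pw = shadow_field(shadow, user)
    if pw is None:
        fail.append("shadow: no local entry for %s" % user)
    elif pw == "":
        nullok = any("nullok" in o for _, m, o in stack if m == "pam_unix.so")
        (fail if nullok else warn).append("shadow: %s has an empty password field" % user)
    elif not pw.startswith(("*", "!")):
        fail.append("shadow: %s still has a usable local hash; replace it with *" % user)
    # pam_ldap must be able to satisfy auth on its own; if pam_unix prompted first it
    # needs use_first_pass to reuse that password instead of prompting again.
    at = [i for i, (_, m, _) in enumerate(stack) if m == "pam_ldap.so"]
    if not at:
        fail.append("pam: no pam_ldap.so in the auth stack")
    else:
        control, _, opts = stack[at[0]]
        if control != "sufficient":
            fail.append("pam: pam_ldap.so is '%s', not sufficient" % control)
        if any(m == "pam_unix.so" for _, m, _ in stack[:at[0]]) and not {"use_first_pass", "try_first_pass"} & set(opts):
            warn.append("pam: pam_unix runs before pam_ldap without use_first_pass; two prompts")
    return {"ok": not fail, "fail": fail, "warn": warn}

# Constructed sample 1: post #5's steps with the hash left in and no TLS.
WEAK_LDAP_CONF = "host edirserver\nbase o=Example\nscope one\n"
WEAK_NSSWITCH = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"
WEAK_SHADOW = "awildang:$1$salt$placeholder-not-a-real-hash:12615:0:99999:7:::\n"
WEAK_PAM_AUTH = ("auth sufficient /lib/security/$ISA/pam_ldap.so debug\n"
                 "auth required /lib/security/$ISA/pam_unix.so\n")
# Constructed sample 2: post #11's recipe with the 'scope sub' fix from post #13.
FIXED_LDAP_CONF = "host localhost\nbase ou=EH,ou=STP,o=MDH\nscope sub\npam_login_attribute cn\npam_password nds\n"
FIXED_NSSWITCH = "passwd: files\nshadow: files\ngroup: files\n"
FIXED_SHADOW = "awildang:*:12615:0:99999:7:::\n"
FIXED_PAM_AUTH = ("auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok\n"
                  "auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass\n")
```

Call audit() with the contents of /etc/ldap.conf, /etc/nsswitch.conf, /etc/shadow and /etc/pam.d/system-auth (or sshd, where post #5 put the line) and the account to check; the "weak" sample fails on the cleartext bind and the live hash, the "fixed" sample passes with one warning that loopback is only safe because stunnel sits behind it. Starring out the hash is what actually removes the local password path; the ordering in the PAM stack alone does not.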

#12  08-10-2004, 01:12 AM  chancyrus (LQ Newbie, Registered: Apr 2003, Location: hk, Posts: 2)
I think I have a similar problem.
I want to use a Linux box as an FTP and file server, but I want to use the accounts on the NetWare 5 server. How can I do it?

#13  08-10-2004, 09:41 AM  gsker (LQ Newbie)
LDAP to NDS (eDir) Auth on Fedora Core 2 working
Well, chancyrus, you should be able to follow the path I laid out above if you just want authentication. Or the others in this thread, if you've got the POSIX attributes in your tree and you want other authorization stuff controlled by nds.
You could also have pam create the account for you on the fly and just use NDS for auth as I do.
If some part of that is confusing please let me know in e-mail.
I think I found my problem with Fedora too. Took me way too long; it seems that I got burned on the scope, which needed to be "scope sub".

#14  08-17-2004, 11:09 AM  chancyrus (LQ Newbie)
Thank you for your reply, gsker.
I have tried the settings you mentioned; however, I can't make it work.
Should I make some changes to the settings of the Novell 5.1 server?