openldap client authentication without TLS certificate.

shiden · 07-29-2012, 06:09 PM

Greetings all,

I've been reading a lot of how to's and googling and I have to say I'm left a little confused

I was wondering if someone can give me a hand here as Im a little lost and unable to authenticate a user with the ldap server.

Situation
======

The ldap server is in another department and have no idea who set it up.
However, I have been given connection/authentication strings.
There is no certificate, however, it is a simple authentication with ssl

I am currently running CentOS release 5.7 (Final) kernel 2.6.18-274.17.1.el5

As this is a client machine I did not install openldap-server.

I installed the following:

yum install -y nss_ldap.x86_64 openldap-clients.x86_64 openldap.x86_64 openldap24-libs.x86_64

verified:

rpm -qa | grep ldap
php-ldap-5.1.6-27.el5_7.4
openldap-devel-2.3.43-25.el5_8.1
openldap-2.3.43-25.el5_8.1
openldap24-libs-2.4.23-5.el5
nss_ldap-253-49.el5
openldap-clients-2.3.43-25.el5_8.1
python-ldap-2.2.0-2.1

in the /etc/ldap.conf && /etc/openldap/ldap.conf I added the following:

URI ldaps://server1.domain.com/
BASE CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
tls_checkpeer no
binddn CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com
bindpw <supplied password>
nss_base_passwd OU=users,DC=server1,DC=domain,DC=com?one?|(allowattrib=CN)
nss_base_group OU=ident,OU=Apps,DC=server1,DC=domain,DC=com
ssl yes
pam_password exop

/etc/nsswitch file

passwd: files ldap
shadow: files ldap
group: files ldap

when i run getent passwd user

it takes about 1 sec then returns with nothing.

nothing in /var/log/messages nor in /var/log/ldap.log

when running id user
id: user: No such user

when i do a ldapsearch

ldapsearch -x -b 'DC=server1,DC=domain,DC=com' -D "CN=blahname,OU=AccountName,DC=server1,DC=domain,DC=com" '(CN=user)' -H ldaps://server1.domain.com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3

<...>

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

I am able to get some results...

when I attempt to log into the server I get the following results in /var/log/secure:

Jul 30 07:58:27 test sshd[30256]: Invalid user user from XXX.XXX.XXX.XX
Jul 30 07:58:27 test sshd[30259]: input_userauth_request: invalid user user
Jul 30 07:58:36 test sshd[30256]: pam_unix(sshd:auth): check pass; user unknown
Jul 30 07:58:36 test sshd[30256]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machine.domain.com
Jul 30 07:58:36 test sshd[30256]: pam_succeed_if(sshd:auth): error retrieving information about user User
Jul 30 07:58:38 test sshd[30256]: Failed password for invalid user User from XXX.XXX.XXX.XXX port 43006 ssh2

It doesn't look like it is using ldap to authenticate

Is there something I am missing or have overlooked?

Thanks in advance

kbp · 07-29-2012, 08:29 PM

Did you add the CA cert that signed the cert for the ldap server? .. maybe something like:

Code:

wget -q http://<some_server>/orgcacert.pem -O /etc/openldap/cacerts/orgcacert.pem
cd /etc/openldap/cacerts
for file in *.pem
do
    ln -s $file $(openssl x509 -hash -noout -in $file).0
done

..and maybe change to:

Code:

TLS_REQCERT demand

.. also did you use authconfig, or do this by hand?

shiden · 07-29-2012, 09:08 PM

Hello

thanks for the reply, Unfortunately not using TLS and therefore no certificates. Plain old simple authentication (have to laugh, as it is anything but simple

)

Hence why i have added:

Quote:

TLS_REQCERT never
tls_checkpeer no

I have used authconfig-tui:

System-auth has the correct values:

Quote:

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

## None of the users reside on the client machine. They need to authenticate via ldaps to login.
However, I am not seeing any entries for pam_ldap in /var/log/secure and i do not get any values returned with getent passwd user

Im currently at a loss as to what actions I need to perform, and am pulling hair out..

Thanks in advance.

Maybe if there is a fantastic, great, awesome how to guide out there that I haven't looked at/read please feel free to post it.

kbp · 07-29-2012, 09:17 PM

So if you're connecting over ssl you don't think you need certificates? ..

shiden · 07-29-2012, 09:27 PM

well that is what I asked as well...
I was told I do not need a certificate to contact/authenticate against the server.

I also tried using 'apache directory studio' on a windows pc with the same credentials as above and it worked.

As I do not have access to the ldap server, I can only go on what information I am being told.

Apologies for the uniquness of this situation and my lack of expertese in ldap. :S

<edit>

just want to add, that I have tried it with ldap://server.domain.com
and I get the same problem.

kbp · 07-29-2012, 09:51 PM

When you changed to ldap://... did you also change 'ssl no' ?

shiden · 07-29-2012, 10:03 PM

Hello,

Yes i did.

it seems like it is not using pam_ldap at all.
i have also disabled selinux, and turned off the firewall.

Quote:

/var/log/secure

Invalid user user from XXX.XXX.XXX.XX
input_userauth_request: invalid user user
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machine.domain.com
pam_succeed_if(sshd:auth): error retrieving information about user User

at what stage should it use pam_ldap?

ta

kbp · 07-29-2012, 10:09 PM

Just noticed you were attempting to log in via ssh, do you have 'UsePAM yes' in /etc/ssh/sshd_config ?

Also, any idea what type of ldap server you're connecting to ?

shiden · 07-29-2012, 10:19 PM

Hello,

Yes I also checked the /etc/sshd/sshd_config for "UsePAM yes"
I also restarted sshd

No I do not know what type of ldap server I am connecting to. (apparently that is restricted)

all i know is that it uses a round robin system and I can connect to any one of them at different times.

Here is my current config (just for clarification) [changed via authconfig-tui]

Quote:

/etc/openldap/ldap.conf
URI ldap://server1.domain.com
BASE cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
TLS_CRLCHECK none
BINDDN cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com
BINDPW <password supplied>

Quote:

/etc/ldap.conf
ldap_version 3
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_password md5
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
binddn cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com
bindpw <supplied password>
nss_base_passwd OU=users,dc=server1,dc=domain,dc=com
nss_base_group OU=ident,OU=Apps,dc=server1,dc=domain,dc=com
nss_map_objectclass posixAccount User
nss_map_attribute uniqueMember member
nss_map_attribute uid cn
ssl no
uri ldap://server1.domain.com
base cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com
bind_policy soft
pam_lookup_policy yes

Quote:

/etc/nsswitch
passwd: ldap files
shadow: ldap files
group: ldap files

Quote:

authconfig --test

caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap://server1.domain.com"
LDAP base DN = "cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is md5
pam_krb5 is disabled
krb5 realm = "EXAMPLE.COM"
krb5 realm via dns is disabled
krb5 kdc = "kerberos.example.com:88"
krb5 kdc via dns is disabled
krb5 admin server = "kerberos.example.com:749"
pam_ldap is enabled

LDAP+TLS is disabled
LDAP server = "ldap://server1.domain.com"
LDAP base DN = "cn=blahname,ou=AccountName,dc=server1,dc=domain,dc=com"
pam_pkcs11 is disabled

use only smartcard for login is disabled
smartcard module = "coolkey"
smartcard removal action = "Ignore"
pam_smb_auth is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
pam_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is disabled by default
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is enabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled

my ldapsearch still returns successful

kbp · 07-30-2012, 12:00 AM

Not sure if you need it but you could try adding:

Code:

nss_base_shadow OU=users,dc=server1,dc=domain,dc=com
nss_map_objectclass shadowAccount user

shiden · 07-30-2012, 06:38 PM

thank you for the feedback.

I have tried your suggesstion and there has been no improvement

IF you think of anything else or a different way to set it up or a good how to guide let me know.

Cheers

kbp · 07-31-2012, 07:30 AM

PM'ed you...