System Authentication using centralized OpenLDAP(local login and ssh login)
Hi Good Morning,
Hope all are doing well.
I have installed CentOS 6.x x86_64 server edition in a VM.
I have a couple of questions on the authentication process; below I am expecting a solution.
1) If I log in (root, non-root users) to the machine directly, then auth should validate against pam_ldap (not using pam_unix).
2) If I log in (root, non-root users) remotely via SSH, then auth should validate against pam_ldap (not using pam_unix).
Error
I could see it always authenticates using pam_unix in /var/log/secure.
1) I have installed OpenLDAP server, clients on the same machine
2) I have installed nss-pam-ldapd on the same machine
3) I have only root user account created during OS installation.
I have migrated users
migrate_passwd.pl /etc/passwd > people.ldif
I am describing too many things here, sorry for that; please try to help if possible.
I am using openldap-servers-2.4.40-7.el6_7.x86_64
NOTE: LDAP Server and Client on the same machine
1) Now I am able to authenticate from the client machine - fixed
2) I have added a self-signed certificate via ca-bundle.crt (/etc/pki/tls.. path) - TLS did not work - disabled for the time being
/etc/nslcd.conf,/etc/pam_ldap.conf
#ssl start_tls
tls_reqcert never
#tls_cacertfile /etc/openldap/cacerts/ca-bundle.crt
#tls_cacertdir /etc/openldap/cacerts
pam_password exop # only /etc/pam_ldap.conf
--->
WILL TALK ABOUT THIS LATER; however, login auth now succeeds on port 636 without TLS
3) Login successful
4) Here a couple of issues arose during the password change.
2 users are in LDAP [root, ldapuser]
[root@ldap-server migrationtools]# cd /etc/openldap/slapd.d/cn\=config
[root@ldap-server migrationtools]# vi olcDatabase\=\{2\}bdb.ldif
olcPasswordHash: {SSHA}
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=narayana,dc=local" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=narayana,dc=local" write by self write by * read
#olcTLSCipherSuite: HIGH
olcTLSCACertificateFile: /etc/openldap/cacerts/ca-bundle.crt
olcTLSCertificateFile: /root/ssl/certs/ldap-server.narayana.local.pem
olcTLSCertificateKeyFile: /root/ssl/certs/ldap-server.narayana.local_key.pem
Is there any process for mapping user(s) to a host and a host to the LDAP authentication server?
I mean the example below shows
To avoid user clashes on the server
Problem -1: the root user logs in with the local Unix shadow password, not the LDAP password - how do I fix this? I don't need the local (shadow) password change mechanism.
[narayana2@laptop Documents]$ ssh root@192.168.1.35
root@192.168.1.35's password: welcome2 [LDAP Password]
Permission denied, please try again.
root@192.168.1.35's password: welcome1 [Unix Shadow password]
Last login: Sun May 15 13:44:48 2016 from laptop.narayana.local
tail -f /var/log/messages
May 15 13:51:28 ldap-server sshd[2078]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=laptop.narayana.local user=root
May 15 13:51:29 ldap-server sshd[2078]: Failed password for root from 192.168.1.15 port 49998 ssh2
May 15 13:52:03 ldap-server sshd[2078]: Accepted password for root from 192.168.1.15 port 49998 ssh2
May 15 13:52:03 ldap-server sshd[2078]: pam_unix(sshd:session): session opened for user root by (uid=0)
[root@ldap-server ~]# passwd
Changing password for user root.
Enter login(LDAP) password: welcome2
New password: welcome1
Re-enter new password: welcome1
LDAP password information update failed: Insufficient access
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too similar to the old one
tail -f /var/log/messages
May 15 13:41:12 ldap-server passwd: pam_ldap: ldap_extended_operation_s Insufficient access
May 15 13:41:40 ldap-server passwd: pam_ldap: ldap_extended_operation_s Insufficient access
May 15 13:42:38 ldap-server passwd: pam_ldap: ldap_extended_operation_s Insufficient access
tail -f /var/log/secure
May 15 13:57:55 ldap-server passwd: pam_cracklib(passwd:chauthtok): pam_get_authtok_verify returned error: Failed preliminary check by password service
May 15 13:58:06 ldap-server passwd: pam_unix(passwd:chauthtok): authentication failure; logname=root uid=0 euid=0 tty=pts/3 ruser= rhost= user=root
May 15 13:58:06 ldap-server passwd: pam_unix(passwd:chauthtok): user password changed by another process
May 15 13:59:10 ldap-server passwd: pam_unix(passwd:chauthtok): authentication failure; logname=root uid=0 euid=0 tty=pts/3 ruser= rhost= user=root
May 15 13:59:10 ldap-server passwd: pam_unix(passwd:chauthtok): user password changed by another process
Problem -2 : ldapuser - password change - how do I fix?
[narayana2@laptop Documents]$ ssh ldapuser@192.168.1.35
ldapuser@192.168.1.35's password:
Last login: Sun May 15 12:04:30 2016 from laptop.narayana.local
[ldapuser@ldap-server ~]$ passwd
Changing password for user ldapuser.
Enter login(LDAP) password: welcome1
New password: welcome2
Re-enter new password: welcome2
LDAP password information update failed: Insufficient access
BAD PASSWORD: it is based on a dictionary word
New password: ...
...
tail -f /var/log/secure
May 15 14:02:02 ldap-server sshd[2107]: Accepted password for ldapuser from 192.168.1.15 port 50004 ssh2
May 15 14:02:02 ldap-server sshd[2107]: pam_unix(sshd:session): session opened for user ldapuser by (uid=0)
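To see which bind identity the two olcAccess rules above actually grant write access to userPassword (the level a pam_password exop change needs, and the check behind the "Insufficient access" errors), here is a small evaluator of OpenLDAP ACL semantics. It is an added example for this thread, not code from the poster or from OpenLDAP; the ldapuser DN and the assumption that no other rules exist are mine.

```python
"""Evaluate OpenLDAP olcAccess rules as slapd does: the first matching 'to' clause wins, then
the first matching 'by' inside it; unmatched means deny. Assumption: only the subset used here."""
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
RULES = [  # the two rules from the thread's olcDatabase={2}bdb.ldif, {n} ordering prefix removed
    'to attrs=userPassword by self write by dn.base="cn=Manager,dc=narayana,dc=local" write'
    ' by anonymous auth by * none',
    'to * by dn.base="cn=Manager,dc=narayana,dc=local" write by self write by * read',
]

def parse_rule(rule):
    """Return (what, [(who, level), ...]); shlex keeps the quoted DN as one token."""
    tok = shlex.split(rule)
    if tok[0] != "to" or (tok[1] != "*" and not tok[1].startswith("attrs=")):
        raise ValueError("unsupported rule: " + rule)
    what, rest, clauses = tok[1], tok[2:], []
    while rest:
        if rest[0] != "by" or len(rest) < 3 or rest[2] not in LEVELS:
            raise ValueError("malformed 'by' clause in: " + rule)
        clauses.append((rest[1], rest[2]))
        rest = rest[3:]
    return what, clauses

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous bind; DNs are compared case-insensitively."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.base="):
        return bind_dn is not None and bind_dn.lower() == who[8:].lower()
    raise ValueError("unsupported <who> clause: " + who)

def granted(bind_dn, target_dn, attr, rules=RULES):
    """Access level the rules grant bind_dn on attribute attr of entry target_dn."""
    for rule in rules:
        what, clauses = parse_rule(rule)
        if what != "*" and attr.lower() not in what[6:].lower().split(","):
            continue  # this 'to' clause does not select the attribute
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # 'to' matched but no 'by' did: implicit 'by * none'
    return "none"  # assumption: no rule matched at all, treated as deny

def allows(bind_dn, target_dn, attr, needed, rules=RULES):
    return LEVELS.index(granted(bind_dn, target_dn, attr, rules)) >= LEVELS.index(needed)
```

Only a bind as the entry itself or as cn=Manager reaches "write" on userPassword; an anonymous bind gets "auth", which is enough to log in but not to change the password.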
Mapping a user to a particular host... in an LDAP environment? That defeats the purpose of LDAP then. Further, the root user on the local machine is different from the root account in the LDAP realm. These two are not the same accounts.
My impression is you installed something you don't really understand...