Date: Thu, 22 Jun 2017 15:28:09 -0400
From: Predrag Punosevac <punosevac72@gmail.com>
To: freebsd-questions@freebsd.org
Subject: LDAP Authentication and Authorization
Message-ID: <20170622192809._8HM3EcPe%punosevac72@gmail.com>
Hi Folks,

This is my first post to this mailing list after ten years so please bear with me. I am trying to migrate a dozen file servers and jail hosts currently running FreeNAS 9.2.1.9 or TrueOS (server edition of now dead PC-BSD) 10.3 to vanilla 11.0. I am having a real hard time with the LDAP authentication part on the file server.

Before we go any further let me say that in our Lab we use the LDAP server from the base of OpenBSD 6.1. We use LDAP for both authorization and authentication. I have no intention to set up a Kerberos server for authentication. I also realized this morning that I might not even need the authentication part on FreeBSD file servers as regular users will not be logging into the file server. They will only be accessing their home directories via NFS and I got the authorization part working correctly. However it really bothers me that I can't log into the FreeBSD machine with an LDAP account.

Let me describe what I have done in the past and so far. On FreeNAS 9.2.1.9 both authentication and authorization work like a charm, more or less following the "official documentation".

https://www.freebsd.org/doc/en/articles/ldap-auth/

I tried to migrate the FreeNAS server to PC-BSD 10.3 but I hit the wall.

https://forums.freebsd.org/threads/52989/

The most disturbing part was the post in which I learnt about nss-pam-ldapd:

"It's part of the net/nss-pam-ldapd / net/nss-pam-ldapd-sasl port. Don't use the old security/pam_ldap and net/nss_ldap modules. They've been abandoned years ago by their upstream and suffer from several severe design errors. nslcd breaks the LDAP PAM and NSS modules into two parts. One part is a daemon handling all the heavy work and the other are small shims querying the daemon over a unix domain socket to implement the NSS and PAM interface."

which the "official documentation" never mentions. By the way the "official documentation" worked flawlessly for DragonFly BSD.

https://marc.info/?l=dragonfly-users&m=141630435129956&w=2

While contemplating migration to 11.xxx I was happy to learn that FreeBSD got ypldap and was possibly contemplating moving away from PAM insanity

https://www.freebsd.org/cgi/man.cgi?query=ypldap&apropos=0&sektion=0&manpath=FreeBSD+11.0-RELEASE+and+Ports&arch=default&format=html

just to be totally discouraged by the following post

https://marc.info/?l=freebsd-questions&m=149746603212079&w=2

by one of the long time FreeBSD users. I don't get why import the ypldap code into the base if FreeBSD is sticking to PAM craziness.

https://marc.info/?l=freebsd-questions&m=149746504411822&w=2

Anyhow, this is what works on this file server and what doesn't:

The OpenLDAP client works

    root@hera:/usr/local/etc/openldap # more ldap.conf
    BASE dc=autonlab,dc=org
    URI ldap://atlas.int.autonlab.org:389
    SIZELIMIT 12
    TIMELIMIT 15
    DEREF never
    SSL START_TLS
    TLS_REQCERT allow
    TLS_CACERT /usr/local/etc/openldap/certs/ca.crt
    TLS_CACERTDIR /usr/local/etc/openldap/certs
    TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3

    ldapsearch -ZZ -D "uid=predrag,ou=users,dc=autonlab,dc=org" -W

    # mravanba, group, autonlab.org
    dn: cn=mravanba,ou=group,dc=autonlab,dc=org
    cn: mravanba
    objectClass: top
    objectClass: posixGroup
    gidNumber: 1078
    memberUid: mravanba
    description: User Private Group

    # search result
    search: 3
    result: 4 Size limit exceeded

    # numResponses: 13
    # numEntries: 12

Following the suggestion from the FreeBSD forum thread and based on the negative comments about the ypldap daemon I installed net/nss-pam-ldapd. I configured the nslcd daemon

    root@hera:/usr/local/etc # more nslcd.conf
    uid nslcd
    gid nslcd
    uri ldap://192.168.6.7/
    base dc=autonlab,dc=org
    rootpwmoddn cn=admin,dc=autonlab,dc=org
    base group ou=groups,dc=autonlab,dc=org
    base passwd ou=users,dc=autonlab,dc=org
    # CA certificates for server certificate verification
    tls_cacertdir /usr/local/etc/openldap/certs
    tls_cacertfile /usr/local/etc/openldap/certs/ca.crt

and started it

    root@hera:/usr/local/etc # cat /etc/rc.conf | grep nslcd
    nslcd_enable="YES"
    root@hera:/usr/local/etc # service nslcd status
    nslcd is running with PID 1074.

I modified the nsswitch.conf file

    root@hera:~ # more /etc/nsswitch.conf
    #
    # nsswitch.conf(5) - name service switch configuration file
    # $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
    #
    #group: compat
    group: files ldap
    #group_compat: nis
    hosts: files dns
    netgroup: compat
    networks: files
    #passwd: compat
    passwd: files ldap
    #passwd_compat: nis
    shells: files
    #services: compat
    services: files ldap
    #services_compat: nis
    protocols: files
    rpc: files

and restarted the nsswitch daemon. I installed and linked the users' shells and mounted their home directories for testing purposes to make sure they can log in. Finally this is my

    root@hera:~ # more /etc/pam.d/sshd
    #
    # $FreeBSD: releng/11.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
    #
    # PAM configuration for the "sshd" service
    #

    # auth
    auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn no_fake_prompts
    auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so           no_warn allow_local
    #auth       sufficient  pam_krb5.so                 no_warn try_first_pass
    #auth       sufficient  pam_ssh.so                  no_warn try_first_pass
    auth        required    pam_unix.so                 no_warn try_first_pass

    # account
    account     sufficient  /usr/local/lib/pam_ldap.so
    account     required    pam_nologin.so
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     required    pam_unix.so

    # session
    #session    optional    pam_ssh.so                  want_agent
    session     required    pam_permit.so

    # password
    #password   sufficient  pam_krb5.so                 no_warn try_first_pass
    password    sufficient  /usr/local/lib/pam_ldap.so  try_first_pass
    password    required    pam_unix.so                 no_warn try_first_pass

At this point getent passwd works like a charm and I can even

    root@hera:~ # su - predrag
    auton@hera$

to my home directory

    auton@hera$ pwd
    /zfsauton/home/predrag

So at this point I feel like I have the authorization part working correctly and according to this documentation

https://arthurdejong.org/nss-pam-ldapd/setup

I should not be far away from the authentication part as well (which I might not even need on the file server). However when trying to ssh into the server with LDAP credentials it fails

    Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] <authc="awd"> uid=awd,ou=users,dc=autonlab,dc=org: Confidentiality required
    Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] <authc="awd"> uid=awd,ou=users,dc=autonlab,dc=org: "${shadowLastChange:--1}": password changed in the future
    Jun 22 15:19:28 hera sshd[2678]: error: PAM: authentication error for awd from 10.8.0.6

and I also see a bunch of other errors in /var/log/messages

    Jun 22 02:55:00 hera nslcd[1074]: [65e7c4] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:00:00 hera nslcd[1074]: [923f5c] <group/member="operator"> ldap_result() failed: No such object
    Jun 22 03:00:00 hera nslcd[1074]: [7e2017] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:00:00 hera nslcd[1074]: [533840] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:01:00 hera nslcd[1074]: [f1fa0b] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:01:00 hera nslcd[1074]: [6d3dc2] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:05:00 hera nslcd[1074]: [574d2f] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:10:00 hera nslcd[1074]: [8cc0da] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:11:00 hera nslcd[1074]: [c96ec1] <group/member="operator"> ldap_result() failed: No such object
    Jun 22 03:15:00 hera nslcd[1074]: [86bffd] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:20:00 hera nslcd[1074]: [a6e267] <group/member="root"> ldap_result() failed: Can't contact LDAP server
    Jun 22 03:20:00 hera nslcd[1074]: [a6e267] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:22:00 hera nslcd[1074]: [5a3141] <group/member="operator"> ldap_result() failed: Can't contact LDAP server
    Jun 22 03:22:00 hera nslcd[1074]: [5a3141] <group/member="operator"> ldap_result() failed: No such object
    Jun 22 03:25:00 hera nslcd[1074]: [57f83c] <group/member="root"> ldap_result() failed: Can't contact LDAP server
    Jun 22 03:25:00 hera nslcd[1074]: [57f83c] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:30:00 hera nslcd[1074]: [6a7632] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:31:00 hera nslcd[1074]: [7635f9] <group/member="root"> ldap_search_ext() failed: Can't contact LDAP server: Operation not permitted
    Jun 22 03:31:00 hera nslcd[1074]: [7635f9] <group/member="root"> no available LDAP server found, sleeping 1 seconds
    Jun 22 03:31:01 hera nslcd[1074]: [7635f9] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:33:00 hera nslcd[1074]: [d1b46c] <group/member="operator"> ldap_result() failed: No such object
    Jun 22 03:35:00 hera nslcd[1074]: [9c649f] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:40:00 hera nslcd[1074]: [9285d2] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:44:00 hera nslcd[1074]: [901b6e] <group/member="operator"> ldap_result() failed: No such object
    Jun 22 03:45:00 hera nslcd[1074]: [f93502] <group/member="root"> ldap_result() failed: No such object
    Jun 22 03:50:00 hera nslcd[1074]: [075f1e] <group/member="root"> ldap_search_ext() failed: Can't contact LDAP server: Operation not permitted

I am stumped at this point. I think I stumbled late last night on some thread which claims that pam_ldap is needed for the authentication part. However trying to install pam_ldap using pkg install also deinstalls the nss-pam-ldapd package. That could be due to compiling options for nss-pam-ldapd. Maybe the porter assumes I will set up Kerberos for the authentication part.

I apologize for the very long e-mail but I wanted to leave an electronic trace for people who will be looking for this. I appreciate any input.

Best,
Predrag
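Added here as an illustration, not code from the thread or from nss-pam-ldapd: a small Python audit of an nslcd.conf modelled on the one posted above. The OpenLDAP client's ldap.conf uses SSL START_TLS, while nslcd.conf binds over a plaintext ldap:// URI with no ssl line, and a directory server that insists on TLS answers such a bind with LDAP result 13, "Confidentiality required". The sample file and its hardened variant are constructed; the host name is taken from the posted ldap.conf, and the tls_reqcert default is assumed to be "demand".

```python
"""Audit nslcd.conf transport settings for the conditions behind 'Confidentiality required'."""
import re

# Constructed sample that mirrors the nslcd.conf posted in the thread (not the author's file).
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldap://192.168.6.7/
base dc=autonlab,dc=org
rootpwmoddn cn=admin,dc=autonlab,dc=org
base group ou=groups,dc=autonlab,dc=org
base passwd ou=users,dc=autonlab,dc=org
# CA certificates for server certificate verification
tls_cacertdir /usr/local/etc/openldap/certs
tls_cacertfile /usr/local/etc/openldap/certs/ca.crt
"""

# The same file with the two changes the findings call for (constructed; uses the host name
# from the posted ldap.conf and assumes it resolves and matches the server certificate).
HARDENED_NSLCD_CONF = SAMPLE_NSLCD_CONF.replace(
    "uri ldap://192.168.6.7/", "uri ldap://atlas.int.autonlab.org/\nssl start_tls")


def parse_nslcd_conf(text):
    """Return (keyword, value) pairs; keywords are case-insensitive and may repeat (e.g. base)."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # nslcd.conf comments are whole lines
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def audit_transport(pairs):
    """List the transport-security problems a defender would check before blaming PAM."""
    findings = []
    ssl_mode = next((v.lower() for k, v in pairs if k == "ssl"), "off")       # nslcd default
    reqcert = next((v.lower() for k, v in pairs if k == "tls_reqcert"), "demand")  # assumed default
    for uri in (v for k, v in pairs if k == "uri"):
        if uri.lower().startswith("ldap://") and ssl_mode != "start_tls":
            findings.append(f"{uri}: plaintext bind without 'ssl start_tls'; a server that "
                            "requires TLS rejects the bind with 'Confidentiality required'")
        if re.match(r"ldaps?://\d+\.\d+\.\d+\.\d+", uri, re.IGNORECASE):
            findings.append(f"{uri}: IP literal; certificate name check passes only if the "
                            "server certificate lists this IP as a subjectAltName")
    if reqcert in ("never", "allow"):
        findings.append(f"tls_reqcert {reqcert}: server certificate is not verified")
    return findings
```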