From: Predrag Punosevac <punosevac72@gmail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 22 Jun 2017 15:28:09 -0400
Subject: LDAP Authentication and Authorization
Message-ID: <20170622192809._8HM3EcPe%punosevac72@gmail.com>

Hi Folks,

This is my first post to this mailing list after ten years, so please bear with me. I am trying to migrate a dozen file servers and jail hosts currently running FreeNAS 9.2.1.9 or TrueOS (server edition of the now dead PC-BSD) 10.3 to vanilla 11.0. I am having a real hard time with the LDAP authentication part on the file server.

Before we go any further let me say that in our Lab we use the LDAP server from the base of OpenBSD 6.1. We use LDAP for both authorization and authentication. I have no intention to set up a Kerberos server for authentication. I also realized this morning that I might not even need the authentication part on the FreeBSD file servers, as regular users will not be logging into the file server. They will only be accessing their home directories via NFS, and I got the authorization part working correctly. However, it really bothers me that I can't log into the FreeBSD machine with an LDAP account. Let me describe what I have done in the past and so far.
On FreeNAS 9.2.1.9 both authentication and authorization work like a charm, more or less following the "official documentation":

https://www.freebsd.org/doc/en/articles/ldap-auth/

I tried to migrate the FreeNAS server to PC-BSD 10.3 but I hit the wall:

https://forums.freebsd.org/threads/52989/

The most disturbing part was the post in which I learnt about nss-pam-ldapd:

"It's part of the net/nss-pam-ldapd / net/nss-pam-ldapd-sasl port. Don't use the old security/pam_ldap and net/nss_ldap modules. They've been abandoned years ago by their upstream and suffer from several severe design errors. nslcd breaks the LDAP PAM and NSS modules into two parts. One part is a daemon handling all the heavy work and the other are small shims querying the daemon over a unix domain socket to implement the NSS and PAM interface."

which the "official documentation" never mentions. By the way, the "official documentation" worked flawlessly for DragonFly BSD:

https://marc.info/?l=dragonfly-users&m=141630435129956&w=2

While contemplating the migration to 11.xxx I was happy to learn that FreeBSD got ypldap and was possibly contemplating moving away from the PAM insanity

https://www.freebsd.org/cgi/man.cgi?query=ypldap&apropos=0&sektion=0&manpath=FreeBSD+11.0-RELEASE+and+Ports&arch=default&format=html

just to be totally discouraged by the following post

https://marc.info/?l=freebsd-questions&m=149746603212079&w=2

by one of the long time FreeBSD users. I don't get why import the ypldap code into the base if FreeBSD is sticking to the PAM craziness.
https://marc.info/?l=freebsd-questions&m=149746504411822&w=2

Anyhow, this is what works on this file server and what doesn't.

The OpenLDAP client works:

root@hera:/usr/local/etc/openldap # more ldap.conf
BASE dc=autonlab,dc=org
URI ldap://atlas.int.autonlab.org:389
SIZELIMIT 12
TIMELIMIT 15
DEREF never
SSL START_TLS
TLS_REQCERT allow
TLS_CACERT /usr/local/etc/openldap/certs/ca.crt
TLS_CACERTDIR /usr/local/etc/openldap/certs
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3

ldapsearch -ZZ -D "uid=predrag,ou=users,dc=autonlab,dc=org" -W

# mravanba, group, autonlab.org
dn: cn=mravanba,ou=group,dc=autonlab,dc=org
cn: mravanba
objectClass: top
objectClass: posixGroup
gidNumber: 1078
memberUid: mravanba
description: User Private Group

# search result
search: 3
result: 4 Size limit exceeded

# numResponses: 13
# numEntries: 12

Following the suggestion from the FreeBSD forum thread, and based on the negative comments about the ypldap daemon, I installed net/nss-pam-ldapd. I configured the nslcd daemon:

root@hera:/usr/local/etc # more nslcd.conf
uid nslcd
gid nslcd
uri ldap://192.168.6.7/
base dc=autonlab,dc=org
rootpwmoddn cn=admin,dc=autonlab,dc=org
base group ou=groups,dc=autonlab,dc=org
base passwd ou=users,dc=autonlab,dc=org
# CA certificates for server certificate verification
tls_cacertdir /usr/local/etc/openldap/certs
tls_cacertfile /usr/local/etc/openldap/certs/ca.crt

and started it:

root@hera:/usr/local/etc # cat /etc/rc.conf | grep nslcd
nslcd_enable="YES"
root@hera:/usr/local/etc # service nslcd status
nslcd is running with PID 1074.
I modified the nsswitch.conf file:

root@hera:~ # more /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/11.0/etc/nsswitch.conf 301711 2016-06-09 01:28:44Z markj $
#
# group: compat
group: files ldap
# group_compat: nis
hosts: files dns
netgroup: compat
networks: files
# passwd: compat
passwd: files ldap
# passwd_compat: nis
shells: files
# services: compat
services: files ldap
# services_compat: nis
protocols: files
rpc: files

and restarted the nsswitch daemon. I installed and linked the users' shells and mounted their home directories for testing purposes, to make sure they can log in. Finally, this is my sshd PAM configuration:

root@hera:~ # more /etc/pam.d/sshd
#
# $FreeBSD: releng/11.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn no_fake_prompts
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth        required    pam_unix.so                 no_warn try_first_pass

# account
account     sufficient  /usr/local/lib/pam_ldap.so
account     required    pam_nologin.so
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so                  want_agent
session     required    pam_permit.so

# password
#password   sufficient  pam_krb5.so                 no_warn try_first_pass
password    sufficient  /usr/local/lib/pam_ldap.so  try_first_pass
password    required    pam_unix.so                 no_warn try_first_pass

At this point getent passwd works like a charm and I can even

root@hera:~ # su - predrag
auton@hera$

to my home directory:

auton@hera$ pwd
/zfsauton/home/predrag

So at this point I feel like I have the authorization part working correctly, and according to this documentation

https://arthurdejong.org/nss-pam-ldapd/setup

I should not be far away from the authentication part as well (which I might not even need on the file server).
However, when trying to ssh into the server with LDAP credentials it fails:

Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] uid=awd,ou=users,dc=autonlab,dc=org: Confidentiality required
Jun 22 15:19:28 hera nslcd[2675]: [6f59b2] uid=awd,ou=users,dc=autonlab,dc=org: "${shadowLastChange:--1}": password changed in the future
Jun 22 15:19:28 hera sshd[2678]: error: PAM: authentication error for awd from 10.8.0.6

and I also see a bunch of other errors in /var/log/messages:

Jun 22 02:55:00 hera nslcd[1074]: [65e7c4] ldap_result() failed: No such object
Jun 22 03:00:00 hera nslcd[1074]: [923f5c] ldap_result() failed: No such object
Jun 22 03:00:00 hera nslcd[1074]: [7e2017] ldap_result() failed: No such object
Jun 22 03:00:00 hera nslcd[1074]: [533840] ldap_result() failed: No such object
Jun 22 03:01:00 hera nslcd[1074]: [f1fa0b] ldap_result() failed: No such object
Jun 22 03:01:00 hera nslcd[1074]: [6d3dc2] ldap_result() failed: No such object
Jun 22 03:05:00 hera nslcd[1074]: [574d2f] ldap_result() failed: No such object
Jun 22 03:10:00 hera nslcd[1074]: [8cc0da] ldap_result() failed: No such object
Jun 22 03:11:00 hera nslcd[1074]: [c96ec1] ldap_result() failed: No such object
Jun 22 03:15:00 hera nslcd[1074]: [86bffd] ldap_result() failed: No such object
Jun 22 03:20:00 hera nslcd[1074]: [a6e267] ldap_result() failed: Can't contact LDAP server
Jun 22 03:20:00 hera nslcd[1074]: [a6e267] ldap_result() failed: No such object
Jun 22 03:22:00 hera nslcd[1074]: [5a3141] ldap_result() failed: Can't contact LDAP server
Jun 22 03:22:00 hera nslcd[1074]: [5a3141] ldap_result() failed: No such object
Jun 22 03:25:00 hera nslcd[1074]: [57f83c] ldap_result() failed: Can't contact LDAP server
Jun 22 03:25:00 hera nslcd[1074]: [57f83c] ldap_result() failed: No such object
Jun 22 03:30:00 hera nslcd[1074]: [6a7632] ldap_result() failed: No such object
Jun 22 03:31:00 hera nslcd[1074]: [7635f9] ldap_search_ext() failed: Can't contact LDAP server: Operation not permitted
Jun 22 03:31:00 hera nslcd[1074]: [7635f9] no available LDAP server found, sleeping 1 seconds
Jun 22 03:31:01 hera nslcd[1074]: [7635f9] ldap_result() failed: No such object
Jun 22 03:33:00 hera nslcd[1074]: [d1b46c] ldap_result() failed: No such object
Jun 22 03:35:00 hera nslcd[1074]: [9c649f] ldap_result() failed: No such object
Jun 22 03:40:00 hera nslcd[1074]: [9285d2] ldap_result() failed: No such object
Jun 22 03:44:00 hera nslcd[1074]: [901b6e] ldap_result() failed: No such object
Jun 22 03:45:00 hera nslcd[1074]: [f93502] ldap_result() failed: No such object
Jun 22 03:50:00 hera nslcd[1074]: [075f1e] ldap_search_ext() failed: Can't contact LDAP server: Operation not permitted

I am stumped at this point. I think I stumbled late last night on some thread which claims that pam_ldap is needed for the authentication part. However, trying to install pam_ldap using pkg install also deinstalls the nss-pam-ldapd package. That could be due to the compile options for nss-pam-ldapd. Maybe the porter assumes I will set up Kerberos for the authentication part.

I apologize for the very long e-mail, but I wanted to leave an electronic trace for people who will be looking for this. I appreciate any input.

Best,
Predrag
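Added example, not code from the post or from nss-pam-ldapd: a small lint that reads a constructed nslcd.conf modelled on the one posted above and flags three things a reviewer would look at first: a plaintext ldap:// uri used without ssl start_tls (a server that requires a protected channel answers such a bind with LDAP result 13, confidentialityRequired, which OpenLDAP renders as the "Confidentiality required" string in the log above), a tls_reqcert of never or allow, and any per-map search base under which none of the DNs seen in the ldapsearch output or the bind DN lives. It assumes that nslcd's ssl option defaults to off, as nslcd.conf(5) documents.

```python
"""Added example (not from the post or nss-pam-ldapd): lint an nslcd.conf for
settings that expose binds or point at search bases the directory lacks."""
import re

# Constructed sample modelled on the nslcd.conf quoted in the post above.
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldap://192.168.6.7/
base dc=autonlab,dc=org
rootpwmoddn cn=admin,dc=autonlab,dc=org
base group ou=groups,dc=autonlab,dc=org
base passwd ou=users,dc=autonlab,dc=org
# CA certificates for server certificate verification
tls_cacertdir /usr/local/etc/openldap/certs
tls_cacertfile /usr/local/etc/openldap/certs/ca.crt
"""
# DNs the ldapsearch output and bind DN in the post show the directory holds.
OBSERVED_DNS = ("cn=mravanba,ou=group,dc=autonlab,dc=org",
                "uid=predrag,ou=users,dc=autonlab,dc=org")

def parse_nslcd_conf(text):
    """Yield (keyword, value) pairs; keywords are case-insensitive, '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            yield key.lower(), value.strip()

def lint_nslcd_conf(text, observed_dns=OBSERVED_DNS):
    """Return human-readable findings; an empty list means nothing was flagged."""
    opts = list(parse_nslcd_conf(text))
    findings = []
    # nslcd's 'ssl' option defaults to off (assumption taken from nslcd.conf(5)).
    ssl_mode = next((v.lower() for k, v in opts if k == "ssl"), "off")
    for uri in (u for k, v in opts if k == "uri" for u in v.split()):
        if uri.lower().startswith("ldap://") and ssl_mode != "start_tls":
            findings.append(f"{uri}: plaintext LDAP, no 'ssl start_tls'; simple binds go "
                            "in the clear (server may answer 13 confidentialityRequired)")
    reqcert = next((v.lower() for k, v in opts if k == "tls_reqcert"), None)
    if reqcert in ("never", "allow"):
        findings.append(f"tls_reqcert {reqcert}: server certificate is not verified")
    norm = [re.sub(r"\s*,\s*", ",", d.lower()) for d in observed_dns]
    for k, v in opts:
        if k == "base" and " " in v:  # per-map form: 'base <map> <dn>'
            mapname, _, dn = v.partition(" ")
            dn = re.sub(r"\s*,\s*", ",", dn.strip().lower())
            if not any(d.endswith("," + dn) for d in norm):
                findings.append(f"base {mapname} {dn}: no observed DN lives under it")
    return findings
```

Run against the sample it reports the plaintext uri and the ou=groups base; the same check against the posted ldap.conf would additionally flag TLS_REQCERT allow.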