Date: Tue, 02 Oct 2007 13:29:13 +0000
From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
To: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?
Message-ID: <470247A9.1020401@zedat.fu-berlin.de>
In-Reply-To: <20070929195839.B99598@arbitor.digitalfreaks.org>
References: <46FCDD68.6030901@zedat.fu-berlin.de> <1190989759.2994.26.camel@new-host> <46FD483D.8000906@zedat.fu-berlin.de> <20070929195839.B99598@arbitor.digitalfreaks.org>
All right, here's the next step. As I mentioned, I linked both local/etc/ldap.conf and local/etc/nss_pam.conf symbolically to /local/etc/openldap/ldap.conf (OpenLDAP's ldap.conf). This file only contains a restricted common subset of options understood by OpenLDAP's clients, nss_ldap and pam_ldap. Obviously, this did not work (again: I already installed OpenLDAP, nss_ldap and pam_ldap successfully!). So I turned to having separate files for each library and facility. The only thing I changed was the default dc=xxx tags and the uri tag to access either the local socket, the local secure port or the local normal port. On all three facilities OpenLDAP was listening, as sockstat(1) reported positively.

Well, I also changed /etc/nsswitch.conf to look first for 'files', then for 'ldap' for group and passwords. I also have ACLs defined in slapd.conf.

The problem at the moment is, when nss_ldap is running, login as root on the console takes several minutes (like a NIS server has gone away, and I think nss_ldap does not reach its LDAP server, so it is of the same quality as a missing NIS). I tried to avoid this by having 'files' prior to 'ldap' in nsswitch.conf, but that does not work. Logins from outside are impossible; I see a lot of error messages on the console that nss_ldap can't contact its OpenLDAP server. When logged in on the console, I can do a simple slapcat(1) and get a lot of definitions, so this shows a running and responding OpenLDAP server.

I feel seriously desperate because I don't know how to trace the communication paths between the pam/nss clients and the OpenLDAP server. At the beginning of setting up the environment, I strictly followed the suggestions and examples shown in the OpenLDAP tutorials from OpenLDAP itself - but with no success! Other tutorials around the web mostly target outdated environments (FreeBSD 5.1, older OpenLDAP versions or strange Linux setups).
In my case, I expect some errors from the OpenLDAP server if a client tries to access the server without having been granted permission to access, read or even write to the directory, but all I get is a failure in connecting to the OpenLDAP server, as if it did not exist. This is strange! Maybe it is also a problem with the TLS/SSL facility, but this should also be reported either by the client or by the OpenLDAP server itself. But nothing is shown so far reflecting a problem. Without any SSL/TLS certificate for encryption, I end up with the same strange problem. Even SAMBA struggles when connecting to LDAP services - because it also can not find the target.

So, I suspect some problems with FreeBSD 7.0-CURRENT. Is nobody out here utilizing FBSD 7.0 in combination with OpenLDAP (most recent version as taken from the ports, in conjunction with pam_ldap/nss_ldap)?

Strange,
regards,
Oliver

Brian A. Seklecki wrote:
>
> There should be an nss_ldap.conf and pam_ldap.conf in /usr/local/etc .
> You need to set a variety of settings there. What do they look like?
>
> Remember: pkg_info -L pam_ldap nss_ldap!
>
> Also, not sure about the TCP FIN_2 issue -- probably just the usual
> shakes and bangs with -current. ~BAS
>
>
> On Fri, 28 Sep 2007, O. Hartmann wrote:
>
>> Thank you for responding.
>> So, I'll feel free reporting my bad luck. This is a reference page I
>> consulted for some hints, but without success:
>>
>> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
>>
>> First, the OS is the most recent FreeBSD 7.0.
>> OpenLDAP is openldap-server-2.3.38, standard config, no SASL support
>> or anything else apart from default
>> PAM_LDAP
>> NSS_LDAP
>>
>> I renamed cached.conf to nscd.conf as suggested (for your information).
>> In /etc/nsswitch.conf I changed
>> #
>> # nsswitch.conf(5) - name service switch configuration file
>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
>> #
>> group: files ldap
>> group_compat: nis
>> hosts: files dns
>> networks: files
>> passwd: files ldap
>> passwd_compat: nis
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>> I also changed /etc/pam.d/sshd to this:
>>
>> #
>> # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
>> #
>> # PAM configuration for the "sshd" service
>> #
>>
>> # auth
>> auth sufficient pam_opie.so no_warn no_fake_prompts
>> auth requisite pam_opieaccess.so no_warn allow_local
>> #auth sufficient pam_krb5.so no_warn try_first_pass
>> auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
>> auth sufficient pam_ssh.so no_warn try_first_pass
>> auth required pam_unix.so no_warn try_first_pass
>>
>> # account
>> account required pam_nologin.so
>> #account required pam_krb5.so
>> account required pam_login_access.so
>> account required pam_unix.so
>>
>> # session
>> #session optional pam_ssh.so
>> session required pam_permit.so
>>
>> # password
>> #password sufficient pam_krb5.so no_warn try_first_pass
>> password required pam_unix.so no_warn try_first_pass
>>
>> Both configuration files for nss_ldap and pam_ldap respectively got
>> linked to /usr/local/etc/openldap/ldap.conf, which looks like this:
>>
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> BASE dc=foo,dc=org
>> #URI ldapi:///
>> URI ldapi://%2fvar%2frun%2fopenldap%2fldapi/
>>
>> #SSL start_tls
>>
>> #SIZELIMIT 12
>> #TIMELIMIT 15
>> #DEREF never
>>
>> #TLS_CACERT
>> #TLS_CERT
>> #TLS_KEY
>> #TLS_REQCERT
>> allow
>> #TLS_REQCERT demand
>> #TLS_CHECKPEER yes
>>
>> My /etc/rc.conf.local file has the following OpenLDAP specific entry:
>>
>> ###########################################################
>> ### OpenLDAP Server ###
>> ###########################################################
>> slapd_enable="YES"
>> #slapd_flags='-d 3 -4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"'
>> slapd_flags='-4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210 ldaps://192.168.2.210"'
>> slapd_sockets="/var/run/openldap/ldapi"
>>
>> My OpenLDAP config file has SSL-certificates disabled.
>>
>> After the installation of nss_ldap the slapd server takes several
>> decades of seconds to start. But it starts well and after it has
>> initiated itself, I can do on the server a simple 'slapcat' and receive.
>>
>> But I can't access the LDAP server. Doing an 'id testuser' results in
>> 'id not found'.
>>
>> On the console, I receive massive errors like this:
>>
>> TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18<PUSH,ACK>;
>> tcp_do_segment: FIN_WAIT_2: Received data after socket was closed,
>> sending RST and removing tcpcb
>>
>> Well, I checked sockstat for a listening slapd and I found slapd
>> listening on both loopback and the local NIC, and on both ports 389 and 636.
>>
>> So what is wrong?
>>
>> Regards,
>> a desperate Oliver
>>
>> Brian A. Seklecki wrote:
>>> FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
>>> (PKI). All other services (RADIUS, Apache (mod_ldap, mod_pam_auth),
>>> PHP, interactive shell, SFTP, etc.) can be tied into LDAP either directly or
>>> via PAM.
>>>
>>> As for password change, I don't know if anyone has a passwd(1) binary
>>> that properly changes the LDAP password attribute -- if there is and it's
>>> out there, it requires ACL insanity. Like Oracle, you can either
>>> understand OpenLDAP ACLs, or you have real work to do >:}
>>>
>>> Check the nss_pam.conf and nss_ldap.conf configs in local/etc/*
>>> -- set to "debug 1" to get debugging info. Feel free to share
>>> error messages.
>>>
>>> ~BAS
>>>
>>> On Fri, 2007-09-28 at 10:54 +0000, O. Hartmann wrote:
>>>
>>>> Hello out there,
>>>> I have a problem with setting up a FreeBSD box as OpenLDAP server
>>>> with several services, like SAMBA, NFS.
>>>>
>>>> The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also
>>>> acting as OpenLDAP server. So far, OpenLDAP is up and running, using a
>>>> TLS/SSL certificate. SAMBA is also up and running - but it never
>>>> connects to the OpenLDAP server due to a connection error, but this
>>>> shouldn't be the subject here; I have more basic questions about
>>>> what FreeBSD already has and what to install additionally.
>>>>
>>>> I want customers to log in on the FBSD box, so they should log in
>>>> (authenticated via OpenLDAP), change their passwords and shells, and
>>>> those user specifics should be updated on the LDAP server.
>>>>
>>>> I already installed the pam_ldap port but ran into trouble because
>>>> FreeBSD's nss obviously does not have a tag 'ldap' to refer to an
>>>> OpenLDAP server (and not files).
>>>> Well, I'm confused and not very firm with OpenLDAP/PAM/NSS stuff,
>>>> especially if SSL/TLS come into play, and I would like to ask those
>>>> herein administering those setups, especially within a hybrid
>>>> NFS/SAMBA fileserving environment, where to find up to date
>>>> information/howtos/tips.
>>>>
>>>> Most websites and HowTos I found were Linux related or, if related
>>>> to FreeBSD, outdated.
>>>>
>>>> Sorry for being so unspecific, but the problem is complex (to me) so I
>>>> would better ask those who are willing to help or give hints and
>>>> tips.
>>>>
>>>> Thanks in advance and for your patience,
>>>> Oliver
>>>>
>
> l8*
> -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
> http://www.spiritual-machines.org/
>
> "Guilty? Yeah. But he knows it. I mean, you're guilty.
> You just don't know it. So who's really in jail?"
> ~Maynard James Keenan
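A client-side sanity check for the two things this thread keeps circling back to: an ldapi:// URI whose percent-encoded socket path must exist and be accessible to the unprivileged process doing the lookup, and a bind_policy that lets NSS lookups fail fast instead of blocking the console login while the server is unreachable. This is an added example, not code posted in the thread or shipped with nss_ldap; uri and bind_policy are real nss_ldap options, while the sample config files and the helper names are constructed here.

```shell
#!/bin/sh
# Added example: local sanity check for an nss_ldap/pam_ldap ldap.conf.
# nss_ldap's default bind_policy is "hard": when the server cannot be reached,
# every NSS lookup (including root's console login) blocks and retries, which
# matches the minutes-long login described in the thread.

# Decode the percent-encoded socket path from an ldapi:// URI, e.g.
# ldapi://%2fvar%2frun%2fopenldap%2fldapi/ -> /var/run/openldap/ldapi
ldapi_socket_path() {
    printf '%s\n' "$1" | sed -e 's|^ldapi://||' -e 's|/*$||' \
        -e 's/%2[fF]/\//g' -e 's/%2[eE]/./g'
}

# Report problems in one config file; returns 0 when nothing is flagged.
check_nss_ldap_conf() {
    conf=$1; rc=0
    uri=$(awk 'tolower($1)=="uri" {print $2; exit}' "$conf")
    policy=$(awk 'tolower($1)=="bind_policy" {print tolower($2); exit}' "$conf")
    case $uri in
        ldapi://*)
            sock=$(ldapi_socket_path "$uri")
            if [ ! -S "$sock" ]; then
                echo "uri $uri: socket $sock does not exist (check slapd_sockets)"; rc=1
            elif [ ! -r "$sock" ] || [ ! -w "$sock" ]; then
                echo "uri $uri: socket $sock not accessible to uid $(id -u)"; rc=1
            fi ;;
        "") echo "no uri line: nss_ldap will use its compiled-in host/port defaults"; rc=1 ;;
    esac
    if [ "$policy" != "soft" ]; then
        echo "bind_policy is '${policy:-hard (default)}': lookups block while the" \
             "server is unreachable; set 'bind_policy soft'"; rc=1
    fi
    return $rc
}

# Constructed samples: the first mirrors the thread's shared ldap.conf (ldapi
# URI, no bind_policy); the second uses the plain port with a soft policy.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
base dc=foo,dc=org
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
EOF
cat >"$GOOD_CONF" <<'EOF'
base dc=foo,dc=org
uri ldap://192.168.2.210/
bind_policy soft
EOF
check_nss_ldap_conf "$BAD_CONF" || echo "-> fix the items above before testing logins"
check_nss_ldap_conf "$GOOD_CONF" && echo "$GOOD_CONF: no local problems found"
```

Run it as the unprivileged user whose login hangs, not as root, because the socket accessibility check depends on the caller's uid.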