Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-22 Thread Robert Heller
At Fri, 22 Sep 2017 16:34:44 +0200 m.wan...@t-online.de wrote:

> 
> On 22.09.2017 at 15:45, Robert Heller wrote:
> > At Fri, 22 Sep 2017 10:47:29 +0200 Dieter Klünter wrote:
> > 
> >>
> >> On Thu, 21 Sep 2017 10:01:48 -0400 (EDT)
> >> Robert Heller wrote:
> >> [...]
> >>
> >>> Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [1]
> >>> mask: write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com
> >>> slapd[17535]: => slap_access_allowed: search access granted by
> >>> write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]:
> >>> => access_allowed: search access granted by write(=wrscxd) Sep 21
> >>> 09:50:01 c764guest.deepsoft.com slapd[17535]: conn=1000 op=11 SEARCH
> >>> RESULT tag=101 err=0 nentries=0 text=
> >> [...]
> >>
> >> You should find out why operation 11 results in 0 entries.
> > 
> > Operation 11 *seems* to be fetching the uid, using self, which has write 
> > access, which implies read access, which seems to work just fine, using 
> > ldapsearch from the command line:
> > 
> > [heller@c764guest ~]$ ldapsearch -D 
> > uid=test2user,ou=People,dc=deepsoft,dc=com -W -LLL '(uid=test2user)' uid
> > Enter LDAP Password: 
> > dn: uid=test2user,ou=People,dc=deepsoft,dc=com
> > uid: test2user
> > 
> > I don't know what is going on here.
> > 
> > Also: there is a "TLS negotiation failure" failure. I have not even enabled
> > TLS and/or ssl. At least I don't think I have it enabled. I *think* I have it
> > disabled everywhere. I want to test things without messing with creating a SSL
> > Cert (none of this is anything close to a public facing production
> > environment). I have ldap_id_use_start_tls set to false in /etc/sssd/sssd.conf
> > -- is there some other option I need to set?
> > 
> Ok, if you use auth_provider = ldap in your sssd, SSL/TLS is a must.
> IMHO it isn't possible to get it to work without.

Yesh :-(. Now I have to get the SSL/TLS working... I have a cert now, but it
is from my own CA and I am not sure how to get that to work...

> best regards
> Michael
> 
> > Is there any chance that selinux is having any effect?  Selinux can be pesky
> > at times.
> > 
> >>
> >> -Dieter
> >>
> >> -- 
> >> Dieter Klünter | Systems Consulting
> >> http://sys4.de
> >> GPG Key ID: E9ED159B
> >> 53°37'09,95"N
> >> 10°08'02,42"E

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com   -- Webhosting Services




Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-22 Thread Robert Heller
At Fri, 22 Sep 2017 07:36:48 -0700 Quanah Gibson-Mount wrote:

> --On Friday, September 22, 2017 10:45 AM -0400 Robert Heller wrote:
> 
> > Operation 11 *seems* to be fetching the uid, using self, which has write
> > access, which implies read access, which seems to work just fine, using
> > ldapsearch from the command line:
> >
> > [heller@c764guest ~]$ ldapsearch -D
> > uid=test2user,ou=People,dc=deepsoft,dc=com -W -LLL '(uid=test2user)' uid
> > Enter LDAP Password:
> > dn: uid=test2user,ou=People,dc=deepsoft,dc=com
> > uid: test2user
> 
> Is PAM actually bound as uid=test2user, or is it bound as anonymous or some 
> other DN?  I can't tell from the little snippet of log that was in this 
> thread.  So yes, it works for you using ldapsearch when you bind as 
> uid=test2user, but is that what pam is using?

It *seems* to be matching on the ACL for "self" in op 11.

But it turns out that sssd insists on using SSL/TLS, so I need to get that 
working first...

> 
> --Quanah
> 
> --
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com   -- Webhosting Services




Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-22 Thread Quanah Gibson-Mount
--On Friday, September 22, 2017 10:45 AM -0400 Robert Heller wrote:

> Operation 11 *seems* to be fetching the uid, using self, which has write
> access, which implies read access, which seems to work just fine, using
> ldapsearch from the command line:
> 
> [heller@c764guest ~]$ ldapsearch -D
> uid=test2user,ou=People,dc=deepsoft,dc=com -W -LLL '(uid=test2user)' uid
> Enter LDAP Password:
> dn: uid=test2user,ou=People,dc=deepsoft,dc=com
> uid: test2user


Is PAM actually bound as uid=test2user, or is it bound as anonymous or some 
other DN?  I can't tell from the little snippet of log that was in this 
thread.  So yes, it works for you using ldapsearch when you bind as 
uid=test2user, but is that what pam is using?


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-22 Thread Michael Wandel
On 22.09.2017 at 15:45, Robert Heller wrote:
> At Fri, 22 Sep 2017 10:47:29 +0200 Dieter Klünter wrote:
> 
>>
>> On Thu, 21 Sep 2017 10:01:48 -0400 (EDT)
>> Robert Heller wrote:
>> [...]
>>
>>> Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [1]
>>> mask: write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com
>>> slapd[17535]: => slap_access_allowed: search access granted by
>>> write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]:
>>> => access_allowed: search access granted by write(=wrscxd) Sep 21
>>> 09:50:01 c764guest.deepsoft.com slapd[17535]: conn=1000 op=11 SEARCH
>>> RESULT tag=101 err=0 nentries=0 text=
>> [...]
>>
>> You should find out why operation 11 results in 0 entries.
> 
> Operation 11 *seems* to be fetching the uid, using self, which has write 
> access, which implies read access, which seems to work just fine, using 
> ldapsearch from the command line:
> 
> [heller@c764guest ~]$ ldapsearch -D 
> uid=test2user,ou=People,dc=deepsoft,dc=com -W -LLL '(uid=test2user)' uid
> Enter LDAP Password: 
> dn: uid=test2user,ou=People,dc=deepsoft,dc=com
> uid: test2user
> 
> I don't know what is going on here.
> 
> Also: there is a "TLS negotiation failure" failure. I have not even enabled
> TLS and/or ssl. At least I don't think I have it enabled. I *think* I have it
> disabled everywhere. I want to test things without messing with creating a SSL
> Cert (none of this is anything close to a public facing production
> environment). I have ldap_id_use_start_tls set to false in /etc/sssd/sssd.conf
> -- is there some other option I need to set?
> 
Ok, if you use auth_provider = ldap in your sssd, SSL/TLS is a must.
IMHO it isn't possible to get it to work without.


best regards
Michael

> Is there any chance that selinux is having any effect?  Selinux can be pesky 
> at times.
> 
>>
>> -Dieter
>>
>> -- 
>> Dieter Klünter | Systems Consulting
>> http://sys4.de
>> GPG Key ID: E9ED159B
>> 53°37'09,95"N
>> 10°08'02,42"E




Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-22 Thread Andreas Hasenack
On Fri, Sep 22, 2017 at 10:45 AM, Robert Heller wrote:

> At Fri, 22 Sep 2017 10:47:29 +0200 Dieter Klünter <die...@dkluenter.de> wrote:
>
> >
> > On Thu, 21 Sep 2017 10:01:48 -0400 (EDT)
> > Robert Heller wrote:
> > [...]
> >
> > > Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [1]
> > > mask: write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com
> > > slapd[17535]: => slap_access_allowed: search access granted by
> > > write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]:
> > > => access_allowed: search access granted by write(=wrscxd) Sep 21
> > > 09:50:01 c764guest.deepsoft.com slapd[17535]: conn=1000 op=11 SEARCH
> > > RESULT tag=101 err=0 nentries=0 text=
> > [...]
> >
> > You should find out why operation 11 results in 0 entries.
>
> Operation 11 *seems* to be fetching the uid, using self, which has write
> access, which implies read access, which seems to work just fine, using
> ldapsearch from the command line:
>
> [heller@c764guest ~]$ ldapsearch -D uid=test2user,ou=People,dc=deepsoft,dc=com
> -W -LLL '(uid=test2user)' uid
> Enter LDAP Password:
> dn: uid=test2user,ou=People,dc=deepsoft,dc=com
> uid: test2user
>

I haven't checked your logs, so apologies if the answers to my points are
in there.

Is your search above the same search done by the tool? Consider:
- base: where does the search start? dc=deepsoft,dc=com? ou=People?
- type of search: base, one, sub
- search filter: is (uid=test2user) the only filter? Usually there are
objectClass filters together with that


Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-22 Thread Robert Heller
Things are still not working.  Here is my olcDatabase={2}hdb.ldif file 
(which contains the access control):

dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=deepsoft,dc=com
olcRootDN: cn=Manager,dc=deepsoft,dc=com
olcRootPW: {SSHA}rAk/xVPcZRGhumUTuc2T9xngcSQwL5Sx
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn=uid=sssd,ou=People,dc=deepsoft,dc=com read
  by dn=uid=nslcd,ou=People,dc=deepsoft,dc=com read
  by * none
olcAccess: {1}to *
  by self write
  by anonymous auth
  by * read
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 7e6a8cd4-30da-1037-9c55-458bcc6c0ce0
creatorsName: cn=config
createTimestamp: 20170918163057Z
entryCSN: 20170918163057.600191Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20170918163057Z

And here are the log files from slapd (run with -s 128) and sssd_map (also with 
debugging enabled):

● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-09-21 09:46:06 EDT; 4min 7s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 17533 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 17495 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 17535 (slapd)
   CGroup: /system.slice/slapd.service
           └─17535 /usr/sbin/slapd -u ldap -h ldapi:/// ldap://127.0.0.1/ ldap://192.168.250.98/ -s 128

Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [3] applying read(=rscxd) (stop)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [3] mask: read(=rscxd)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => slap_access_allowed: read access granted by read(=rscxd)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => access_allowed: read access granted by read(=rscxd)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => access_allowed: result not in cache (homeDirectory)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => access_allowed: read access to "uid=test2user,ou=People,dc=deepsoft,dc=com" "homeDirectory" requested
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => acl_get: [2] attr homeDirectory
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => acl_mask: access to entry "uid=test2user,ou=People,dc=deepsoft,dc=com", attr "homeDirectory" requested
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => acl_mask: to value by "uid=sssd,ou=people,dc=deepsoft,dc=com", (=0)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= check a_dn_pat: self
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= check a_dn_pat: anonymous
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= check a_dn_pat: *
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [3] applying read(=rscxd) (stop)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [3] mask: read(=rscxd)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => slap_access_allowed: read access granted by read(=rscxd)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => access_allowed: read access granted by read(=rscxd)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => access_allowed: result not in cache (loginShell)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => access_allowed: read access to "uid=test2user,ou=People,dc=deepsoft,dc=com" "loginShell" requested
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => acl_get: [2] attr loginShell
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => acl_mask: access to entry "uid=test2user,ou=People,dc=deepsoft,dc=com", attr "loginShell" requested
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => acl_mask: to value by "uid=sssd,ou=people,dc=deepsoft,dc=com", (=0)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= check a_dn_pat: self
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= check a_dn_pat: anonymous
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= check a_dn_pat: *
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [3] applying read(=rscxd) (stop)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [3] mask: read(=rscxd)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => slap_access_allowed: read access granted by read(=rscxd)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => access_allowed: read access granted by read(=rscxd)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => access_allowed: result not in cache (gecos)
Sep 21 09:47:09 c764guest.deepsoft.com slapd[17535]: => access_allowed: read access to 
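
The ACL evaluation that the acl_get / check a_dn_pat / acl_mask lines above record can be replayed offline. The following is an added example, not code from the thread or from OpenLDAP: it models slapd's first-match `to`/`by` semantics over the two olcAccess rules posted above and reports, for a given bind DN and attribute, which `by` clause stops evaluation and what level it grants. Only the clause forms used in that LDIF are modelled (attrs=..., *, self, anonymous, dn=<exact dn>), and DN comparison is a case-insensitive simplification.

```python
"""Trace OpenLDAP olcAccess evaluation for one request.

Added example, not code from the thread: it models slapd's first-match
'to' / 'by' semantics and emits a trace shaped like the -d 128 lines quoted
above. Only clause forms used in the posted olcDatabase={2}hdb.ldif are
modelled (attrs=..., *, self, anonymous, dn=<exact dn>); DN comparison is
a case-insensitive simplification.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# slapd access levels, lowest to highest; each level implies all below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Letters slapd prints in masks such as write(=wrscxd) or read(=rscxd).
LETTERS = {"disclose": "d", "auth": "x", "compare": "c", "search": "s",
           "read": "r", "write": "w", "manage": "m"}


def mask(level: str) -> str:
    """Render a level the way acl_mask does, e.g. 'read(=rscxd)'."""
    idx = LEVELS.index(level)
    letters = "".join(LETTERS[lv] for lv in reversed(LEVELS[1:idx + 1]))
    return f"{level}(={letters})" if letters else "none(=0)"


def norm_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDNs (enough for these DNs)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


@dataclass
class Rule:
    attrs: Optional[Set[str]]   # lower-cased attribute names; None means 'to *'
    by: List[Tuple[str, str]]   # ordered (who, level) clauses


def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    """Evaluate one <who> clause against the bound DN and the target entry."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and norm_dn(bind_dn) == norm_dn(target_dn)
    if who.startswith("dn="):
        return bind_dn != "" and norm_dn(who[3:]) == norm_dn(bind_dn)
    raise ValueError(f"unsupported <who> clause: {who}")


def granted(rules: List[Rule], bind_dn: str, target_dn: str, attr: str):
    """Return (level, trace) for the first 'to' rule that covers attr.

    Inside that rule the first matching 'by' clause wins (slapd's default
    'stop' control); if none matches, the implicit 'by * none' applies.
    """
    trace = []
    for i, rule in enumerate(rules, start=1):
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        trace.append(f"=> acl_get: [{i}] attr {attr}")
        for j, (who, level) in enumerate(rule.by, start=1):
            trace.append(f"<= check a_dn_pat: {who}")
            if who_matches(who, bind_dn, target_dn):
                trace.append(f"<= acl_mask: [{j}] applying {mask(level)} (stop)")
                return level, trace
        return "none", trace
    return "none", trace  # no 'to' rule covered the attribute


def allows(rules, bind_dn, target_dn, attr, needed):
    """True when the granted level is at least `needed` (higher levels imply lower)."""
    level, _ = granted(rules, bind_dn, target_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(needed)


# The two olcAccess rules from the olcDatabase={2}hdb.ldif posted above.
HDB_RULES = [
    Rule({"userpassword"}, [("self", "write"), ("anonymous", "auth"),
                            ("dn=uid=sssd,ou=People,dc=deepsoft,dc=com", "read"),
                            ("dn=uid=nslcd,ou=People,dc=deepsoft,dc=com", "read"),
                            ("*", "none")]),
    Rule(None, [("self", "write"), ("anonymous", "auth"), ("*", "read")]),
]
USER_DN = "uid=test2user,ou=People,dc=deepsoft,dc=com"
SSSD_DN = "uid=sssd,ou=people,dc=deepsoft,dc=com"  # lower-cased, as the log shows it

if __name__ == "__main__":
    # Compare a self bind, the sssd service bind and an anonymous bind.
    for bind in (USER_DN, SSSD_DN, ""):
        for attr in ("uid", "userPassword"):
            level, trace = granted(HDB_RULES, bind, USER_DN, attr)
            print(f"{bind or '<anonymous>'} / {attr}: {mask(level)}; "
                  f"search ok: {allows(HDB_RULES, bind, USER_DN, attr, 'search')}")
```

Run against these rules, an anonymous bind ends at `by anonymous auth` in rule {1} and therefore gets auth but not search on `uid`, which is the kind of difference between a self bind and whatever DN the PAM side actually binds as that the trace makes visible.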

Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-22 Thread Robert Heller
At Fri, 22 Sep 2017 10:47:29 +0200 Dieter Klünter wrote:

> 
> On Thu, 21 Sep 2017 10:01:48 -0400 (EDT)
> Robert Heller wrote:
> [...]
> 
> > Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [1]
> > mask: write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com
> > slapd[17535]: => slap_access_allowed: search access granted by
> > write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]:
> > => access_allowed: search access granted by write(=wrscxd) Sep 21
> > 09:50:01 c764guest.deepsoft.com slapd[17535]: conn=1000 op=11 SEARCH
> > RESULT tag=101 err=0 nentries=0 text=
> [...]
> 
> You should find out why operation 11 results in 0 entries.

Operation 11 *seems* to be fetching the uid, using self, which has write 
access, which implies read access, which seems to work just fine, using 
ldapsearch from the command line:

[heller@c764guest ~]$ ldapsearch -D uid=test2user,ou=People,dc=deepsoft,dc=com 
-W -LLL '(uid=test2user)' uid
Enter LDAP Password: 
dn: uid=test2user,ou=People,dc=deepsoft,dc=com
uid: test2user

I don't know what is going on here.

Also: there is a "TLS negotiation failure" failure. I have not even enabled
TLS and/or ssl. At least I don't think I have it enabled. I *think* I have it
disabled everywhere. I want to test things without messing with creating a SSL
Cert (none of this is anything close to a public facing production
environment). I have ldap_id_use_start_tls set to false in /etc/sssd/sssd.conf 
-- is there some other option I need to set?

Is there any chance that selinux is having any effect?  Selinux can be pesky 
at times.

> 
> -Dieter
> 
> -- 
> Dieter Klünter | Systems Consulting
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com   -- Webhosting Services



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-22 Thread Dieter Klünter
On Thu, 21 Sep 2017 10:01:48 -0400 (EDT)
Robert Heller wrote:
[...]

> Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [1]
> mask: write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com
> slapd[17535]: => slap_access_allowed: search access granted by
> write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]:
> => access_allowed: search access granted by write(=wrscxd) Sep 21
> 09:50:01 c764guest.deepsoft.com slapd[17535]: conn=1000 op=11 SEARCH
> RESULT tag=101 err=0 nentries=0 text=
[...]

You should find out why operation 11 results in 0 entries.

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-20 Thread Dieter Klünter
On Wed, 20 Sep 2017 14:20:54 -0400 (EDT)
Robert Heller wrote:

> At Wed, 20 Sep 2017 19:30:17 +0200 Dieter Klünter wrote:
> 
> > 
> > On Wed, 20 Sep 2017 12:32:37 -0400 (EDT)
> > Robert Heller wrote:
[...]
> I added:
> 
> logLevel: 128
> 
> to the end of /etc/openldap/slapd.d/cn=config.ldif
> 
> But it does not like it:
> 
> Sep 20 13:59:47 c764guest.deepsoft.com slapd[32362]: UNKNOWN
> attributeDescription "LOGLEVEL" inserted.
> 
> The documentaion talks about loglevel in slapd.conf, but I am not
> using slapd.conf...

I am not talking about logging and loglevel, I am talking about
debugging and debug level.

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-20 Thread Dieter Klünter
On Wed, 20 Sep 2017 14:20:54 -0400 (EDT)
Robert Heller wrote:

> At Wed, 20 Sep 2017 19:30:17 +0200 Dieter Klünter wrote:
> 
> > 
> > On Wed, 20 Sep 2017 12:32:37 -0400 (EDT)
> > Robert Heller wrote:
> > 
> > > OK, I fixed the ACLs (I think), but it is still not working.  I
> > > turned on verbose debugging for sssd[pam] and moderate debugging
> > > for slapd.
> > > 
> > > Here are my ACLs
> > > in /etc/openldap/slapd.d/cn\=config/olcDatabase\={2}hdb.ldif:
> > > 
> > > olcAccess: {0}to attrs=userPassword
> > >   by self write
> > >   by anonymous auth
> > >   by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
> > >   by * none
> > > olcAccess: {1}to *
> > >   by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
> > >   by * read
> > > 
> > > There are also these olcAccess entries:
> > > 
> > > in /etc/openldap/slapd.d/cn\=config/olcDatabase\={0}config.ldif:
> > > 
> > > olcAccess: {0}to * by
> > > dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> > > manage by * none
> > > 
> > > and
> > > in /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}monitor.ldif:
> > > 
> > > olcAccess: {0}to * by
> > > dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> > > read by dn.base="cn=Manager,dc=deepsoft,dc=com" read by *
> > > none
> > [...]
> > 
> > You may run slapd in debugging mode 128.  
> 
> How do I do that using the "new" configuration method in 
> /etc/openldap/slapd.d?
> 
> I added:
> 
> logLevel: 128
> 
> to the end of /etc/openldap/slapd.d/cn=config.ldif
> 
> But it does not like it:
[...]

man slapd(8),
$(EXECDIR)/slapd -h ldap:/// -F $(CONFIGDIR)/slapd.d -u $USER -g $GROUP -d 128

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-20 Thread Robert Heller
At Wed, 20 Sep 2017 19:30:17 +0200 Dieter Klünter wrote:

> 
> On Wed, 20 Sep 2017 12:32:37 -0400 (EDT)
> Robert Heller wrote:
> 
> > OK, I fixed the ACLs (I think), but it is still not working.  I
> > turned on verbose debugging for sssd[pam] and moderate debugging for
> > slapd.
> > 
> > Here are my ACLs
> > in /etc/openldap/slapd.d/cn\=config/olcDatabase\={2}hdb.ldif:
> > 
> > olcAccess: {0}to attrs=userPassword
> >   by self write
> >   by anonymous auth
> >   by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
> >   by * none
> > olcAccess: {1}to *
> >   by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
> >   by * read
> > 
> > There are also these olcAccess entries:
> > 
> > in /etc/openldap/slapd.d/cn\=config/olcDatabase\={0}config.ldif:
> > 
> > olcAccess: {0}to * by
> > dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> > manage by * none
> > 
> > and in /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}monitor.ldif:
> > 
> > olcAccess: {0}to * by
> > dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> > read by dn.base="cn=Manager,dc=deepsoft,dc=com" read by * none
> [...]
> 
> You may run slapd in debugging mode 128.

How do I do that using the "new" configuration method in 
/etc/openldap/slapd.d?

I added:

logLevel: 128

to the end of /etc/openldap/slapd.d/cn=config.ldif

But it does not like it:

Sep 20 13:59:47 c764guest.deepsoft.com slapd[32362]: UNKNOWN 
attributeDescription "LOGLEVEL" inserted.

The documentation talks about loglevel in slapd.conf, but I am not using 
slapd.conf...

> 
> -Dieter
> 
> -- 
> Dieter Klünter | Systems Consulting
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com   -- Webhosting Services



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-20 Thread Dieter Klünter
On Wed, 20 Sep 2017 12:32:37 -0400 (EDT)
Robert Heller wrote:

> OK, I fixed the ACLs (I think), but it is still not working.  I
> turned on verbose debugging for sssd[pam] and moderate debugging for
> slapd.
> 
> Here are my ACLs
> in /etc/openldap/slapd.d/cn\=config/olcDatabase\={2}hdb.ldif:
> 
> olcAccess: {0}to attrs=userPassword
>   by self write
>   by anonymous auth
>   by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
>   by * none
> olcAccess: {1}to *
>   by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
>   by * read
> 
> There are also these olcAccess entries:
> 
> in /etc/openldap/slapd.d/cn\=config/olcDatabase\={0}config.ldif:
> 
> olcAccess: {0}to * by
> dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> manage by * none
> 
> and in /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}monitor.ldif:
> 
> olcAccess: {0}to * by
> dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> read by dn.base="cn=Manager,dc=deepsoft,dc=com" read by * none
[...]

You may run slapd in debugging mode 128.

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-20 Thread Robert Heller
At Wed, 20 Sep 2017 09:09:23 +0200 Clément OUDOT wrote:

> On 19/09/2017 at 18:45, Robert Heller wrote:
> > I am having a hard time setting a user password using ldap (OpenLDAP
> > 2.4.40-13.el7) on a CentOS 7 system.
> >
> > I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client),
> > nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have
> > created a user in the ldap database, and getent works just fine -- the uid and
> > gid are seen, etc. But I cannot set the user's password in a way that works
> > for su (and presumably login/slogin, etc.).  I am using ldappasswd to set the
> > user's password.
> >
> > I am thinking that PAM and ldappasswd are using *different* one-way encryption
> > methods and I am guessing I need to update a configuration somewhere (either
> > for pam, sssd, or nslcd), but I am not finding it.
> 
> PAM is an LDAP client so does not read the password, it just sends BIND
> requests and the OpenLDAP server then checks the password by using the
> hashing method corresponding to the current password value.
> 
> Can you check in your server ACLs (olcAccess parameter) that anonymous
> users have the 'auth' right on the userPassword attribute?

OK, I will check...

> 
> -- 
> Clément OUDOT
> Free software consultant, infrastructure and security expert
> Savoir-faire Linux
> 137 boulevard de Magenta - 75010 PARIS
> Blog: http://sflx.ca/coudot

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com   -- Webhosting Services



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-20 Thread Clément OUDOT

On 19/09/2017 at 18:45, Robert Heller wrote:

> I am having a hard time setting a user password using ldap (OpenLDAP
> 2.4.40-13.el7) on a CentOS 7 system.
> 
> I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client),
> nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have
> created a user in the ldap database, and getent works just fine -- the uid and
> gid are seen, etc. But I cannot set the user's password in a way that works
> for su (and presumably login/slogin, etc.).  I am using ldappasswd to set the
> user's password.
> 
> I am thinking that PAM and ldappasswd are using *different* one-way encryption
> methods and I am guessing I need to update a configuration somewhere (either
> for pam, sssd, or nslcd), but I am not finding it.


PAM is an LDAP client so does not read the password, it just sends BIND 
requests and the OpenLDAP server then checks the password by using the 
hashing method corresponding to the current password value.


Can you check in your server ACLs (olcAccess parameter) that anonymous 
users have the 'auth' right on the userPassword attribute?


-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot




Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-19 Thread Robert Heller
I am having a hard time setting a user password using ldap (OpenLDAP 
2.4.40-13.el7) on a CentOS 7 system.

I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client),
nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have
created a user in the ldap database, and getent works just fine -- the uid and
gid are seen, etc. But I cannot set the user's password in a way that works
for su (and presumably login/slogin, etc.).  I am using ldappasswd to set the 
user's password.

I am thinking that PAM and ldappasswd are using *different* one-way encryption 
methods and I am guessing I need to update a configuration somewhere (either 
for pam, sssd, or nslcd), but I am not finding it.

-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
hel...@deepsoft.com   -- Webhosting Services