All right, here's next step.

As I mentioned, I linked both local/etc/ldap.conf and local/etc/nss_pam.conf symbolically to /local/etc/openldap/ldap.conf (OpenLDAP's ldap.conf). This file only contains a restricted common subset of options understood by OpenLDAP's clients, nss_ldap and pam_ldap. Obviously, this did not work (again: I already successfully installed OpenLDAP, nss_ldap and pam_ldap!).

So I turned to having separate files for each library and facility. The only thing I changed was the default dc=xxx tags and the uri tag to access either the local socket, the local secure port or the local normal port. OpenLDAP was listening on all three facilities, as sockstat(1) reported positively.

Well, I also changed /etc/nsswitch.conf to look first for 'files', then for 'ldap' for group and passwd. I also have ACLs defined in slapd.conf.

The problem at the moment is, when nss_ldap is running, login as root on the console takes several minutes (like a NIS server has gone away; I think nss_ldap does not reach its LDAP server, so it is of the same quality as a missing NIS). I tried to avoid this by having 'files' prior to 'ldap' in nsswitch.conf, but that does not work. Logins from outside are impossible; I see a lot of error messages on the console that nss_ldap can't contact its OpenLDAP server. When logged in on the console, I can do a simple slapcat(1) and get a lot of definitions, so this shows a running and responding OpenLDAP server.

I feel seriously desperate because I don't know how to trace the communication paths between the pam/nss clients and the OpenLDAP server.

At the beginning of setting up the environment, I strictly followed the suggestions and examples shown in the OpenLDAP tutorials from OpenLDAP itself - but with no success! Other tutorials around the web mostly target outdated environments (FreeBSD 5.1, older OpenLDAP versions or strange Linux setups).

In my case, I expect some errors from the OpenLDAP server if a client tries to access the server without having been granted permission to access, read or even write to the directory, but all I get is a failure in connecting to the OpenLDAP server, as if it did not exist. This is strange! Maybe it is also a problem with the TLS/SSL facility, but this should also be reported either by the client or the OpenLDAP server itself. But nothing is shown so far reflecting a problem. Without any SSL/TLS certificate for encryption, I end up in the same strange problem. Even SAMBA struggles when connecting to LDAP services - because it also cannot find the target.

So, I suspect some problems with FreeBSD 7.0-CURRENT. Is nobody out here utilizing FBSD 7.0 in combination with OpenLDAP (most recent version as taken from the ports in conjunction with pam_ldap/nss_ldap)?

Strange,

regards,
Oliver
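As an added diagnostic (written for this thread, not code from nss_ldap, pam_ldap or OpenLDAP), the script below reads an nss_ldap-style ldap.conf and an nsswitch.conf and reports the settings behind the symptoms described above: a uri pointing at a socket that does not exist, the hard bind policy that makes every lookup retry when the server is unreachable, and root's group lookup still going to LDAP even with 'files' listed first. The two sample files are constructed; bind_policy and nss_initgroups_ignoreusers are assumed to be supported by the installed nss_ldap.

```python
import os, re
from urllib.parse import unquote

# Constructed samples modelled on the shared ldap.conf and nsswitch.conf
# quoted in the thread; the values are illustrative, not a real site.
SAMPLE_LDAP_CONF = "base    dc=foo,dc=org\nuri     ldapi://%2fvar%2frun%2fopenldap%2fldapi/\n"
SAMPLE_NSSWITCH = "group:  files ldap\npasswd: files ldap\nhosts:  files dns\n"

def parse_kv(text):
    """Parse nss_ldap-style 'key value' lines; comments skipped, keys lower-cased."""
    conf = {}
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    return conf

def parse_nsswitch(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    db = {}
    for line in text.splitlines():
        name, sep, srcs = line.split('#', 1)[0].partition(':')
        if sep:
            db[name.strip()] = srcs.split()
    return db

def ldapi_socket_path(uri):
    """Decode the %2f-escaped socket path of an ldapi:// URI, else None."""
    m = re.match(r'ldapi://([^/]+)/?$', uri)
    return unquote(m.group(1)) if m else None

def check(ldap_conf, nsswitch, socket_exists=os.path.exists):
    """Return findings that explain slow or failing logins through nss_ldap."""
    findings = []
    path = ldapi_socket_path(ldap_conf.get('uri', ''))
    if path and not socket_exists(path):
        findings.append(f'uri points at a socket that does not exist: {path}')
    # nss_ldap's default bind_policy is hard: with the server unreachable every
    # lookup retries with backoff, which is what a minutes-long root login looks like.
    if ldap_conf.get('bind_policy', 'hard').lower() != 'soft':
        findings.append('bind_policy is hard; set "bind_policy soft" while debugging')
    # 'files' before 'ldap' does not spare root: initgroups consults every
    # source of the group database, so exclude root from LDAP group lookups.
    ignored = ldap_conf.get('nss_initgroups_ignoreusers', '').split(',')
    if 'ldap' in nsswitch.get('group', []) and 'root' not in ignored:
        findings.append('add "nss_initgroups_ignoreusers root" so root never waits on LDAP')
    return findings
```

Run it against the real /usr/local/etc/nss_ldap.conf and /etc/nsswitch.conf by reading those files into parse_kv and parse_nsswitch; socket_exists is left overridable so the check can be exercised without the socket present.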
Brian A. Seklecki wrote:

There should be an nss_ldap.conf and pam_ldap.conf in /usr/local/etc . You need to set a variety of settings there. What do they look like?

Remember: pkg_info -L pam_ldap nss_ldap!

Also, not sure about the TCP FIN_2 issue -- probably just the usual shakes and bangs with -current. ~BAS


On Fri, 28 Sep 2007, O. Hartmann wrote:

Thank you for responding.
So, I'll feel free to report my bad luck. This is a reference page I consulted for some hints, but without success:

http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html

First, the OS is the most recent FreeBSD 7.0.
OpenLDAP is openldap-server-2.3.38, standard config, no SASL support or anything else apart from default
PAM_LDAP
NSS_LDAP

I renamed cached.conf to nscd.conf as suggested (for your information).
In /etc/nsswitch.conf I changed
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I also changed /etc/pam.d/sshd to this:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth            sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

Both configuration files, for nss_ldap and pam_ldap respectively, got linked to /usr/local/etc/openldap/ldap.conf, which looks like this:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=foo,dc=org
#URI    ldapi:///
URI     ldapi://%2fvar%2frun%2fopenldap%2fldapi/

#SSL     start_tls

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

#TLS_CACERT
#TLS_CERT
#TLS_KEY
#TLS_REQCERT    allow
#TLS_REQCERT    demand
#TLS_CHECKPEER  yes

My /etc/rc.conf.local file has the following OpenLDAP specific entry:

###########################################################
### OpenLDAP Server                                     ###
###########################################################
slapd_enable="YES"
#slapd_flags='-d 3 -4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"'
slapd_flags='-4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210 ldaps://192.168.2.210"'
slapd_sockets="/var/run/openldap/ldapi"


My OpenLDAP config file has SSL-certificates disabled.

After the installation of nss_ldap the slapd server takes several tens of seconds to start. But it starts well, and after it has initialized itself, I can do a simple 'slapcat' on the server and receive output.

But I can't access the LDAP server. Doing an 'id testuser' results in 'id not found'.

On the console, I receive massive numbers of errors like this:

TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received data after socket was closed, sending RST and removing tcpcb

Well, I checked sockstat for a listening slapd and I found slapd listening on both loopback and the local NIC, and on both ports 389 and 636.

So what is wrong?

Regards,
a desperate Oliver

Brian A. Seklecki wrote:
FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
(PKI). All other services (RADIUS, Apache ((mod_ldap, mod_pam_auth), PHP,
interactive shell, SFTP, etc.) can be tied into LDAP either directly or
via PAM.

As for password change, I don't know if anyone has a passwd(1) binary
that properly changes the LDAP password attribute -- if there is and it's
out there, it requires ACL insanity.  Like Oracle, you can either
understand OpenLDAP ACLs, or you have real work to do  >:}

        Check the nss_pam.conf and nss_ldap.conf configs in local/etc/*
        -- set to "debug 1" to get debugging info.  Feel free to share
        error messages.

~BAS

On Fri, 2007-09-28 at 10:54 +0000, O. Hartmann wrote:

Hello out there,
I have a problem with setting up a FreeBSD box as an OpenLDAP server with several services, like SAMBA and NFS.

The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also acting as OpenLDAP server. So far, OpenLDAP is up and running, using a TLS/SSL certificate. SAMBA is also up and running - but it never connects to the OpenLDAP server due to a connection error; this shouldn't be the subject here, though, as I have more basic questions about what FreeBSD already has and what to install additionally.

I want customers to log in on the FBSD box, so they should log in (authenticated via OpenLDAP), change their passwords and shells, and those user specifics should be updated on the LDAP server.

I already installed the pam_ldap port but ran into trouble because FreeBSD's nss obviously does not have a tag 'ldap' to refer to an OpenLDAP server (and not files). Well, I'm confused and not very firm with OpenLDAP/PAM/NSS stuff, especially if SSL/TLS come into play, and I would like to ask those herein administering such setups, especially within a hybrid NFS/SAMBA fileservicing environment, where to find up-to-date information/howtos/tips.

Most websites and HowTo's I found were Linux related or, if related to FreeBSD, outdated.

Sorry for being so unspecific, but the problem is complex (to me), so I would rather ask those who are willing to help or give hints and tips.

Thanks in advance and for your patience,
Oliver

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

l8*
    -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
           http://www.spiritual-machines.org/

    "Guilty? Yeah. But he knows it. I mean, you're guilty.
    You just don't know it. So who's really in jail?"
    ~Maynard James Keenan
