Re: central authentication with LDAP
Hello!

On Mon, Jan 28, 2002 at 03:55:08PM +0800, Patrick Hsieh wrote:
> ...
> Now I'd like to make my Debian GNU/Linux login and authenticate from the
> LDAP server, where should I begin?
> ...

I have played around with ldap and pam since mid-December, and found that there are some issues with Debian's packages. The original pam modules are well documented, the newer ones are not. I had to go back to the sources.

The openldap installer (potato unstable/testing) for libnss-ldap, libpam-ldap configures /etc/ldap/ldap.conf, but the openldap utilities look in /etc/openldap/ldap.conf (just make a symlink).

The slapd configuration shows you how to secure your database, but in principle does not do it.

There are a lot of schemas delivered, so you should not need to make them yourselves; look at /etc/ldap/schema/*, and just include the ones you need in /etc/ldap/slapd.conf.

On padl's site I downloaded the Migration tools, then crouched one or two of them, and now I am able to say on my central authentication host:

    adduser username
    - and configure the unix-user
    user2ldap username

which imports the user entry in /etc/passwd, /etc/shadow into the slapd database, including very nice features like setting surname, GivenName, telephone numbers, RoomNumber, ...

It's not baked out, but I would be very glad to share and discuss with other people interested in the same thing.

In fact I mailed a collect-mail to some of the maintainers because I think that pam/ldap/nss actually are dangerous for the non-guru installer, but I only got a response from one.

Best Regards,
Jorge-León

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: central authentication with LDAP
Hello!

On Mon, Jan 28, 2002 at 03:55:08PM +0800, Patrick Hsieh wrote:
> ...
> Now I'd like to make my Debian GNU/Linux login and authenticate from the
> LDAP server, where should I begin?
> ...

Sorry, I forgot another issue with libpam-ldap: there is an anonymous user, and if you do not authenticate, libpam lets you in as that one, without asking for a password. So I put libpam-ldap at the bottom of the pam auth stack, with the following options:

    ...
    auth sufficient pam_ldap.so use_first_pass ignore_unknown_user
    auth required   pam_deny.so

So unauthenticated login will be denied. However, the authentication message is not to my taste then...

Best Regards,
Jorge-León
Re: central authentication with LDAP
> openldap installer (potato unstable/testing) for libnss-ldap, libpam-ldap
> configures /etc/ldap/ldap.conf, but the openldap utilities look in
> /etc/openldap/ldap.conf (just make a symlink).

Is this also true for unstable? Also I noticed that the file names in /etc/openldap and /etc/ldap are the same. Can I just symlink the entire /etc/ldap directory to /etc/openldap?

> On padl's site I downloaded the Migration tools, then crouched one or two
> of them and now I am able to say on my central authentication host:

I will check these out...

> It's not baked out, but I would be very glad to share and discuss with
> other people interested in the same thing.

Thank you for your generosity. I have been struggling with openldap on debian unstable for weeks now; any help or suggestions you may have are greatly appreciated.

> In fact I mailed a collect-mail to some of the maintainers because I think
> that pam/ldap/nss actually are dangerous for the non-guru installer, but I
> only got a response from one.

You are telling me. As a non-guru I may have totally hosed my system by now. Just today I was seriously thinking about re-installing from scratch. BTW, is it possible to downgrade your debian from unstable to testing? I am also thinking about doing that.

:wq
Tim Uckun
US Investigations Services/Due Diligence http://www.diligence.com/
Re: central authentication with LDAP
On Tue, 29 Jan 2002 16:43, Tim Uckun wrote:
> > Using the -x switch to disable SASL is one solution to this (and it's
> > quite adequate for localhost connections). For network connections you
> > may want to get SASL working (I don't know how to do this) or to use
> > TLS (not currently supported in Debian packages last time I checked).
>
> Tried that but it didn't work either.

What does it do? Please give us the command line you used and the errors that resulted when using the -x.

> > > but /etc/init.d/slapd stop will not stop slapd. killall -9 slapd
> > > will stop it.
> >
> > Strange. Sounds like a buggy init script. A new set of OpenLDAP
> > packages is due soon, hopefully they'll involve a re-write of the
> > start scripts.
>
> It's not the init script. I tried starting it by hand with the same
> result.

The init script is /etc/init.d/slapd. If /etc/init.d/slapd stop doesn't stop it then the init script is buggy.

> > > If I start it by hand /usr/sbin/slapd -d 256 the first thing it
> > > says is..
> > >     daemon: socket() failed errno=22 (invalid argument)
> > > then it starts and starts saying
> >
> > The slapd doesn't display enough debugging info. You'll have to
> > strace it to find out what that error means exactly.
>
> Actually after it spit out a few thousand connect messages it locked up
> the computer. The computer kept saying no free files. I had to reboot
> using the switch! I went home after that. Something is very very broken
> but I have no idea what it is..

Sounds like you have some other problems. I suggest changing the init script to run ulimit before starting slapd to limit the number of files it can access. Also change the sysctl entries for the number of files and inodes to double both of them. Then try it again.

--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
Re: central authentication with LDAP
On Mon, 28 Jan 2002, Patrick Hsieh wrote:
> Hello list,
> I just installed openldap and made my own address book on it. Now I'd
> like to make my Debian GNU/Linux login and authenticate from the LDAP
> server, where should I begin? I installed libpam-ldap, is it all I have
> to install? Is there any tutorial or howto talking about this deployment?
> Any ideas highly appreciated.

Depends. I did so recently with potato. What I had to do:

1. Create your directory structure in a way which best fits your needs.

2a. Create the user entries according to the posixAccount and shadowAccount schema. I wasn't able to find the schema definition for openldap1.2 so I had to create it manually from the schema which comes with openldap2.

2b. Create group entries according to posixGroup. Perhaps it is possible to combine them in one entry since debian uses the same number for uid and gid of one person. I'm currently trying this and it seems to work.

3. Install libpam-ldap and libnss-ldap. nss is a complete replacement for all programs' access to the user database. It should be possible to run a system with users in ldap without the pam_ldap module. When nsswitch is configured all requests to pam_unix go to ldap anyway.
   QUESTION: For what exactly do I need the pam_ldap module?

4. Set up libpam (pam_ldap.conf) to access your ldap server.

5. Set up the programs' confs in /etc/pam.d/, e.g. for su (which I used for testing):

    auth     sufficient pam_rootok.so
    auth     sufficient pam_ldap.so
    auth     required   pam_unix.so use_first_pass
    account  sufficient pam_ldap.so
    account  required   pam_unix.so
    session  required   pam_unix.so

6. Set up libnss-ldap.conf to access your ldap server.

7. Set up nsswitch.conf to use the libnss-ldap module, e.g.

    passwd: compat ldap
    group:  compat ldap
    shadow: compat ldap

8. Cross fingers. Push the button.

Hope that helps,
Florian

--
Florian Bantner
AXON-E Interaktive Medien
Tel. +49-941-599 854 4
Fax. +49-941-599 854 1
Mail [EMAIL PROTECTED]
Key http://www.axon-e.de/gpg/f.bantner.key
1191 0C87 D9DB 3217 ABBA 5223 6D74 AB19 5C9D FC49
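Florian's step 2a and Jorge-León's user2ldap (earlier in the thread) both come down to turning /etc/passwd and /etc/shadow records into posixAccount plus shadowAccount entries. The script below is an added example, written for this page; it is not the padl Migration tools and not Jorge-León's user2ldap. It builds one LDIF entry from a passwd line and its shadow line, adds inetOrgPerson so the GECOS name, room and phone fields land in sn/givenName/roomNumber/telephoneNumber (the "very nice features" Jorge-León mentions), skips userPassword for locked accounts, and base64-encodes any value that LDIF cannot carry verbatim. The base DN ou=People,dc=example,dc=com and the two sample records are constructed assumptions.

```python
import base64


def ldif_attr(name, value):
    """One LDIF line; uses '::' base64 form when RFC 2849 says the value is not a SAFE-STRING."""
    needs_b64 = (not value.isascii()
                 or any(c in value for c in "\0\r\n")
                 or value[:1] in (" ", ":", "<")
                 or value.endswith(" "))          # trailing space: conservative choice
    if needs_b64:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def user_to_ldif(passwd_line, shadow_line, base_dn="ou=People,dc=example,dc=com"):
    """Turn one /etc/passwd line plus its /etc/shadow line into an LDIF entry with
    posixAccount + shadowAccount (what NSS/PAM need) and inetOrgPerson (for the
    GECOS-derived name, room and phone attributes). Returns a list of LDIF lines."""
    name, _pw, uid, gid, gecos, home, shell = passwd_line.rstrip("\n").split(":")
    sfields = shadow_line.rstrip("\n").split(":")
    if sfields[0] != name:
        raise ValueError(f"shadow entry is for {sfields[0]!r}, not {name!r}")
    sfields = (sfields + [""] * 9)[:9]
    pwhash, lastchg, smin, smax, warn, inact, expire = sfields[1:8]

    # GECOS convention: full name,room,office phone,home phone
    gparts = (gecos.split(",") + [""] * 4)[:4]
    full_name = gparts[0].strip() or name
    words = full_name.split()
    sn = words[-1] if words else name

    lines = [ldif_attr("dn", f"uid={name},{base_dn}")]
    for oc in ("top", "person", "organizationalPerson", "inetOrgPerson",
               "posixAccount", "shadowAccount"):
        lines.append(ldif_attr("objectClass", oc))
    lines += [ldif_attr("uid", name), ldif_attr("cn", full_name), ldif_attr("sn", sn),
              ldif_attr("uidNumber", uid), ldif_attr("gidNumber", gid),
              ldif_attr("homeDirectory", home), ldif_attr("loginShell", shell)]
    if len(words) > 1:
        lines.append(ldif_attr("givenName", " ".join(words[:-1])))
    if gecos.isascii():                       # the gecos attribute is IA5String (ASCII only)
        lines.append(ldif_attr("gecos", gecos))
    for attr, val in (("roomNumber", gparts[1]), ("telephoneNumber", gparts[2]),
                      ("homePhone", gparts[3])):
        if val.strip():
            lines.append(ldif_attr(attr, val.strip()))
    # Locked accounts ('!' or '*' hash) get no userPassword, so they cannot bind.
    if pwhash and pwhash[0] not in "!*":
        lines.append(ldif_attr("userPassword", "{CRYPT}" + pwhash))
    for attr, val in (("shadowLastChange", lastchg), ("shadowMin", smin),
                      ("shadowMax", smax), ("shadowWarning", warn),
                      ("shadowInactive", inact), ("shadowExpire", expire)):
        if val:                               # empty shadow fields mean "not set"
            lines.append(ldif_attr(attr, val))
    return lines


# Constructed sample records (not real users; the hash is a placeholder).
SAMPLE_PASSWD = "jdoe:x:1001:1001:Jörg Doe,Room 12,+49-941-000000,:/home/jdoe:/bin/bash"
SAMPLE_SHADOW = "jdoe:$1$CONSTRUCTED$notarealhash:11715:0:99999:7:::"

if __name__ == "__main__":
    print("\n".join(user_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

Feed the output to ldapadd against the directory created in step 1. Entries whose names contain non-ASCII characters come out base64-encoded, which is what a conforming LDIF reader expects; the gecos attribute is dropped in that case because its syntax only admits ASCII.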
Re: central authentication with LDAP
On Mon, 28 Jan 2002 21:31, Florian Bantner wrote:
> On Mon, 28 Jan 2002, Patrick Hsieh wrote:
>
> 2b. Create group entries according to posixGroup. Perhaps it is possible
> to combine them in one entry since debian uses the same number for uid
> and gid of one person. I'm currently trying this and it seems to work.

NB, it is not required to store any group data in LDAP. For most installations the group data does not change often at all, and it can be more easily stored in /etc/group. Using /etc/group for the data instead of LDAP reduces the number of queries (keep in mind that queries have to be done for supplemental groups too).

> 3. Install libpam-ldap and libnss-ldap. nss is a complete replacement
> for all programs' access to the user database. It should be possible to
> run a system with users in ldap without the pam_ldap module. When
> nsswitch is configured all requests to pam_unix go to ldap anyway.
> QUESTION: For what exactly do I need the pam_ldap module?

nss allows you to replace /etc/passwd and /etc/shadow with LDAP. The PAM LDAP allows you to use non-SUID programs to change user-modifiable data (password, finger name, and shell) based on password authentication. It allows you to use different crypt methods, different LDAP settings for different services (only in woody), and UID/GID limits to what the LDAP can specify, such as UID 100 (not sure if potato has it).

>     auth     sufficient pam_rootok.so
>     auth     sufficient pam_ldap.so
>     auth     required   pam_unix.so use_first_pass
>     account  sufficient pam_ldap.so
>     account  required   pam_unix.so
>     session  required   pam_unix.so

I suggest putting pam_unix first and pam_ldap later in the list. If you do otherwise then an LDAP problem can make it impossible to login, which is a real bitch. I once had that happen to servers at a secure hosting facility; that was a real PITA.

> 6. Set up libnss-ldap.conf to access your ldap server.

You could probably run without it, but ls -l won't show the user names, and many programs won't like it. libnss-ldap is only used after you've logged in.

--
http://www.coker.com.au/~russell/ My home page
Re: central authentication with LDAP
On Mon, Jan 28, 2002 at 11:10:09PM +1100, Russell Coker wrote:
> On Mon, 28 Jan 2002 21:31, Florian Bantner wrote:
[snip]
> >     auth     sufficient pam_rootok.so
> >     auth     sufficient pam_ldap.so
> >     auth     required   pam_unix.so use_first_pass
> >     account  sufficient pam_ldap.so
> >     account  required   pam_unix.so
> >     session  required   pam_unix.so
>
> I suggest putting pam_unix first and pam_ldap later in the list. If you
> do otherwise then an LDAP problem can make it impossible to login, which
> is a real bitch. I once had that happen to servers at a secure hosting
> facility; that was a real PITA.
[snip]

I haven't looked at the PAM docs enough or bothered testing this, but I think what Florian has above should be fine. pam_ldap.so is sufficient, so that if LDAP is working and he types in the right user/pass combination, it should let him in. If LDAP is not working, it should fall through to pam_unix.so and also use the password he already typed in for pam_ldap.so.

--
Michael Wood [EMAIL PROTECTED]
Re: central authentication with LDAP
On Tue, 29 Jan 2002 02:14, Michael Wood wrote:
> On Mon, Jan 28, 2002 at 11:10:09PM +1100, Russell Coker wrote:
> >     auth     sufficient pam_rootok.so
> >     auth     sufficient pam_ldap.so
> >     auth     required   pam_unix.so use_first_pass
> >     account  sufficient pam_ldap.so
> >     account  required   pam_unix.so
> >     session  required   pam_unix.so
> >
> > I suggest putting pam_unix first and pam_ldap later in the list. If
> > you do otherwise then an LDAP problem can make it impossible to login,
> > which is a real bitch. I once had that happen to servers at a secure
> > hosting facility; that was a real PITA.
> [snip]
>
> I haven't looked at the PAM docs enough or bothered testing this, but I
> think what Florian has above should be fine.

I could have guessed that you didn't test it.

> pam_ldap.so is sufficient, so that if LDAP is working and he types in
> the right user/pass combination, it should let him in.

Yes.

> If LDAP is not working, it should fall through to pam_unix.so and also
> use the password he already typed in for pam_ldap.so.

If LDAP cleanly doesn't work, i.e. if it rejects the user name, or if an RST packet is generated by the LDAP server in response to a SYN, then things should be fine. If the LDAP server accepts the connection and just does nothing then things can get bad.

But feel free to test this out on one of your networks some time; I've already tested it on one of mine and had a network of dead machines as a result.

--
http://www.coker.com.au/~russell/ My home page
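To make the ordering argument concrete (Florian's su stack, Russell's suggestion to put pam_unix first, Michael's fall-through expectation, and Jorge-León's pam_deny backstop from earlier in the thread), here is an added Python simulation of how Linux-PAM walks an auth stack with the sufficient/required/requisite control flags. It is not PAM code and is not from anyone in the thread. Module outcomes are supplied per scenario: 'hang' stands for an LDAP server that accepts the TCP connection and never answers, and 'ignore' for what pam_ldap's ignore_unknown_user option yields for a user LDAP does not know. The two stacks are the ones from the thread written as /etc/pam.d auth lines; a non-root login is assumed, so pam_rootok.so fails.

```python
# Constructed simulation of how Linux-PAM walks an 'auth' stack; not PAM code.
# Module outcomes are supplied per scenario instead of calling real modules.

def parse_stack(text, facility="auth"):
    """Parse /etc/pam.d-style lines and keep the given facility.
    Returns a list of (control, module, options)."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            stack.append((parts[1], parts[2], parts[3:]))
    return stack


def run_auth_stack(stack, outcomes):
    """Evaluate the stack with Linux-PAM's control-flag rules.
    outcomes maps module name -> 'success', 'fail', 'ignore' (PAM_IGNORE, what
    pam_ldap's ignore_unknown_user yields for a user LDAP does not know) or
    'hang' (the module blocks: e.g. an LDAP server that accepts the TCP
    connection and never answers). Modules not listed fail.
    Returns (verdict, trace) with verdict in {'allow', 'deny', 'hang'}."""
    trace, failed, succeeded = [], False, False
    for control, module, _options in stack:
        result = outcomes.get(module, "fail")
        trace.append((module, result))
        if result == "hang":
            return "hang", trace               # nothing after it is ever reached
        if result == "ignore":
            continue
        ok = result == "success"
        if control == "sufficient":
            if ok and not failed:              # an earlier 'required' failure still wins
                return "allow", trace
        elif control == "requisite":
            if not ok:
                return "deny", trace
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True                  # remembered, but the stack keeps running
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return ("allow" if succeeded and not failed else "deny"), trace


# The two orderings discussed in the thread, as /etc/pam.d 'auth' lines.
LDAP_FIRST_STACK = parse_stack("""
auth sufficient pam_rootok.so
auth sufficient pam_ldap.so
auth required   pam_unix.so use_first_pass
""")

UNIX_FIRST_STACK = parse_stack("""
auth sufficient pam_rootok.so
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass ignore_unknown_user
auth required   pam_deny.so
""")


def scenario(stack, ldap, unix):
    """Verdict for a non-root login (pam_rootok fails, pam_deny always fails)
    given the outcome of pam_ldap and of pam_unix."""
    return run_auth_stack(stack, {"pam_ldap.so": ldap, "pam_unix.so": unix})[0]


if __name__ == "__main__":
    cases = [
        ("ldap first, LDAP rejects cleanly, local password ok", LDAP_FIRST_STACK, "fail", "success"),
        ("ldap first, LDAP hangs, local password ok", LDAP_FIRST_STACK, "hang", "success"),
        ("unix first, LDAP hangs, local password ok", UNIX_FIRST_STACK, "hang", "success"),
        ("unix first, LDAP hangs, LDAP-only user", UNIX_FIRST_STACK, "hang", "fail"),
        ("unix first, user unknown everywhere", UNIX_FIRST_STACK, "ignore", "fail"),
    ]
    for label, stack, ldap, unix in cases:
        print(f"{label:55s} -> {scenario(stack, ldap, unix)}")
```

Running the scenarios shows both posters are right about different cases: with pam_ldap sufficient before pam_unix required, a clean LDAP rejection falls through to the local password (Michael's expectation), but a hanging LDAP server blocks every login, local accounts included (Russell's outage). With pam_unix sufficient first, local accounts survive an LDAP hang; LDAP-only accounts still cannot log in until the server answers, which no ordering can fix. The trailing pam_deny.so is what turns a stack in which every module returned PAM_IGNORE into a denial rather than relying on PAM's default.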
Re: central authentication with LDAP
> If the LDAP server accepts the connection and just does nothing then
> things can get bad.

I am having a problem like this (I think). I installed slapd using apt-get and it did not complain. But very strange things are happening. When I do an ldapsearch it hangs for a long time and then returns with

    ldap_sasl_interactive_bind_s: Can't contact LDAP server

This occurs even if I do a ldapsearch -h 127.0.0.1. ps -ax shows ldap running. lsof shows ldap listening, but /etc/init.d/slapd stop will not stop slapd. killall -9 slapd will stop it.

If I start it by hand with /usr/sbin/slapd -d 256 the first thing it says is..

    daemon: socket() failed errno=22 (invalid argument)

then it starts and starts saying

    daemon: conn=X FS=Y connection from IP=(its own IP):somehighport (ip=0.0.0.0:34049) accepted

where X and Y are increasing integers. So why is slapd running and listening but not answering?

:wq
Tim Uckun
US Investigations Services/Due Diligence http://www.diligence.com/
Re: central authentication with LDAP
On Tue, 29 Jan 2002 11:10, Tim Uckun wrote:
> > If the LDAP server accepts the connection and just does nothing then
> > things can get bad.
>
> I am having a problem like this (I think). I installed slapd using
> apt-get and it did not complain. But very strange things are happening.
> When I do an ldapsearch it hangs for a long time and then returns with
>     ldap_sasl_interactive_bind_s: Can't contact LDAP server

Using the -x switch to disable SASL is one solution to this (and it's quite adequate for localhost connections). For network connections you may want to get SASL working (I don't know how to do this) or to use TLS (not currently supported in Debian packages last time I checked).

> but /etc/init.d/slapd stop will not stop slapd. killall -9 slapd will
> stop it.

Strange. Sounds like a buggy init script. A new set of OpenLDAP packages is due soon; hopefully they'll involve a re-write of the start scripts.

> If I start it by hand with /usr/sbin/slapd -d 256 the first thing it
> says is..
>     daemon: socket() failed errno=22 (invalid argument)
> then it starts and starts saying

The slapd doesn't display enough debugging info. You'll have to strace it to find out what that error means exactly.

--
http://www.coker.com.au/~russell/ My home page
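Tim's slapd is listening but never answers, and Russell's point is that a server which accepts the connection and then does nothing is the worst case for every client stacked on it. The probe below is an added example for this page (not from the thread and not OpenLDAP code): it opens a TCP connection, sends a hand-encoded anonymous LDAPv3 simple bind (the request ldapsearch -x sends when no -D is given), and classifies the endpoint as refused, silent (connection accepted but nothing came back before the deadline), closed, garbage, or responded with a result code. The two tiny fake servers are constructed stand-ins for slapd so the script runs offline; host and port are assumptions, and the probe is a client-side health check, not a replacement for strace on the daemon.

```python
import socket
import threading
import time

# Anonymous LDAPv3 simple BindRequest (messageID 1), hand-encoded in BER per RFC 4511:
#   30 0c            SEQUENCE, 12 bytes           (LDAPMessage)
#     02 01 01       INTEGER 1                    (messageID)
#     60 07          [APPLICATION 0], 7 bytes     (BindRequest)
#       02 01 03     INTEGER 3                    (version)
#       04 00        OCTET STRING ""              (name: anonymous)
#       80 00        [0] OCTET STRING ""          (simple password, empty)
ANON_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

# BindResponse with resultCode success(0); only the constructed fake server sends it.
BIND_RESPONSE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")


def _tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: n bytes of length follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_result(data):
    """Return the resultCode of an LDAP BindResponse, or None if data is not one."""
    try:
        tag, msg, _ = _tlv(data, 0)
        if tag != 0x30:
            return None
        _, _, p = _tlv(msg, 0)                 # skip messageID
        op_tag, op, _ = _tlv(msg, p)
        if op_tag != 0x61:                     # [APPLICATION 1] BindResponse
            return None
        rc_tag, rc, _ = _tlv(op, 0)
        if rc_tag != 0x0A:                     # ENUMERATED resultCode
            return None
        return int.from_bytes(rc, "big")
    except IndexError:
        return None


def probe_ldap(host, port, timeout=3.0):
    """Classify an LDAP endpoint from a client's point of view, with a deadline.
    Returns 'refused', 'silent', 'closed', 'garbage' or 'responded:<resultCode>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(ANON_BIND_REQUEST)
            try:
                data = s.recv(4096)
            except socket.timeout:
                return "silent"                # TCP accepted, no LDAP answer in time
            if not data:
                return "closed"                # server hung up without answering
            code = parse_bind_result(data)
            return f"responded:{code}" if code is not None else "garbage"
    except ConnectionRefusedError:
        return "refused"                       # RST: clients fail fast, the benign case
    except (ConnectionResetError, BrokenPipeError):
        return "closed"
    except socket.timeout:
        return "silent"                        # SYN never answered


def start_fake_server(mode, hold_seconds=2.0):
    """Constructed stand-in for slapd on 127.0.0.1: 'ok' answers the bind,
    'silent' accepts the connection and does nothing. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if mode == "ok":
                conn.recv(4096)
                conn.sendall(BIND_RESPONSE_SUCCESS)
            else:
                time.sleep(hold_seconds)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print("healthy :", probe_ldap("127.0.0.1", start_fake_server("ok")))
    print("hung    :", probe_ldap("127.0.0.1", start_fake_server("silent"), timeout=0.5))
```

A 'refused' answer is the case Russell calls fine: the client gets an RST and PAM moves on. 'silent' is the dangerous one from the thread, and it is also the distinction a monitoring check should make, since a port scan or lsof reports both cases as "listening".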
Re: central authentication with LDAP
> Using the -x switch to disable SASL is one solution to this (and it's
> quite adequate for localhost connections). For network connections you
> may want to get SASL working (I don't know how to do this) or to use TLS
> (not currently supported in Debian packages last time I checked).

Tried that but it didn't work either.

> > but /etc/init.d/slapd stop will not stop slapd. killall -9 slapd will
> > stop it.
>
> Strange. Sounds like a buggy init script. A new set of OpenLDAP
> packages is due soon; hopefully they'll involve a re-write of the start
> scripts.

It's not the init script. I tried starting it by hand with the same result.

> > If I start it by hand with /usr/sbin/slapd -d 256 the first thing it
> > says is..
> >     daemon: socket() failed errno=22 (invalid argument)
> > then it starts and starts saying
>
> The slapd doesn't display enough debugging info. You'll have to strace
> it to find out what that error means exactly.

Actually after it spit out a few thousand connect messages it locked up the computer. The computer kept saying no free files. I had to reboot using the switch! I went home after that. Something is very very broken but I have no idea what it is..

--
Tim Uckun
Mobile Intelligence Unit.
-- There are some who call me TIM? --