Re: RedHat 7.3 and LDAP - SOLVED!!

2003-02-17 Thread sentinel


Ok.  The problem turned out to be permissions.  Somehow during my initial
messing around with setting up openldap I had created two of the three
database files and assigned them to root:root.  When starting up openldap I
use -u ldap to switch to the user ldap.

Obviously when I run ldapadd I'm unable to perform the operation (again
running as user ldap).  Not sure how the rights were messed up.  Now
everyone is happy again :-)

Thanks to all who patiently helped me work through our ldap issues.  I've
learned a great deal these last few weeks!

Regards



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
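The ownership mistake described above can be caught before slapd is started. This is an added check, not code from the thread: find_ownership_mismatches and check_slapd_db_dir are hypothetical helper names, the database file names in demo() are constructed, and the directory to check is whatever your slapd.conf's directory directive points to.

```python
import os
import pwd
import tempfile


def find_ownership_mismatches(db_dir, expected_uid):
    """Return (path, actual_uid) for db_dir and every entry in it not owned by expected_uid.

    slapd started with -u <user> drops to that user before it opens the
    database, so every file it must open read/write has to belong to that
    user, and the directory itself has to belong to it too, or slapd cannot
    create new database or log files.
    """
    problems = []
    entries = [db_dir] + [os.path.join(db_dir, n) for n in sorted(os.listdir(db_dir))]
    for path in entries:
        st = os.lstat(path)
        if st.st_uid != expected_uid:
            problems.append((path, st.st_uid))
    return problems


def check_slapd_db_dir(db_dir, runtime_user):
    """Resolve the -u user name (e.g. 'ldap') to a uid, then run the check."""
    return find_ownership_mismatches(db_dir, pwd.getpwnam(runtime_user).pw_uid)


def demo():
    """Constructed layout: three files, checked against this process's uid.

    An unprivileged process cannot create root-owned files, so the mismatch
    case is shown by checking against a uid that owns nothing here.
    """
    with tempfile.TemporaryDirectory() as db_dir:
        for name in ("id2entry.bdb", "dn2id.bdb", "__db.001"):  # constructed names
            open(os.path.join(db_dir, name), "wb").close()
        clean = find_ownership_mismatches(db_dir, os.getuid())
        wrong = find_ownership_mismatches(db_dir, os.getuid() + 1)
        return len(clean), len(wrong)


if __name__ == "__main__":
    print(demo())
```

Run check_slapd_db_dir on the real directory as root; an empty list means the -u user owns everything slapd needs.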



Re: RedHat 7.3 and LDAP

2003-02-07 Thread Gordon Messmer
On Thu, 2003-02-06 at 13:29, sentinel wrote:
> >> Problem is I'm requiring it for security reasons.  Tough call.  777 to /home
> >> or no priv separation.  I think I'll check out the PAM modules code and see
> >> if there is a work around.
> 
> > I don't know.  Are the home directories that are created when you set
> > /home to 777 owned by the correct user, or by sshd?
> 
> Ok. Set home to 777 and added pam_mkhomedir again to system-auth.  When I
> login it creates the user's home directory just fine.  The user is the owner
> of the directory.  Interesting...  If I can do the same thing with the
> default /home rights then I'm set.  Looks like it switches to the user
> account then creates the user's home directory.  Bummer :-(

Yes, it would seem that privilege separation is not without tradeoffs. 
More secure sshd becomes less capable.

Your other option, I suppose, would be to mount /home from a central NFS
server, and you wouldn't have to worry about the pam_mkhomedir module.

> > By default, anyone in the world can connect to the LDAP server and read
> > data that's not private.  There's nothing insecure about that (except
> > for the binding part, but you should be filtering these connections at
> > your edge firewall).
> 
> We are.  However the requirements are pretty strict as defined by my
> employer.  I'm hoping to convince them it's unnecessary.

It shouldn't be too hard.  Here's the thing: if you configure the system
as an NSS client and bind with a name/password, the users of that system
have full access to the data on the LDAP server, just as if there were
no password at all.  All they have to do is enumerate users using any
standard library (trivial in C, Python, or Perl).

It's usually just a waste of effort.  The data that's going to be
readable would have been readable anyway.  Users can look at
/etc/passwd, and that's no security problem, right?  The shadow file
hides the password data, just as your LDAP server will by default.

> > * stores the username/password in plain text on every machine you
> > configure as an LDAP client
> > * sends the username/password over the network, usually in plain text
> 
> > The last two are where anonymous access is actually more secure than
> > forcing authentication for any read access.  The data that's readable is
> > not sensitive, so avoiding management logins just means that there's
> > less privilege that's likely to be escalated.
> 
> Is this also the case when using TLS and LDAP?

Yes on the first item, no on the second.




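The two costs Gordon attributes to a proxy bind user, and his answer that TLS removes only the wire exposure, can be checked mechanically against a client's ldap.conf. This is an added example, not code from the thread: parse_ldap_conf and assess_bind_credentials are hypothetical names, the first sample is the ldap.conf nate posted earlier in the thread (with his placeholder password), and the second is a constructed variant with a plain ldap:// URI.

```python
import stat

# Constructed from the ldap.conf posted earlier in this thread; the bindpw
# value is the poster's placeholder, not a real secret.
LDAP_CONF_LDAPS = """\
host 10.10.10.7
base ou=People,o=aphroland,c=us
uri ldaps://redhat.aphroland.org:6360/
ldap_version 3
binddn cn=nss,o=aphroland,c=us
bindpw MY_SUPER_SECRET_PASSWORD
port 6360
nss_base_passwd ou=People,o=aphroland,c=us?one
nss_base_group  ou=Group,o=aphroland,c=us?one
"""

# Constructed variant: same bind user, but an unencrypted ldap:// URI and no ssl line.
LDAP_CONF_PLAIN = LDAP_CONF_LDAPS.replace("ldaps://redhat.aphroland.org:6360/",
                                          "ldap://redhat.aphroland.org:389/")


def parse_ldap_conf(text):
    """Parse the 'key value' lines of a pam_ldap/nss_ldap ldap.conf into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def assess_bind_credentials(conf, file_mode):
    """Report how a proxy bind password is exposed, given the parsed config and
    the permission bits of the file it was read from (e.g. 0o644).

    The findings mirror the last two items in Gordon's list: the password sits
    in clear text on every client whatever the transport, and it also crosses
    the wire in clear text unless the connection itself is encrypted.
    """
    findings = []
    if "bindpw" not in conf:
        return findings  # anonymous bind: nothing stored, nothing to leak
    findings.append("bindpw stored in clear text in ldap.conf")
    if file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("ldap.conf readable by group/other: any local user can read bindpw")
    ssl_mode = conf.get("ssl", "off").lower()  # nss_ldap accepts 'on' and 'start_tls'
    encrypted = conf.get("uri", "").lower().startswith("ldaps://") or ssl_mode in ("on", "start_tls")
    if not encrypted:
        findings.append("bindpw sent over the network in clear text (no ldaps:// URI, ssl not on/start_tls)")
    return findings


if __name__ == "__main__":
    for name, text in (("ldaps", LDAP_CONF_LDAPS), ("plain", LDAP_CONF_PLAIN)):
        print(name, assess_bind_credentials(parse_ldap_conf(text), 0o644))
```

Because nss_ldap reads ldap.conf from inside every process on the machine, the file normally has to stay world-readable, which is why the first finding never goes away for a bind user.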



Re: RedHat 7.3 and LDAP

2003-02-06 Thread sentinel

>> It wasn't working until I enabled
>> PAMAuthenticationViaKbdInt.

> I thought it started working when you added the users' home dir (or
> pam_mkhomedir).  Are you sure about that fix?

I could have sworn that was when it started working (/me looks back through
notes).  The pam_mkhomedir wasn't added until a few minutes later.  It was
then when I noticed a message referencing a missing user home directory that
pam_mkhomedir was added.

Just turned it off and removed pam_mkhomedir.  Still able to login with
several accounts just fine.  Weird.  Didn't do that before :-)  I'm tabling
that until later.  The point is I can log in now.  


>> Problem is I'm requiring it for security reasons.  Tough call.  777 to /home
>> or no priv separation.  I think I'll check out the PAM modules code and see
>> if there is a work around.

> I don't know.  Are the home directories that are created when you set
> /home to 777 owned by the correct user, or by sshd?

Ok. Set home to 777 and added pam_mkhomedir again to system-auth.  When I
login it creates the user's home directory just fine.  The user is the owner
of the directory.  Interesting...  If I can do the same thing with the
default /home rights then I'm set.  Looks like it switches to the user
account then creates the user's home directory.  Bummer :-(


> By default, anyone in the world can connect to the LDAP server and read
> data that's not private.  There's nothing insecure about that (except
> for the binding part, but you should be filtering these connections at
> your edge firewall).

We are.  However the requirements are pretty strict as defined by my
employer.  I'm hoping to convince them it's unnecessary.

{snip}

> * stores the username/password in plain text on every machine you
> configure as an LDAP client
> * sends the username/password over the network, usually in plain text

> The last two are where anonymous access is actually more secure than
> forcing authentication for any read access.  The data that's readable is
> not sensitive, so avoiding management logins just means that there's
> less privilege that's likely to be escalated.

Is this also the case when using TLS and LDAP?


I really do appreciate your assistance!

I've never dived this deep into LDAP and PAM before.  Getting comfortable
with the two finally :-)

Thx again!






Re: RedHat 7.3 and LDAP

2003-02-06 Thread Gordon Messmer
On Thu, 2003-02-06 at 08:59, sentinel wrote:
> 
> > You're probably not.  PAM is always used to authenticate passwords,
> > IIRC.
> 
> Even through SSH?

I was referring specifically to SSH.  I don't believe that sshd, when
compiled with PAM support, will ever authenticate passwords without
PAM.  If you don't believe me, try searching for /etc/passwd or
/etc/shadow in /usr/sbin/sshd.  They're not there.

> It wasn't working until I enabled
> PAMAuthenticationViaKbdInt.

I thought it started working when you added the users' home dir (or
pam_mkhomedir).  Are you sure about that fix?

> The default is off and the man page for sshd
> mentions it "specifies whether PAM challenge response authentication is
> allowed.  This allows the use of most PAM challenge response authentication
> modules..."

Yeah, challenge/response is not the same as password authentication.

> > A quick search suggests that this is probably due to SSH's new privilege
> > separation.  You may be able to work around the problem by turning off
> > privilege separation in sshd_config.
> 
> Problem is I'm requiring it for security reasons.  Tough call.  777 to /home
> or no priv separation.  I think I'll check out the PAM modules code and see
> if there is a work around.

I don't know.  Are the home directories that are created when you set
/home to 777 owned by the correct user, or by sshd?

> >> I wonder if setting a bind user/password would resolve the problem. 
> >> Currently I connect anonymously to the LDAP server (for testing purposes
> >> only)
> 
> > Binding anonymously will be slightly faster/less overhead and probably
> > more secure.
> 
> More secure?  As I understand it, binding anonymously gives the world the
> right to query my LDAP server.  Binding with a proxyuser/password restricts
> who can query the system.  I'm not sure I understand.

By default, anyone in the world can connect to the LDAP server and read
data that's not private.  There's nothing insecure about that (except
for the binding part, but you should be filtering these connections at
your edge firewall).

Restricting reads of non-private data to a specific user:
* increases the maintenance overhead of the LDAP service.  All systems
have to be set up with the username/password
* complicates your ACIs needlessly
* adds overhead to the system, since every connection has to
authenticate in addition to the normal bind/search operations.
* stores the username/password in plain text on every machine you
configure as an LDAP client
* sends the username/password over the network, usually in plain text

The last two are where anonymous access is actually more secure than
forcing authentication for any read access.  The data that's readable is
not sensitive, so avoiding management logins just means that there's
less privilege that's likely to be escalated.







Re: RedHat 7.3 and LDAP

2003-02-06 Thread sentinel


>> Ok.  I have it working now.  The problem was my sshd_config wasn't set up to
>> authenticate using PAM modules.  Seems it's turned off by default (If I'm
>> reading this correctly).


> You're probably not.  PAM is always used to authenticate passwords,
> IIRC.

Even through SSH?  It wasn't working until I enabled
PAMAuthenticationViaKbdInt.  The default is off and the man page for sshd
mentions it "specifies whether PAM challenge response authentication is
allowed.  This allows the use of most PAM challenge response authentication
modules..."  Until it was enabled I was unable to use LDAP for authentication.


>> When I login now I see a message reporting it's creating the user's home
>> directory however no directory is created.  If I chmod 777 /home then the
>> directory is created (obviously I don't want to do this).


> A quick search suggests that this is probably due to SSH's new privilege
> separation.  You may be able to work around the problem by turning off
> privilege separation in sshd_config.

Problem is I'm requiring it for security reasons.  Tough call.  777 to /home
or no priv separation.  I think I'll check out the PAM modules code and see
if there is a work around.


>> I wonder if setting a bind user/password would resolve the problem. 
>> Currently I connect anonymously to the LDAP server (for testing purposes
>> only)


> Binding anonymously will be slightly faster/less overhead and probably
> more secure.

More secure?  As I understand it, binding anonymously gives the world the
right to query my LDAP server.  Binding with a proxyuser/password restricts
who can query the system.  I'm not sure I understand.

Thx for all the help guys.  Hoping to roll this solution out soon.  Looking
really good

Regards.






Re: RedHat 7.3 and LDAP

2003-02-04 Thread Gordon Messmer
On Tue, 2003-02-04 at 09:45, sentinel wrote:
> 
> Ok.  I have it working now.  The problem was my sshd_config wasn't set up to
> authenticate using PAM modules.  Seems it's turned off by default (If I'm
> reading this correctly).

You're probably not.  PAM is always used to authenticate passwords,
IIRC.

> When I login now I see a message reporting it's creating the user's home
> directory however no directory is created.  If I chmod 777 /home then the
> directory is created (obviously I don't want to do this).

A quick search suggests that this is probably due to SSH's new privilege
separation.  You may be able to work around the problem by turning off
privilege separation in sshd_config.

> I wonder if setting a bind user/password would resolve the problem. 
> Currently I connect anonymously to the LDAP server (for testing purposes only)

Binding anonymously will be slightly faster/less overhead and probably
more secure.







Re: RedHat 7.3 and LDAP

2003-02-04 Thread sentinel

> OK, so if you 'ls -l /home', are the uids resolved to names via LDAP?

> If you don't have anything in /home, just log in as root, touch a file
> in /tmp, and chown it to a user that exists in LDAP, but not
> /etc/passwd.  If it works, then you're binding properly to the
> directory.

Ok.  I have it working now.  The problem was my sshd_config wasn't set up to
authenticate using PAM modules.  Seems it's turned off by default (If I'm
reading this correctly).

[snip]

> Shouldn't be a problem.  The way I understand pam authentication against
> LDAP, the module actually connects to the directory and attempts to bind
> as the user.  In that case, the directory server is doing the
> authentication, and should work with SSHA.  The client system doesn't
> have to know anything about the password hash in use.

Hmmm... I wonder if that's why my new problem has popped up.  When I
authenticate against LDAP it says the user's home directory doesn't exist.
I've been reading through the RedHat PAM-LIST archives and learned I need to
include pam_mkhomedir.so.  

Here is the new line added to system-auth

session optional  /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

When I login now I see a message reporting it's creating the user's home
directory however no directory is created.  If I chmod 777 /home then the
directory is created (obviously I don't want to do this).

I wonder if setting a bind user/password would resolve the problem. 
Currently I connect anonymously to the LDAP server (for testing purposes only)

Thoughts?

LDAP is most impressive.  I see great potential for it in our environment.

Regards






Re: RedHat 7.3 and LDAP

2003-02-03 Thread Gordon Messmer
On Mon, 2003-02-03 at 09:28, sentinel wrote:
> Ok.  I think I know where the problem is.  I've spent countless hours
> reading through LDAP documentation from the PADL, RedHat and OpenLDAP sites.
>  I'm running RedHat 7.3 with Netscape's LDAP server (version 6.11).  I'm
> trying to ssh into a server and authenticate through LDAP.  I've also used
> authconfig to set up my environment (very easy tool to use I might add).

OK, so if you 'ls -l /home', are the uids resolved to names via LDAP?

If you don't have anything in /home, just log in as root, touch a file
in /tmp, and chown it to a user that exists in LDAP, but not
/etc/passwd.  If it works, then you're binding properly to the
directory.

> When I login I receive an error message telling me I've typed in the wrong
> password.  I "think" the problem is Netscape's LDAP server.  When you create
> a user and enter a password, the password is encrypted with SSHA.

Shouldn't be a problem.  The way I understand pam authentication against
LDAP, the module actually connects to the directory and attempts to bind
as the user.  In that case, the directory server is doing the
authentication, and should work with SSHA.  The client system doesn't
have to know anything about the password hash in use.







Re: RedHat 7.3 and LDAP setup

2003-01-28 Thread Gordon Messmer
On Mon, 2003-01-27 at 10:42, sentinel wrote:
> I must be missing something.  I'm setting up a Netscape LDAP server running
> on RedHat 7.3 and accessing it from a RedHat 8.0 workstation.  I've set up
> Netscape LDAP servers many times in the past however I never had to worry
> about a client until today.

You can probably simplify many things by using the vendor provided tool
for authentication configuration:  authconfig.

Try it out and see if you get workable results.  I'm running Red Hat
Linux 8.0 machines against both iPlanet and OpenLDAP, and haven't had
any kind of problem in the setup.









Re: RedHat 7.3 and LDAP setup

2003-01-28 Thread nate
sentinel said:
>
> Hmmm... Just noticed that tidbit in the documentation.  I'm wondering if
> that's my problem.  I seem to be getting hits (looking at the netscape
> ldap logs) however no info is passed for authentication.  I noticed a
> section where I can select my password format (don't see MD5).  SSHA and a
> few others are in a drop down menu.  I'll mess around a bit with this.
> Hopefully the rest of my setup is fine.
>
> Thx for the help.  If unsuccessful I'll try the openLDAP.  I have their
> installation/config docs handy.

no problem. I also have an extensive OpenLDAP howto:

http://howto.aphroland.de/HOWTO/LDAP

which may assist in a more rapid deployment. It's more debian centric
but I applied it to my redhat 7.3 system here and virtually everything
worked fine (only catches were the redhat schema files were different
from mine, haven't investigated further I just replaced them with my
own).

nate








Re: RedHat 7.3 and LDAP setup

2003-01-28 Thread sentinel

Hmmm... Just noticed that tidbit in the documentation.  I'm wondering if
that's my problem.  I seem to be getting hits (looking at the netscape ldap
logs) however no info is passed for authentication.  I noticed a section
where I can select my password format (don't see MD5).  SSHA and a few
others are in a drop down menu.  I'll mess around a bit with this. 
Hopefully the rest of my setup is fine.

Thx for the help.  If unsuccessful I'll try the openLDAP.  I have their
installation/config docs handy.

Thx again





> it also could be misconfigured, what password format are you using? my
> OpenLDAP server uses {MD5}, you may need to add another option if you're
> using another format, also netscape ldap may need yet another option as
> well..






Re: RedHat 7.3 and LDAP setup

2003-01-27 Thread nate
sentinel said:
> Actually I had set up my ldap.conf however it was missing the
> nss_base_passwd, the nss_base_group and uri.  I'm seeing a new message pop
> up now.
>
> **
> ssh -l user_name ip_address
>
> user_name@ip_address password:
> Permission denied, please try again.
> **
>
> I'm wondering if I'm hitting the ldap server at all.  Looking through the
> netscape server logs.  Not sure what I'm looking for.  Thoughts?

I believe the log for this on redhat would be /var/log/secure that should
show info about SSH, I bet you're probably getting a cannot login to server
error. My setup is possibly non-standard, since I use the binddn and
bindpw directives, take those out if you don't use a 3rd party account
to authenticate with the database (I do it so anonymous users cannot query
the database).

it also could be misconfigured, what password format are you using? my
OpenLDAP server uses {MD5}, you may need to add another option if you're
using another format, also netscape ldap may need yet another option as
well..

from my old ldap.conf:
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db


I'm not sure if you need them or not, I haven't tried authenticating
off a Netscape ldap server yet.

good luck!

nate





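Gordon's explanation further down the thread (the directory server, not the PAM client, compares the password on a simple bind) and nate's question about the {MD5} password format both come down to how a stored userPassword value is checked. This is an added example, not code from the thread or from any directory server: hash_user_password and verify_user_password are hypothetical names implementing the RFC 2307 {SHA}, {SSHA}, {MD5} and {SMD5} layouts; {CRYPT} is deliberately left out because it needs the system crypt(3).

```python
import base64
import hashlib
import hmac
import os

# Digest used by each scheme; the S-prefixed ones append a random salt.
_DIGESTS = {"SHA": "sha1", "SSHA": "sha1", "MD5": "md5", "SMD5": "md5"}
_SALTED = {"SSHA", "SMD5"}


def hash_user_password(password, scheme="SSHA", salt=None):
    """Build a userPassword value: '{SCHEME}' + base64(digest(pw + salt) + salt)."""
    scheme = scheme.upper()
    algo = _DIGESTS[scheme]
    if scheme in _SALTED:
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_user_password(password, stored):
    """Check a clear-text password against a stored '{SCHEME}...' value.

    This is the comparison the directory server performs when pam_ldap binds as
    the user; the client never sees the hash, which is why it needs no
    pam_password setting for SSHA or MD5 entries.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False  # clear-text or unknown layout: not handled here
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _DIGESTS:
        return False  # e.g. {CRYPT}: not covered
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (ValueError, TypeError):
        return False
    size = hashlib.new(_DIGESTS[scheme]).digest_size
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or (scheme not in _SALTED and salt):
        return False  # truncated digest, or trailing bytes on an unsalted scheme
    calc = hashlib.new(_DIGESTS[scheme], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


if __name__ == "__main__":
    # Constructed inputs: the well-known OpenLDAP example hashes of "secret".
    print(verify_user_password("secret", "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="))
    print(verify_user_password("secret", "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="))
    print(verify_user_password("secret", hash_user_password("secret", "SSHA")))
```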



Re: RedHat 7.3 and LDAP setup

2003-01-27 Thread sentinel
Actually I had set up my ldap.conf however it was missing the nss_base_passwd,
the nss_base_group and uri.  I'm seeing a new message pop up now.

**
ssh -l user_name ip_address

user_name@ip_address password:
Permission denied, please try again.
**

I'm wondering if I'm hitting the ldap server at all.  Looking through the
netscape server logs.  Not sure what I'm looking for.  Thoughts?

Thanks a bunch!



> stupid question but you didn't mention this:
>
> did you put your LDAP info for PAM in /etc/ldap.conf ?
>
> mine looks like:
>
> host 10.10.10.7
> base ou=People,o=aphroland,c=us
> uri ldaps://redhat.aphroland.org:6360/
> ldap_version 3
> binddn cn=nss,o=aphroland,c=us
> bindpw MY_SUPER_SECRET_PASSWORD
> port 6360
> nss_base_passwd ou=People,o=aphroland,c=us?one
> nss_base_group  ou=Group,o=aphroland,c=us?one






Re: RedHat 7.3 and LDAP setup

2003-01-27 Thread nate
sentinel said:
>

> I'm trying to ssh to the server from my client and authenticate via LDAP.
> On the server I have 'files ldap' entries setup for nsswitch.conf and
> checked /etc/pam.d/sshd to make sure ldap entries are in place.  When I
> connect I receive a message to "Enter LDAP Password".

stupid question but you didn't mention this:

did you put your LDAP info for PAM in /etc/ldap.conf ?

mine looks like:

host 10.10.10.7
base ou=People,o=aphroland,c=us
uri ldaps://redhat.aphroland.org:6360/
ldap_version 3
binddn cn=nss,o=aphroland,c=us
bindpw MY_SUPER_SECRET_PASSWORD
port 6360
nss_base_passwd ou=People,o=aphroland,c=us?one
nss_base_group  ou=Group,o=aphroland,c=us?one




