Gentoo Forums
LDAP authentication next to normal authentication
Forum Index: Networking & Security
Bart B (n00b; Joined: 01 Jul 2002; Posts: 20; Location: Netherlands)
Posted: Mon Jul 24, 2006 2:01 pm    Post subject: LDAP authentication next to normal authentication

Hello,

I'm currently busy setting up a small home server (4 users) which will run some of the more usual programs (Postfix, IMAP (Courier?), Apache, SAMBA, NFS server). Configuring all the other daemons should be no problem, as I've done that a number of times before.

On previous server systems that I installed, I used the configuration files of the individual daemons for passwords and users. I figured that using LDAP would be better. I installed OpenLDAP and got it up and running (phpLDAPadmin can be used to browse through users).

There is only one problem: I do not want the "root" account and other system accounts in the LDAP server, as it would mean that they cannot be identified or log on when slapd dies on me. I don't really know where to find information on how this is achieved.

many thanks,

Bart
_________________
desktop: AMD64 X2 +3800, 2GB MEM, MSI K8N Neo4, nVidia 7600GT running 64-bit gentoo.
server: DUAL PIII-733Mhz, 1,5GB Kingston CAS2 @133Mhz, MSI6321 VIA Apollo Chipset.
hensan (l33t; Joined: 26 Jun 2003; Posts: 868; Location: Sweden)
Posted: Mon Jul 24, 2006 6:52 pm

Modify the auth lines in your /etc/pam.d/system-auth to something like this:

Code:
auth       required     pam_env.so
auth       sufficient   pam_ldap.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       required     pam_deny.so


That way the system will try to authenticate you against ldap first and then try passwd/shadow if that fails.

Edit: You'll need to install pam_ldap to get the module.


Last edited by hensan on Mon Jul 24, 2006 7:01 pm; edited 1 time in total
tuxmagi (n00b; Joined: 22 Oct 2004; Posts: 68; Location: Providence, RI)
Posted: Mon Jul 24, 2006 6:55 pm    Post subject: LDAP Configuration

If you configure nsswitch.conf, nsswitch.ldap, and /etc/pam.d/system-auth the same way that is done in the Gentoo howtos that I've seen on this topic, the root and system users will still be local to each machine. The only users that will be LDAPed are the ones that you add to the tree yourself.
_________________
An introductory exercise in differential geometry: Is Middle Earth flat? (My Igloo)
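The two replies above describe the arrangement that keeps root and the system accounts local: pam_ldap marked sufficient with pam_unix after it in /etc/pam.d/system-auth, and "files" listed before "ldap" in nsswitch.conf, so only accounts you add to the tree are ever looked up in LDAP. The script below is an added example, not code from the thread or from Gentoo; it checks those properties on whatever PAM file, nsswitch.conf and passwd file it is given, and the sample files it writes are constructed to mirror hensan's snippet rather than copied from anyone's system. One caveat worth knowing: with pam_ldap first in the stack, every login, root's included, contacts slapd before falling through to pam_unix, so an unreachable server delays local logins by pam_ldap's connection timeout; listing pam_unix first and pam_ldap second with use_first_pass avoids that, while still keeping root out of LDAP.

```sh
#!/bin/sh
# Added example (not from the thread): checks whether a pam_ldap/nss_ldap
# setup keeps root and the other system accounts usable when slapd is down.
# Every check takes the file to inspect as an argument, so it runs against
# the real /etc files or against the constructed samples written below.

# 0 if the "auth" stack has a local fallback: pam_unix.so is present and
# pam_ldap.so is never "required"/"requisite". A required pam_ldap fails
# root's login outright (root is not in LDAP) and fails everyone's once
# slapd is unreachable, which is exactly what the original poster feared.
pam_auth_has_local_fallback() {
    awk '
        $1 != "auth" { next }
        $3 ~ /pam_unix\.so/ { unix = 1 }
        $3 ~ /pam_ldap\.so/ && ($2 == "required" || $2 == "requisite") { hard = 1 }
        END { exit !(unix && !hard) }
    ' "$1"
}

# 0 if nsswitch.conf resolves passwd from "files" before "ldap", so uid 0
# and the daemon accounts come from /etc/passwd without an LDAP round trip.
nss_passwd_files_first() {
    awk '
        $1 == "passwd:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "files") files = i
                if ($i == "ldap") ldap = i
            }
        }
        END { exit !(files && (!ldap || files < ldap)) }
    ' "$1"
}

# 0 if user $2 has an entry in passwd file $1, i.e. it survives an LDAP outage.
account_is_local() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Constructed sample files (not the poster's real configuration).
tmp=$(mktemp -d)
cat > "$tmp/system-auth" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_ldap.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       required     pam_deny.so
EOF
cat > "$tmp/system-auth.bad" <<'EOF'
auth       required     pam_env.so
auth       required     pam_ldap.so
auth       required     pam_unix.so use_first_pass
EOF
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd: files ldap
shadow: files ldap
group:  files ldap
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
EOF

pam_auth_has_local_fallback "$tmp/system-auth"     && echo "system-auth: local fallback present"
pam_auth_has_local_fallback "$tmp/system-auth.bad" || echo "system-auth.bad: root locked out when slapd is down"
nss_passwd_files_first "$tmp/nsswitch.conf"        && echo "nsswitch.conf: files consulted before ldap"
account_is_local "$tmp/passwd" root                && echo "root resolves from /etc/passwd"
account_is_local "$tmp/passwd" bart                || echo "bart is LDAP-only"
```

To run it against a live box, call the three functions with /etc/pam.d/system-auth, /etc/nsswitch.conf and /etc/passwd instead of the samples; "getent passwd root" while slapd is stopped is the end-to-end confirmation that the local path works.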
Bart B (n00b; Joined: 01 Jul 2002; Posts: 20; Location: Netherlands)
Posted: Wed Aug 02, 2006 9:28 pm    Post subject: PAM authentication now problematic

Hi,

I now have the problem that normal authentication requests are received by LDAP, but the process connecting to LDAP is not authenticating itself.

Running the command "su - bart" (where bart is the name of a user only known in LDAP):

Code:

Aug  3 02:10:17 aztec slapd[5547]: conn=16 fd=8 ACCEPT from IP=127.0.0.1:39535 (IP=0.0.0.0:636)
Aug  3 02:10:17 aztec slapd[5547]: conn=16 fd=8 TLS established tls_ssf=256 ssf=256
Aug  3 02:10:17 aztec slapd[5547]: conn=16 op=0 BIND dn="" method=128
Aug  3 02:10:17 aztec slapd[5547]: conn=16 op=0 RESULT tag=97 err=0 text=
Aug  3 02:10:17 aztec slapd[5547]: conn=16 op=1 SRCH base="ou=People,dc=beumer,dc=xs4all,dc=nl" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=bart))"
Aug  3 02:10:17 aztec slapd[5547]: conn=16 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug  3 02:10:17 aztec slapd[5547]: conn=16 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug  3 02:10:17 aztec slapd[5547]: conn=16 fd=8 closed (connection lost)

Please notice the third line: BIND dn="".

When connecting to LDAP using phpLDAPadmin I can see the following:
Code:

Aug  3 02:14:36 aztec slapd[5547]: conn=33 fd=26 ACCEPT from IP=127.0.0.1:37841 (IP=0.0.0.0:636)
Aug  3 02:14:36 aztec slapd[5547]: conn=33 fd=26 TLS established tls_ssf=256 ssf=256
Aug  3 02:14:36 aztec slapd[5547]: conn=33 op=0 BIND dn="cn=Manager,dc=beumer,dc=xs4all,dc=nl" method=128
Aug  3 02:14:36 aztec slapd[5547]: conn=33 op=0 BIND dn="cn=Manager,dc=beumer,dc=xs4all,dc=nl" mech=SIMPLE ssf=0
Aug  3 02:14:36 aztec slapd[5547]: conn=33 op=0 RESULT tag=97 err=0 text=
Aug  3 02:14:36 aztec slapd[5547]: conn=33 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Aug  3 02:14:36 aztec slapd[5547]: conn=33 op=1 SRCH attr=namingContexts
Aug  3 02:14:36 aztec slapd[5547]: conn=33 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  3 02:14:36 aztec slapd[5547]: conn=33 op=2 SRCH base="uid=bart,ou=People,dc=beumer,dc=xs4all,dc=nl" scope=1 deref=0 filter="(objectClass=*)"

Please notice that the dn is now filled.

My guess is that I've forgotten some configuration parameter in my configuration.


/etc/ldap.conf
Code:

ssl start_tls
ssl on
suffix "dc=beumer,dc=xs4all,dc=nl"

uri ldaps://beumer.xs4all.nl
uri ldapi://%2fvar%2frun%2fldapi_sock/
pam_password exop

ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=beumer,dc=xs4all,dc=nl
nss_base_shadow ou=People,dc=beumer,dc=xs4all,dc=nl
nss_base_group  ou=Group, dc=beumer,dc=xs4all,dc=nl
nss_base_hosts  ou=Hosts, dc=beumer,dc=xs4all,dc=nl

scope one


/etc/openldap/ldap.conf
Code:

BASE        dc=beumer,dc=xs4all,dc=nl
URI         ldaps://beumer.xs4all.nl:636/
TLS_REQCERT allow


/etc/openldap/slapd.conf
Code:

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema

password-hash {md5}

TLSCertificateFile     /etc/ssl/ldap.pem
TLSCertificateKeyFile  /etc/openldap/ssl/ldap.pem
TLSCACertificateFile   /etc/ssl/ldap.pem

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

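The first log above shows the lookup arriving as an anonymous bind (dn="") because the posted /etc/ldap.conf gives nss_ldap and pam_ldap no identity to bind with; whether such a search returns any entries then depends entirely on slapd's ACLs, and with no "access" directives at all slapd's default is "access to * by * read", which would also hand every userPassword hash to that anonymous client. The script below is an added example, not from the thread, of the four settings a reviewer would check across the three posted files: a binddn or rootbinddn for lookups, TLS_REQCERT (the posted "allow" accepts any server certificate, so ldaps:// encrypts but does not authenticate the server), the password-hash scheme ({md5} is unsalted), and an ACL that singles out userPassword. The sample files are constructed with example.org names and only mirror the shape of the posted configuration.

```sh
#!/bin/sh
# Added example (not from the thread): reads the pam_ldap/nss_ldap client
# config, the OpenLDAP client config and slapd.conf and reports the settings
# behind the BIND dn="" symptom and the related hardening points. Paths are
# arguments so the constructed samples below can stand in for /etc.

# 0 if lookups have an identity to bind with: "binddn" (password in bindpw,
# visible to anyone who can read the file) or "rootbinddn" (password kept
# root-only in /etc/ldap.secret). Without either, every search is anonymous.
ldap_conf_has_bind_identity() {
    awk 'tolower($1) == "binddn" || tolower($1) == "rootbinddn" { found = 1 }
         END { exit !found }' "$1"
}

# 0 if the client verifies the server certificate: TLS_REQCERT absent (the
# default is demand) or set to demand/hard. "allow" and "never" accept any
# certificate, so an attacker on the path can impersonate the server.
ldap_conf_verifies_server_cert() {
    awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
         END { exit !(v == "" || v == "demand" || v == "hard") }' "$1"
}

# 0 unless slapd stores new passwords with an unsalted or reversible scheme;
# no password-hash line means the default, which is salted ({SSHA}).
slapd_uses_salted_hash() {
    awk 'tolower($1) == "password-hash" { v = tolower($2) }
         END { exit (v == "{md5}" || v == "{sha}" || v == "{cleartext}") }' "$1"
}

# 0 if slapd.conf has an ACL that addresses userPassword explicitly; without
# one the default "access to * by * read" exposes the hashes to any bind.
slapd_restricts_userpassword() {
    grep -qiE '^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=userPassword' "$1"
}

# Constructed sample files (example.org names, not the poster's real files).
tmp=$(mktemp -d)
cat > "$tmp/ldap.conf.asposted" <<'EOF'
suffix "dc=example,dc=org"
uri ldaps://ldap.example.org/
ldap_version 3
nss_base_passwd ou=People,dc=example,dc=org
EOF
cat > "$tmp/ldap.conf" <<'EOF'
suffix "dc=example,dc=org"
uri ldaps://ldap.example.org/
ldap_version 3
rootbinddn cn=nss-lookup,ou=Service,dc=example,dc=org
nss_base_passwd ou=People,dc=example,dc=org
EOF
cat > "$tmp/openldap-ldap.conf" <<'EOF'
BASE        dc=example,dc=org
URI         ldaps://ldap.example.org:636/
TLS_REQCERT allow
EOF
cat > "$tmp/slapd.conf" <<'EOF'
password-hash {SSHA}
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
EOF

ldap_conf_has_bind_identity "$tmp/ldap.conf.asposted"   || echo "ldap.conf: no binddn/rootbinddn, lookups bind anonymously"
ldap_conf_has_bind_identity "$tmp/ldap.conf"            && echo "ldap.conf: lookups bind as the service DN"
ldap_conf_verifies_server_cert "$tmp/openldap-ldap.conf" || echo "openldap/ldap.conf: TLS_REQCERT allow, server cert not verified"
slapd_uses_salted_hash "$tmp/slapd.conf"                && echo "slapd.conf: salted password hash"
slapd_restricts_userpassword "$tmp/slapd.conf"          && echo "slapd.conf: userPassword ACL present"
```

If you go the rootbinddn route, /etc/ldap.secret must be mode 0600 and owned by root, and only processes running as root get that identity; anything else falls back to anonymous, so the ACL still needs "by anonymous auth" on userPassword for the bind itself to work while denying reads.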