www.zeroshell.org Forum Index
Linux Distribution for server and embedded devices

LDAP Client configuration for authentication?
dbs
Joined: 14 Dec 2008
Posts: 8
Location: Natick, MA
Posted: Mon Dec 22, 2008 5:40 am    Post subject: LDAP Client configuration for authentication?

I'd like to use my Zeroshell server as an LDAP authentication host, but I can't seem to get the configuration stable.

Right now 'finger' works correctly on an LDAP account, but doing 'id' against them (or anything else that requires an actual auth lookup) does not.

I've changed /etc/nsswitch.conf to say 'ldap' for group and passwd:
Code:
passwd:         compat ldap
group:          compat ldap


My ldap.conf has:
Code:
base dc=interlude,dc=homeport,dc=org
uri ldap://192.168.1.2:389/
ldap_version 3
bindpw (redacted)
rootbinddn cn=admin,dc=interlude,dc=homeport,dc=org


When trying to do an 'id' on an ldap-hosted account, I see in /var/log/auth.log:
Code:
nscd: nss_ldap: failed to bind to LDAP server ldap://192.168.1.2:389/: Invalid credentials


What am I doing wrong? I'd like to make my LDAP server on the zeroshell box my definitive authentication mechanism (this is a staging environment for a production setup). Help?
fulvio
Site Admin
Joined: 01 Nov 2006
Posts: 1077
Posted: Mon Dec 22, 2008 7:52 am

Use

rootbinddn cn=manager,dc=interlude,dc=homeport,dc=org

or anonymous bind.

Do not forget that Zeroshell uses LDAP only for authorisation. The authentication is managed by Kerberos5 and hence the hash of the password is not stored in LDAP.

Regards
Fulvio
dbs
Joined: 14 Dec 2008
Posts: 8
Location: Natick, MA
Posted: Mon Dec 22, 2008 4:21 pm

I do apologize for the n00b questions - authentication services are relatively new for me (though I used to admin NIS servers. Weep for me).

fulvio wrote:
Use
rootbinddn cn=manager,dc=interlude,dc=homeport,dc=org
or anonymous bind.


Hmm, I don't have a login called 'manager'. I do have the default 'admin' account - that's what I've been using - should I not use that? Also, does this negate the need for 'bindpw'?


fulvio wrote:
Do not forget that Zeroshell uses LDAP only for authorisation. The authentication is managed by Kerberos5 and hence the hash of the password is not stored in LDAP.


Alright, I barely know Kerberos, so I need to learn that. What I understand here is that I must set up a Kerberos server/client configuration (get a client key generated, etc.), and set up the shared keys - LDAP will be used for authorization ("Yes, there's a person named bob"), and K5 will be used for authentication ("and they can access this machine.")?

Thanks again!
fulvio
Site Admin
Joined: 01 Nov 2006
Posts: 1077
Posted: Mon Dec 22, 2008 5:43 pm

The manager user shares the password with admin.

Regards
Fulvio
dbs
Joined: 14 Dec 2008
Posts: 8
Location: Natick, MA
Posted: Tue Dec 23, 2008 3:09 am

fulvio wrote:
The manager user shares the password with admin.


Changing the rootbinddn to 'manager' allowed it to work - now 'id' operations are working, but logins still are not.

Is there a guide to setting up Kerberos to work with Zeroshell?
yum
Joined: 21 Dec 2008
Posts: 48
Posted: Tue Dec 23, 2008 9:52 am

I'd suggest you use the Fedora distribution. There is a utility called "authconfig-tui", which works perfectly. You just have to specify "LDAP" for authorization, "Kerberos" for authentication, provide Zeroshell's IP address for both services, input the LDAP base DN and the Kerberos realm based on the domain name. No need to edit configuration files by hand.
dbs
Joined: 14 Dec 2008
Posts: 8
Location: Natick, MA
Posted: Tue Dec 23, 2008 4:03 pm

yum wrote:
I'd suggest you use the Fedora distribution. There is a utility called "authconfig-tui", which works perfectly. You just have to specify "LDAP" for authorization, "Kerberos" for authentication, provide Zeroshell's IP address for both services, input the LDAP base DN and the Kerberos realm based on the domain name. No need to edit configuration files by hand.


While I appreciate the information, and I found similar info out on the net, replacing my distribution is not an option just to get this working. I'll continue working on finding the answers elsewhere.

My goal is to have the Zeroshell box essentially function as an Active Directory server - providing a single authentication / authorization service to a range of client machines (Windows, Linux, Mac, etc.). On those boxes, I'll need to set up services for shell access, HTTP authorization, and Samba services.

Any pointers to guides for these services would be helpful, but "replace your OS with this version" is not really an option, thanks.
fulvio
Site Admin
Joined: 01 Nov 2006
Posts: 1077
Posted: Tue Dec 23, 2008 5:29 pm

For Linux clients you need to configure pam_krb5.so in the PAM configuration files. In any case, several Linux distributions have their tools for automatic authorisation and authentication configuration.

To check if the LDAP is correctly configured to provide user information, use the command:
Code:
getent passwd

Regards
Fulvio
dbs
Joined: 14 Dec 2008
Posts: 8
Location: Natick, MA
Posted: Tue Dec 23, 2008 5:34 pm

fulvio wrote:
For Linux clients you need to configure pam_krb5.so in the PAM configuration files. In any case, several Linux distributions have their tools for automatic authorisation and authentication configuration.


Okay, I'll work on this for Ubuntu, and let y'all know.


fulvio wrote:
To check if the LDAP is correctly configured to provide user information, use the command:

getent passwd


This just shows my local accounts, no LDAP accounts (i.e. getent passwd <enter> shows a list of accounts; getent passwd | grep (a known LDAP user) shows nothing).
fulvio
Site Admin
Joined: 01 Nov 2006
Posts: 1077
Posted: Tue Dec 23, 2008 10:44 pm

You had better configure the file /etc/nsswitch.conf by using the line
Code:
passwd: files ldap

Regards
Fulvio
dbs
Joined: 14 Dec 2008
Posts: 8
Location: Natick, MA
Posted: Wed Dec 24, 2008 2:56 am

fulvio wrote:
You had better configure the file /etc/nsswitch.conf by using the line
passwd: files ldap


I'm just getting online now - note the beginning of this thread, I'm using 'compat ldap' - is there a difference?
fulvio
Site Admin
Joined: 01 Nov 2006
Posts: 1077
Posted: Wed Dec 24, 2008 9:17 am

If you use compat you need to specify +: in /etc/passwd.
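The following is an added example, not part of this thread or of Zeroshell: a small POSIX shell check that follows Fulvio's advice above, telling you whether a given nsswitch.conf/passwd pair can expose LDAP accounts to getent passwd (the "compat needs a '+' line" rule) before you start chasing bind errors. The sample files are constructed inline; the function names and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the NSS passwd configuration from this thread.
# "files ldap" queries nss_ldap directly after /etc/passwd; per the
# advice in the thread, "compat ldap" only pulls in the directory
# accounts when /etc/passwd carries a "+" entry, so without one the
# LDAP users never show up in "getent passwd" even if the bind works.

# Print the sources listed on the first "passwd:" line of nsswitch.conf ($1).
passwd_sources() {
    sed -n 's/^[[:space:]]*passwd:[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 when nsswitch.conf ($1) plus passwd ($2) can expose LDAP
# accounts, 1 otherwise; the reason is printed either way.
nss_ldap_reachable() {
    sources=$(passwd_sources "$1")
    case " $sources " in
        *" ldap "*) ;;
        *) echo "ldap not listed for passwd: '$sources'"; return 1 ;;
    esac
    case " $sources " in
        *" compat "*)
            if grep -q '^+' "$2"; then
                echo "compat with a '+' entry in passwd: ok"
                return 0
            fi
            echo "compat without a '+' line in passwd: LDAP users hidden"
            return 1 ;;
    esac
    echo "files ldap style: ok"
    return 0
}

# Constructed sample inputs mirroring the two configurations in the thread.
demo_dir=$(mktemp -d)
printf 'passwd: compat ldap\ngroup: compat ldap\n' > "$demo_dir/nss_compat"
printf 'passwd: files ldap\ngroup: files ldap\n' > "$demo_dir/nss_files"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo_dir/passwd_plain"
printf 'root:x:0:0:root:/root:/bin/sh\n+::::::\n' > "$demo_dir/passwd_plus"

nss_ldap_reachable "$demo_dir/nss_compat" "$demo_dir/passwd_plain" || true
nss_ldap_reachable "$demo_dir/nss_compat" "$demo_dir/passwd_plus"
nss_ldap_reachable "$demo_dir/nss_files"  "$demo_dir/passwd_plain"
```

Point the functions at the real /etc/nsswitch.conf and /etc/passwd of a client to run the same check on a live box.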
panther
Joined: 17 Dec 2007
Posts: 4
Location: Austin, TX, USA
Posted: Thu Jan 15, 2009 9:46 am

I don't know if this helps, but I had to add these three lines to /etc/ldap.conf to get my connection to work for 'getent passwd'.

ssl no
tls_cacertdir /etc/ssl/certs
pam_password md5

I would also love to figure out why I can't get Apache to authorize a directory with LDAP from Zeroshell. I've done the following:

<Location>
DAV svn
SVNParentPath /var/svn
SVNListparentPath on
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthName "svn-ldap"
AuthUserFile /dev/null
AuthLDAPURL "ldap://zeroshell.local:389/dc=SPG?uid?sub?(objectClass=*)"
AuthLDAPBindDN "cn=manager,dc=SPG"
AuthLDAPBindPassword <mypassword>
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member

SSLRequireSSL
Require valid-user
</Location>

And all I ever get is invalid credentials. When doing ldapsearch -x, I can log into LDAP as long as I use simple connections without a password. However, I have *never* been able to log in with any of my users or their passwords. What am I doing wrong? The weird thing is, I have another machine that came pre-installed with other software which *does* allow logins, so it must be something I've missed. Any ideas?

Thanks,
JH
yum
Joined: 21 Dec 2008
Posts: 48
Posted: Sat Jan 17, 2009 9:45 am

Hi, panther!

Zeroshell doesn't store passwords in LDAP. It is impossible to authenticate against Zeroshell's LDAP. I think you can use mod_auth_pam / mod_auth_kerb instead to authenticate against Zeroshell's Kerberos.
fulvio
Site Admin
Joined: 01 Nov 2006
Posts: 1077
Posted: Sat Jan 17, 2009 5:46 pm

You are right. Zeroshell authorises with LDAP and authenticates only with Kerberos5 and RADIUS.

Regards
Fulvio
jhughes
Joined: 29 Jan 2009
Posts: 2
Posted: Thu Jan 29, 2009 5:07 am

For whatever reason, I could never get rootbinddn to work until I logged into my Zeroshell machine through SSH and manually added the line:

rootbinddn cn=manager,dc=SPG

There's one already there, but it's commented out by default. Then, I had to create a file /etc/ldap.secret, put my login password there, and chmod it 600.

Once complete, at least the different LDAP clients successfully authenticate. Most of the ones I've been playing with--OpenFiler and Redmine, specifically--refuse to auth when connecting to an LDAP server without a password. I'm kind of new to this, so I could be completely wrong.
fulvio
Site Admin
Joined: 01 Nov 2006
Posts: 1077
Posted: Thu Jan 29, 2009 6:32 pm

The rootbinddn is available in the file /etc/ldap.conf, which can only affect the OpenLDAP clients and not the slapd daemon (OpenLDAP server). It is strange that modifying it in Zeroshell fixes your problem.
In any case, do not forget that Zeroshell cannot authenticate by using LDAP. The authentication is delegated to Kerberos5.

Regards
Fulvio
yannj
Joined: 11 Jan 2016
Posts: 1
Posted: Mon Jan 11, 2016 9:28 am

yum wrote:
I'd suggest you use the Fedora distribution. There is a utility called "authconfig-tui", which works perfectly. You just have to specify "LDAP" for authorization, "Kerberos" for authentication, provide Zeroshell's IP address for both services, input the LDAP base DN and the Kerberos realm based on the domain name. No need to edit configuration files by hand.


Hi,

I followed these instructions and now I can connect to my Fedora 23 VM using Zeroshell LDAP.

When I enter the username and password, user information is retrieved from the LDAP (as the group and organization set in ZS are displayed in the Fedora login window), the password is validated as the session opens, but the user is automatically and immediately disconnected.

I checked the user profile with the local administrator and I can see login and logout in the information.

I'm a newbie on LDAP, and trying to implement it for the first time. I checked the Fedora users and groups documentation, looked at the /etc/group and /etc/passwd files, without success. I believe this is more a Fedora issue than a Zeroshell one, but I'm thinking you can help me?

Regards,

Yann