LDAP Client configuration for authentication?


This topic contains 16 replies, has 0 voices, and was last updated by dbs 3 years, 3 months ago.

    #41378

    dbs
    Member

    I’d like to use my Zeroshell server as an LDAP authentication host, but I can’t seem to get the configuration stable.

    Right now ‘finger’ works correctly on an LDAP account, but doing ‘id’ against them (or anything else that requires an actual auth lookup) does not.

    I’ve changed /etc/nsswitch.conf to say ‘ldap’ for group and passwd:

    passwd:         compat ldap
    group: compat ldap

    My ldap.conf has:

    base dc=interlude,dc=homeport,dc=org
    uri ldap://192.168.1.2:389/
    ldap_version 3
    bindpw (redacted)
    rootbinddn cn=admin,dc=interlude,dc=homeport,dc=org

    When trying to do an ‘id’ on an ldap-hosted account, I see in /var/log/auth.log:

    nscd: nss_ldap: failed to bind to LDAP server ldap://192.168.1.2:389/: Invalid credentials

    What am I doing wrong? I’d like to make my LDAP server on the zeroshell box my definitive authentication mechanism (this is a staging environment for a production setup). Help?

    #47318

    imported_fulvio
    Participant

    Use

    rootbinddn cn=manager,dc=interlude,dc=homeport,dc=org

    or anonymous bind.

    Do not forget that Zeroshell uses LDAP only for authorisation. The authentication is managed by Kerberos5 and hence the hash of the password is not stored in LDAP.

    Regards
    Fulvio

    #47319

    dbs
    Member

    I do apologize for the n00b questions – authentication services are relatively new for me (though I used to admin NIS servers. Weep for me)

    @fulvio wrote:

    Use
    rootbinddn cn=manager,dc=interlude,dc=homeport,dc=org
    or anonymous bind.

    Hmm, I don’t have a login called ‘manager’. I do have the default ‘admin’ account – that’s what I’ve been using – should I not use that? Also, does this negate the need for ‘bindpw’?

    @fulvio wrote:

    Do not forget that Zeroshell uses LDAP only for authorisation. The authentication is managed by Kerberos5 and hence the hash of the password is not stored in LDAP.

    Alright, I barely know Kerberos, so I need to learn that. What I understand here is that I must set up a Kerberos server/client configuration (get a client key generated, etc.) and set up the shared keys – LDAP will be used for authorization (“Yes, there’s a person named bob”), and k5 will be used for authentication (“and they can access this machine.”)?

    Thanks again!

    #47320

    imported_fulvio
    Participant

    The manager user shares the password with admin.

    Regards
    Fulvio

    #47321

    dbs
    Member

    @fulvio wrote:

    The manager user shares the password with admin.

    Changing the rootbinddn to ‘manager’ allowed it to work – now ‘id’ operations are working, but logins still are not.

    Is there a guide to setting up Kerberos to work with Zeroshell?

    #47322

    yum
    Member

    I’d suggest using the Fedora distribution. There is a utility called “authconfig-tui”, which works perfectly. You just have to specify “LDAP” for authorization, “Kerberos” for authentication, provide Zeroshell’s IP address for both services, and input the LDAP base DN and the Kerberos realm based on the domain name. No need to edit configuration files by hand.

    #47323

    dbs
    Member

    @yum wrote:

    I’d suggest using the Fedora distribution. There is a utility called “authconfig-tui”, which works perfectly. You just have to specify “LDAP” for authorization, “Kerberos” for authentication, provide Zeroshell’s IP address for both services, and input the LDAP base DN and the Kerberos realm based on the domain name. No need to edit configuration files by hand.

    While I appreciate the information, and I found similar info out on the net, replacing my distribution is not an option just to get this working. I’ll continue working on finding the answers elsewhere.

    My goal is to have the Zeroshell box essentially function as an ActiveDirectory server – providing a single authentication / authorization service to a range of client machines (windows, linux, mac, etc). On those boxes, I’ll need to set up services for shell access, http authorization, and SAMBA services.

    Any pointers to guides for these services would be helpful, but “replace your OS with this version” is not really an option, thanks.

    #47324

    imported_fulvio
    Participant

    For Linux clients you need to configure pam_krb5.so in the PAM configuration files. In any case, several Linux distributions have their tools for automatic authorisation and authentication configuration.

    To check if the LDAP is correctly configured to provide user information, use the command:

    getent passwd

    Regards
    Fulvio

    #47325

    dbs
    Member

    @fulvio wrote:

    For Linux clients you need to configure pam_krb5.so in the PAM configuration files. In any case, several Linux distributions have their tools for automatic authorisation and authentication configuration.

    Okay, I’ll work on this for ubuntu, and let ya’ll know.

    @fulvio wrote:

    To check if the LDAP is correctly configured to provide user information, use the command:

    getent passwd

    This just shows my local accounts, no LDAP accounts (i.e., getent passwd shows a list of accounts; getent passwd | grep (a known ldap user) shows nothing).

    #47326

    imported_fulvio
    Participant

    You should better configure the file /etc/nsswitch.conf by using the line
    passwd: files ldap

    Regards
    Fulvio

    #47327

    dbs
    Member

    @fulvio wrote:

    You should better configure the file /etc/nsswitch.conf by using the line
    passwd: files ldap

    I’m just getting online now – note the beginning of this thread, I’m using ‘compat ldap’ – is there a difference?

    #47328

    imported_fulvio
    Participant

    If you use compat you need to specify +: in /etc/passwd.
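
The two nsswitch recommendations in this thread (“files ldap”, or “compat” plus a “+” entry in /etc/passwd) can be checked mechanically on a client before running getent again. The script below is an added example, not from the thread or from Zeroshell; it reads a given nsswitch.conf and passwd file, reports whether the passwd database ever reaches ldap, and flags the compat-without-“+” case. The sample files it creates are constructed to reproduce the original poster’s starting point.

```shell
#!/bin/sh
# Added example: audit the NSS side of an nss_ldap client setup.
set -eu

# Print the source list for one NSS database, e.g. "compat ldap" for passwd.
# Comments are stripped and whitespace normalised; prints nothing if absent.
nss_sources() {  # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2" '{ sub(/#.*/, "") }
        $1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Succeed if the database's source list mentions the ldap module at all.
nss_uses_ldap() {  # $1 = nsswitch.conf path, $2 = database name
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Succeed if the passwd file carries a "+" entry (needed by the compat source).
passwd_has_plus_entry() {  # $1 = passwd file path
    grep -q '^+' "$1"
}

# Exit 0 when ldap is reachable for passwd lookups, 1 when ldap is not listed,
# 2 when compat is used without a "+" entry (the thread's getent symptom).
audit_passwd_db() {  # $1 = nsswitch.conf path, $2 = passwd file path
    srcs=$(nss_sources "$1" passwd)
    if ! nss_uses_ldap "$1" passwd; then
        echo "passwd: '$srcs' never consults ldap"; return 1
    fi
    case " $srcs " in
        *" compat "*)
            if passwd_has_plus_entry "$2"; then
                echo "passwd: compat with '+' entry, ldap reached via compat"
            else
                echo "passwd: compat but no '+' entry in $2; use 'files ldap'"
                return 2
            fi ;;
        *) echo "passwd: '$srcs' consults ldap directly" ;;
    esac
}

# Constructed sample input: the poster's 'compat ldap' line, no '+' entry.
tmp=$(mktemp -d)
printf 'passwd:         compat ldap\ngroup: compat ldap\n' > "$tmp/nsswitch.conf"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/passwd"
audit_passwd_db "$tmp/nsswitch.conf" "$tmp/passwd" || echo "audit exit status $?"
rm -rf "$tmp"
```

Run it against the real files with `audit_passwd_db /etc/nsswitch.conf /etc/passwd` once the functions are sourced.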

    #47329

    panther
    Member

    I don’t know if this helps, but I had to add these three lines to /etc/ldap.conf to get my connection to work for ‘getent passwd’.

    ssl no
    tls_cacertdir /etc/ssl/certs
    pam_password md5

    I would also love to figure out why I can’t get Apache to authorize a directory with LDAP from Zeroshell. I’ve done the following:

    DAV svn
    SVNParentPath /var/svn
    SVNListParentPath on
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthName "svn-ldap"
    AuthUserFile /dev/null
    AuthLDAPURL "ldap://zeroshell.local:389/dc=SPG?uid?sub?(objectClass=*)"
    AuthLDAPBindDN "cn=manager,dc=SPG"
    AuthLDAPBindPassword
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member

    SSLRequireSSL
    Require valid-user

    And all I ever get is invalid credentials. When doing ldapsearch -x, I can log into LDAP as long as I use simple connections without a password. However, I have *never* been able to log in with any of my users or their passwords. What am I doing wrong? The weird thing is, I have another machine that came pre-installed with other software which *does* allow logins, so it must be something I’ve missed. Any ideas?

    Thanks,
    JH

    #47330

    yum
    Member

    Hi, panther!

    Zeroshell doesn’t store passwords in LDAP. It is impossible to authenticate against Zeroshell’s LDAP. I think you can use mod_auth_pam / mod_auth_kerb instead to authenticate against Zeroshell’s Kerberos.

    #47331

    imported_fulvio
    Participant

    You are right. Zeroshell authorises with LDAP and authenticates only with Kerberos5 and RADIUS.

    Regards
    Fulvio
