
I'm trying to make one test server authenticate users against a 389 Directory Server LDAP. I've installed nscd and nslcd and got them working. Commands like getent passwd work just fine.

Now I need to configure the pam_ldap.so PAM module to authenticate users. The ldap.conf man page states that:

When authenticating or authorizing a user, pam_ldap first maps the user’s login name to a distinguished name by searching the directory server. This must be possible using the local system’s identity, specified in pam_ldap.conf. (Note that presently only simple authentication is supported for authenticating in this initial step.) To authenticate a user, pam_ldap attempts to bind to the directory server using the distinguished name of the user (retrieved previously). Both simple and SASL authentication mechanisms are supported; in the former case, one should take care to use transport security to prevent the user’s password being transmitted in the clear.

However, when trying to authenticate a user, the pam_ldap module does not perform a BIND against the LDAP server to try to authenticate the user.

/etc/nslcd.conf:

# nslcd daemon
uid nslcd
gid ldap

# ldap servers
uri ldaps://127.0.0.1:1636/
uri ldaps://127.0.0.1:1637/
ldap_version 3

# CA certificates for server certificate verification
ssl yes
tls_cacertfile /etc/ca.pem

#TODO: for testing only
tls_reqcert never

# limits
bind_timelimit 30
timelimit 30
idle_timelimit 600

# bind and globals
binddn uid=proxytest,ou=proxies,c=gb
bindpw 123456789
base o=company,c=gb
scope sub

# users
base passwd ou=people,o=company,c=gb
scope passwd sub
filter passwd (objectClass=posixAccount)

# groups
base group ou=group,o=company,c=gb
scope group sub
filter group (objectClass=posixGroup)

/etc/openldap/ldap.conf (it has the defaults; it should be fine because I overrode everything in pam_ldap.conf):

# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#URI        ldap://localhost:1389 ldap://localhost:1390
#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never
TLS_CACERTDIR   /etc/openldap/certs

/etc/pam_ldap.conf:

# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# The man page for this file is pam_ldap(5)
#
# PADL Software
# http://www.padl.com
#

base ou=people,o=company,c=gb

uri ldaps://127.0.0.1:1636/
uri ldaps://127.0.0.1:1637/
ldap_version 3

binddn uid=proxytest,ou=proxies,c=gb
bindpw 123456789

scope sub
timelimit 30
bind_timelimit 30

bind_policy hard
idle_timelimit 600

pam_filter objectclass=posixAccount
pam_login_attribute uid

# Group member attribute
pam_member_attribute memberUid

ssl on
#TODO: for testing only
tls_checkpeer no

# CA certificates for server certificate verification
tls_cacertfile /etc/ca.pem

/etc/nsswitch.conf:

...
passwd:     files ldap
shadow:     files ldap
group:      files ldap
...

With this configuration, the authentication works just fine. The thing is that the server reads the user's shadow information from the LDAP server with the pam_unix module (through NSS), which effectively means the module reads userPassword out of LDAP and compares it locally. That is what I do not want to happen. Looking at the LDAP logs (and also at unencrypted network traffic), there is no evidence that the system tries to bind as the user who is attempting to log in:

[19/May/2017:15:20:19 +0200] conn=213 op=0 BIND dn="uid=proxytest,ou=proxies,c=gb" method=128 version=3
[19/May/2017:15:20:19 +0200] conn=213 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=proxytest,ou=proxies,c=gb"

[19/May/2017:15:20:19 +0200] conn=213 op=1 SRCH base="ou=people,o=company,c=gb" scope=2 filter="(&(objectClass=posixAccount)(uid=test))" attrs="userPassword cn gidNumber uidNumber loginShell objectClass gecos uid homeDirectory"
[19/May/2017:15:20:19 +0200] conn=213 op=1 RESULT err=0 tag=101 nentries=1 etime=0

[19/May/2017:15:20:19 +0200] conn=205 op=12 SRCH base="ou=people,o=company,c=gb" scope=2 filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid"
[19/May/2017:15:20:19 +0200] conn=205 op=12 RESULT err=0 tag=101 nentries=1 etime=0

[19/May/2017:15:20:19 +0200] conn=205 op=13 SRCH base="ou=group,o=company,c=gb" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=test)(uniqueMember=uid=test,ou=people,o=company,c=gb)))" attrs="cn userPassword memberUid gidNumber uniqueMember"
[19/May/2017:15:20:19 +0200] conn=205 op=13 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

Even rearranging the PAM modules so that pam_ldap.so goes before pam_unix.so does not affect this behavior. I'm trying this on CentOS 6.8 x86_64 with pam_ldap-185-11.el6.x86_64; other libraries:

rpm -qa | grep -E "ldap|nss|nscd|nslc"
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
openldap-2.4.40-16.el6.x86_64
pam_ldap-185-11.el6.x86_64
nss-util-3.28.4-1.el6_9.x86_64
nss-sysinit-3.28.4-1.el6_9.x86_64
nss-pam-ldapd-0.7.5-32.el6.x86_64
openldap-clients-2.4.40-16.el6.x86_64
nss-3.28.4-1.el6_9.x86_64
nss-tools-3.28.4-1.el6_9.x86_64
nscd-2.12-1.209.el6_9.1.x86_64
nss-softokn-freebl-3.14.3-23.3.el6_8.x86_64
nss-softokn-3.14.3-23.3.el6_8.x86_64

Also, the relevant pam.d configuration:

cat /etc/pam.d/password-auth
#%PAM-1.0
auth        required      pam_warn.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Is there any way of forcing the pam_ldap.so module to do the LDAP bind as the uid=test,ou=people,o=company,c=gb user? I understand that the library will first look up the user's DN in LDAP, and I'm perfectly fine with that. I'm currently out of ideas, so even hints are appreciated. :)

  • Which pam_ldap are you using? The one that comes with nslcd? The (obsolete) one from PADL? Commented May 19, 2017 at 14:54
  • There is only one pam_ldap.so. Running yum whatprovides *bin/nslcd gives me the nss-pam-ldapd package, which I then ran yum deplist on. yum deplist nss-pam-ldapd shows the pam_ldap.x86_64 185-11.el6 package as the only provider of pam_ldap.so. But considering the config file's header, this is probably the PADL version. But never mind, I made a mistake; the whole thing actually works. :-/
    – Fiisch
    Commented May 19, 2017 at 15:29

1 Answer


This was actually an "end-of-the-week" problem. The config in question works perfectly fine.

The point here was that there are two LDAP servers, and by mere chance the BIND as uid=test,ou=people,o=company,c=gb was performed against the other LDAP server than the one I was looking at (like 20 or more times actually; bad luck). It also did not appear in the network dump because I had made a mistake in the BPF filter for tcpdump.
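One way to avoid the trap described in this answer, and to get the evidence the question was looking for, is to check the access logs of every server listed in the uri lines rather than just one, and to pair each BIND with its RESULT so that both successful and rejected end-user binds show up. The script below is an added example, not code from the question, the answer, or 389 Directory Server; it parses lines in the 389 DS access-log format shown in the question, and the log excerpts in it are constructed (the second server's lines, the connection numbers, the err=49 failed bind and the server labels are all assumptions). Every bind whose DN is not the nslcd/pam_ldap service account (uid=proxytest) is a bind that pam_ldap performed as the user; pam_unix comparing a hash locally would never produce one.

```python
import re

# Constructed 389 DS access-log excerpts in the format shown in the question.
# Server A only ever sees the proxy account (nslcd/pam_ldap looking the user up);
# server B is where the user bind happened to land. Nothing here is a real log.
SERVER_A_LOG = """\
[19/May/2017:15:20:19 +0200] conn=213 op=0 BIND dn="uid=proxytest,ou=proxies,c=gb" method=128 version=3
[19/May/2017:15:20:19 +0200] conn=213 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=proxytest,ou=proxies,c=gb"
[19/May/2017:15:20:19 +0200] conn=213 op=1 SRCH base="ou=people,o=company,c=gb" scope=2 filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid"
[19/May/2017:15:20:19 +0200] conn=213 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""
SERVER_B_LOG = """\
[19/May/2017:15:20:19 +0200] conn=77 op=0 BIND dn="uid=test,ou=people,o=company,c=gb" method=128 version=3
[19/May/2017:15:20:19 +0200] conn=77 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test,ou=people,o=company,c=gb"
[19/May/2017:15:20:25 +0200] conn=78 op=0 BIND dn="uid=test,ou=people,o=company,c=gb" method=128 version=3
[19/May/2017:15:20:25 +0200] conn=78 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

PROXY_DN = "uid=proxytest,ou=proxies,c=gb"

# BIND and RESULT lines are tied together by the (conn, op) pair; the RESULT
# carries the LDAP result code (0 = success, 49 = invalidCredentials).
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def bind_results(log_text):
    """Return [(bind_dn, err), ...] in log order, one entry per completed BIND.

    Results for other operations (SRCH etc.) are ignored because their (conn, op)
    key was never registered by a BIND line. An empty dn is an anonymous bind.
    """
    pending = {}
    results = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            results.append((dn, int(m.group(3))))
    return results


def user_binds(logs, proxy_dn):
    """logs: {server_label: access_log_text}.

    Returns {server_label: [(dn, err), ...]} keeping only binds that are not the
    service account. A non-proxy DN here, successful (err=0) or rejected
    (err=49), is direct evidence that pam_ldap bound as the end user on that
    server; an empty list on every server means no user bind was attempted.
    """
    return {
        server: [(dn, err) for dn, err in bind_results(text) if dn != proxy_dn]
        for server, text in logs.items()
    }


if __name__ == "__main__":
    # In real use read each instance's access log, e.g.
    # open("/var/log/dirsrv/slapd-<instance>/access").read() for both servers
    # (path is an assumption; adjust to your instance names).
    logs = {
        "ldaps://127.0.0.1:1636/": SERVER_A_LOG,
        "ldaps://127.0.0.1:1637/": SERVER_B_LOG,
    }
    for server, binds in user_binds(logs, PROXY_DN).items():
        if not binds:
            print(f"{server}: no end-user BIND seen (only the proxy account)")
        for dn, err in binds:
            print(f"{server}: BIND as {dn or '<anonymous>'} -> err={err}")
```

Running it against the constructed excerpts reports nothing but the proxy account on the first server and two user binds on the second, which is exactly the situation the answer describes. When you capture traffic to confirm the same thing, remember that pam_ldap may connect to any uri you configured, so the tcpdump filter has to cover every server and port (here 1636 and 1637), and that with ldaps:// you will only see the TLS handshake, not the BIND itself; the server-side access log is the authoritative record.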

