I'm trying to make one test server to authenticate users against a 389 Directory Server LDAP. I've installed nscd and nslcd and got them working. Commands like getent passwd work just fine.
Now I need to configure the pam_ldap.so PAM module to authenticate users. The man ldap_conf states that:
When authenticating or authorizing a user, pam_ldap first maps the user’s login name to a distinguished name by searching the directory server. This must be possible using the local system’s identity, specified in pam_ldap.conf. (Note that presently only simple authentication is supported for authenticating in this initial step.) To authenticate a user, pam_ldap attempts to bind to the directory server using the distinguished name of the user (retrieved previously). Both simple and SASL authentication mechanisms are supported; in the former case, one should take care to use transport security to prevent the user’s password being transmitted in the clear.
However when trying to authenticate a user, the pam_ldap module does not perform a BIND against an LDAP server to try to authenticate the user.
/etc/nslcd.conf:
# nslcd daemon
uid nslcd
gid ldap
# ldap servers
uri ldaps://127.0.0.1:1636/
uri ldaps://127.0.0.1:1637/
ldap_version 3
# CA certificates for server certificate verification
ssl yes
tls_cacertfile /etc/ca.pem
#TODO: for testing only
tls_reqcert never
# limits
bind_timelimit 30
timelimit 30
idle_timelimit 600
# bind and globals
binddn uid=proxytest,ou=proxies,c=gb
bindpw 123456789
base o=company,c=gb
scope sub
# users
base passwd ou=people,o=company,c=gb
scope passwd sub
filter passwd (objectClass=posixAccount)
# groups
base group ou=group,o=company,c=gb
scope group sub
filter group (objectClass=posixGroup)
/etc/openldap/ldap.conf (it has defaults, it should be good because I overrode everything in the pam_ldap.conf):
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#URI ldap://localhost:1389 ldap://localhost:1390
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
/etc/pam_ldap.conf:
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# The man page for this file is pam_ldap(5)
#
# PADL Software
# http://www.padl.com
#
base ou=people,o=company,c=gb
uri ldaps://127.0.0.1:1636/
uri ldaps://127.0.0.1:1637/
ldap_version 3
binddn uid=proxytest,ou=proxies,c=gb
bindpw 123456789
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 600
pam_filter objectclass=posixAccount
pam_login_attribute uid
# Group member attribute
pam_member_attribute memberUid
ssl on
#TODO: for testing only
tls_checkpeer no
# CA certificates for server certificate verification
tls_cacertfile /etc/ca.pem
/etc/nsswitch.conf:
...
passwd: files ldap
shadow: files ldap
group: files ldap
...
With this configuration, the authentication works just fine. The thing is, the server reads the user's shadow information from the LDAP server with the pam_unix module (through NSS), which effectively means that the module reads userPassword out of the LDAP and compares it locally. That is what I do not want to happen. When looking at the LDAP logs (and also at unencrypted network traffic), there is no evidence that the system tries to bind as the user who is attempting to log in:
[19/May/2017:15:20:19 +0200] conn=213 op=0 BIND dn="uid=proxytest,ou=proxies,c=gb" method=128 version=3
[19/May/2017:15:20:19 +0200] conn=213 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=proxytest,ou=proxies,c=gb"
[19/May/2017:15:20:19 +0200] conn=213 op=1 SRCH base="ou=people,o=company,c=gb" scope=2 filter="(&(objectClass=posixAccount)(uid=test))" attrs="userPassword cn gidNumber uidNumber loginShell objectClass gecos uid homeDirectory"
[19/May/2017:15:20:19 +0200] conn=213 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[19/May/2017:15:20:19 +0200] conn=205 op=12 SRCH base="ou=people,o=company,c=gb" scope=2 filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid"
[19/May/2017:15:20:19 +0200] conn=205 op=12 RESULT err=0 tag=101 nentries=1 etime=0
[19/May/2017:15:20:19 +0200] conn=205 op=13 SRCH base="ou=group,o=company,c=gb" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=test)(uniqueMember=uid=test,ou=people,o=company,c=gb)))" attrs="cn userPassword memberUid gidNumber uniqueMember"
[19/May/2017:15:20:19 +0200] conn=205 op=13 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
Even rearranging the PAM modules so that pam_ldap.so goes before pam_unix.so does not affect this behavior. I'm trying this on CentOS 6.8 x86_64 with pam_ldap-185-11.el6.x86_64; other libraries:
rpm -qa | grep -E "ldap|nss|nscd|nslc"
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
openldap-2.4.40-16.el6.x86_64
pam_ldap-185-11.el6.x86_64
nss-util-3.28.4-1.el6_9.x86_64
nss-sysinit-3.28.4-1.el6_9.x86_64
nss-pam-ldapd-0.7.5-32.el6.x86_64
openldap-clients-2.4.40-16.el6.x86_64
nss-3.28.4-1.el6_9.x86_64
nss-tools-3.28.4-1.el6_9.x86_64
nscd-2.12-1.209.el6_9.1.x86_64
nss-softokn-freebl-3.14.3-23.3.el6_8.x86_64
nss-softokn-3.14.3-23.3.el6_8.x86_64
Also, the relevant pam.d configuration:
cat /etc/pam.d/password-auth
#%PAM-1.0
auth required pam_warn.so
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
Is there any way of forcing the pam_ldap.so module to do the LDAP bind as the uid=test,ou=people,o=company,c=gb user? I understand the library will first look up its DN in the LDAP and I'm perfectly fine with that.
I'm currently out of ideas so even hints are appreciated. :)
yum whatprovides *bin/nslcd gives me the nss-pam-ldapd package, which I get to deplist. And yum deplist nss-pam-ldapd shows me the pam_ldap.x86_64 185-11.el6 package as the only provider of pam_ldap.so. But considering the config file's header this is probably the PADL version. But never mind, I made a mistake, the whole thing actually works. :-/