FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?

O. Hartmann ohartman at zedat.fu-berlin.de
Tue Oct 2 06:29:02 PDT 2007


All right, here's next step.

As I mentioned, I linked both local/etc/ldap.conf and 
local/etc/nss_pam.conf symbolically to /local/etc/openldap/ldap.conf 
(OpenLDAP's ldap.conf). This file only contains a restricted common 
subset of options understood by OpenLDAP's clients, nss_ldap and 
pam_ldap. Obviously, this did not work (again: I already installed 
successfully OpenLDAP, nss_ldap and pam_ldap!).

So I turned to have separate files for each library and facility. The 
only thing I changed was the default dc=xxx tags and the uri tag to 
access either local socket, local secure port or local normal port. On 
all three facilities OpenLDAP was listening, as sockstat(1) reported 
positively.

Well, I also changed /etc/nsswitch.conf to look first for 'files', then 
for 'ldap' for group and passwords. I also have ACLs defined in slapd.conf.

The problem at the moment is, when nss_ldap is running, login as root on 
console takes several minutes (like a NIS server has gone away and I 
think nss_ldap does not reach its LDAP server, so it is of the same 
quality as a missing NIS). I tried to avoid this by having 'files' prior 
to 'ldap' in nsswitch.conf, but that does not work.
Logins from outside are impossible; I see a lot of error messages on 
console that nss_ldap can't contact its OpenLDAP server.
When logged in on console, I can do a simple slapcat(1) and get a lot of 
definitions, so this shows a running and responding OpenLDAP server.

I feel seriously desperate because I don't know how to trace the 
communication paths between the pam/nss clients and the OpenLDAP server.

At the beginning of setting up the environment, I followed strictly the 
suggestions and examples shown in the OpenLDAP tutorials from OpenLDAP 
itself - but with no success! Other tutorials around the web mostly target 
outdated environments (FreeBSD 5.1, older OpenLDAP versions or 
strange Linux setups).

In my case, I expect some errors from the OpenLDAP server if a client 
tries to access the server itself without having permissions granted for 
accessing, reading or even writing to the directory, but all I get is a 
failure in connecting to the OpenLDAP server as if it did not exist. 
This is strange! Maybe it is also a problem with the TLS/SSL facility, 
but this should also be reported either by the client or the OpenLDAP 
server itself. But nothing is shown so far reflecting a problem. Without 
any SSL/TLS certificate for encryption, I end up in the same strange 
problem. Even SAMBA struggles when connecting to LDAP services - because 
it also can not find the target.

So, I suspect some problems with FreeBSD 7.0-CURRENT. Is nobody out here 
utilizing FBSD 7.0 in combination with OpenLDAP (most recent version 
as taken from the ports, in conjunction with pam_ldap/nss_ldap)?

Strange,

regards,
Oliver
Brian A. Seklecki wrote:
> 
> There should be an nss_ldap.conf and pam_ldap.conf in /usr/local/etc . 
> You need to set a variety of settings there.  What do they look like?
> 
> Remember: pkg_info -L pam_ldap nss_ldap!
> 
> Also, not sure about the TCP FIN_2 issue -- probably just the usual 
> shakes and bangs with -current.  ~BAS
> 
> 
> On Fri, 28 Sep 2007, O. Hartmann wrote:
> 
>> Thank you for responding.
>> So, I'll feel free reporting my bad luck. This is a reference page I 
>> consulted for some hints, but without success:
>>
>> http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html 
>>
>>
>> First, OS is the most recent FreeBSD 7.0.
>> OpenLDAP is openldap-server-2.3.38, standard config, no SASL support 
>> or anything else apart from default
>> PAM_LDAP
>> NSS_LDAP
>>
>> I renamed cached.conf to nscd.conf as suggested (for your information).
>> In /etc/nsswitch.conf I changed
>> #
>> # nsswitch.conf(5) - name service switch configuration file
>> # $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $
>> #
>> group: files ldap
>> group_compat: nis
>> hosts: files dns
>> networks: files
>> passwd: files ldap
>> passwd_compat: nis
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>> I also changed /etc/pam.d/sshd to this:
>>
>> #
>> # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
>> #
>> # PAM configuration for the "sshd" service
>> #
>>
>> # auth
>> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
>> auth            requisite       pam_opieaccess.so       no_warn allow_local
>> #auth           sufficient      pam_krb5.so             no_warn try_first_pass
>> auth            sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass
>> auth            sufficient      pam_ssh.so              no_warn try_first_pass
>> auth            required        pam_unix.so             no_warn try_first_pass
>>
>> # account
>> account         required        pam_nologin.so
>> #account        required        pam_krb5.so
>> account         required        pam_login_access.so
>> account         required        pam_unix.so
>>
>> # session
>> #session        optional        pam_ssh.so
>> session         required        pam_permit.so
>>
>> # password
>> #password       sufficient      pam_krb5.so             no_warn try_first_pass
>> password        required        pam_unix.so             no_warn try_first_pass
>>
>> Both configuration files for nss_ldap and pam_ldap respectively got 
>> linked to /usr/local/etc/openldap/ldap.conf, which looks like this:
>>
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> BASE    dc=foo,dc=org
>> #URI    ldapi:///
>> URI     ldapi://%2fvar%2frun%2fopenldap%2fldapi/
>>
>> #SSL     start_tls
>>
>> #SIZELIMIT      12
>> #TIMELIMIT      15
>> #DEREF          never
>>
>> #TLS_CACERT
>> #TLS_CERT
>> #TLS_KEY
>> #TLS_REQCERT    allow
>> #TLS_REQCERT    demand
>> #TLS_CHECKPEER  yes
>>
>> My /etc/rc.conf.local file has the following OpenLDAP specific entry:
>>
>> ###########################################################
>> ### OpenLDAP Server                                     ###
>> ###########################################################
>> slapd_enable="YES"
>> #slapd_flags='-d 3 -4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"'
>> slapd_flags='-4 -s 4 -h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210 ldaps://192.168.2.210"'
>> slapd_sockets="/var/run/openldap/ldapi"
>>
>>
>> My OpenLDAP config file has SSL-certificates disabled.
>>
>> After the installation of nss_ldap the slapd server takes several 
>> decades of seconds to start. But it starts well and after it has 
>> initiated itself, I can do on the server a simple 'slapcat' and receive.
>>
>> But I can't access the LDAP server. Doing an 'id testuser' results in 
>> 'id not found'.
>>
>> On the console, I receive masses of errors like this:
>>
>> TCP: [127.0.0.1]:389 to [127.0.0.1]:63896 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received data after socket was closed, sending RST and removing tcpcb
>>
>> Well, I checked sockstat for a listening slapd and I found slapd 
>> listening on both loopback and local NIC and on both ports 389 and 636.
>>
>> So what is wrong ?
>>
>> Regards,
>> a desperate Oliver
>>
>>
>>
>>
>> Brian A. Seklecki wrote:
>>> FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
>>> (PKI). All other services (RADIUS, Apache ((mod_ldap, mod_pam_auth), 
>>> PHP,
>>> interactive shell, SFTP, etc.) can be tied into LDAP either directly or
>>> via PAM.
>>>
>>> As for password change, I don't know if anyone has a passwd(1) binary
>>> that properly changes the LDAP password attribute -- if there is and its
>>> out there, it requires ACL insanity.  Like Oracle, you can either
>>> understand OpenLDAP ACLs, or you have real work to do  >:}
>>>
>>>         Check the nss_pam.conf and nss_ldap.conf configs in local/etc/*
>>>         -- set to "debug 1" to get debugging info.  Feel free to share
>>>         error messages.
>>>
>>> ~BAS
>>>
>>> On Fri, 2007-09-28 at 10:54 +0000, O. Hartmann wrote:
>>>
>>>> Hello out there,
>>>> I have a problem with setting up a FreeBSD box as OpenLDAP server 
>>>> with several services, like SAMBA, NFS.
>>>>
>>>> The intention is to have a FreeBSD 7.0 fileserver (NFS, SAMBA) also 
>>>> acting as OpenLDAP server. So far, OpenLDAP is up and running, using 
>>>> a TLS/SSL certificate. SAMBA is also up and running - but it never 
>>>> connects to the OpenLDAP server due to a connection error, but this 
>>>> shouldn't be the subject here, I have more basic questions about 
>>>> what FreeBSD already has and what to install additionally.
>>>>
>>>> I want customers to log in on the FBSD box, so they should log in 
>>>> (authenticated via OpenLDAP), change their passwords and shells, and 
>>>> those user specifics should be updated on the LDAP server.
>>>>
>>>> I already installed the pam_ldap port but ran into trouble because 
>>>> FreeBSD's nss obviously does not have a tag 'ldap' to refer to an 
>>>> OpenLDAP server (and not files).
>>>> Well, I'm confused and not very firm with OpenLDAP/PAM/NSS stuff, 
>>>> especially if SSL/TLS come into play, and I would like to ask those 
>>>> herein administering those setups, especially within a hybrid 
>>>> NFS/SAMBA fileserving environment, where to find up to date 
>>>> information/howtos/tips.
>>>>
>>>> Most websites and HowTo's I found were Linux related or, if related 
>>>> to FreeBSD, outdated.
>>>>
>>>> Sorry for being so unspecific, but the problem is complex (to me) so I 
>>>> would rather ask those who are willing to help or give hints and 
>>>> tips.
>>>>
>>>> Thanks in advance and for your patience,
>>>> Oliver
>>>>
>>>> _______________________________________________
>>>> freebsd-questions at freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to 
>>>> "freebsd-questions-unsubscribe at freebsd.org"
>>>>
>>>
>>>
>>
>>
> 
> l8*
>     -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
>            http://www.spiritual-machines.org/
> 
>     "Guilty? Yeah. But he knows it. I mean, you're guilty.
>     You just don't know it. So who's really in jail?"
>     ~Maynard James Keenan
> 
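The thread turns on client-side configuration: which sources nsswitch.conf consults and in which order, and whether the URI/BASE/TLS settings the nss_ldap and pam_ldap libraries read actually point at a reachable slapd. The checker below is an added example written for this page, not code from the thread or from the OpenLDAP, nss_ldap or pam_ldap projects. It parses nsswitch.conf and an ldap.conf-style key/value file (keywords normalised to lower case, so the same check runs on OpenLDAP's ldap.conf or on nss_ldap.conf/pam_ldap.conf), decodes the percent-encoded socket path of an ldapi:// URI, and reports the conditions a defender would want flagged before trusting LDAP for logins: 'files' not ahead of 'ldap' (local accounts must resolve while the directory is down), a missing ldapi socket, and an ldaps:// URI with no TLS_CACERT while TLS_REQCERT is left at its ldap.conf(5) default of demand (the connection is refused rather than silently unverified). The sample inputs are constructed after the files quoted in the thread; the `socket_exists` parameter is an assumption added so the check can run offline.

```python
"""Sanity-check an nss_ldap/pam_ldap client configuration (added example)."""
import os
import re
from urllib.parse import unquote

# Constructed samples modelled on the files quoted in the thread.
NSSWITCH_SAMPLE = """\
# nsswitch.conf(5) - name service switch configuration file
group: files ldap
group_compat: nis
hosts: files dns
passwd: files ldap
passwd_compat: nis
shells: files
"""

LDAP_CONF_SAMPLE = """\
# LDAP Defaults
BASE    dc=foo,dc=org
#URI    ldapi:///
URI     ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.2.210 ldaps://192.168.2.210
#SSL     start_tls
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]}, skipping comments and blank lines."""
    dbs = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or ':' not in line:
            continue
        db, sources = line.split(':', 1)
        dbs[db.strip()] = sources.split()
    return dbs


def parse_ldap_conf(text):
    """Return {keyword_lowercase: value}.

    ldap.conf(5) keywords are case-insensitive and nss_ldap/pam_ldap use
    lower-case keywords, so normalising lets one parser read either file.
    """
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts


def ldapi_socket_path(uri):
    """Decode the socket path of an ldapi:// URI, or None for other schemes.

    'ldapi://%2fvar%2frun%2fopenldap%2fldapi/' -> '/var/run/openldap/ldapi'.
    A bare 'ldapi:///' selects the library's compiled-in default; that is
    reported as an empty string because the path is not in the config.
    """
    m = re.match(r'ldapi://([^/]*)/?$', uri)
    return unquote(m.group(1)) if m else None


def check_client_config(nsswitch_text, ldap_conf_text, socket_exists=os.path.exists):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    dbs = parse_nsswitch(nsswitch_text)
    for db in ('passwd', 'group'):
        sources = dbs.get(db, [])
        if 'ldap' not in sources:
            findings.append(f"nsswitch: '{db}' does not consult ldap")
        elif 'files' not in sources or sources.index('files') > sources.index('ldap'):
            findings.append(f"nsswitch: '{db}' should list 'files' before 'ldap'")
    opts = parse_ldap_conf(ldap_conf_text)
    if 'base' not in opts:
        findings.append("ldap.conf: no BASE set")
    uris = opts.get('uri', '').split()
    if not uris:
        findings.append("ldap.conf: no URI set")
    for uri in uris:
        if uri.startswith('ldapi://'):
            path = ldapi_socket_path(uri)
            if path and not socket_exists(path):
                findings.append(f"ldapi socket {path} not present (check slapd_sockets)")
        elif uri.startswith('ldaps://'):
            reqcert = opts.get('tls_reqcert', 'demand').lower()
            if 'tls_cacert' not in opts and reqcert not in ('never', 'allow'):
                findings.append(f"{uri}: no TLS_CACERT while TLS_REQCERT is '{reqcert}'")
        elif not uri.startswith('ldap://'):
            findings.append(f"unrecognised URI scheme: {uri}")
    return findings


if __name__ == '__main__':
    # Run against the live files when they exist, otherwise the samples.
    nss = '/etc/nsswitch.conf'
    conf = '/usr/local/etc/nss_ldap.conf'  # path assumed, as in the thread
    nss_text = open(nss).read() if os.path.exists(nss) else NSSWITCH_SAMPLE
    conf_text = open(conf).read() if os.path.exists(conf) else LDAP_CONF_SAMPLE
    for finding in check_client_config(nss_text, conf_text) or ['no findings']:
        print(finding)
```

Running it on the thread's own sample config yields exactly one finding: the ldaps:// URI has no TLS_CACERT configured while TLS_REQCERT is at its default, so a client that picks that URI will fail the TLS handshake instead of binding, which matches the symptom of a "missing" server without any slapd-side ACL error.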
