OpenLDAP, nss_ldap, pam_ldap & FreeBSD

Paolo Pisati flag at gufi.org
Sun 29 Jul 2007 21:43:04 CEST


Hi guys,

I'm trying to integrate LDAP into a FreeBSD environment, with the goal
of managing a whole set of machines remotely (shell, home, uid & gid,
ssh access, etc. etc.).

To start experimenting a bit with LDAP, I decided to install
everything (OpenLDAP, nss_ldap and pam_ldap) on my local machine and
to try ssh access over loopback.

The LDAP server is configured as follows:

/usr/local/etc/openldap/slapd.conf:
-----------------------------------
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/local/libexec/openldap
moduleload      back_bdb

database        bdb
suffix          "dc=test,dc=org"
rootdn          "cn=Manager,dc=test,dc=org"
rootpw          {SSHA}$PWD
directory       /var/db/openldap-data
index           objectClass     eq
index           uid             pres,eq,sub

the client side, instead, has this configuration:

/usr/local/etc/ldap.conf:
-------------------------
host 127.0.0.1
base dc=test,dc=org
port 389

Initially the db was populated like this:

test.ldif:
----------
dn: dc=test,dc=org
dc: test
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: test.org
structuralObjectClass: domain

dn:ou=groups, dc=test, dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit

dn:ou=people, dc=test, dc=org
objectclass: top
objectclass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit

dn: cn=StupidTest User, ou=people, dc=test, dc=org
cn: StupidTest User
sn: Dummy
objectclass: top
objectclass: person
objectclass: posixAccount
objectclass: shadowAccount
uid:testuser
userpassword:{SSHA}GmbwsRvJugoiT5NIIJ2bk+5YVfWMUVa1
uidnumber:1666
gidnumber:1666
gecos:TestUser
loginShell:/bin/csh
homeDirectory: /home/test

dn: cn=test, ou=groups, dc=test, dc=org
objectclass: top
objectclass: posixGroup
cn: test
gidnumber: 1666
memberuid: test

and the FreeBSD machine was modified as follows:

/etc/pam.d/sshd:
----------------
piso@ferret:~ >grep ldap /etc/pam.d/sshd
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
account         sufficient      /usr/local/lib/pam_ldap.so
password        sufficient      /usr/local/lib/pam_ldap.so

/etc/nsswitch.conf:
-------------------
piso@ferret:~ >grep ldap /etc/nsswitch.conf
group: files ldap
passwd: files ldap

/etc/ssh/sshd_config:
---------------------
piso@ferret:~ >grep PAM /etc/ssh/sshd_config
# Change to no to disable PAM authentication
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
UsePAM yes
piso@ferret:~ >

Then I tried to log in via ssh using the user defined in LDAP:

piso@ferret:~ >ssh testuser@localhost
Password:
pam_unix: pam_sm_authenticate: UNIX authentication refused

Password:

--------------------------------------------------------------------------

and this is the sshd log:

auth.log:
---------
Jul 25 11:11:00 ferret sshd[46141]: Invalid user testuser from 127.0.0.1
Jul 25 11:11:01 ferret sshd[46141]: Failed none for invalid user testuser from 127.0.0.1 port 52140 ssh2
Jul 25 11:11:06 ferret sshd[46143]: pam_ldap: error trying to bind as user "cn=StupidTest User,ou=people,dc=test,dc=org" (Invalid credentials)
Jul 25 11:11:06 ferret sshd[46141]: Failed keyboard-interactive/pam for invalid user testuser from 127.0.0.1 port 52140 ssh2
Jul 25 11:11:11 ferret sshd[46144]: pam_ldap: error trying to bind as user "cn=StupidTest User,ou=people,dc=test,dc=org" (Invalid credentials)
Jul 25 11:11:11 ferret sshd[46141]: Failed keyboard-interactive/pam for invalid user testuser from 127.0.0.1 port 52140 ssh2

On the other hand, if I run a search on the LDAP db via ldapsearch,
it seems to work:

piso@ferret:~ >ldapsearch -x -b "dc=test,dc=org" '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test.org
dn: dc=test,dc=org
dc: test
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: test.org

# groups, test.org
dn: ou=groups,dc=test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

# people, test.org
dn: ou=people,dc=test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people

# StupidTest User, people, test.org
dn: cn=StupidTest User,ou=people,dc=test,dc=org
cn: StupidTest User
sn: Dummy
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
uidNumber: 1666
gidNumber: 1666
gecos: TestUser
loginShell: /bin/csh
homeDirectory: /home/test
userPassword:: e1NTSEF9Qm03dXZlanNhcW5OYjMzZjlhMXpmSm5qWjlad25RWXk=

# test, groups, test.org
dn: cn=test,ou=groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
cn: test
gidNumber: 1666
memberUid: test
# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
piso@ferret:~ >

As I said, this is my first encounter with LDAP, so I've surely made
some gross mistake, but the documents I've followed so far [1, 2, 3, ...]
haven't been much help, so I'm counting on you... :)

-- 
bye,

P.

[1] http://www.openldap.org/doc/admin23/quickstart.html
[2] http://www.cultdeadsheep.org/FreeBSD/docs/Quick_and_dirty_FreeBSD_5_x_and_nss_ldap_mini-HOWTO.html
[3] http://quark.humbug.org.au/publications/ldap/system_auth/sage-au/system_auth.html
[...] and many others...
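An added example, not part of the original post and not code from OpenLDAP, nss_ldap or pam_ldap: a small Python script that performs the offline checks an administrator would want before pointing nss_ldap and pam_ldap at a directory like the one above. It parses an LDIF export (the post's user and group entries are embedded as a constructed sample, with userPassword in the base64 "::" form that ldapsearch printed), decodes "::" values, verifies that every posixGroup memberUid names an existing posixAccount uid, flags cleartext passwords, and checks a password against an OpenLDAP {SSHA} value, which is base64(SHA-1(password + salt) + salt). All function names (parse_ldif, ssha_hash, ssha_verify, check_posix_consistency, audit) are the example's own.

```python
import base64
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample (not a live ldapsearch): the two relevant entries from the
# post's test.ldif, with userPassword in the "::" base64 form ldapsearch prints.
SAMPLE_LDIF = """\
dn: cn=StupidTest User,ou=people,dc=test,dc=org
cn: StupidTest User
sn: Dummy
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
uidNumber: 1666
gidNumber: 1666
loginShell: /bin/csh
homeDirectory: /home/test
userPassword:: e1NTSEF9Qm03dXZlanNhcW5OYjMzZjlhMXpmSm5qWjlad25RWXk=

dn: cn=test,ou=groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
cn: test
gidNumber: 1666
memberUid: test
"""


def parse_ldif(text):
    """Parse LDIF records into a list of {attribute: [values]} dicts.

    Attribute names are lowercased (LDAP compares them case-insensitively),
    "attr:: <base64>" values are decoded, folded lines (leading space) are
    joined, and records without a dn (ldapsearch's trailing "search:" and
    "result:" lines) are dropped.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:            # trailing "" flushes the last record
        if not line or line.startswith("#"):
            if current is not None and "dn" in current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    return entries


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """True if password matches the {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_posix_consistency(entries):
    """List problems that break NSS/PAM lookups or leave secrets exposed."""
    problems, uids = [], set()
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" in classes:
            for required in ("uid", "uidnumber", "gidnumber", "homedirectory"):
                if required not in e:
                    problems.append("%s: missing %s (NSS passwd lookup needs it)" % (dn, required))
            uids.update(e.get("uid", []))
            for pw in e.get("userpassword", []):
                if not pw.startswith("{"):
                    problems.append("%s: userPassword stored in cleartext" % dn)
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixgroup" in classes:
            for member in e.get("memberuid", []):
                if member not in uids:
                    problems.append("%s: memberUid %r matches no posixAccount uid" % (dn, member))
    return problems


def audit(ldif_text):
    """Parse an LDIF export and return the consistency problems found in it."""
    return check_posix_consistency(parse_ldif(ldif_text))


if __name__ == "__main__":
    for problem in audit(SAMPLE_LDIF):
        print("PROBLEM:", problem)
```

Run against the post's own data, the script reports that the group's memberUid is "test" while the account's uid is "testuser". Decoding the base64 line from the ldapsearch output gives {SSHA}Bm7uvejsaqnNb33f9a1zfJnjZ9ZwnQYy, which is not the {SSHA} string written in test.ldif, so the value actually stored is the one worth checking with ssha_verify against the password being typed. Two further things the output shows: sshd's "Invalid user testuser" line is emitted when the NSS passwd lookup fails, before PAM runs, so the nss_ldap side should be tested on its own (for example with getent passwd testuser); and an anonymous ldapsearch -x returned userPassword, meaning no ACL protects it. The usual slapd.conf rule `access to attrs=userPassword by self write by anonymous auth by * none` keeps the hashes unreadable while still allowing binds.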


More information about the esperti mailing list