I have configured an LDAP client (Ubuntu 20.04) with nss_ldap to connect to an LDAP server and accept users in a specific group. Everything seems to be working fine: the client can access the LDAP server and LDAP users can access the client machine. However, I am receiving the following error messages when the client connects to the LDAP server:
systemd-logind: nss_ldap: failed to bind to LDAP server ldap://[IP address]: Can't contact LDAP server
systemd-logind: nss_ldap: reconnecting to LDAP server...
systemd-logind: nss_ldap: could not connect to any LDAP server as cn=admin,dc=example,dc=com - Can't contact LDAP server
systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
Here are my configuration files:
/etc/ldap.conf
Note that the nss_initgroups_ignoreusers parameter is auto-generated.
# The distinguished name of the search base.
base dc=example,dc=com
# Another way to specify your LDAP server is to provide an
uri ldap://[IP address]
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=example,dc=com
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5
nss_initgroups_ignoreusers _apt,backup,bin,clamav,daemon,fwupd-refresh,games,gnats,irc,landscape,list,lp,lxd,mail,man,messagebus,mysql,news,pollinate,proxy,root,sshd,sync,sys,syslog,systemd-coredump,systemd-network,systemd-resolve,systemd-timesync,tcpdump,tss,uucp,uuidd,www-data
/etc/ldap.secret contains the password.
/etc/nsswitch.conf
passwd: files ldap systemd
group: files ldap systemd
shadow: files ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
/etc/security/access.conf
I added this line:
-:ALL EXCEPT root khloud (ldap-group) (admin) ubuntu:ALL EXCEPT LOCAL
/etc/pam.d/sshd: I uncommented the following line:
account required pam_access.so
Note:
I also tested the connection with ldapsearch and it works.
I tried changing the nsswitch.conf file and reinstalling the nss_ldap client, but I still receive the same error even though everything is working correctly.
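The log lines above show the rootbinddn path: when nss_ldap is called by a root process (here systemd-logind) it binds as cn=admin with the password from /etc/ldap.secret, so that is the bind worth reproducing outside of logind. The script below is an added helper, not part of the question. It pulls uri and rootbinddn out of an ldap.conf-style file, checks that the secret file is root-owned and mode 600 (it holds a directory-admin credential), prints the ldapwhoami command that performs the same simple bind, and shows the systemd-logind sandbox properties (IPAddressDeny and related settings) that decide whether a lookup running inside that service can open a network socket at all, which is the first thing to compare against an ldapsearch that works from an interactive shell. The sample config and ldap.example.com are constructed; stat -c assumes GNU coreutils, and the live checks against the real files run only when LDAP_CHECK_LIVE=1 is set.

```bash
#!/bin/sh
# Added diagnostic helper; not from the original post. Assumes the nss_ldap
# style of /etc/ldap.conf shown above (lower-case keys, whitespace separated)
# and GNU coreutils (stat -c). Sample values below are constructed.

# Value of a key in an ldap.conf-style file (comments ignored, last match wins).
ldap_conf_get() {
    awk -v k="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$2"
}

# The rootbinddn password file must be a root-owned regular file with mode 600:
# it is a directory-admin credential, and any wider mode hands it to local users.
secret_file_check() {
    [ -f "$1" ] || { echo missing; return 1; }
    owner=$(stat -c %U "$1"); mode=$(stat -c %a "$1")
    [ "$owner" = root ] || { echo "owner:$owner"; return 1; }
    [ "$mode" = 600 ]   || { echo "mode:$mode"; return 1; }
    echo ok
}

# The bind nss_ldap performs when called as root: a simple bind as rootbinddn
# with the password from the secret file. Note that ldapwhoami -y uses the file
# contents verbatim, so a trailing newline in the file makes the bind fail.
bind_check_cmd() {
    printf "ldapwhoami -x -H '%s' -D '%s' -y '%s'\n" \
        "$(ldap_conf_get uri "$1")" "$(ldap_conf_get rootbinddn "$1")" "$2"
}

# systemd-logind runs with network sandboxing. These unit properties apply to
# everything loaded into that process, nss_ldap included.
logind_sandbox_props() {
    systemctl show systemd-logind.service \
        -p IPAddressDeny -p IPAddressAllow -p RestrictAddressFamilies -p PrivateNetwork
}

# Constructed sample mirroring the keys from the post, so this runs offline.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
# constructed sample ldap.conf
base dc=example,dc=com
uri ldap://ldap.example.com
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
EOF

echo "uri:        $(ldap_conf_get uri "$SAMPLE_CONF")"
echo "rootbinddn: $(ldap_conf_get rootbinddn "$SAMPLE_CONF")"
echo "bind test:  $(bind_check_cmd "$SAMPLE_CONF" /etc/ldap.secret)"

# Live checks against the real files, only when explicitly requested.
if [ "${LDAP_CHECK_LIVE:-0}" = 1 ]; then
    echo "secret file: $(secret_file_check /etc/ldap.secret)"
    sh -c "$(bind_check_cmd /etc/ldap.conf /etc/ldap.secret)" && echo "bind: ok"
    logind_sandbox_props
fi
```

If the bind succeeds from the shell but logind still logs "Can't contact LDAP server", compare the sandbox properties printed in the live run with the address of the LDAP server before touching ldap.conf again.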
I have purged a variety of packages in an effort to reinstall Samba and related DC AD from scratch.
Soon after, I receive this error at a prompt and am unable to log in with my normally working local user credentials.
Fortunately, I was still logged in via SSH but even there I get the following error anytime I try to use the sudo command.
sudo: PAM authentication error: Module is unknown
Any thoughts on how to cure this? I have found another post on Stack Overflow with a similar error but its resolution was of no value here.
This seemed to indicate a problem with the "sudo" module in /etc/pam.d/sudo but if you inspect the contents of /etc/pam.d/sudo you find there are 3 include statements in there:
#include common-auth
#include common-account
#include common-session-noninteractive
Solution:
In my case, if I restored common-account to the values found in any default Linux installation, the problem went away.
Further investigation showed me that since I had installed Samba, the only four files that had changed in the /etc/pam.d/ folder relative to the original installation were the common-* files. So I went ahead and restored those four common-* files to their original versions from a similar Linux installation, even though the problem was already solved by restoring just the common-account file.
Here is a copy of the content of common-account for Ubuntu 18.04 - 20.04 and possibly other releases:
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package
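PAM reports "Module is unknown" when a rule names a module whose shared object cannot be loaded, which is exactly what purging packages can leave behind in the pam-auth-update managed common-* files. As an added check, not part of the answer above, the script below walks a service file and the files its #include/@include lines pull in, extracts the module field of every rule (handling bracketed control fields such as [success=1 default=ignore]), and lists the modules whose .so is absent from the PAM module directories. The pam.d directory and module directory it runs against are constructed samples; the default PAM_DIRS search path is an assumption covering the Debian/Ubuntu multiarch and RHEL lib64 layouts and can be overridden from the environment.

```bash
#!/bin/sh
# Added check; not from the original answer. Finds PAM rules that reference
# modules which are not installed, the usual cause of "Module is unknown".
# PAM_DIRS is an assumed search path (Debian/Ubuntu multiarch, RHEL lib64).

PAM_DIRS="${PAM_DIRS:-/lib/x86_64-linux-gnu/security /lib/security /usr/lib/x86_64-linux-gnu/security /usr/lib64/security /lib64/security}"
REAL_PAM_DIRS="$PAM_DIRS"

# Print the service file and, recursively, the files it includes (same directory).
pam_files_for() {
    echo "$1"
    sed -n 's/^[[:space:]]*[#@]include[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" |
    while read -r inc; do
        pam_files_for "$(dirname "$1")/$inc"
    done
}

# Module field of every rule "type control module [args]"; the control field
# may be a bracketed list such as [success=1 default=ignore].
pam_modules_in() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF >= 3 {
            i = 2
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            if (i < NF) print $(i + 1)
        }' "$@" | sort -u
}

# 0 if the module's shared object exists in any directory of PAM_DIRS.
pam_module_exists() {
    for d in $PAM_DIRS; do
        [ -f "$d/$1" ] && return 0
    done
    return 1
}

# Modules referenced by a service (includes followed) that are not installed.
pam_missing_modules() {
    pam_modules_in $(pam_files_for "$1") | while read -r m; do
        pam_module_exists "$m" || echo "$m"
    done
}

# Constructed sample: a pam.d directory whose common-account still references
# pam_ldap.so after the package providing it was purged.
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
mkdir "$D/pam.d" "$D/security"
: >"$D/security/pam_unix.so"; : >"$D/security/pam_deny.so"; : >"$D/security/pam_permit.so"
cat >"$D/pam.d/sudo" <<'EOF'
#include common-account
EOF
cat >"$D/pam.d/common-account" <<'EOF'
# constructed: the Ubuntu default block plus a stale pam_ldap rule
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
EOF

PAM_DIRS="$D/security"
echo "referenced: $(pam_modules_in $(pam_files_for "$D/pam.d/sudo") | tr '\n' ' ')"
echo "missing:    $(pam_missing_modules "$D/pam.d/sudo")"

# Against the real system, when requested: PAM_CHECK_LIVE=1 ./pamcheck.sh
if [ "${PAM_CHECK_LIVE:-0}" = 1 ]; then
    PAM_DIRS="$REAL_PAM_DIRS"
    for svc in /etc/pam.d/sudo /etc/pam.d/sshd /etc/pam.d/login; do
        [ -f "$svc" ] && echo "$svc missing: $(pam_missing_modules "$svc" | tr '\n' ' ')"
    done
fi
```

Any module the live run lists is either a package to reinstall or a rule to remove; restoring the common-* files as the answer describes is the second option applied wholesale.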
I am trying to run OpenLDAP (2.4.44 on RedHat 7.6) as a client against an existing LDAP server with TLS. This is working well - too well, actually. It looks to me as if OpenLDAP accepts any server certificate, instead of validating it against the CAs I provided.
Here is my ldap.conf file:
TLS_CACERT /etc/openldap/cacerts/ldap-2019.pem
TLS_REQCERT demand
URI ldaps://ldap.mydomain.com/
BASE ou=people,dc=mydomain,dc=com
# Some optimizations suggested by
# https://sourceforge.net/p/xcat/wiki/Setting_up_LDAP_in_xCAT/
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
What I want to accomplish is of course that OpenLDAP validates the certificate for ldaps://ldap.mydomain.com against the list of CAs in TLS_CACERT.
But in reality, no matter what I put into the TLS_CACERT file, openldap seems to connect successfully, just as long as it is a valid PEM file.
What am I missing? Is there a second list of CAs that OpenLDAP consults? I also removed the CAs in /etc/pki/tls, just in case.
More details:
ldapsearch -x uid=somename fails if I delete the file I specified in TLS_CACERT. It also fails if TLS_CACERT is not a valid PEM file. This is of course the expected behavior when the client cannot validate a TLS certificate:
ldapsearch -x uid=somename
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
But if I put a completely nonsensical certificate into the TLS_CACERT file, ldapsearch will return a result as if the server's certificate was valid.
ldapsearch -x uid=somename
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=mydomain,dc=com> (default) with scope subtree
# filter: uid=somename
# requesting: ALL
#
# somename, People, mydomain.com
dn: uid=somename,ou=People,dc=mydomain,dc=com
...
For example, I tried using a certificate for www.google.com as a TLS_CACERT. I would have expected this connection to fail with the same "Can't contact LDAP server" error.
Update:
I found the cause but not the solution. OpenLDAP uses the certificate bundle in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Renaming this file causes ldapsearch to behave as I expected, but of course that is not an acceptable solution since this is a system-wide file, not just for OpenLDAP.
So my new question is: how do I prevent OpenLDAP from using this file?
Update 2:
For clarification, this is on RedHat 7.6, and OpenLDAP 2.4.44. I assume that using the systemwide CA bundle is a RedHat modification to the stock OpenLDAP.
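The experiment in the question can be reproduced offline with plain OpenSSL, which makes it easy to see which trust anchor is actually doing the work. The script below is an added example, not part of the question: it generates a throwaway CA, an unrelated second CA, and a server certificate for ldap.mydomain.com signed by the first, then verifies the server certificate against each CA file alone. The -no-CAfile and -no-CApath switches (OpenSSL 1.1.0 or later) are the point: without them openssl verify also consults the default system trust store, so a server certificate issued by a public CA passes no matter what -CAfile points at, which is the same behaviour the question describes for libldap and the system bundle. All keys, certificates and names are generated on the fly.

```bash
#!/bin/sh
# Added example; not from the original question. Requires the openssl CLI,
# version 1.1.0 or later for -no-CAfile/-no-CApath. Everything is generated
# into a temporary directory; the CA and host names are made up.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA with CN=$1: writes $2.pem and $2.key.
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Leaf certificate for CN=$1 signed by the CA at $2: writes $3.pem.
mk_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 1 -out "$3.pem" 2>/dev/null
}

# "ok" if certificate $2 chains to a CA in file $1 when that file is the ONLY
# trust store consulted; "fail" otherwise. Dropping -no-CAfile/-no-CApath
# silently re-enables the system bundle, which is what hides misconfiguration.
verify_only_against() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

mk_ca "Corp LDAP CA 2019" "$WORK/ldap-ca"     # the CA that really signed the server cert
mk_ca "Unrelated Test CA" "$WORK/other-ca"    # a valid PEM file, but the wrong CA
mk_leaf "ldap.mydomain.com" "$WORK/ldap-ca" "$WORK/server"

echo "right CA: $(verify_only_against "$WORK/ldap-ca.pem"  "$WORK/server.pem")"   # ok
echo "wrong CA: $(verify_only_against "$WORK/other-ca.pem" "$WORK/server.pem")"   # fail
```

To apply the same test to the real server, fetch its chain with openssl s_client -connect ldap.mydomain.com:636 -showcerts, save the leaf, and run verify_only_against with the TLS_CACERT file; if that fails while ldapsearch succeeds, the client library is trusting something other than that file.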
I am getting the following error in debug mode
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: tuser
[mschap] Client is using MS-CHAPv2 for tuser, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
I am pretty sure this is the issue. I am using OpenDJ as the backend LDAP server and FreeRADIUS with LDAP. Please tell me if I am missing anything or if there is a specific configuration I have to make. Nothing network-wise is blocking ports. Note: I am using a Mac to authenticate.
Can you login locally on freeradius server with LDAP creds?
radtest $login $pass 127.0.0.1 10 $secret
If yes, you should probably stop the freeradius service and run "freeradius -X", which shows you the debug output from the server side.
Paste your sites-enabled/default config; do you have ms-chap uncommented there?
When I try to start SonarQube 5.1.2 directly after a restart of my computer, it fails and I get the following message in the log file. If I start SonarQube manually while the computer is already running, it starts without any problem. So I think the JVM isn't started yet when I try to start SonarQube after a restart.
Launching a JVM...
Startup failed: Timed out waiting for a signal from the JVM.
JVM did not exit on request, terminated
JVM Restarts disabled. Shutting down.
<-- Wrapper Stopped
I already changed the wrapper.config, but it didn't help:
# Path to JVM executable. By default it must be available in PATH.
# Can be an absolute path, for example:
#wrapper.java.command=/path/to/my/jdk/bin/java
wrapper.java.command=java
#
# DO NOT EDIT THE FOLLOWING SECTIONS
#
#********************************************************************
# Wrapper Java
#********************************************************************
wrapper.java.additional.1=-Djava.awt.headless=true
wrapper.java.mainclass=org.tanukisoftware.wrapper.WrapperSimpleApp
wrapper.java.classpath.1=../../lib/jsw/*.jar
wrapper.java.classpath.2=../../lib/*.jar
wrapper.java.library.path.1=./lib
wrapper.app.parameter.1=org.sonar.application.App
wrapper.java.initmemory=3
# Xmx can't be set to a lower value because of compatibility with Java 6
wrapper.java.maxmemory=32
#********************************************************************
# Wrapper Logs
#********************************************************************
wrapper.console.format=PM
wrapper.console.loglevel=INFO
wrapper.logfile=../../logs/sonar.log
wrapper.logfile.format=M
wrapper.logfile.loglevel=INFO
# Maximum size that the log file will be allowed to grow to before
# the log is rolled. Size is specified in bytes. The default value
# of 0, disables log rolling. May abbreviate with the 'k' (kb) or
# 'm' (mb) suffix. For example: 10m = 10 megabytes.
wrapper.logfile.maxsize=1mb
# Maximum number of rolled log files which will be allowed before old
# files are deleted. The default value of 0 implies no limit.
wrapper.logfile.maxfiles=20
# Log Level for sys/event log output. (See docs for log levels)
wrapper.syslog.loglevel=INFO
#********************************************************************
# Wrapper Windows Properties
#********************************************************************
# Title to use when running as a console
wrapper.console.title=SonarQube
# Disallow start of multiple instances of an application at the same time on Windows
wrapper.single_invocation=true
#********************************************************************
# Wrapper Windows NT/2000/XP Service Properties
#********************************************************************
# WARNING - Do not modify any of these properties when an application
# using this configuration file has been installed as a service.
# Please uninstall the service before modifying this section. The
# service can then be reinstalled.
# Name of the service
wrapper.ntservice.name=SonarQube
# Display name of the service
wrapper.ntservice.displayname=SonarQube
# Description of the service
wrapper.ntservice.description=SonarQube
# Service dependencies. Add dependencies as needed starting from 1
wrapper.ntservice.dependency.1=
# Mode in which the service is installed. AUTO_START or DEMAND_START
wrapper.ntservice.starttype=AUTO_START
# Allow the service to interact with the desktop.
wrapper.ntservice.interactive=false
#********************************************************************
# Forking Properties
#********************************************************************
wrapper.disable_restarts=TRUE
wrapper.ping.timeout=200
wrapper.shutdown.timeout=3000
wrapper.jvm_exit.timeout=3000
sonar.properties:
# This file must contain only ISO 8859-1 characters.
# See http://docs.oracle.com/javase/1.5.0/docs/api/java/util/Properties.html#load(java.io.InputStream)
#
# Property values can:
# - reference an environment variable, for example sonar.jdbc.url= ${env:SONAR_JDBC_URL}
# - be encrypted. See http://redirect.sonarsource.com/doc/settings-encryption.html
#--------------------------------------------------------------------------------------------------
#Sonar log level
sonar.log.level=TRACE
#--------------------------------------------------------------------------------------------------
# DATABASE
#
# IMPORTANT: the embedded H2 database is used by default. It is recommended for tests but not for
# production use. Supported databases are MySQL, Oracle, PostgreSQL and Microsoft SQLServer.
# User credentials.
# Permissions to create tables, indices and triggers must be granted to JDBC user.
# The schema must be created first.
#sonar.jdbc.username=sonar
#sonar.jdbc.password=sonar
#----- Embedded Database (default)
# It does not accept connections from remote hosts, so the
# server and the analyzers must be executed on the same host.
#sonar.jdbc.url=jdbc:h2:tcp://localhost:9092/sonar
# H2 embedded database server listening port, defaults to 9092
#sonar.embeddedDatabase.port=9092
#----- MySQL 5.x
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance
#----- Oracle 10g/11g
# - Only thin client is supported
# - Only versions 11.2.* of Oracle JDBC driver are supported, even if connecting to lower Oracle versions.
# - The JDBC driver must be copied into the directory extensions/jdbc-driver/oracle/
# - If you need to set the schema, please refer to http://jira.codehaus.org/browse/SONAR-5000
#sonar.jdbc.url=jdbc:oracle:thin:#localhost/XE
#----- PostgreSQL 8.x/9.x
# If you don't use the schema named "public", please refer to http://jira.codehaus.org/browse/SONAR-5000
#sonar.jdbc.url=jdbc:postgresql://localhost/sonar
#----- Microsoft SQLServer 2005/2008
# Only the distributed jTDS driver is supported.
#sonar.jdbc.url=jdbc:jtds:sqlserver://localhost/sonar;SelectMethod=Cursor
#----- Connection pool settings
# The maximum number of active connections that can be allocated
# at the same time, or negative for no limit.
#sonar.jdbc.maxActive=50
# The maximum number of connections that can remain idle in the
# pool, without extra ones being released, or negative for no limit.
#sonar.jdbc.maxIdle=5
# The minimum number of connections that can remain idle in the pool,
# without extra ones being created, or zero to create none.
#sonar.jdbc.minIdle=2
# The maximum number of milliseconds that the pool will wait (when there
# are no available connections) for a connection to be returned before
# throwing an exception, or <= 0 to wait indefinitely.
#sonar.jdbc.maxWait=5000
#sonar.jdbc.minEvictableIdleTimeMillis=600000
#sonar.jdbc.timeBetweenEvictionRunsMillis=30000
#--------------------------------------------------------------------------------------------------
# WEB SERVER
# Web server is executed in a dedicated Java process. By default heap size is 768Mb.
# Use the following property to customize JVM options.
# Recommendations:
#
# The HotSpot Server VM is recommended. The property -server should be added if server mode
# is not enabled by default on your environment: http://docs.oracle.com/javase/7/docs/technotes/guides/vm/server-class.html
#
# Set min and max memory (respectively -Xms and -Xmx) to the same value to prevent heap
# from resizing at runtime.
#
#sonar.web.javaOpts=-Xmx768m -XX:MaxPermSize=160m -XX:+HeapDumpOnOutOfMemoryError
sonar.web.javaOpts=-Xmx1536m -XX:MaxPermSize=160m -XX:+HeapDumpOnOutOfMemoryError -server -Dfile.encoding=UTF-8 -Djruby.compile.invokedynamic=false
# Same as previous property, but allows to not repeat all other settings like -Xmx
#sonar.web.javaAdditionalOpts=
# Binding IP address. For servers with more than one IP address, this property specifies which
# address will be used for listening on the specified ports.
# By default, ports will be used on all IP addresses associated with the server.
sonar.web.host=
# Web context. When set, it must start with forward slash (for example /sonarqube).
# The default value is root context (empty value).
#sonar.web.context=
# TCP port for incoming HTTP connections. Disabled when value is -1.
sonar.web.port=9000
# TCP port for incoming HTTPS connections. Disabled when value is -1 (default).
#sonar.web.https.port=-1
# HTTPS - the alias used to for the server certificate in the keystore.
# If not specified the first key read in the keystore is used.
#sonar.web.https.keyAlias=
# HTTPS - the password used to access the server certificate from the
# specified keystore file. The default value is "changeit".
#sonar.web.https.keyPass=changeit
# HTTPS - the pathname of the keystore file where is stored the server certificate.
# By default, the pathname is the file ".keystore" in the user home.
# If keystoreType doesn't need a file use empty value.
#sonar.web.https.keystoreFile=
# HTTPS - the password used to access the specified keystore file. The default
# value is the value of sonar.web.https.keyPass.
#sonar.web.https.keystorePass=
# HTTPS - the type of keystore file to be used for the server certificate.
# The default value is JKS (Java KeyStore).
#sonar.web.https.keystoreType=JKS
# HTTPS - the name of the keystore provider to be used for the server certificate.
# If not specified, the list of registered providers is traversed in preference order
# and the first provider that supports the keystore type is used (see sonar.web.https.keystoreType).
#sonar.web.https.keystoreProvider=
# HTTPS - the pathname of the truststore file which contains trusted certificate authorities.
# By default, this would be the cacerts file in your JRE.
# If truststoreFile doesn't need a file use empty value.
#sonar.web.https.truststoreFile=
# HTTPS - the password used to access the specified truststore file.
#sonar.web.https.truststorePass=
# HTTPS - the type of truststore file to be used.
# The default value is JKS (Java KeyStore).
#sonar.web.https.truststoreType=JKS
# HTTPS - the name of the truststore provider to be used for the server certificate.
# If not specified, the list of registered providers is traversed in preference order
# and the first provider that supports the truststore type is used (see sonar.web.https.truststoreType).
#sonar.web.https.truststoreProvider=
# HTTPS - whether to enable client certificate authentication.
# The default is false (client certificates disabled).
# Other possible values are 'want' (certificates will be requested, but not required),
# and 'true' (certificates are required).
#sonar.web.https.clientAuth=false
# The maximum number of connections that the server will accept and process at any given time.
# When this number has been reached, the server will not accept any more connections until
# the number of connections falls below this value. The operating system may still accept connections
# based on the sonar.web.connections.acceptCount property. The default value is 50 for each
# enabled connector.
#sonar.web.http.maxThreads=50
#sonar.web.https.maxThreads=50
# The minimum number of threads always kept running. The default value is 5 for each
# enabled connector.
#sonar.web.http.minThreads=5
#sonar.web.https.minThreads=5
# The maximum queue length for incoming connection requests when all possible request processing
# threads are in use. Any requests received when the queue is full will be refused.
# The default value is 25 for each enabled connector.
#sonar.web.http.acceptCount=25
#sonar.web.https.acceptCount=25
# Access logs are generated in the file logs/access.log. This file is rolled over when it's 5Mb.
# An archive of 3 files is kept in the same directory.
# Access logs are enabled by default.
#sonar.web.accessLogs.enable=true
# TCP port for incoming AJP connections. Disabled if value is -1. Disabled by default.
#sonar.ajp.port=-1
#--------------------------------------------------------------------------------------------------
# ELASTICSEARCH
# Elasticsearch is used to facilitate fast and accurate information retrieval.
# It is executed in a dedicated Java process.
# JVM options of Elasticsearch process
# Recommendations:
#
# Use HotSpot Server VM. The property -server should be added if server mode
# is not enabled by default on your environment: http://docs.oracle.com/javase/7/docs/technotes/guides/vm/server-class.html
#
# Set min and max memory (respectively -Xms and -Xmx) to the same value to prevent heap
# from resizing at runtime.
#
#sonar.search.javaOpts=-Xmx1G -Xms256m -Xss256k -Djava.net.preferIPv4Stack=true \
# -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 \
# -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError
# Same as previous property, but allows to not repeat all other settings like -Xmx
#sonar.search.javaAdditionalOpts=
# Elasticsearch port. Default is 9001. Use 0 to get a free port.
# This port must be private and must not be exposed to the Internet.
#sonar.search.port=9001
#--------------------------------------------------------------------------------------------------
# UPDATE CENTER
# Update Center requires an internet connection to request http://update.sonarsource.org
# It is enabled by default.
sonar.updatecenter.activate=true
# HTTP proxy (default none)
http.proxyHost=
http.proxyPort=
# NT domain name if NTLM proxy is used
#http.auth.ntlm.domain=
# SOCKS proxy (default none)
#socksProxyHost=
#socksProxyPort=
# proxy authentication. The 2 following properties are used for HTTP and SOCKS proxies.
#http.proxyUser=
#http.proxyPassword=
#--------------------------------------------------------------------------------------------------
# LOGGING
# Level of information displayed in the logs: NONE (default), BASIC (functional information)
# and FULL (functional and technical details)
sonar.log.profilingLevel=FULL
# Path to log files. Can be absolute or relative to installation directory.
# Default is <installation home>/logs
#sonar.path.logs=logs
#--------------------------------------------------------------------------------------------------
# OTHERS
# Delay in seconds between processing of notification queue. Default is 60 seconds.
#sonar.notifications.delay=60
# Paths to persistent data files (embedded database and search index) and temporary files.
# Can be absolute or relative to installation directory.
# Defaults are respectively <installation home>/data and <installation home>/temp
#sonar.path.data=data
#sonar.path.temp=temp
#--------------------------------------------------------------------------------------------------
# DEVELOPMENT - only for developers
# The following properties MUST NOT be used in production environments.
# Dev mode allows to reload web sources on changes and to restart server when new versions
# of plugins are deployed.
#sonar.web.dev=false
# Path to webapp sources for hot-reloading of Ruby on Rails, JS and CSS (only core,
# plugins not supported).
#sonar.web.dev.sources=/path/to/server/sonar-web/src/main/webapp
# Uncomment to enable the Elasticsearch HTTP connector, so that ES can be directly requested through
# http://lmenezes.com/elasticsearch-kopf/?location=http://localhost:9010
#sonar.search.httpPort=9010
#---------------------------------------------------------------------------------
# LDAP configuration
# General Configuration
sonar.security.realm=LDAP
sonar.security.savePassword=true
sonar.authenticator.createUsers=true
sonar.security.updateUserAttributes=true
sonar.authenticator.downcase=true
sonar.security.localUsers=
# List the different servers
ldap.servers=ww007
#,in002
# Configure
ldap.ww007.url=
ldap.ww007.authentication=simple
ldap.ww007.bindDn=
ldap.ww007.bindPassword=%qcL!XV&G8R4X_2Bm7wG%U
ldap.ww007.user.baseDn=
ldap.ww007.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.ww007.group.baseDn=CN=
ldap.ww007.group.request=(&(objectClass=group)(member={dn}))
#------------------------------------------------------------------------------------
#exclusion
sonar.exclusions=**/*.doc,**/*.docx,**/*.ipch
Does anybody have a suggestion on how to fix this issue?
Open Task Manager Ctrl + Shift + Esc
Go to details
Search for java.exe and terminate it with End Task
Note: There might be more than one java.exe; make sure you terminate all of them
Start SonarQube
Mac: OpenLDAP
I am new to OpenLDAP. I googled it and found that macOS comes with OpenLDAP installed by default.
I followed this tutorial: MAC Ldap tutorial
Following is my slapd.conf:
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}xEYpp/gcd4Mmf6j756LX4kBjSyYyZFz8
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /private/var/db/openldap/openldap-data
# Indices to maintain
index objectClass eq
Now I am using JXplorer as a client.
I tried the following credentials. I don't know what the user name should be, so I assumed that, like other apps, the default username might be root, and the password I used was the one I generated.
When I tried to log in I got the following error.
Any help is appreciated.
The BaseDN is the suffix, and the username is the rootDN.
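The answer above gives the credentials; the other half of the asker's uncertainty is whether the rootpw hash really matches the password they think they generated. OpenLDAP's {SSHA} scheme is base64(SHA-1(password || salt) || salt) with a 4-byte salt appended, so this can be checked offline before touching the client. The script below is an added example, not part of the thread: it generates an {SSHA} value, verifies a password against one (slappasswd uses random salt bytes that may be unprintable, so the salt is never held in a shell variable), and prints the ldapwhoami bind that uses the rootdn as the user name. The sample password and salt are made up; it assumes openssl, base64 and od are available (GNU or BSD), and ldap://localhost is an assumption about where slapd listens.

```bash
#!/bin/sh
# Added example; not from the original thread. Offline check of OpenLDAP
# {SSHA} hashes: base64( SHA-1(password || salt) || salt ), salt is 4 bytes.
# Needs openssl, base64 and od. Sample password and salt are constructed.

# Produce an {SSHA} hash of password $1 with the raw 4-byte salt $2.
ssha_hash() {
    printf '{SSHA}%s' "$( { printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary; printf '%s' "$2"; } | base64 )"
}

# Exit 0 if password $1 matches {SSHA} hash $2. The salt is whatever follows
# the first 20 decoded bytes; it is piped, never stored, because slappasswd
# salts may contain NUL or other bytes a shell variable cannot hold.
ssha_verify() {
    h=$(printf '%s' "$2" | sed 's/^{SSHA}//')
    stored=$(printf '%s' "$h" | base64 -d 2>/dev/null | head -c 20 | od -An -tx1 | tr -d ' \n')
    actual=$( { printf '%s' "$1"; printf '%s' "$h" | base64 -d 2>/dev/null | tail -c +21; } \
              | openssl dgst -sha1 -binary | od -An -tx1 | tr -d ' \n')
    [ -n "$stored" ] && [ "$stored" = "$actual" ]
}

# The login the answer describes: user name is the rootdn, base is the suffix.
# ldap://localhost is an assumption about where slapd listens.
rootdn_bind_cmd() {
    printf "ldapwhoami -x -H ldap://localhost -D '%s' -W\n" "$1"
}

H=$(ssha_hash 'correct horse' 'ab12')      # constructed sample password and salt
echo "generated: $H"
ssha_verify 'correct horse' "$H" && echo "verify(correct): match"
ssha_verify 'wrong'         "$H" || echo "verify(wrong):   no match"
# To test the hash actually in slapd.conf against the password you are typing:
#   ssha_verify 'your-password' '{SSHA}xEYpp/gcd4Mmf6j756LX4kBjSyYyZFz8' && echo match
echo "then bind: $(rootdn_bind_cmd 'cn=Manager,dc=my-domain,dc=com')"
```

If ssha_verify reports no match for the password you believe you generated, regenerate rootpw with slappasswd and restart slapd before blaming the client; if it matches, the remaining variables are the DN in the user-name field and the server address.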