I'm trying to enable LDAP authentication on Ubuntu using the guides below:
https://computingforgeeks.com/how-to-configure-ubuntu-18-04-ubuntu-16-04-lts-as-ldap-client/
https://help.ubuntu.com/community/LDAPClientAuthentication
https://www.youtube.com/watch?v=l0e8rG0mku8
Nothing seems to work so far. ldapsearch works, but I can't login or test with "id" and "getent" commands.
The only difference from the manuals is that I don't have ldap admin account and do not specify it, but I don't think this should break the rest.
Appreciate any suggestions on how to troubleshoot PAM and ldap client
cat /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
. . .
cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
sudo nano /etc/pam.d/common-auth
auth required pam_group.so use_first_pass
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
sudo nano /etc/pam.d/common-password
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha$
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_$
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
$ ldapsearch -x -H ldap://ldap.server.com -b ou=employee,o=test,c=an -LLL "(alias=test_username)" cn
dn: cn=Test User 5142,ou=employee,o=slb,c=an
cn: Test User
cn: Test User 5142
$su - test_username
No passwd entry for user 'test_username'
$ getent passwd test_username
$
From the provided information, it is seen that your LDAP server works properly, but it is not the case for the NSS module, which is your LDAP client. You should check that /etc/ldap.conf contains the correct search base and LDAP server URI. Alternatively, you can run sudo dpkg-reconfigure ldap-auth-config for interactive editing.
PAM seems to be configured correctly. If not, it always can be fixed by interactive utility pam-auth-update.
Additionally, all the guides that you follow suggest you to install libnss-ldap implementation. If you are going to use the desktop version of Ubuntu, be aware that there are known issues between systemd-logind and libnss-ldap. The solution is to use the newer package libnss-ldapd. See this answer for details.
Related
I am trying to restrict SSH access to server.
I started by configuring access.conf
cat /etc/security/access.conf | grep -v "#"
+:root (admins):ALL
+:root:LOCAL
+:root:192.168.8.5
+:linuxuser:192.168.8.11
+:linuxuser:192.168.9.12
-:ALL:ALL
Also, I added the following line to login.
account required pam_access.so
cat /etc/pam.d/login
#%PAM-1.0
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# To SSH access restricted I added the bellow line.
account required pam_access.so
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
Unfortunately, it's still possible to ssh from other IP addresses.
who
linuxuserpts/1 2022-10-11 12:50 (192.168.8.20)
What did I do wrong? Perhaps I missed something? Any advice is welcome!
I run Centos9.
Later edit: I added
UsePAM yes
to sshd_config
Still doesnt work.
Thank You!
I have implemented 2 factor authentication on a remote server using google-authenticator. Login from the web console succeeds after password and single verification code queries. But login from ssh asks for verification code 2 times. Login is successful only if 2 successive totp codes are provided.
I have used ssh -v <user#remotehost> to verify that ssh publickey authentication is successful before the first query for verification code is made.
Config file /etc/ssh/sshd_config has the following settings:
# to restrict root login via ssh
PasswordAuthentication no
PermitRootLogin no
# to enable login via 2FA
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
Config file /etc/pam.d/sshd has the following settings
# Standard Un*x authentication.
# #include common-auth
# for 2FA auth
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
Commenting out auth required pam_google_authenticator.so nullok in /etc/pam.d/sshd removes the duplicate challenge.
Running google_authenticator adds the pam module to /etc/pam.d/common-session making it unnecessary to add it to ssh also.
I am new to working with LDAP, and my ultimate goal is to offer LDAP single sign-on in a web app. In order to achieve this, I'm trying to run ldapwhoami, but I'm running into issues. I am able to run other commands, like ldapsearch and ldapadd.
I'm running OpenLdap on Mac OS High Sierra.
My relevant slapd.conf looks like this:
access to *
by self write
by * read
by anonymous auth
database ldif
suffix "dc=test,dc=com"
directory openldap-data
rootdn "cn=admin,dc=test,dc=com"
## rootpw = secret
rootpw {SSHA}fFjKcZb4cfOAcwSjJer8nCGOEVRUnwCC
I then added a user with ldapadd -x -w secret -f shanson.ldif, where shanson.ldif looks like:
dn: cn=shanson,dc=test,dc=com
objectClass: inetOrgPerson
sn: Hanson
uid: shanson
cn: shanson
userPassword: secret
I am successfully able to search for and find this new user with ldapsearch -x "(cn=shanson)".
Now, I am trying to verify the user's credentials using ldapwhoami, and I keep getting an error:
> ldapwhoami -x -D cn=shanson,dc=test,dc=com -w secret
ldap_bind: Invalid credentials (49)
The same operation with my root admin user succeeds:
> ldapwhoami -x -D cn=admin,dc=test,dc=com -w secret
dn:cn=admin,dc=test,dc=com
I'm sure I'm just making a simple mistake or not understanding what I'm doing, but I don't really know where else to look right now for answers. Thanks!
It seems to have had something to do with the plain text password I set up. I installed Jxplorer and manually updated my user's password and hashed it with MD5, and now the ldapwhoami command works. If I set the password as plain text in JXplorer, ldapwhoami still does not work. Beyond that, I'm not entirely sure what I was doing wrong.
For me, my dn was wrong.
I did an ldapsearch with admin credentials to get the dn: uid=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx
Then I did an ldapwhoami -x -D "uid=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx" -w secret and it worked fine.
I many times integrate authentication in application based on LDAP.
I just put configs: URL (like ldap.company.com:389), search base (like dc=europe,dc=com) and query pattern (like (uid=$)) to libraries and frameworks.
But I always wonder what really do libraries and frameworks to actually authenticate user by supplied login/password.
Seems that LDAP has three type of authentication itself - anonymous, plain password and SASL. So sometimes in order to authenticate you need application login/password to get access to LDAP service.
I am not sure that this blog answer the question: http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/ :
Get a connection to the LDAP server.
Bind as the application user.
Search for the DN (distinguished name) of the user to be authenticated.
Bind as user to be authenticated using DN from step 3.
Is that right?
That may be summarized as (as experiment in command line):
$ ldapsearch -x -h ldap.company.com -s sub -b 'dc=europe,dc=com' "uid=XYZ"
....
dn: uid=XYZ,dc=sales,dc=europe,dc=com
...
$ ldapsearch -W -h ldap.company.com -D 'uid=XYZ,dc=sales,dc=europe,dc=com' \
-s sub -b 'dc=europe,dc=com' "uid=XYZ"
Are there any other authentication schema like using specific DN attribute value as user secret? Or userPassword is that attribute itself?
Your four steps are basically correct. SASL is an External Authentication Mechanism where Authentication is "handed" off to the SASL Mechanism. RFC 4513 spells out Authentication and Security Mechanisms.
-jim
I used Zimbra for many year, and a few web application use Zimbra account via LDAP for authentication.
Now I have a new wireless and I want to use Zimbra for authentications. I installed one new machine (opensuse) with freeradius and testing it (this is my first freeradius installation).
From command line radtest (for LDAP username/password) return Access-Accept
For wireless I used Ubquiti Unifi controller 3.1.10. When I start controller I get error on freeradius side:
ERROR: No authenitcation method (Auth-Type) found for the request: Rejecting the user
But, I did not send any user from unifi controller. I entered only ip-address, port and client security code
OK, if I try to connect on wifi from my device, I get prompt for username/password, but on freeradius server I get error:
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: myusername
[mschap] Told to do MS-CHAPv2 for myusername with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
I tried to create certificate but without success. However, I only want to use Zimbra accounts, I do not need any certificate.
I tried to ask google for help, and read many documentation, but without success.
The Problem here is the lake of Compatibility:
you need to configure Samba for LDAP:
This is a good site to help you with this:
http://www.server-world.info/en/note?os=CentOS_6&p=samba&f=4
# you have only to config the first part of the configuration written in this site
then you need to add a user to the LDAP DataBase with sambaSamPassword:
This is the steps you have to do to add the Samba user to the LDAP:
FIRST create a new file "user1.ldif":
#vi user1.ldif
dn: uid=Student,ou=students,dc=server,dc=world #change it by your domain
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
uid: Student
sn: Student
givenName: Student
cn: Student
displayName: Student
uidNumber: 500
gidNumber: 500
userPassword: {crypt}$6$XPB9dlcHd5v/zKVq$Aem0FSKCIj.6hDD/I3yKdn3Zh5xmyXoo.vMldIQ/8NLgSGSnzbIkMGXu.OrzDRDgfbyByH5/qvuKBSYhXYN/30 #any crypted Password
sambaNTPassword: 38E85AD5FA5BAA20CA1BA1AF779445BD #any md4 password
gecos: Student
loginShell: /bin/bash
homeDirectory: /home/Student
sambasid: S-1-5-21-3090807595-3330218014-3090303682-500 (finished with the user ID)
THEN you add this user the ldap:
#ldapadd -x -D cn=admin,dc=server,dc=world-W -f user1.ldif
This has worked for me I hope it will work for you too.
How are stored your passwords in your Zimbra LDAP ? I'm using a LDAP for freeradius authentification and I had to store my passwords in cleartext inside the LDAP else the authentification match was failing.