LDAP implementation - ldap

I want to implementation centralize auth using AWS Simple AD (samba). The client machine is linux based (ubuntu and amazon linux). Ony my ldap, i just creat one user (cn=test) under dc=ldap,dc=test,dc=io.
I am using sssd as the auth client from my linux machine. And here my /etc/sssd/sssd.conf :
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.test.io
ldap_default_bind_dn = dc=ldap,dc=test,dc=io
ldap_default_authtok = password01
ldap_default_authtok_type = password
ldap_search_base = dc=ldap,dc=test,dc=io
ldap_user_search_base = dc=ldap,dc=test,dc=io
ldap_group_search_base = odc=ldap,dc=test,dc=io
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
override_shell = /bin/bash
cache_credentials = true
enumerate = true
But, it looks like not working from the client, i didn't get the ldap user from my client (i execute this getent passwd).
And i got this error:
nss_ldap: reconnecting to LDAP server...
nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
nss_ldap: could not search LDAP server - Server is unavailable
No passwd entry for user 'test'
Here is my reference to configure the sssd client enter link description here
Any suggestion for this case ?
Thanks

The error message you are getting is from nss_ldap, not from nss_sss. So I assume in /etc/nsswitch.conf, you configured the ldap module either on its own or before sss. If the user information is to be returned by sssd then use the sss nsswich module.
I would also recommend to not use enumerate=true unless your directory is quite small.

In /etc/nsswitch.conf be sure to have:
passwd: files sss
shadow: files sss
groups: files sss
And of course in the stack of the /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac you have to use the pam_sss.so library.

Related

How to authenticate the sparql connectivity to fuseki

I am using fuseki 2.4 and have set a basic authentication in shiro.ini, sharing the contents of the current shiro.ini file below. Once after setting the credentials and restart fuseki service, when I try to make a connection to fuseki using direct fuseki endpoint ("/$/datasets/"), I am getting the authentication error as expected. If Iam trying to connect to fuseki data using a sparql, I am expecting the same authentication error as I have set the credentials in shiro.ini and haven't done authentication before making sparql call, but that's not happening and the connection is successful just like as in the case of no authentication.
Expectation here is, the respective sparql connection shouldn't happen as I have set the authentication in shiro.ini. Can anyone please help me with this?
Contents in shiro.ini:
[main]
# Development
ssl.enabled = false
plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
#iniRealm=org.apache.shiro.realm.text.IniRealm
iniRealm.credentialsMatcher = $plainMatcher
localhostFilter=org.apache.jena.fuseki.authz.LocalhostFilter
[users]
# Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
admin=password123
[roles]
[urls]
## Control functions open to anyone
/$/status = anon
/$/ping = anon
## and the rest are restricted to localhost.
##/$/** = localhostFilter
## If you want simple, basic authentication user/password
## on the operations,
## 1 - set a better password in [users] above.
## 2 - comment out the "/$/** = localhost" line and use:
/$/** = authcBasic,user[admin]
## or to allow any access.
##/$/** = anon
# Everything else
/**=anon```

Update Kerberos Cache

I have to connect to different devices simultaneously using kerberos authenication. At present using default cache(File) to store kerberos ticket which stores only one ticket at a time. But for my requirement I have to store multiple tickets. Please suggest how to update cache which stores multiple tickets and how to access them. At present kerberos tickets are accessed using kinit.
Please share the detailed steps to update the cache to handle above requirement. I am new to this space your help is much appreciated.
Below is the sample krb5.conf configuration file. By default File cache is used.
{ [logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
}
Updating more information on my requirement, for example under single active directory there are 10 windows devices all share same domain name , username and password. From this network(say from one linux machine) I want access these devices using Kerberos authentication as different user but not as root user. Currently Kerberos uses default cache FILE which stores only one ticket a time. But for my requirement I want to maintain all 10 tickets and access them not as a root user.With FILE cache and as different user I am able to access device using Kerberos authentication. My application is running in multi threaded environment. Please share the detailed solution I am new to this space.

Gerrit 2.11.4 LDAP configuration of accountBase and groupBase fields causing log-in failures

Can someone point me to documentation and/or describe what the LDAP configuration options mean for gerrit's configuration?
Ex: ou= and dc= etc.
I found these details on google's site about ldap configuration for accountBase and groupBase however it too lacks details about what the options/parameters are and what their values should be based on.
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#ldap
Luckily I blindly copied a co-worker's gerrit server configuration, he's using version 2.1.x. Initially I thought his options were different due to version differences, but then I tried adding his extra fields and my unique ldap account worked with the additional 'ou=' and additional 'dc=' parameters. Error, bad-config and good-config below.
Note: Our company has a single ldap server, but my co-worker's gerrit has a separate ldap log-in than mine. I didn't copy his log-in to get mine working, it was simply the accountBase and groupBase options that made the difference.
Error:
cat log/error_log | tail -n 1
[2015-12-16 17:21:24,144] INFO com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'cxxxxt\myaccount' failed to sign in: No such user: cxxxxt\myaccount
Bad config:
[ldap]
server = ldap://crcxxxxt.rxxxxxxxxxxxxxs.com
username = ldap_username_here#crcxxxxt.rxxxxxxxxxxxxxs.com
accountBase = DC=rxxxxxxxxxxxxxs,DC=com
groupBase = DC=rxxxxxxxxxxxxxs,DC=com
Good config:
[ldap]
server = ldap://crcxxxxt.rxxxxxxxxxxxxxs.com
username = ldap_username_here#cxxxxt.rxxxxxxxxxxxxxs.com
accountBase = ou=Cxxxxxs,dc=cxxxxt,dc=rxxxxxxxxxxxxxs,dc=com
groupBase = ou=Cxxxxxs,dc=cxxxxt,dc=rxxxxxxxxxxxxxs,dc=com
http://www.ldapman.org/articles/intro_to_ldap.html
This page describes ou= as organizational unit and dc= as domain components. I'll confirm these with my IT's LDAP configuration settings after the holidays.
Gerrit's site mentions what the separate row/options are but doesn't describe what the syntax of each line should be or what the options are for. For most configuration topics which aren't covered by gerrit's site, external links are provided. This was the only one I found missing for my chosen configuration.

LDAP configuration for Gerrit?

Since google has stopped the openID support for gerrit, i am trying to use LDAP for the same now. I have IP and port number of the LDAP server. But i don't know how to start now.
I also need help to update my etc/gerrit_config file:
[auth]
type = ldap
[ldap]
server = ldap://[IP]
accountBase = ou=people,dc=domain,dc=com
groupBase = ou=groups,dc=domain,dc=com
referral = follow
accountPattern = (uid=${username})
groupPattern = (cn=${groupname})
accountFullName = cn
accountMemberField = memberOf
accountEmailAddress = mail
Since i am a newbie for ldap, could someone please help me in the same.
Thanks!!
At work I am running a gerrit instance that uses one of our work LDAPs for authentication. I use a configuration like this:
[ldap]
server = ldap://xxx.OurDomain.com
username = CN=ldapread,DC=OurDomain,DC=com
password = NotShownHere
accountBase = DC=OurDomain,DC=com
groupBase = DC=OurDomain,DC=com
The key point is that you need an LDAP user that is permitted to read from the LDAP and put the coordinates of that user into the config.
In our case, I obtained these coordinates from a know to work Apache httpd config file. In your case, you may have to ask your LDAP admin for suitable credentials.

SSH + Radius + LDAP

I have been doing a lot of research on ssh (openssh) and radius.
What I want to do:
SSH in to equipment with credentials (username and password) stored in either on a radius server or ldap store. I have been reading online and some people point to having an ldap server running in the background of your radius server. This will work, but will only work if the user is found in the local machine.
The problem:
Is there a way for me to ssh (or telnet) in to my equipment by logging in via a radius server that contains the credentials? if not is there a way for the client (the machine I am trying to connect to) get an updated list of credentials and store it locally from a central location (whether it be a radius server or an sql database etc).
I have been able to connect via Radius but only on accounts that are local, but for example if I try to connect with an account that does not exist locally (client-wise) I get "incorrect"
Here is the radius output:
Code:
rad_recv: Access-Request packet from host 192.168.4.1 port 5058, id=219, length=85 User-Name = "klopez"
User-Password = "\010\n\r\177INCORRECT"
NAS-Identifier = "sshd"
NAS-Port = 4033
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "192.168.4.200"
Code:
[ldap] performing user authorization for klopez[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> klopez
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=klopez)
[ldap] expand: dc=lab,dc=local -> dc=lab,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=lab,dc=local, with filter (uid=klopez)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "somepass"
[ldap] userPassword -> Password-With-Header == "somepass"
[ldap] looking for reply items in directory...
[ldap] user klopez authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password. Ignoring Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "somepass"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> klopez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
I also have pam_radius installed, and its working (can log in on a account that exists locally). Although I read this and do not know if this is 100% accurate:
http://freeradius.1045715.n5.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-td2784316.html
and
http://fhf.org/archives/713
tl:dr:
I need to ssh into a machine that does not have a user/pass locally and that combination will be stored remotely, such as a radius server or ldap.
please advise
P.S.
The solution is preferable using radius server or ldap but not necessary. If there is an alternate please advise.
Thanks,
Kevin
You can configure SSH to authenticate directly against an LDAP server using PAM LDAP.
I've set it up myself on Debian Systems:
https://wiki.debian.org/LDAP/PAM
https://wiki.debian.org/LDAP/NSS
You need to have both PAM and NSS to get SSH working. You also need to enable PAM in your SSH configuration. Install the libnss-ldapd libpam-ldapd and nslcd packages on Debian (or Ubuntu) system.