# LDAP/PAM woes

## spike666

I've got a pair of servers running that I want to share a userbase, so I wanted to set up an ldap server and use PAM for authentication. Since I had purchased the O'Reilly book on ldap back in the summer, I started with that on a guinea pig linux box that I had laying around and, after starting to install and configure and having some problems, I noticed the Gentoo LDAP-HowTo and decided to use that instead...

So, I emerged what was said, configured everything, migrated my data... All was good. I could search for users using ldapsearch, although I couldn't get it to use SSL properly; only simple binds were working from remote boxen, however SSL was working fine from the same box. No big deal.

When it comes to the line in the LDAP-HowTo where you check to make sure everything's working, `getent passwd | grep 0:0` only returns one line (not two, like the howto says it should):

```
root@fingerbib spike # getent passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash
root@fingerbib spike #
```

When I was inspecting my logs, I was getting:

```
Jan 23 14:38:29 fingerbib su[29291]: pam_ldap: ldap_simple_bind Can't contact LDAP server
```

but I don't seem to be getting that at this moment... hmph.

`openssl s_client` to the machine works fine on the ldaps port, no errors...

When I try to do a search from another machine:

```
[Ventolin:/var/log/httpd] spike% ldapsearch -H "ldaps://ldap.darkerhosting.net" -D "cn=admin,dc=darkerhosting,dc=net" -W -d 1 -b "dc=darkerhosting,dc=net" "(uid=spike)"
ldap_create
ldap_url_parse_ext(ldaps://ldap.darkerhosting.net)
Enter LDAP Password: 
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.darkerhosting.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 66.65.57.39:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=66-65-57-39.nyc.rr.com
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=NewYork/L=NewYork/O=Darkerhosting.net/OU=IT/CN=ldap.darkerhosting.net/Email=auth@darkerhosting.net, issuer: /C=US/ST=NewYork/L=NewYork/O=Darkerhosting.net/OU=IT/CN=ldap.darkerhosting.net/Email=auth@darkerhosting.net
TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=NewYork/L=NewYork/O=Darkerhosting.net/OU=IT/CN=ldap.darkerhosting.net/Email=auth@darkerhosting.net, issuer: /C=US/ST=NewYork/L=NewYork/O=Darkerhosting.net/OU=IT/CN=ldap.darkerhosting.net/Email=auth@darkerhosting.net
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
```

And the contents of some files:

/etc/openldap/slapd.conf:

```
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
loglevel        296
pidfile         /var/state/openldap/slapd.pid
argsfile        /var/lib/slapd.args
#
# TLS options for slapd (spike)
#
#TLSCipherSuite          HIGH
TLSCertificateKeyFile   /etc/openldap/ssl/ldap.pem
TLSCertificateFile      /etc/ssl/ldap.pem
TLSCACertificateFile    /etc/ssl/ldap.pem
#
# end TLS stuffs
#
# security settings...
password-hash           {crypt}
# end security
#
# sasl stuffs (spike)
#
#sasl-host ldap.darkerhosting.net
#sasl-realm darkerhosting.net
#sasl-secprops noplain,noanonymous
#
# end sasl stuffs
#
# Load dynamic backend modules:
#modulepath     /usr/lib/openldap/openldap
#moduleload     back_ldap.la
# moduleload    back_ldbm.la
#moduleload     back_passwd.la
#moduleload     back_shell.la
#modulepath     /usr/lib
#moduleload     libd.so
## Define new database definition
database        ldbm
suffix          "dc=darkerhosting,dc=net"
rootdn          "cn=admin,dc=darkerhosting,dc=net"
rootpw          {SSHA}Zy8kLZMOfOthPEKkS/okQxI6ppQVwfSW
## SASL rootdn:
#rootdn         "uid=ldapadmin,cn=gssapi,cn=auth"
directory       /var/ldap/darkerhosting.net
mode            0600
index           objectClass             eq
index           cn,sn,mail              eq,sub
index           departmentNumber        eq
# Access control....
#allow people to change their own password and authenticate
#access to dn=".*,dc=darkerhosting,dc=net" attr=userPassword
#       by dn="uid=root,ou=people,dc=darkerhosting,dc=net" write
#       by anonymous auth
#       by self write
#       by * search
access to *
        by self write
        by users read
        by anonymous auth
```

/etc/openldap/ldap.conf:

```
BASE    dc=darkerhosting,dc=net
ssl start_tls
ssl on
#URI    ldaps://auth.darkerhosting.net:636/
#URI    ldaps://ldap.darkerhosting.net/ ldap://ldap.darkerhosting.net/
URI     ldap://auth.darkerhosting.net:389 ldaps://auth.darkerhosting.net:636
TLS_REQCERT  allow
```

/etc/ldap.conf:

```
#host ldap.darkerhosting.net
#base dc=darkerhosting,dc=net
ssl start_tls
ssl on
suffix          "dc=darkerhosting,dc=net"
#rootbinddn uid=root,ou=People,dc=darkerhosting,dc=net
uri ldaps://ldap.darkerhosting.net/
#uri ldaps://127.0.0.1/
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=darkerhosting,dc=net
nss_base_shadow ou=People,dc=darkerhosting,dc=net
nss_base_group  ou=Group,dc=darkerhosting,dc=net
nss_base_hosts  ou=Hosts,dc=darkerhosting,dc=net
scope one
```

/etc/pam.d/system-auth:

```
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok nodelay
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
account     sufficient    /lib/security/pam_ldap.so
password    sufficient    /lib/security/pam_ldap.so use_authtok
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session     optional      /lib/security/pam_ldap.so
```

/etc/nsswitch.conf:

```
passwd:      files ldap
shadow:      files ldap
group:       files ldap
# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

Any help would be greatly appreciated!

----------

## flowctrl

 *spike666 wrote:*   

> ...although I couldn't get it to use SSL properly, only simple binds were working from remote boxen, however SSL was working fine from the same box- no big deal.
> 
> ...
> 
> When I was inspecting my logs, I was getting:
> ...

 

I'm not sure about your hostnames and certificate setup, but I see that for the certs involved above, you have CN=ldap.darkerhosting.net in the certificate.  The CN parameter in the certificate *must* match the fully qualified domain name of the server on which openldap is running.  So if you have a box called foo.darkerhosting.net and another one called bar.darkerhosting.net, then you need two client certificates, one with CN=foo.darkerhosting.net and another with CN=bar.darkerhosting.net.

Also, are you aware that your ldapsearch command above is attempting to use the SASL auth mechanism?  You specified "-W", so I assume that you just want password auth -- you will need to add an "-x" as well, to disable SASL and use the simple (i.e., password) auth mech.

Good luck!

.
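As an added diagnostic (not code from the thread or from OpenLDAP), the script below reads an `ldapsearch -d 1` trace like the one in the first post and flags the conditions discussed in this thread: an untrusted self-signed certificate (OpenSSL verify error 18, which is what the trace above shows), a certificate CN that does not match the host the client connected to, and a StartTLS request sent over an `ldaps://` connection. The sample trace is constructed from the thread's output, shortened to the relevant lines.

```python
import re

# OpenSSL X509 verification codes that show up with private or self-signed LDAP certificates.
VERIFY_ERRORS = {
    18: "self-signed certificate at depth 0 (the client has no CA file that contains it)",
    19: "self-signed certificate in the chain is not trusted",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# Constructed sample, reduced from the `ldapsearch -d 1` output posted in the thread.
SAMPLE_TRACE = """\
ldap_connect_to_host: TCP ldap.darkerhosting.net:636
ldap_is_sock_ready: 3
TLS certificate verification: depth: 0, err: 18, subject: /C=US/O=Darkerhosting.net/CN=ldap.darkerhosting.net, issuer: /C=US/O=Darkerhosting.net/CN=ldap.darkerhosting.net
TLS trace: SSL3 alert write:warning:bad certificate
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
"""

VERIFY_LINE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.+?), issuer: (.+)$")

def parse_dn(dn):
    """'/C=US/CN=host' -> {'C': 'US', 'CN': 'host'} (OpenSSL one-line DN form)."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def diagnose(trace):
    """Return human-readable findings for one client trace (empty list: nothing recognised)."""
    findings, host, tcp_ok = [], None, False
    for line in trace.splitlines():
        m = re.match(r"ldap_connect_to_host: TCP (\S+):\d+", line)
        if m:
            host = m.group(1)                      # the name the client is validating against
        elif line.startswith("ldap_is_sock_ready"):
            tcp_ok = True                          # TCP connect succeeded before TLS began
        elif (m := VERIFY_LINE.match(line)):
            depth, err = int(m.group(1)), int(m.group(2))
            subject, issuer = parse_dn(m.group(3)), parse_dn(m.group(4))
            if err in VERIFY_ERRORS:
                findings.append(f"verify error {err} at depth {depth}: {VERIFY_ERRORS[err]}")
            if err == 18 and subject == issuer:
                findings.append("fix: copy the server certificate to the client and point TLS_CACERT at it instead of relying on TLS_REQCERT allow")
            cn = subject.get("CN")
            if host and cn and cn != host:
                findings.append(f"name mismatch: certificate CN={cn} but the client connected to {host}")
        elif "TLS already started" in line:
            findings.append("ldaps:// already negotiates TLS; -Z/-ZZ (StartTLS) applies only to ldap:// URIs")
        elif "Can't contact LDAP server (81)" in line and tcp_ok:
            findings.append("error 81 followed a successful TCP connect, so the failure is in the TLS handshake, not the network")
    return findings
```

Run `diagnose(open("trace.txt").read())` on a saved trace; for the sample it reports the self-signed verify error, the TLS_CACERT fix and that error 81 came from the TLS layer.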

----------

## spike666

I'm gonna sound like such a newb here, but...

Maybe I misunderstood what a FQDN is. Does it have to be reverse-lookupable? I have an (A) record for ldap.darkerhosting.net, but reverse lookups don't work because this is being hosted on my residential cablemodem setup and my ISP won't let me set that up with them.

Would that affect my pam_ldap stuff, though?

----------

## flowctrl

 *spike666 wrote:*   

> I'm gonna sound like such a newb here, but...
> 
> Maybe I misunderstood what a FQDN is. Does it have to be reverse-lookupable? I have an (A) record for ldap.darkerhosting.net, but reverse lookups don't work because this is being hosted on my residential cablemodem setup and my ISP won't let me set that up with them.
> 
> Would that affect my pam_ldap stuff, though?

 

No, it does not need to have a matching reverse DNS record. What's important is that the host that ldap is running on thinks it is the host that you put in the SSL certificate's commonName field. When you're logged into your host and you issue the command `hostname`, does it output "ldap.darkerhosting.net" (or at least "ldap")? If not, then SSL probably won't be working with your certificates that have ldap.darkerhosting.net in the CN field.

It would affect your PAM stuff if TLS is required (as set by the "security" parameter in slapd.conf) to bind to the server.  If you can bind to the server using the -ZZ arguments to ldapsearch, then TLS is working fine.  If you can bind to the server without -Z or -ZZ, then TLS is not being enforced by your ldap server, and your information is probably reaching it "in the clear".

.

----------

## spike666

I decided to reformat and reinstall Gentoo (several reasons), and in doing so, I decided to give pam_ldap one last shot, and actually got it working without trouble.

I'm still having problems with self-signed certificates, though. When I disable TLS, PAM stops working...

When I try to do a search with the -Z or -ZZ parameter and no -D or -W, I get

```
Mookid:~ spike$ ldapsearch -H "ldaps://192.168.1.106" -Z -b "dc=darkerhosting,dc=net" "(objectClass=*)"
ldap_start_tls: Operations error (1)
        additional info: TLS already started
ldap_sasl_interactive_bind_s: No such attribute (16)
```

and

```
Mookid:~ spike$ ldapsearch -H "ldaps://192.168.1.106" -ZZ -b "dc=darkerhosting,dc=net" "(objectClass=*)"
ldap_start_tls: Operations error (1)
        additional info: TLS already started
```

I think this is also affecting proftpd; I can't seem to get that to see the ldap users, but it's still seeing the normal UNIX users (/etc/passwd). Arg.

----------

## spike666

BTW, the CN of my certificate is fingerbib.darkerhosting.net, as is my hostname on that box (I see it when I type `hostname`).

I set up the certificates as shown on the LDAP-HOWTO on this site.

----------

## kitana_ann

To Spike

How did you get ldap to contact the server? My problem is the same as you had: Can't contact LDAP server.

I just can't find any help on this part.

----------

## spike666

 *kitana_ann wrote:*   

> To Spike
> 
> How did you get ldap to contact the server? My problem is the same as you had: Can't contact LDAP server.
> 
> I just can't find any help on this part.

 

I'm not sure, actually. When I reinstalled Gentoo and LDAP, it just worked... I think there was something wrong with the old ebuild...

What version of LDAP did you emerge? I found that 2.1.27 worked best for me at this point:

```
root@fingerbib iptables # emerge -s openldap
Searching...   
[ Results for search key : openldap ]
[ Applications found : 1 ]

*  net-nds/openldap
      Latest version available: 2.0.27
      Latest version installed: 2.1.27
      Size of downloaded files: 1,274 kB
      Homepage:    http://www.OpenLDAP.org/
      Description: LDAP suite of application and development tools
      License:     OPENLDAP
```

----------

## kitana_ann

Thanx, I realized that I had 2.1.26, so now I am going to upgrade it to 2.1.27 and see if I can get it to work.

Other than that, you got it to work just by following the Gentoo ldap guide?

----------

## kitana_ann

I have updated it now but I get the same problem. So I managed to solve the problem by changing the port. Instead of localhost:636 I changed it to localhost:363 and then it worked.

----------

## spike666

 *kitana_ann wrote:*   

> I have updated it now but I get the same problem. So I managed to solve the problem by changing the port. Instead of localhost:636 I changed it to localhost:363 and then it worked.

 

Yeah, I decided to have LDAP listen on both ports since I've been having trouble with the ldaps:// port. I don't really need to use the encryption because I'm not allowing outside connections to it (only from inside my LAN and on the local machine).

I can't figure out what to do about the self-signed certificate. I've looked around the web for a solution and found some info about keeping a copy of the server's certificate on the client machine, but couldn't get that working right either, so I decided to just dump encryption altogether.

The first time (from my original post), I followed the instructions in O'Reilly's book "LDAP System Administration," and when it didn't work, I tried to use Gentoo's guide to fix it, but it didn't work. When I re-installed Gentoo, I only followed Gentoo's guide, and it worked on the first try.

I also set up some extra USE variables that I didn't know about the first time (ldap, tls, ssl, crypto, pam).

----------

