ldap authentication troubles
Cory Albrecht
2007-02-21 03:04:06 UTC
Hello all,

Yes, it's me again with more problems. :-)

I'm trying to get my OpenBSD firewall to authenticate normal user
accounts off of an LDAP server running on a different machine.

I installed ports/sysutils/login_ldap and modified /etc/login.conf based
on the examples from /usr/local/share/login_ldap but I can't get it to
work. Every time I try to login as one of the accounts listed in the
LDAP server's database I get the following error in /var/log/authlog:

Feb 20 21:01:01 bytor -ldap: couldn't get x-ldap-server-alt

I tried adding that tag in login.conf, but it didn't make any
difference. I tried using IP numbers instead of names, no luck. I used
ldapsearch to verify that the LDAP server is reachable from the firewall
machine and that the values I was using for x-ldap-binddn/-bindpw worked
and I also tried them as empty or removed entirely to try anonymous
authentication to the LDAP server, just in case. I fiddled with
x-ldap-filter/-groupfilter tags because the ones in the example confs
had objectClass or other LDAP attributes that the entries in my server
don't have. Nothing seems to make a difference - always that same error:

Feb 20 21:01:01 bytor -ldap: couldn't get x-ldap-server-alt

Google gives only one result on a search for "x-ldap-server-alt" and it's
about installing Cyrus IMAP on 3.3.

The LDAP server is slapd running on Linux/Ubuntu which has been
successfully running with Samba+LDAP as the Windows primary domain
controller for my LAN for 3-4 months. The firewall is built from
-current CVSed about 4-5 months ago.

If somebody could share real-world, working LDAP auth configs with me or
give me some pointers I would really appreciate it.

Thanks in advance.
Vijay Sankar
2007-02-21 04:32:53 UTC
On Tuesday 20 February 2007 21:04, Cory Albrecht wrote:
> Hello all,
>
> Yes, it's me again with more problems. :-)
>
> I'm trying to get my OpenBSD firewall to authenticate normal user
> accounts off of an LDAP server running on a different machine.
>
> I installed ports/sysutils/login_ldap and modified /etc/login.conf based
> on the examples from /usr/local/share/login_ldap but I can't get it to
> work. Every time I try to login as one of the accounts listed in the
> LDAP server's database I get the following error in /var/log/authlog:
>
> Feb 20 21:01:01 bytor -ldap: couldn't get x-ldap-server-alt
>
> I tried adding that tag in login.conf, but it didn't make any
> difference. I tried using IP numbers instead of names, no luck. I used
> ldapsearch to verify that the LDAP server is reachable from the firewall
> machine and that the values I was using for x-ldap-binddn/-bindpw worked
> and I also tried them as empty or removed entirely to try anonymous
> authentication to the LDAP server, just in case. I fiddled with
> x-ldap-filter/-groupfilter tags because the ones in the example confs
> had objectClass or other LDAP attributes that the entries in my server
> don't have. Nothing seems to make a difference - always that same error:
>
> Feb 20 21:01:01 bytor -ldap: couldn't get x-ldap-server-alt

Is your server supporting LDAPv2 or only v3? I think login_ldap requires that
the ldap server support v2.
>
> Google gives only one result on a search for "x-ldap-server-alt" and it's
> about installing Cyrus IMAP on 3.3.
>
> The LDAP server is slapd running on Linux/Ubuntu which has been
> successfully running with Samba+LDAP as the Windows primary domain
> controller for my LAN for 3-4 months. The firewall is built from
> -current CVSed about 4-5 months ago.
>
> If somebody could share real-world, working LDAP auth configs with me or
> give me some pointers I would really appreciate it.
>
> Thanks in advance.

--
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: ***@foretell.ca
Marc Balmer
2007-02-21 08:19:55 UTC
Cory Albrecht wrote:

> I'm trying to get my OpenBSD firewall to authenticate normal user
> accounts off of an LDAP server running on a different machine.

On a side note, you are aware that you must create the accounts
locally as well for things to work properly? It is not enough
to have the accounts in LDAP only.
L. V. Lammert
2007-02-21 15:09:55 UTC
On Wed, 21 Feb 2007, Marc Balmer wrote:

> Cory Albrecht wrote:
>
> > I'm trying to get my OpenBSD firewall to authenticate normal user
> > accounts off of an LDAP server running on a different machine.
>
> On a side note, you are aware that you must create the accounts
> locally as well for things to work properly? It is not enough
> to have the accounts in LDAP only.
>
PMFJI, but could you clarify that? Requiring local accounts totally
defeats the purpose of an LDAP server.

I have seen mail configs using LDAP only, .. and I believe Samba can also
be configured to use LDAP properly.

What apps have you found do NOT work properly with LDAP?

Lee

================================================
Leland V. Lammert ***@omnitec.net
Chief Scientist Omnitec Corporation
Network/Internet Consultants www.omnitec.net
================================================
Marc Balmer
2007-02-21 16:25:46 UTC
L. V. Lammert wrote:
> On Wed, 21 Feb 2007, Marc Balmer wrote:
>
>> Cory Albrecht wrote:
>>
>>> I'm trying to get my OpenBSD firewall to authenticate normal user
>>> accounts off of an LDAP server running on a different machine.
>> On a side note, you are aware that you must create the accounts
>> locally as well for things to work properly? It is not enough
>> to have the accounts in LDAP only.
>>
> PMFJI, but could you clarify that? Requiring local accounts totally
> defeats the purpose of an LDAP server.
>
> I have seen mail configs using LDAP only, .. and I believe Samba can also
> be configured to use LDAP properly.

yes, you can have mail server setups or ftp server setups where only
one system user is needed. e.g. the virtual_chroot flavor of
net/pure-ftpd does this and using courier-imap, a mail server can
be set up that stores all email under the same uid.

on OpenBSD, for things like samba servers or user logins to the
machine, the account must be created locally as well as in the LDAP
database. at least this is the current state of affairs.


>
> What apps have you found do NOT work properly with LDAP?
>
> Lee
>
> ================================================
> Leland V. Lammert ***@omnitec.net
> Chief Scientist Omnitec Corporation
> Network/Internet Consultants www.omnitec.net
> ================================================
David Golden
2007-02-21 17:12:48 UTC
> on OpenBSD, for things like samba servers or user logins to the
> machine, the account must be created locally as well as in the LDAP
> database. at least this is the current state of affairs.
>
>

trivia:
This contrasts to e.g. the linux/solaris situation where a nss (Name Service
Switch) module is used to also get account details from ldap (a
pam ldap module is used for auth) - confusion usually arises
because both the nss and pam modules tend to be bundled together.

A similar situation can arise on linux if you reconfigure
pam for ldap without reconfiguring nss.
Rogier Krieger
2007-02-21 16:22:04 UTC
On 2/21/07, L. V. Lammert <***@omnitec.net> wrote:
> PMFJI, but could you clarify that? Requiring local accounts totally
> defeats the purpose of an LDAP server.

Yes, it does. In fact, it is clearly documented in the login-ldap port
materials.

You may get around said local accounts requirement if you can create
an LDAP-NIS gateway that the OpenBSD machine can talk with. At
present, I do not believe one is available for OpenBSD-based systems.


> What apps have you found do NOT work properly with LDAP?

Personally, I'm having trouble using login-ldap with my local(host)
LDAP server using SSL. It refuses to connect and I can't find where
the problem lies. But since the two run on the same server, I manage
to live with unsecured connections.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Vijay Sankar
2007-02-21 16:47:50 UTC
On Wednesday 21 February 2007 10:22, Rogier Krieger wrote:

> Personally, I'm having trouble using login-ldap with my local(host)
> LDAP server using SSL. It refuses to connect and I can't find where
> the problem lies. But since the two run on the same server, I manage
> to live with unsecured connections.
>

In my ldap.conf on a machine called ftl2, I have

ftl2# more /etc/openldap/ldap.conf
HOST ftl3.sankars.com
BASE dc=foretell,dc=ca
TLS_CHECKPEER yes
URI ldaps://ftl3.sankars.com
SSL start_tls
TIMELIMIT 25
SIZELIMIT 25
TLS_REQCERT allow
TLS_CACERT /etc/ssl/certs/ca.crt

login.conf has the following:
ldap:\
:requirehome@:\
:auth=-ldap:\
:x-ldap-server=a.b.c.d:\
:x-ldap-port=636:\
:x-ldap-basedn=ou=Users,dc=foretell,dc=ca:\
:x-ldap-binddn=cn=ldapadmin,dc=foretell,dc=ca:\
:x-ldap-bindpw=XXXXXX:\
:x-ldap-uscope=onelevel:\
:x-ldap-noreferrals:\
:x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
:x-ldap-gscope=base:
# :x-ldap-groupdn=ou=Users,dc=foretell,dc=ca:\
# :x-ldap-groupfilter=(|(&(objectClass=posixGroup)(memberUid=%u))(&(objectClass=groupOfUniqueNames)(uniqueMember=%d))):

HTH,

Vijay
--
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: ***@foretell.ca
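An added example, not code from the thread or from the login_ldap port: a small Python linter that parses a login.conf entry of the shape Vijay posted together with the OpenLDAP ldap.conf it relies on, then flags the settings that decide whether the server is actually authenticated (TLS_REQCERT allow, a missing TLS_CACERT, a non-ldaps port, a bind password readable from login.conf). The sample files, host, DNs and password are constructed placeholders, and the function names are mine.

```python
"""Lint an OpenBSD login_ldap entry in login.conf together with the OpenLDAP
ldap.conf it relies on, and flag settings that weaken server authentication.
Added example; function names and sample files are mine, not the port's."""
import re

# Constructed sample modelled on the entry posted in the thread; the server
# address, DNs and bind password are placeholders.
SAMPLE_LOGIN_CONF = r"""
ldap:\
    :requirehome@:\
    :auth=-ldap:\
    :x-ldap-server=a.b.c.d:\
    :x-ldap-port=636:\
    :x-ldap-basedn=ou=Users,dc=example,dc=org:\
    :x-ldap-binddn=cn=ldapadmin,dc=example,dc=org:\
    :x-ldap-bindpw=PLACEHOLDER:\
    :x-ldap-uscope=onelevel:\
    :x-ldap-noreferrals:\
    :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
    :x-ldap-gscope=base:
"""

# Constructed OpenLDAP client config carrying the TLS settings from the thread.
SAMPLE_LDAP_CONF = """
BASE dc=example,dc=org
URI ldaps://ldap.example.org
TLS_REQCERT allow
TLS_CACERT /etc/ssl/certs/ca.crt
"""

FIELD_SPLIT = re.compile(r"(?<!\\):")  # a ':' that is not escaped as '\:'


def parse_login_conf(text):
    """Return {entry_name: {capability: value}} for a login.conf(5) fragment.
    A bare capability maps to True, 'cap@' (explicitly off) to False, and
    'cap=value' to the value string."""
    entries, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation line
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        fields = [f for f in FIELD_SPLIT.split("".join(pending)) if f]
        pending = []
        caps = {}
        for field in fields[1:]:
            field = field.replace("\\:", ":")
            if "=" in field:
                key, value = field.split("=", 1)
                caps[key] = value
            elif field.endswith("@"):
                caps[field[:-1]] = False
            else:
                caps[field] = True
        for name in fields[0].split("|"):  # 'a|b:' names one entry twice
            entries[name] = caps
    return entries


def parse_ldap_conf(text):
    """Return {KEY: value} for an OpenLDAP ldap.conf(5); keys are upper-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit(entry, ldap_conf):
    """Return [(severity, message)] findings for one login_ldap entry."""
    findings = []
    if entry.get("auth") != "-ldap":
        findings.append(("error", "auth is not -ldap, so login_ldap is never invoked"))
    if "x-ldap-server" not in entry:
        findings.append(("error", "x-ldap-server is missing"))
    if entry.get("x-ldap-port") != "636":
        findings.append(("warn", "x-ldap-port is not 636 (ldaps); unless TLS is "
                         "negotiated, bind and user passwords cross the wire in clear"))
    if "x-ldap-bindpw" in entry:
        findings.append(("info", "bind password is stored in login.conf; anyone "
                         "who can read that file can bind as x-ldap-binddn"))
    reqcert = ldap_conf.get("TLS_REQCERT", "demand").lower()  # OpenLDAP default
    if reqcert in ("never", "allow", "try"):
        findings.append(("warn", f"TLS_REQCERT {reqcert} lets the session proceed "
                         "with an unverifiable server certificate; use demand"))
    if not any(k in ldap_conf for k in ("TLS_CACERT", "TLS_CACERTDIR")):
        findings.append(("error", "no TLS_CACERT/TLS_CACERTDIR, so the server "
                         "certificate cannot be verified (TLS connects fail "
                         "with TLS_REQCERT demand)"))
    return findings


def audit_sample():
    """Run the audit on the constructed samples above."""
    entry = parse_login_conf(SAMPLE_LOGIN_CONF)["ldap"]
    return audit(entry, parse_ldap_conf(SAMPLE_LDAP_CONF))


if __name__ == "__main__":
    for severity, message in audit_sample():
        print(f"{severity:5} {message}")
```

On the sample this reports the stored bind password and the TLS_REQCERT allow line. TLS_CACERT was what made Rogier's connection work, but allow tells the client to carry on even when that CA file cannot validate the server certificate; a CA file plus TLS_REQCERT demand is the combination that actually authenticates the directory.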
Rogier Krieger
2007-02-23 12:32:48 UTC
On 2/21/07, Vijay Sankar <***@foretell.ca> wrote:
> On Wednesday 21 February 2007 10:22, Rogier Krieger wrote:
>
> > Personally, I'm having trouble using login-ldap with my local(host)
> > LDAP server using SSL.
<snip>
> ftl2# more /etc/openldap/ldap.conf
<snip>
> TLS_CACERT /etc/ssl/certs/ca.crt

The TLS_CACERT setting did the trick for me. Things work just fine
now. Thank you for that pointer. I knew I was missing something :)

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
L. V. Lammert
2007-02-21 16:48:18 UTC
At 05:22 PM 2/21/2007 +0100, Rogier Krieger wrote:
>On 2/21/07, L. V. Lammert <***@omnitec.net> wrote:
>>PMFJI, but could you clarify that? Requiring local accounts totally
>>defeats the purpose of an LDAP server.
>
>Yes, it does. In fact, it is clearly documented in the login-ldap port
>materials.

TTFR, but you missed the point I was making - LDAP is seldom used for
*machine authentication*, rather it is designed for applications like
email, file sharing, et al.

Per your comment, it appears that the discontinuity lies with *local
logins*? Service/daemon usage of LDAP that does not use a local machine
login, then, would not be affected?

I, for one, would never use LDAP for local logins - local logins are for
admins, and, as such, are few enough in number that LDAP would be more of a
pain than problem solver. Using MySQL, LDAP, BDB, et al for services such
as email, file-print sharing, possibly apache, should be independent of
local machine [logins], IMHO, reserving local users for admins.

Lee
Diana Eichert
2007-02-21 18:28:57 UTC
On Wed, 21 Feb 2007, L. V. Lammert wrote:

> TTFR, but you missed the point I was making - LDAP is seldom used for
> *machine authentication*, rather it is designed for applications like
> email, file sharing, et al.
>
> Per your comment, it appears that the discontinuity lies with *local
> logins*? Service/daemon usage of LDAP that does not use a local machine
> login, then, would not be affected?
>
> I, for one, would never use LDAP for local logins - local logins are for
> admins, and, as such, are few enough in number that LDAP would be more of a
> pain than problem solver. Using MySQL, LDAP, BDB, et al for services such
> as email, file-print sharing, possibly apache, should be independent of
> local machine [logins], IMHO, reserving local users for admins.
>
> Lee

How about for authpf logins? Since the OpenBSD ipsec implementation does not
support authentication via username/password we can not use the 2-factor
authentication system in place. Instead I can use an ssh login against
ldap for my VPN users, then a dynamic PF rule gets added allowing udp
port isakmp and proto esp from the user's src ip. That way if the shared
secret falls into the "wrong" hands the loss is mitigated.

diana
Cory Albrecht
2007-02-21 21:54:25 UTC
Marc Balmer wrote:
> Cory Albrecht wrote:
>> I'm trying to get my OpenBSD firewall to authenticate normal user
>> accounts off of an LDAP server running on a different machine.

> On a side note, you are aware that you must create the accounts
> locally as well for things to work properly? It is not enough
> to have the accounts in LDAP only.

So, you're saying that if I had an organization with 100 OpenBSD
desktops (and associated typical file /print/etc servers), that I would
have to create every new login on *each* of those 100 desktops in
addition adding it to the LDAP server every time we got a new employee?
Or would have to remove an account from each individual workstation each
time somebody left?

Then what's the point of having a centralized login administration
system? Useless and unnecessary extra work for a sysadmin, IMHO. That
wouldn't exactly be a pro-adoption point.

Does using NIS on OpenBSD also have such a limitation?
Lars Hansson
2007-02-22 02:30:44 UTC
Cory Albrecht wrote:
> So, you're saying that if I had an organization with 100 OpenBSD
> desktops (and associated typical file /print/etc servers), that I would
> have to create every new login on *each* of those 100 desktops in
> addition adding it to the LDAP server every time we got a new employee?

Only if you wanted any employee to be able to use any desktop.

> Then what's the point of having a centralized login administration
> system?

Who has said anything about login-ldap being a centralized login
administration system? It's just a centralized authentication system.

> Does using NIS on OpenBSD also have such a limitation?

No.

----
Lars Hansson
Marc Balmer
2007-02-22 06:44:09 UTC
Cory Albrecht wrote:
> Marc Balmer wrote:
>> Cory Albrecht wrote:
>>> I'm trying to get my OpenBSD firewall to authenticate normal user
>>> accounts off of an LDAP server running on a different machine.
>
>> On a side note, you are aware that you must create the accounts
>> locally as well for things to work properly? It is not enough
>> to have the accounts in LDAP only.
>
> So, you're saying that if I had an organization with 100 OpenBSD
> desktops (and associated typical file /print/etc servers), that I would
> have to create every new login on *each* of those 100 desktops in
> addition adding it to the LDAP server every time we got a new employee?
> Or would have to remove an account from each individual workstation each
> time somebody left?

when you use LDAP, yes this is the only option at the moment. software
exists (non-free) which automates this, but this is a hack, to say the
least ;)

> Then what's the point of having a centralized login administration
> system? Useless and unnecessary extra work for a sysadmin, IMHO. That
> wouldn't exactly be a pro-adoption point.
>
> Does using NIS on OpenBSD also have such a limitation?

no.
Joachim Schipper
2007-02-22 21:41:24 UTC
On Wed, Feb 21, 2007 at 04:54:25PM -0500, Cory Albrecht wrote:
> Marc Balmer wrote:
> >Cory Albrecht wrote:
> >>I'm trying to get my OpenBSD firewall to authenticate normal user
> >>accounts off of an LDAP server running on a different machine.
>
> >On a side note, you are aware that you must create the accounts
> >locally as well for things to work properly? It is not enough
> >to have the accounts in LDAP only.
>
> So, you're saying that if I had an organization with 100 OpenBSD
> desktops (and associated typical file /print/etc servers), that I would
> have to create every new login on *each* of those 100 desktops in
> addition adding it to the LDAP server every time we got a new employee?
> Or would have to remove an account from each individual workstation each
> time somebody left?
>
> Then what's the point of having a centralized login administration
> system? Useless and unnecessary extra work for a sysadmin, IMHO. That
> wouldn't exactly be a pro-adoption point.

That's true. Then again, I've never had any problems with my home-hacked
solution that just cats a couple of /etc/master.passwd.something files
together, and then runs the appropriate 'compilation' commands.

You do have to know how to avoid possibly very nasty password database
corruption, though (i.e. don't try to run two in parallel, there's a
reason vipw exists and is so very careful).

Joachim
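An added example (mine, not Joachim's script) of the safe part of that approach: concatenate master.passwd(5) fragments, refuse any login name or UID that appears twice, and write the result under an exclusive lock with an atomic rename, which is the same discipline vipw(8) applies to avoid the corruption he mentions. The fragments are constructed with placeholder password fields; rebuilding the databases afterwards with pwd_mkdb(8) is left to the operator and is not run here.

```python
"""Merge master.passwd(5) fragments into one file without the corruption
hazards Joachim mentions: duplicate names or UIDs are refused, and the write
happens under an exclusive lock with an atomic rename, the same discipline
vipw(8) applies. Added example; function names are mine."""
import fcntl
import os
import tempfile

# Constructed fragments in master.passwd(5) format (ten colon-separated fields:
# name:password:uid:gid:class:change:expire:gecos:home:shell). The password
# fields are placeholders, not real hashes.
LOCAL_FRAGMENT = """\
root:*************:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
alice:$2b$PLACEHOLDER:1000:1000:staff:0:0:Alice:/home/alice:/bin/ksh
"""
SHARED_FRAGMENT = """\
bob:$2b$PLACEHOLDER:1001:1001:default:0:0:Bob:/home/bob:/bin/ksh
carol:$2b$PLACEHOLDER:1002:1002:default:0:0:Carol:/home/carol:/bin/ksh
"""
CONFLICTING_FRAGMENT = """\
dave:$2b$PLACEHOLDER:1000:1003:default:0:0:Dave:/home/dave:/bin/ksh
"""


class MergeError(Exception):
    """Raised instead of producing a password file that pwd_mkdb(8) would
    compile without complaint but that has ambiguous name or UID lookups."""


def parse_fragment(text, source):
    """Yield (name, uid, line) for each entry, validating the field count."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise MergeError(f"{source}:{lineno}: expected 10 fields, got {len(fields)}")
        if not fields[2].isdigit():
            raise MergeError(f"{source}:{lineno}: uid '{fields[2]}' is not numeric")
        yield fields[0], int(fields[2]), line


def merge(fragments):
    """fragments: [(source_name, text)]. Return the merged lines, in order,
    or raise MergeError on a login name or UID that appears twice."""
    seen_names, seen_uids, out = {}, {}, []
    for source, text in fragments:
        for name, uid, line in parse_fragment(text, source):
            if name in seen_names:
                raise MergeError(f"login '{name}' defined in {seen_names[name]} and {source}")
            if uid in seen_uids:
                raise MergeError(f"uid {uid} used by both {seen_uids[uid]} and {name}")
            seen_names[name], seen_uids[uid] = source, name
            out.append(line)
    return out


def try_merge(fragments):
    """Convenience wrapper: (lines, None) on success, (None, message) on refusal."""
    try:
        return merge(fragments), None
    except MergeError as exc:
        return None, str(exc)


def write_master_passwd(lines, path):
    """Write the merged file atomically: take a non-blocking exclusive lock on
    <path>.lock (a second concurrent run is refused rather than queued), write
    a mode-0600 temp file in the same directory, fsync it, rename over path."""
    with open(path + ".lock", "w") as lock:
        try:
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            raise MergeError("another merge holds the lock; refusing to run in parallel")
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".mpw.")
        with os.fdopen(fd, "w") as out:
            out.write("\n".join(lines) + "\n")
            out.flush()
            os.fsync(out.fileno())
        os.chmod(tmp, 0o600)
        os.rename(tmp, path)      # atomic on the same filesystem
    return path


def demo_roundtrip():
    """Merge the two good fragments into a scratch directory and return the
    number of entries read back; the real target would be /etc/master.passwd,
    followed by pwd_mkdb -p to rebuild the databases (not run here)."""
    target = os.path.join(tempfile.mkdtemp(), "master.passwd")
    write_master_passwd(merge([("local", LOCAL_FRAGMENT), ("shared", SHARED_FRAGMENT)]), target)
    with open(target) as fh:
        return sum(1 for line in fh if line.strip())


if __name__ == "__main__":
    print(demo_roundtrip(), "entries written")
    print(try_merge([("local", LOCAL_FRAGMENT), ("extra", CONFLICTING_FRAGMENT)])[1])
```

The refusal on a repeated UID is the part worth keeping even if the rest is replaced by a one-line cat: two names sharing a UID means a file owned by one is owned by both, and nothing in pwd_mkdb stops that from being compiled. Password changes made on one host still have to be pushed back into the shared fragment by hand, which is the limitation Vijay asks about.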
Vijay Sankar
2007-03-02 00:28:19 UTC
On Thursday 22 February 2007 15:41, Joachim Schipper wrote:
>
> That's true. Then again, I've never had any problems with my home-hacked
> solution that just cats a couple of /etc/master.passwd.something files
> together, and then runs the appropriate 'compilation' commands.
>
> You do have to know how to avoid possibly very nasty password database
> corruption, though (i.e. don't try to run two in parallel, there's a
> reason vipw exists and is so very careful).
>

If possible, I would like to know more about this home-hacked solution. It
sounds very interesting. Previously, before going with Kerberos and OpenLDAP,
I had tried to copy master.passwd files across from one system to another and
had difficulties (basically, was not able to login). So I am wondering what
are the appropriate 'compilation' commands? Is it just pwd_mkdb or are there
other things that have to be run? Also, when passwords are changed on one
host, does your approach allow the changes to be sync'ed to the other?

Thanks very much,

Vijay

--
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: ***@foretell.ca