[Solved] LDAP and pam_authz_search

Hello all,

We have a lot of Linux Ubuntu machines running.
We use LDAP to authenticate and restrict users to certain hosts.
This works fine on Ubuntu; now we want FreeBSD to use LDAP for authentication as well.

This works fine, except that every user can log in, even if the user is not authorized to log in.

This is the LDAP entry for user test; the only server he may log in to is server01 (see the host attribute).
Our FreeBSD server is storage01, but the user test can also log in to this server!

Code:
dn: uid=test,ou=account,dc=mydomain,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: authorizedServiceObject
objectClass: sambaSamAccount
uid: test
cn: Test User
loginShell: /bin/bash
uidNumber: 2323
gidNumber: 50
homeDirectory: /home/staff/test
AUTHORIZEDSERVICE: sshd
AUTHORIZEDSERVICE: su
AUTHORIZEDSERVICE: sudo
AUTHORIZEDSERVICE: samba
SAMBAACCTFLAGS: [UX]
host: server01
structuralObjectClass: account
entryUUID: 111111111-1141-1135-1111-11111111111111
creatorsName: cn=admin,dc=mydomain,dc=com
createTimestamp: 20160128141004Z
entryCSN: 20160128141004.520714Z#000000#000#000000
modifiersName: cn=admin,dc=mydomain,dc=com
modifyTimestamp: 20160128141004Z

In nslcd.conf we have the following:

Code:
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*))(authorizedService=$service))

This works for the Ubuntu servers, but our FreeBSD servers do not honor this.

This is my /etc/pam.d/sshd file:
Code:
#
# $FreeBSD: releng/10.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
#auth  sufficient  pam_krb5.so  no_warn try_first_pass
#auth  sufficient  pam_ssh.so  no_warn try_first_pass
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth  required  pam_unix.so  no_warn try_first_pass

# account
account  required  pam_nologin.so
#account  required  pam_krb5.so
account  required  pam_login_access.so
account  sufficient  /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user
account  required  pam_unix.so

# session
#session  optional  pam_ssh.so  want_agent
session  required  /usr/local/lib/pam_mkhomedir.so
session  required  pam_permit.so

# password
#password  sufficient  pam_krb5.so  no_warn try_first_pass
password  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
password  required  pam_unix.so  no_warn try_first_pass
 
I think you're missing this (from pam_ldap(5)):

Code:
       pam_check_host_attr <yes|no>
              Specifies whether the "host" attribute  should  be  checked  for
              logon authorization ("account" in the PAM stack). The default is
              not to.  If set to "yes" and a user has no value for the  "host"
              attribute, then the user will be unable to login.

This may be set differently by default on Ubuntu.
 
Thank you for your reply.

I should have mentioned my /usr/local/etc/openldap/ldap.conf file.

Code:
base dc=mydomain,dc=com
uri ldap://ldap.mydomain.com
ldap_version 3
binddn uid=nss_pam,ou=account,dc=mydomain,dc=com
bindpw mypass
#rootbinddn
pam_check_host_attr yes
pam_check_service_attr yes
pam_password exop
ssl start_tls
tls_checkpeer yes
tls_cacert /etc/ssl/ca-certificates.crt

So we set pam_check_host_attr to yes.

I also see this in my /var/log/messages file:

Code:
<authz="test"> pam_authz_search "(&(objectClass=posixAccount)(uid=test)(|(host=storage01)(host=storage01)(host=\*))(authorizedService=sshd))" found no matches

So it looks things up, sees no matches, but still lets the account pass.
Regards.
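What nslcd is doing with that log line, as an added example that is not code from nss-pam-ldapd or from the thread: the pam_authz_search template is expanded with the username, host name, FQDN and service, and the resulting filter is evaluated against the uid=test entry from the first post. The values are escaped per RFC 4515 before substitution (so a username like `x)(uid=*` cannot change the filter's structure), and the evaluator handles only AND, OR, equality and presence. Note that `(host=\*)` is an escaped, literal asterisk: it matches an entry whose host attribute is the value `*`, a common "may log in anywhere" marker, not any host. The template is the one in the log line (the `\\*` in nslcd.conf has become `\*` by the time the filter is sent); the entry and host names are from the thread.

```python
"""Expand nslcd's pam_authz_search template and evaluate it against an
LDAP entry.

Added example, not code from nss-pam-ldapd or the thread: it escapes the
substituted variables per RFC 4515 and evaluates the filter with a small
matcher that knows only (&...), (|...), (attr=value) and (attr=*).
Attribute names and values are compared case-insensitively.
"""
import re

# Template as it appears in the thread's log line.
TEMPLATE = (r"(&(objectClass=posixAccount)(uid=$username)"
            r"(|(host=$hostname)(host=$fqdn)(host=\*))"
            r"(authorizedService=$service))")

# The uid=test entry from the thread, attribute names lowercased.
TEST_ENTRY = {
    "objectclass": ["account", "posixAccount", "shadowAccount",
                    "authorizedServiceObject", "sambaSamAccount"],
    "uid": ["test"],
    "host": ["server01"],
    "authorizedservice": ["sshd", "su", "sudo", "samba"],
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter, so that a
    username such as 'x)(uid=*' cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand(template, **variables):
    """Replace $name placeholders with escaped values."""
    return re.sub(r"\$(\w+)",
                  lambda m: escape_filter_value(variables[m.group(1)]),
                  template)


def unescape(value):
    """Undo \\XX hex escapes and the older \\* \\( \\) \\\\ forms."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9a-fA-F]{2}|[*()\\])", repl, value)


def parse(s, i=0):
    """Parse the filter at s[i:], returning (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)            # an escaped ')' is \29, so this is the real end
    attr, raw = s[i:j].split("=", 1)
    if raw == "*":                 # bare asterisk: presence filter
        return ("present", attr.lower()), j + 1
    return ("=", attr.lower(), unescape(raw)), j + 1


def matches(node, entry):
    """Evaluate a parsed filter node against an entry (attr -> [values])."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "present":
        return bool(entry.get(node[1]))
    _, attr, value = node
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def authorized(entry, username, hostname, fqdn, service):
    """True if the entry satisfies the expanded pam_authz_search filter."""
    filt = expand(TEMPLATE, username=username, hostname=hostname,
                  fqdn=fqdn, service=service)
    node, end = parse(filt)
    if end != len(filt):
        raise ValueError("trailing data in filter")
    return matches(node, entry)


if __name__ == "__main__":
    print(expand(TEMPLATE, username="test", hostname="storage01",
                 fqdn="storage01", service="sshd"))
    print(authorized(TEST_ENTRY, "test", "storage01", "storage01", "sshd"))
    print(authorized(TEST_ENTRY, "test", "server01", "server01", "sshd"))
```

Run against the thread's entry, the storage01 case evaluates to no match, exactly what nslcd logged; the same user on server01 matches, and an entry with `host: *` matches on any host through the `(host=\*)` branch. The filter only answers the authorization question; whether that "no match" actually blocks the login is decided by how the PAM account stack treats pam_ldap's result.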
 
I think I found it.

I also edited /etc/pam.d/system, and in /etc/pam.d/sshd I changed sufficient under account to required. Now if I try to ssh in with a user that does not have the right host set in LDAP, the connection is disconnected right away.
I do not think /etc/pam.d/system is needed, but it does no harm.

So to sum things up, here are my config files.

/etc/pam.d/system

Code:
#
# $FreeBSD: stable/10/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
#auth  sufficient  pam_krb5.so  no_warn try_first_pass
#auth  sufficient  pam_ssh.so  no_warn try_first_pass
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth  required  pam_unix.so  no_warn try_first_pass nullok

# account
#account  required  pam_krb5.so
account  required  pam_login_access.so
account  required  /usr/local/lib/pam_ldap.so  ignore_unknown_user ignore_authinfo_unavail
account  required  pam_unix.so

# session
#session  optional  pam_ssh.so
session  required  /usr/local/lib/pam_mkhomedir.so
session  required  pam_lastlog.so  no_fail

# password
#password  sufficient  pam_krb5.so  no_warn try_first_pass
password  required  pam_unix.so  no_warn try_first_pass

/etc/pam.d/sshd

Code:
#
# $FreeBSD: stable/10/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth  sufficient  pam_opie.so  no_warn no_fake_prompts
auth  requisite  pam_opieaccess.so  no_warn allow_local
#auth  sufficient  pam_krb5.so  no_warn try_first_pass
#auth  sufficient  pam_ssh.so  no_warn try_first_pass
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth  required  pam_unix.so  no_warn try_first_pass

# account
account  required  pam_nologin.so
#account  required  pam_krb5.so
account  required  pam_login_access.so
account  required  /usr/local/lib/pam_ldap.so  ignore_authinfo_unavail ignore_unknown_user
account  required  pam_unix.so

# session
#session  optional  pam_ssh.so
session  required  /usr/local/lib/pam_mkhomedir.so
session  required  pam_permit.so

# password
#password  sufficient  pam_krb5.so  no_warn try_first_pass
password  required  pam_unix.so  no_warn try_first_pass

/etc/nsswitch.conf

Code:
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: stable/10/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

/usr/local/etc/nslcd.conf

Code:
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

uri ldap://ldap.mydomain.com
base dc=mydomain,dc=com

binddn uid=nss_pam,ou=account,dc=mydomain,dc=com
bindpw YOURSECRETPASS

# Use StartTLS and require a valid server certificate
# (tls_reqcert demand rejects the connection if it cannot be verified).
ssl start_tls
tls_reqcert demand

# CA certificates used to verify the server certificate
tls_cacertfile /etc/ssl/ca-certificates.crt

pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*))(authorizedService=$service))

/usr/local/etc/openldap/ldap.conf

Code:
base dc=mydomain,dc=com
uri ldap://ldap.mydomain.com
ldap_version 3
binddn uid=nss_pam,ou=account,dc=mydomain,dc=com
bindpw YOURSECRETPASS
#rootbinddn
pam_check_host_attr yes
pam_check_service_attr yes
pam_password exop
ssl start_tls
tls_checkpeer yes
tls_cacert /etc/ssl/ca-certificates.crt
nss_initgroups_ignoreusers backup,bin,daemon,ftp,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,nslcd,ntp,postfix,proftpd,proxy,root,sshd,sync,sys,syslog,uucp,whoopsie,www-data


Thanks SirDice.
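Why `sufficient` let the user through and `required` does not, as an added example that is not code from the thread, OpenPAM or nss-pam-ldapd: the block below models the account stack from the /etc/pam.d/sshd above with the usual control-flag rules. Under `sufficient`, a failure from pam_ldap is simply dropped and the stack continues to `account required pam_unix.so`, which for a user that NSS can resolve (no expiry set) returns success, so the login is allowed. Under `required`, pam_ldap's denial is remembered and becomes the final verdict even though pam_unix still runs. The directory contents and the module results are constructed; pam_ldap is assumed to return PAM_PERM_DENIED when nslcd's pam_authz_search finds no match and to be skipped for users not in LDAP (ignore_unknown_user).

```python
"""Model how a PAM 'account' stack combines module results.

Added example (not code from the thread, OpenPAM or nss-pam-ldapd): the
control-flag rules below follow the usual required/requisite/sufficient/
optional semantics, and the module results are hypothetical stand-ins for
what pam_nologin, pam_login_access, pam_ldap and pam_unix return.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_IGNORE = "PAM_IGNORE"


def run_stack(stack):
    """Walk a list of (control, module, result) entries and return the
    verdict a PAM dispatcher hands back to the application.

    required   : failure is remembered, later modules still run
    requisite  : failure ends the stack immediately
    sufficient : success ends the stack with PAM_SUCCESS unless an earlier
                 required module already failed; failure is ignored
    optional   : result never affects the verdict (the only-optional-modules
                 edge case is not modelled)
    """
    first_failure = None
    for control, module, result in stack:
        if result == PAM_IGNORE:          # e.g. pam_ldap with ignore_unknown_user
            continue
        ok = result == PAM_SUCCESS
        if control == "required":
            if not ok and first_failure is None:
                first_failure = result
        elif control == "requisite":
            if not ok:
                return result
        elif control == "sufficient":
            if ok and first_failure is None:
                return PAM_SUCCESS
        elif control == "optional":
            pass
        else:
            raise ValueError("unknown control flag %r for %s" % (control, module))
    return first_failure or PAM_SUCCESS


# Constructed stand-in for the directory: uid -> allowed hosts, as in the
# thread's entry for 'test' (host: server01).
DIRECTORY = {"test": ["server01"]}


def ldap_account(user, host):
    """Stand-in for pam_ldap's account check driven by nslcd's
    pam_authz_search: deny unless the entry lists this host or the literal
    '*' marker. The denial code is assumed to be PAM_PERM_DENIED; users not
    in the directory are ignored (ignore_unknown_user)."""
    hosts = DIRECTORY.get(user)
    if hosts is None:
        return PAM_IGNORE
    return PAM_SUCCESS if host in hosts or "*" in hosts else PAM_PERM_DENIED


def account_stack(ldap_control, user, host):
    """The thread's /etc/pam.d/sshd account section with pam_ldap under the
    given control flag. pam_unix's account check succeeds for any user NSS
    can resolve when no expiry is set, which is what masks the denial."""
    return [
        ("required", "pam_nologin", PAM_SUCCESS),
        ("required", "pam_login_access", PAM_SUCCESS),
        (ldap_control, "pam_ldap", ldap_account(user, host)),
        ("required", "pam_unix", PAM_SUCCESS),
    ]


def verdict(ldap_control, user, host):
    """Final account-stack result for user logging in on host."""
    return run_stack(account_stack(ldap_control, user, host))


if __name__ == "__main__":
    for control in ("sufficient", "required"):
        for host in ("server01", "storage01"):
            print("%-10s host=%-9s -> %s" % (control, host, verdict(control, "test", host)))
```

The local-user case is the reason `ignore_unknown_user` matters once pam_ldap is `required`: for a user that only exists in /etc/passwd the module is skipped rather than failed, so root and other local accounts keep working. If the LDAP server is unreachable, `ignore_authinfo_unavail` has the same skipping effect, which means an outage makes the host restriction disappear rather than locking everyone out; decide deliberately which of those two failure modes you want.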
 
Last edited by a moderator:
  • Thanks
Reactions: Oko
Back
Top