Simple OpenLDAP Authentication Project not working yet

I began with a clean FreeBSD 8.0 install in a virtual machine on VirtualBox running on a Linux host.
I started with the article "LDAP Authentication" (http://www.freebsd.org/doc/en/articles/ldap-auth/article.html) and I got stuck trying to start an SSL/TLS connection.
These are the configuration files and the commands I executed:

------------------------------------------------------------
/etc/hosts
Code:
::1                     localhost localhost.example.com
127.0.0.1               localhost localhost.example.com
192.168.1.101           fbsd.example.com fbsd

------------------------------------------------------------
Code:
fbsd# pkg_add -r openldap24-server

------------------------------------------------------------
/usr/local/etc/openldap/slapd.conf

Code:
include        /usr/local/etc/openldap/schema/core.schema

pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

modulepath    /usr/local/libexec/openldap
moduleload    back_bdb

security ssf=128

TLSCertificateFile      /usr/local/etc/openldap/cert.crt
TLSCertificateKeyFile   /usr/local/etc/openldap/cert.key
TLSCACertificateFile    /usr/local/etc/openldap/cacert.crt

database    bdb
suffix        "dc=example,dc=com"
rootdn        "cn=Manager,dc=example,dc=com"
rootpw        secret

directory    /var/db/openldap-data
index    objectClass    eq

------------------------------------------------------------
/etc/rc.conf

Code:
keymap="spanish.iso.acc"
sshd_enable="YES"
ifconfig_em0="inet 192.168.1.101  netmask 255.255.255.0"
defaultrouter="192.168.1.1"
hostname="fbsd.example.com"
slapd_enable="YES"

------------------------------------------------------------
Generates files for clients to authenticate you as the valid LDAP server:

Code:
fbsd# cd /usr/local/etc/openldap
fbsd# openssl genrsa -out cert.key 1024
Generating RSA private key, 1024 bit long modulus
......++++++
..++++++
e is 65537 (0x10001)
fbsd# openssl req -new -key cert.key -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AR
State or Province Name (full name) [Some-State]:Tucuman
Locality Name (eg, city) []:Capital
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example.Com
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: fbsd.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
fbsd# openssl x509 -req -in cert.csr -days 365 -signkey cert.key -out cert.crt
Signature ok
subject=/C=AR/ST=Tucuman/L=Capital/O=Example.Com/CN=fbsd.example.com
Getting Private key

fbsd# cp cert.crt cacert.crt
------------------------------------------------------------
Code:
fbsd# /usr/local/etc/rc.d/slapd start
Starting slapd.
fbsd# sockstat -4 -p 389
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
ldap     slapd      917   7  tcp4   *:389                 *:*

------------------------------------------------------------
/usr/local/etc/openldap/ldap.conf

Code:
base         dc=example,dc=com
uri         ldap://server.example.com/
ssl         start_tls
tls_cacert     /usr/local/etc/openldap/cacert.crt

------------------------------------------------------------
Testing the connection:
Code:
fbsd# ldapsearch -Z -d 255
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server.example.com:389
ldap_connect_to_host: getaddrinfo failed: hostname nor servname provided, or not known
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server.example.com:389
ldap_connect_to_host: getaddrinfo failed: hostname nor servname provided, or not known
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Where is the problem? on the certs maybe? Thanks in advance...
 
You are stuck way before that. You haven't actually connected to a server, only parsed the information in the ldap.conf file. And looking at that file you need to replace the URI ldap://server.example.com with either localhost (if you are running on the local hardware) or the name of the server that does run the LDAP server.

All "domain/host names" that are *.example.(com|net|org) are just placeholders for your real domain/host name, and thusly just an _example_

Also you have to deal with the fact that you have a self-signed certificate, which is solved by using this in your ldap.conf file
Code:
TLS_REQCERT = never
 
Thanks gilinko. I modified /usr/local/etc/openldap/ldap.conf and the ldapsearch -Z command execution works.

/usr/local/etc/openldap/ldap.conf
Code:
base 		dc=example,dc=com
uri 		ldap://fbsd.example.com/
ssl 		start_tls
TLS_REQCERT     never
tls_cacert 	/usr/local/etc/openldap/cacert.crt

To add entries to authenticate in the directory I needed to include these schemas in /usr/local/etc/openldap/slapd.conf because of the objectClasses person, posixAccount, and shadowAccount.

/usr/local/etc/openldap/slapd.conf

Code:
.
.
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/nis.schema
.
.


This is the directory information with a test user to authenticate with:

example.com.ldif

Code:
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example.Com

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=tuser,ou=people,dc=example,dc=com
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/tuser
loginShell: /bin/csh
userpassword: secret
uid: tuser
cn: tuser
sn: Testuser

dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=tuser,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
gidNumber: 10000
cn: tuser

I used slapadd command to store the info in the directory:

Code:
fbsd# /usr/local/etc/rc.d/slapd stop
fbsd# slapadd -v -l /home/hector/ldif/example.com.ldif
added: "dc=example,dc=com" (00000001)
added: "ou=people,dc=example,dc=com" (00000002)
added: "uid=tuser,ou=people,dc=example,dc=com" (00000003)
added: "ou=groups,dc=example,dc=com" (00000004)
added: "cn=tuser,ou=groups,dc=example,dc=com" (00000005)
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...

To authenticate against an LDAP server I need security/pam_ldap and net/nss_ldap:

Code:
fbsd# pkg_add -r pam_ldap
fbsd# pkg_add -r nss_ldap

I copied my original ldap.conf configuration to be used by pam_ldap:

Code:
fbsd# cp /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf

I added directives in PAM files:

/etc/pam.d/sshd

Code:
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so             no_warn
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so             no_warn ignore_authinfo_unavail ignore_unknown_
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

I configured nss_ldap.conf so the LDAP server could be determined, and I used pam_login_attribute to identify users by their uid.

/usr/local/etc/nss_ldap.conf
Code:
base                   dc=example,dc=com
uri                     ldap://fbsd.example.com/
ssl                     start_tls
TLS_REQCERT             never
tls_cacert              /usr/local/etc/openldap/cacert.crt

pam_login_attribute     uid

To tell Name Service Switch where to look:

/etc/nsswitch.conf

Code:
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I started the LDAP server to test the user authentication:

Code:
fbsd# /usr/local/etc/rc.d/slapd stop

From a remote machine:

Code:
$ ssh tuser@fbsd
Password:

And it works! But I still have some questions:

1- These files,

/usr/local/etc/openldap/ldap.conf
/usr/local/etc/ldap.conf
/usr/local/etc/nss_ldap.conf


have almost the same information; is it necessary to have the same info in these files?

2- If I stop LDAP server, then I can't start it again. To do that I need to comment the configuration in /usr/local/etc/nss_ldap.conf. Is there another way to start it again?

3- What about the certificate? Don't clients have to accept the public key from the LDAP server?
 
hector said:
1- These files,

/usr/local/etc/openldap/ldap.conf
/usr/local/etc/ldap.conf
/usr/local/etc/nss_ldap.conf

have almost the same information; is it necessary to have the same info in these files?

2- If I stop LDAP server, then I can't start it again. To do that I need to comment the configuration in /usr/local/etc/nss_ldap.conf. Is there another way to start it again?

3- What about the certificate? Don't clients have to accept the public key from the LDAP server?

1.
/usr/local/etc/openldap/ldap.conf is for the openldap client and its libraries and all the software that includes openldap in some way. Do not remove this file. The other two are for different packages (pam_ldap and nss_ldap), and although they do contain the same information I would still recommend keeping them separate.

2.
Yes, you can. But only if you login as a user that exists in /etc/passwd (like root). If the LDAP server is stopped no user that only exists in LDAP is able to do anything. It is an all or nothing situation, and why would you need to stop the LDAP server at all?

3.
No, clients "only" have to choose whether to trust the certificate, and that's what the "TLS_REQCERT never" part in ldap.conf does: it tells the clients to just trust the certificate and not verify it against any verified CAs.
 
In question 2 I meant that if I'm logged in as root and I stop the LDAP server, then starting the LDAP server again takes too long (I thought I could not start it again: sorry)

Code:
fbsd# /usr/local/etc/rc.d/slapd stop
Stopping slapd.
fbsd# date && /usr/local/etc/rc.d/slapd start && date
Sat Jul  3 15:59:59 ART 2010
Starting slapd.
Sat Jul  3 16:02:04 ART 2010
fbsd#

Is that normal?

4- Why can't I query the directory from a remote client that has the LDAP client utilities installed?

A direct query to the directory doesn't work:

Code:
$ ldapsearch -x -Z -W -D 'uid=tuser,ou=people,dc=example,dc=com' -H 'ldap://fbsd'
ldap_start_tls: Connect error (-11)
	additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
Enter LDAP Password: 
ldap_result: Can't contact LDAP server (-1)
$


While an authentication through ssh works fine:

Code:
$ ssh tuser@fbsd
Password: 
% whoami
tuser
%
 
It is completely normal that it does take some time for ldap to start, as it has to parse the log files and recreate the indexes for searches.

As for the ldap search from a different computer (ie remote) you have to instruct it not to verify the self-signed certificate (as the error message says). The TLS_REQCERT option has to exist on _all_ clients that connect to the ldap server. The entries in /usr/local/openldap/ldap.conf are only valid for the local client (in your case only on the server), and that is why it does work when you connect from a remote computer using ssh, as the query to the ldap server comes from the server you are connecting to (from sshd) and not from the client that you are connecting from.
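The thread ends up with three near-identical client files and with certificate verification switched off by TLS_REQCERT never on every client. The script below is an added example, not code from the thread or from OpenLDAP: it parses ldap.conf-style files, flags the settings that weaken TLS (no STARTTLS/ldaps, TLS_REQCERT never or allow, verification on but no CA file), and reports values that drift between files. The file contents are constructed inline to mirror the ones posted above.

```python
import re

SAMPLES = {  # constructed samples mirroring the thread's client files, not the real files
    "/usr/local/etc/openldap/ldap.conf": """
base         dc=example,dc=com
uri          ldap://fbsd.example.com/
ssl          start_tls
TLS_REQCERT  never
tls_cacert   /usr/local/etc/openldap/cacert.crt
""",
    "/usr/local/etc/nss_ldap.conf": """
base         dc=example,dc=com
uri          ldap://fbsd.example.com/
ssl          start_tls
tls_cacert   /usr/local/etc/openldap/cacert.crt
""",
}

def parse_ldap_conf(text):
    """Lowercased key -> value; keys are case-insensitive and 'KEY = VALUE' is allowed."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments and blank lines
        m = re.match(r"(\w+)\s*=?\s*(.*)$", line)
        if m:
            conf[m.group(1).lower()] = m.group(2).strip()
    return conf

def audit(conf):
    """Findings for one file; TLS_REQCERT defaults to 'demand' per ldap.conf(5)."""
    findings = []
    reqcert = conf.get("tls_reqcert", "demand").lower()
    uri = conf.get("uri", "").lower()
    if conf.get("ssl", "").lower() != "start_tls" and not uri.startswith("ldaps://"):
        findings.append("no start_tls/ldaps: simple binds send passwords in clear")
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate not verified, so any "
                        "host answering on the LDAP port can impersonate the server")
    elif "tls_cacert" not in conf:
        findings.append("verification is on but no tls_cacert: self-signed cert will fail")
    return findings

def drift(confs, keys=("base", "uri", "ssl", "tls_reqcert", "tls_cacert")):
    """Keys whose values differ between files (the thread's question 1)."""
    return {k: {f: c.get(k) for f, c in confs.items()}
            for k in keys if len({c.get(k) for c in confs.values()}) > 1}

def report(samples=SAMPLES):
    confs = {f: parse_ldap_conf(t) for f, t in samples.items()}
    return {f: audit(c) for f, c in confs.items()}, drift(confs)
```

Run report() on the real files by passing a dict of path to file contents; a drift entry for tls_reqcert is exactly the "works locally, fails remotely" situation described above.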
 
Code:
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
#moduleload     back_bdb
# moduleload    back_mdb
# moduleload    back_ldap
#moduleload     back_ldbm.la
# moduleload    back_passwd.la
#moduleload     back_shell.la
#######################################################################
# backend database definitions
#######################################################################

database        ldbm
maxsize         1073741824
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory      /var/db/openldap-data
#directory      /var/db/openldap/example-com
# Indices to maintain
index   objectClass     eq

I configured my slapd.conf file as above and when I tried to start slapd it couldn't start:
Code:
root@rule170:/var # slaptest -f/usr/local/etc/openldap/slapd.conf
Unrecognized database type (ldbm)
562c4af1 /usr/local/etc/openldap/slapd.conf: line 62: <database> failed init (ldbm)
slaptest: bad configuration file!
root@rule170:/var #

Do I need to create an ldbm database?
 