ssh with ldap authentication is not working well

Support for security such as Firewalls and securing linux
Post Reply
melak
Posts: 2
Joined: 2018/07/11 10:57:31

ssh with ldap authentication is not working well

Post by melak » 2018/07/11 11:44:57

Hello guys!

I need some help to figure out why my nslcd-ldap configuration can not authenticate a simple user.

I've set up the the configuration as follows:
The ldap is an IBM Directory Server 6.2 installed on Redhat EL Server 5.4. The ldap authentication is working from earlier linux releases (Redhat EL Server 5 and CentOS 6.8) using nslcd
Centos 7.5.1804 is the new host which should be configured to use ldap authentication for ssh.

yum install openldap-clients nss-pam-ldapd
authconfig --enableforcelegacy --update
authconfig --disableldaptls --update
authconfig --disableldapstarttls --update
authconfig --disablesssd --disablesssdauth --update
authconfig --enableldap --enableldapauth --ldapserver="linldap.dom.t-logic.hu" --ldapbasedn="dc=t-logic,c=hu" --update

cat /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://linldap.dom.t-logic.hu/
base dc=t-logic,c=hu
ssl no
tls_cacertdir /etc/openldap/cacerts
scope sub
binddn uid=sgsbind,cn=users,dc=t-logic,c=hu
bindpw sgsbind_password
base group cn=groups,dc=t-logic,c=hu
base passwd cn=users,dc=t-logic,c=hu
base shadow cn=users,dc=t-logic,c=hu

cat /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

cat /etc/pam.d/system-auth-ac
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

cat /etc/pam.d/password-auth-ac
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so


After starting nslcd
getent passwd sbalogh returns
sbalogh:x:1001:1000:Balogh SĂĄndor:/home/sbalogh:/bin/bash
getent passwd sgsbind returns
sgsbind:*:3000:1000:SGS bind user:/home/testuser:

ldapsearch is working ok, it can find both users. Password for user sbalogh is know, I can login from the older Centos 6 box)
So far so good.

Trying to login through ssh:
with user sbalogh I get Access denied or Authentication failure (using su)
with user sgsbind I can login

The main difference between those user is that sgsbind user has the right to bind to ldap, but sbalogh has not that right.

Running nslcd -d I notice that when I try to log in with user sbalogh, at the beginning it binds to ldap with the configured bind user (sgsbind) but at a point in time it tries to bind with the user I am trying to login and of course it fails. Here is the nslcd log:
nslcd: [8b4567] DEBUG: connection from pid=16806 uid=0 gid=0
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: myldap_search(base="cn=users,dc=t-logic,c=hu", filter="(&(objectClass=posixAccount)(uid=sbalogh))")
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_initialize(ldap://linldap.dom.t-logic.hu/)
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_simple_bind_s("uid=sgsbind,cn=users,dc=t-logic,c=hu","***") (uri="ldap://linldap.dom.t-logic.hu/")
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_result(): uid=sbalogh,cn=users,dc=t-logic,C=HU
nslcd: [8b4567] <passwd="sbalogh"> (re)loading /etc/nsswitch.conf
nslcd: [8b4567] <passwd="sbalogh"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7b23c6] DEBUG: connection from pid=16806 uid=0 gid=0
nslcd: [7b23c6] <passwd="sbalogh"> DEBUG: myldap_search(base="cn=users,dc=t-logic,c=hu", filter="(&(objectClass=posixAccount)(uid=sbalogh))")
nslcd: [7b23c6] <passwd="sbalogh"> DEBUG: ldap_result(): uid=sbalogh,cn=users,dc=t-logic,C=HU
nslcd: [7b23c6] <passwd="sbalogh"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] DEBUG: connection from pid=16806 uid=0 gid=0
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: myldap_search(base="cn=users,dc=t-logic,c=hu", filter="(&(objectClass=posixAccount)(uid=sbalogh))")
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_initialize(ldap://linldap.dom.t-logic.hu/)
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_simple_bind_s("uid=sgsbind,cn=users,dc=t-logic,c=hu","***") (uri="ldap://linldap.dom.t-logic.hu/")
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_result(): uid=sbalogh,cn=users,dc=t-logic,C=HU
nslcd: [3c9869] <passwd="sbalogh"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] DEBUG: connection from pid=16806 uid=0 gid=0
nslcd: [334873] <shadow="sbalogh"> DEBUG: myldap_search(base="cn=users,dc=t-logic,c=hu", filter="(&(objectClass=shadowAccount)(uid=sbalogh))")
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_initialize(ldap://linldap.dom.t-logic.hu/)
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_set_rebind_proc()
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_simple_bind_s("uid=sgsbind,cn=users,dc=t-logic,c=hu","***") (uri="ldap://linldap.dom.t-logic.hu/")
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_result(): uid=sbalogh,cn=users,dc=t-logic,C=HU
nslcd: [334873] <shadow="sbalogh"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b0dc51] DEBUG: connection from pid=16806 uid=0 gid=0
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: myldap_search(base="cn=users,dc=t-logic,c=hu", filter="(&(objectClass=posixAccount)(uid=sbalogh))")
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_initialize(ldap://linldap.dom.t-logic.hu/)
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_simple_bind_s("uid=sgsbind,cn=users,dc=t-logic,c=hu","***") (uri="ldap://linldap.dom.t-logic.hu/")
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_result(): uid=sbalogh,cn=users,dc=t-logic,C=HU
nslcd: [b0dc51] <passwd="sbalogh"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [495cff] DEBUG: connection from pid=16806 uid=0 gid=0
nslcd: [495cff] <authc="sbalogh"> DEBUG: nslcd_pam_authc("sbalogh","sshd","***")
nslcd: [495cff] <authc="sbalogh"> DEBUG: myldap_search(base="cn=users,dc=t-logic,c=hu", filter="(&(objectClass=posixAccount)(uid=sbalogh))")
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_initialize(ldap://linldap.dom.t-logic.hu/)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_simple_bind_s("uid=sgsbind,cn=users,dc=t-logic,c=hu","***") (uri="ldap://linldap.dom.t-logic.hu/")
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_result(): uid=sbalogh,cn=users,dc=t-logic,C=HU
nslcd: [495cff] <authc="sbalogh"> DEBUG: myldap_search(base="uid=sbalogh,cn=users,dc=t-logic,C=HU", filter="(objectClass=*)")
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_initialize(ldap://linldap.dom.t-logic.hu/)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_rebind_proc()
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_simple_bind_s("uid=sbalogh,cn=users,dc=t-logic,C=HU","***") (uri="ldap://linldap.dom.t-logic.hu/")
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [495cff] <authc="sbalogh"> uid=sbalogh,cn=users,dc=t-logic,C=HU: lookup failed: No results returned
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_unbind()
nslcd: [495cff] <authc="sbalogh"> DEBUG: myldap_search(base="cn=users,dc=t-logic,c=hu", filter="(&(objectClass=shadowAccount)(uid=sbalogh))")
nslcd: [495cff] <authc="sbalogh"> DEBUG: ldap_result(): uid=sbalogh,cn=users,dc=t-logic,C=HU

In case of loging in with sgsbind user, the latter bind is tried with sgsbind user wich works of course.


So the main problem is why is trying to bind with the user I am trying to login to my centos box and how can I disable this behaviour.

Looking for your kindly help.
Regards, Sandor

hunter86_bg
Posts: 1176
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: ssh with ldap authentication is not working well

Post by hunter86_bg » 2018/07/12 16:53:48

--ldapbasedn="dc=t-logic,c=hu"
Is this a typo or you really have c=hu instead of

Code: Select all

dc=hu

melak
Posts: 2
Joined: 2018/07/11 10:57:31

Re: ssh with ldap authentication is not working well

Post by melak » 2018/07/13 05:38:39

It's not a typo, c stands for country.

Yesterday I figured out what was the problem.
The wpsbind user is member of a group which has an ACL attached that allows the user to read and search the base dn.
The sbalogh user can connect to ldap, but is not able to read and search the base dn, it does not see it at all.
After attaching a correct ACL to the root of the base dn (c=hu) with read and search permissions for the group that sbalogh belongs to, pam_ldap succsessfully binds with sbalogh and so it authenticates it.

In later versions of CentOs and Rhel this worked without attaching ACL's, maybe because it was not a requirement to read/search the base dn.

Post Reply