
#1 2013-04-09 21:58:13

kellerman
Member
From: Latvia
Registered: 2011-07-20
Posts: 104

Arch and authorization over LDAP server

Hi. I am currently trying to get this thing working, all day and only errors. I will post some logs and files later, but I just wanted to ask now - has anyone got Arch working with the pam_ldap module? The LDAP side is working, the system seems to understand when the username and password were correct, but wouldn't let me into the system. After login, there is some traffic to the LDAP server, but nothing, it still fails. I'm trying to use this package https://www.archlinux.org/packages/comm … pam-ldapd/ and messing around with settings under /etc/pam.d currently.
Ubuntu works fine, I just tested Lubuntu and Mint clients and they log in via LDAP without any problems. Ubuntu-based clients can be configured easily by this guide http://askubuntu.com/questions/127389/h … dap-client . But the structure under /etc/pam.d is slightly different between Arch and Ubuntu. The wiki article seems to be greatly out of date too...
The server is running OpenLDAP (Linux) and Ubuntu/Windows clients work, I just haven't figured out where the problem is with Arch.

Last edited by kellerman (2013-04-09 21:59:18)


#2 2013-04-10 08:46:59

kellerman
Member
From: Latvia
Registered: 2011-07-20
Posts: 104

Re: Arch and authorization over LDAP server

Okay, I've gotten this far (let's say that the base is 'dc=server,dc=mydomain' and the server is 'server'):
- installing http://arthurdejong.org/nss-pam-ldapd/setup (nss-pam-ldapd package from the core repo) and configuring it according to the documentation

cat nslcd.conf
uri ldap://server
base dc=server,dc=mydomain
uid nslcd
gid nslcd
cat /etc/nsswitch.conf 
# Begin /etc/nsswitch.conf

passwd: files ldap
group: files ldap
shadow: files ldap

publickey: files

hosts: files dns myhostname
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

# End /etc/nsswitch.conf

And then started and enabled nslcd via systemd. After reboot

getent passwd

and

sudo getent shadow

returns now also entries from the LDAP directory. One line looks approximately like this:

pdcadmin:*:2001:1902:PDC administrator user:/home/pdcadmin:/usr/sbin/nologin

There is no shell for LDAP users, but Ubuntu-like clients still work, only terminal sessions cannot be started.
So I figured that I can connect to LDAP, and after boot, doing

sudo journalctl -b

I can see that nslcd connected to LDAP successfully. The magic starts with pam. The package above seems to have the pam_ldap module included and this is my modified /etc/pam.d/system-auth :

auth      required  pam_env.so
auth      sufficient  pam_unix.so    nullok
auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
auth      optional  pam_permit.so
account   required  pam_unix.so
account   sufficient  pam_ldap.so
account   optional  pam_permit.so
account   required  pam_time.so
password  required  pam_unix.so     nullok sha512 shadow
password  sufficient  pam_ldap.so   try_first_pass
password  optional  pam_permit.so
session   required  pam_limits.so
session   required  pam_env.so
session   required  pam_unix.so
session   optional    pam_ldap.so 
session   optional  pam_permit.so

I tried multiple variants of this and still can't log in via LDAP, only locally. This must be a problem in the PAM configuration and the problem must not be big, probably a simple change somewhere in /etc/pam.d/* .
This is the journal of 2 correct login attempts as 'pdcadmin' and 2 incorrect login attempts as pdcadmin, then, after that failed, logging in as the local user 'user'.
This is the log for that situation, starting with dhcpcd getting network parameters http://pastebin.com/KnyUG8CN .
I also tried using lightdm instead of slim and nothing changed. For testing I use a clean Arch install with LXDE, if that matters.

Last edited by kellerman (2013-04-13 22:25:35)
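The order of control flags in a stack like the system-auth above decides which modules are ever consulted. As an added example (not from this thread or the nss-pam-ldapd project), here is a small simulator of the Linux-PAM required/requisite/sufficient/optional rules run over the 'account' lines posted above; the per-user module outcomes are constructed assumptions, the directory user being known to pam_ldap and the local user not.

```python
# The 'account' lines of the system-auth stack posted above.
ACCOUNT_STACK = """\
account   required  pam_unix.so
account   sufficient  pam_ldap.so
account   optional  pam_permit.so
account   required  pam_time.so
"""

def parse_pam(text):
    """Parse pam.d lines into (type, control, module, args); comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def run_stack(entries, pam_type, outcomes):
    """Walk one stack type applying the simple control flags.
    outcomes maps module -> True (success) or False (failure); a module not
    listed is assumed to succeed (pam_permit.so, pam_time.so with an empty
    time.conf). Returns (result, modules actually invoked, in order).
    """
    invoked, required_failed = [], False
    for t, control, module, _args in entries:
        if t != pam_type:
            continue
        invoked.append(module)
        ok = outcomes.get(module, True)
        if control == "requisite" and not ok:
            return False, invoked             # stop at once, nothing below runs
        if control == "required" and not ok:
            required_failed = True            # remember, but keep consulting the rest
        if control == "sufficient" and ok and not required_failed:
            return True, invoked              # short-circuit: every later line is skipped
        # 'optional' only matters when it is the sole line of the stack, so it is ignored
    return not required_failed, invoked

# Constructed scenarios: the directory user is known to pam_ldap, the local user is not.
LDAP_USER = {"pam_unix.so": True, "pam_ldap.so": True}
LOCAL_USER = {"pam_unix.so": True, "pam_ldap.so": False}

def compare():
    """Run the posted 'account' stack for both users; returns {name: (result, invoked)}."""
    stack = parse_pam(ACCOUNT_STACK)
    return {name: run_stack(stack, "account", outcome)
            for name, outcome in (("pdcadmin", LDAP_USER), ("user", LOCAL_USER))}
```

For the directory user the walk stops at the sufficient pam_ldap.so line, so the required pam_time.so below it is never consulted; for the local user all four modules run.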


#3 2013-04-13 22:24:06

kellerman
Member
From: Latvia
Registered: 2011-07-20
Posts: 104

Re: Arch and authorization over LDAP server

I don't believe that there are no people that install Arch at their office or work...
Well, this isn't THAT important, currently I install Lubuntu on some older workstations, but Arch with LXDE runs best. And if I can't manage LDAP auth, then it's a no to Arch.


#4 2013-04-14 08:37:29

jacobopantoja
Member
From: Madrid
Registered: 2011-03-16
Posts: 44

Re: Arch and authorization over LDAP server

Hi kellerman,

Please be patient. Maybe there are not *so many* people using Arch for LDAP authentication.

kellerman wrote:

There is no shell for LDAP users, but Ubuntu-like clients still work, only terminal sessions cannot be started
....
I also tried using lightdm over slim and nothing changed. For testing use clean arch install with LXDE if that matters.

I guess that the Ubuntu-like clients are working with LightDM (the default of Ubuntu since some releases ago). Try to copy/paste the relevant default config files from a Ubuntu install; if it does not work, it could be a problem with a package (e.g. the pam module), and then I suggest testing the latest development snapshots (you can have a different installation for test purposes, for example). Another possibility is that a package was compiled without the appropriate LDAP support, but I don't know exactly which packages are involved there.

You can also surf through the man pages, since they are the info that the original devs wanted you to know. As I said, be patient and try to get it running.

kellerman wrote:

The wiki article seems to be greatly out of date too...

If you succeed, update the wiki so that other people can benefit from your experience. For me, that is the best way to collaborate with the Arch (and Linux) community. But it is only my opinion.


#5 2013-04-14 10:50:58

kellerman
Member
From: Latvia
Registered: 2011-07-20
Posts: 104

Re: Arch and authorization over LDAP server

Thanks for the reply. I'm patient, no problems with that! :) Just wondering if I'm not going the wrong way, so I can try some further experiments. And maybe there are better ways of debugging than just looking at the system journal.
Well, I tried both slim and lightdm, but it should also log in at a tty or terminal (it says "This account is currently not available" for Ubuntu clients, which is correct).
I tried merging the configuration files at /etc/pam.d, but I'm not sure if I have to modify only /etc/pam.d/system-auth or other files in /etc/pam.d too.

jacobopantoja wrote:

If you succeed, update the wiki so that other people can benefit from your experience.

Sure, if I'll get it to work!

Also there are 2 variants of packages to install (I don't have any other packages installed for this purpose):

community/nss-pam-ldapd

or

extra/pam_ldap
extra/nss_ldap

Currently the most success I get with the first one.

Last edited by kellerman (2013-04-14 10:52:43)


#6 2013-07-08 01:07:20

walterjwhite
Member
Registered: 2011-05-01
Posts: 207

Re: Arch and authorization over LDAP server

Hi kellerman,

I was wondering if you had any success with LDAP authentication? I cannot appear to even get nslcd contacting my LDAP server. Perhaps if I can get that part up and running, I can sort out the rest.

Walter


#7 2013-07-23 23:21:51

kellerman
Member
From: Latvia
Registered: 2011-07-20
Posts: 104

Re: Arch and authorization over LDAP server

Yo, Mister White! :)

Sorry, but I didn't have any success with LDAP authentication and Arch. Currently I'm using Zentyal 3.0 on my server and it handles the Windows domain controller role very well, so I can simply use Likewise Open to join a domain. I join Ubuntu/Mint workstations, so I decided not to mess with Arch LDAP authentication.

I don't remember well, but I messed around a lot with pam-ldap settings. Maybe the problem was in the LDAP server config or, most probably, the client config, but it didn't work at all. I then just found out that debugging this thing is incredibly hard.


#8 2013-08-17 23:00:55

LanManT
Member
From: USA
Registered: 2013-08-17
Posts: 8

Re: Arch and authorization over LDAP server

kellerman, did you ever get this solved?

LDAP is a must for any Linux distro for me.

The wiki is so outdated and not complete, I am disappointed in Arch for that.

I too use Ubuntu and Debian for LDAP servers and clients, and the install using ldapd is flawless and simple. This not working, however, is a show stopper for running Arch.

I have followed the Arch wiki as well as the LDAP documentation and this is just not working.

I am unable to even do a getent passwd to list my LDAP accounts.


#9 2013-08-17 23:03:18

LanManT
Member
From: USA
Registered: 2013-08-17
Posts: 8

Re: Arch and authorization over LDAP server

Oh, I see you gave up. Well, I will keep looking and put this on the back burner and go back to my Debian workstation.


#10 2013-08-19 15:38:48

kellerman
Member
From: Latvia
Registered: 2011-07-20
Posts: 104

Re: Arch and authorization over LDAP server

Yep, I've given up, it was just too time consuming.


#11 2013-09-01 06:48:25

LanManT
Member
From: USA
Registered: 2013-08-17
Posts: 8

Re: Arch and authorization over LDAP server

kellerman wrote:

Yep, I've given up, it was just too much time consuming.


I just found this, which is the preferred method of configuring LDAP. I have yet to try it, but this is basically what I was looking for, as it is what I use for Debian systems. The below should work....

https://www.archlinux.org/packages/?name=nss-pam-ldapd

http://arthurdejong.org/nss-pam-ldapd/docs.html

Last edited by LanManT (2013-09-01 07:48:45)


#12 2013-09-02 01:38:05

LanManT
Member
From: USA
Registered: 2013-08-17
Posts: 8

Re: Arch and authorization over LDAP server

LanManT wrote:
kellerman wrote:

Yep, I've given up, it was just too much time consuming.


i just found this which is the preferred method of configuring ldap, i have yet to try it but this is basically what i was looking for as is what i use for debian systems. the below should work....

https://www.archlinux.org/packages/?name=nss-pam-ldapd

http://arthurdejong.org/nss-pam-ldapd/docs.html


This was not correct and was the initial install packages; will try again at a later date.


#13 2013-09-04 14:24:54

kellerman
Member
From: Latvia
Registered: 2011-07-20
Posts: 104

Re: Arch and authorization over LDAP server

There are changes in OpenLDAP also. I have a Zentyal 3.0 server in production and you can no longer bind as you used to.
I remember trying your second link, but I failed.

Now I simply use likewise-open and a samba4 domain combined with OpenLDAP (by default in Zentyal 3.0). It joins the domain great. Haven't tried with Arch, but it should be like 99% easier.

Last edited by kellerman (2013-09-04 14:26:17)


#14 2014-02-03 04:17:27

LanManT
Member
From: USA
Registered: 2013-08-17
Posts: 8

Re: Arch and authorization over LDAP server

I finally got back to this and found the LDAP client auth is working now per the instructions in the Arch wiki.

One thing I did notice: in my ldap.conf, I needed TLS_REQCERT allow added to search LDAP.

And kellerman, your nsswitch.conf should have files ldap all the way down, for all protocols.

Another note: at the time when I first posted that it was not working, I was using the SLiM greeter, which might not support pam and ldap.

I have switched to lightdm and now I can log in to OpenLDAP and fully test out Arch Linux.
