
#1 2017-01-20 13:45:23

stewbond
Member
Registered: 2015-05-12
Posts: 32

Remote authentication

I have too many machines in my house and that makes changing passwords a pain because I then need to associate passwords to each machine in addition to each user.  The solution is to obviously centralize them.  I think I've got an openLDAP server working fine, but I am having a very hard time configuring the clients. 

For now, I just need this to work over the LAN (not even WLAN).  Therefore TLS isn't really necessary.  I'm trying to do a skeletal install and config of:
- OpenLDAP: A database used to store and query my user accounts and passwords
- NSS/PAM to replace the generic unix authentication with something to authenticate via LDAP.
- SSSD to provide PAM with an offline cache of authentication data in the case that my ldap server goes kaput or my network goes down.

I've spent the past few days reading man files and doing various portions of the following wiki pages.  Unfortunately the guide seems woefully inadequate and conflicts with itself frequently (I've made comments in the discussion pages).
https://wiki.archlinux.org/index.php/OpenLDAP and https://wiki.archlinux.org/index.php/LD … entication

I've reduced these articles to what I think is the appropriate start-to-finish procedure that they are recommending, however it isn't working for me.  If I ignore the SSSD stuff, I can log in as users from my LDAP database, use sudo, use su, but not use passwd (problem) or log in without that server running (expected).  As soon as I also bring in SSSD, nothing works at all and I'm not sure how to debug since I can't even log in initially.  Any help would be appreciated.  I am running everything on virtual machines and connecting to them via ssh for now.

The reduced procedure is described below.  I've put all changes to the sync'd packages between bold tags (though it didn't render inside of the code tags as well as I would have liked).

Install Components:

pacman -S openldap nss-pam-ldapd sssd

Configure LDAP:

Ensure ldap.ferg.aero is in your hosts file, then modify

/etc/openldap/ldap.conf
BASE  		[b]dc=ferg,dc=aero[/b]
URI    		[b]ldap://ldap.ferg.aero[/b]
[b]TLS_REQCERT	allow[/b]
[b]sudoers_base 	ou=sudoers,dc=AFOLA[/b]

Configure NSS:

Edit

/etc/nsswitch.conf
passwd: compat mymachines systemd [b]sss[/b]
group: compat mymachines systemd [b]sss[/b]
shadow: compat [b]sss[/b]
[b]sudoers: compat sss[/b]

Edit:

/etc/nslcd.conf
---Not everything is shown---
uri	[b]ldap://ldap.ferg.aero/[/b]
base	[b]dc=ferg,dc=aero[/b]
---Not everything is shown---

Finally:

systemctl start nslcd.service
systemctl enable nslcd.service

Configure PAM

Edit

/etc/pam.d/system-auth
[b]auth      sufficient pam_sss.so     forward_pass[/b]
auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

[b]account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so[/b]
account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

[b]password sufficient pam_sss.so use_authtok[/b]
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
[b]session   optional  pam_sss.so[/b]
session   optional  pam_permit.so

Edit

/etc/pam.d/su

and

/etc/pam.d/su-l
#%PAM-1.0
[b]auth      sufficient    pam_ldap.so[/b]
auth      sufficient    pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth     sufficient    pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth     required      pam_wheel.so use_uid
auth      required	pam_unix.so [b]use_first_pass[/b]
[b]account   sufficient    pam_ldap.so[/b]
account   required	pam_unix.so
[b]session   required      pam_mkhomedir.so skel=/etc/skel umask=0022[/b]
[b]session   sufficient    pam_ldap.so[/b]
session   required	pam_unix.so

Edit

/etc/pam.d/passwd
#%PAM-1.0
[b]password        sufficient      pam_sss.so[/b]
#password       required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password       required        pam_unix.so sha512 shadow use_authtok
password        required        pam_unix.so sha512 shadow nullok

Edit

/etc/pam.d/system-login
---Not everything is shown---
session    optional   pam_loginuid.so
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so
[b]session    required   pam_mkhomedir.so skel=/etc/skel umask=0022[/b]

Configure SSSD

Create & Edit

/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
cache_credentials = true

id_provider = ldap
auth_provider = ldap

ldap_uri = ldap://ldap.ferg.aero
ldap_search_base = dc=ferg,dc=aero
ldap_tls_reqcert = allow
chpass_provider = ldap
ldap_chpass_uri = ldap://ldap.ferg.aero
entry_cache_timeout = 600
ldap_network_timeout = 2
ldap_group_member = uniquemember

Now set the permissions for that file:

chmod 600 /etc/sssd/sssd.conf

Edit

/etc/nscd.conf
---Not everything is shown---
	enable-cache		passwd		[b]no[/b]
	positive-time-to-live	passwd		600
	negative-time-to-live	passwd		20
	suggested-size		passwd		211
	check-files		passwd		yes
	persistent		passwd		yes
	shared			passwd		yes
	max-db-size		passwd		33554432
	auto-propagate		passwd		yes

	enable-cache		group		[b]no[/b]
	positive-time-to-live	group		3600
	negative-time-to-live	group		60
	suggested-size		group		211
	check-files		group		yes
	persistent		group		yes
	shared			group		yes
	max-db-size		group		33554432
	auto-propagate		group		yes
---Not everything is shown---

Then start the

sssd.service
systemctl start sssd.service
systemctl enable sssd.service


#2 2017-02-01 13:06:42

cafe
Member
Registered: 2014-03-20
Posts: 156

Re: Remote authentication

I'm struggling with the same problem here. There are some issues with the wiki page on those subjects. First of all, it should be mentioned on the OpenLDAP page the setup required to get access controls that are present in the LDAP Authentication page. Second, there is a clear conflict of configuration proposals when it comes to sssd / uncached nscld. I've noticed that the configuration proposed in the last section (sssd) breaks the login process like you mentioned.

About the cache settings in your /etc/nscd.conf
I've noticed that warning messages still appear if you disable only passwd and groups. You should disable cache everywhere to get rid of warning messages in the journal when you start sssd.

With sssd working I can get user information using

# id username

but not using

# getent passwd

What I need right now is a way to test sssd like we test LDAP (with ldapsearch)


#3 2017-02-01 20:44:02

stewbond
Member
Registered: 2015-05-12
Posts: 32

Re: Remote authentication

I've found something quite interesting here:
https://onemoretech.wordpress.com/2014/ … -on-linux/

Apparently LDAP will not allow a user to change passwd without TLS.  It's not stated in any error messages, nor on any wiki pages, but it seems to make sense.  In order to get passwd to work, you need to ensure that TLS is set up on your server.

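A client-side audit of the configuration discussed in this thread, added here as an example; it is not code from the thread, from the Arch wiki, or from the SSSD project. It builds constructed copies of the poster's nsswitch.conf, sssd.conf and nscd.conf (with ldap.example.test standing in for the real host) so it runs offline, then checks the points the three posts turn on: the sss module on the passwd/group/shadow lines, the 0600 mode on sssd.conf (SSSD refuses to start otherwise), nscd not caching what sssd serves (the journal warnings cafe mentions), and an encrypted LDAP channel: SSSD will not send a password over a plain ldap:// connection unless ldap_id_use_start_tls = true is set or an ldaps:// URI is used, which lines up with the TLS requirement stewbond found for passwd. probe_sss_user answers cafe's testing question with getent -s sss, which queries the sss module alone, bypassing compat and files; run_audit "/" applies the same checks to a live host.

```shell
#!/bin/sh
# Added example: offline audit of the LDAP/SSSD client configuration from this
# thread. Not the thread's, Arch's or SSSD's code. Sample files are constructed
# copies of the poster's settings with ldap.example.test in place of the host.

# Build a scratch tree holding the constructed sample files; prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/sssd"
    cat > "$dir/etc/nsswitch.conf" <<'EOF'
passwd: compat mymachines systemd sss
group: compat mymachines systemd sss
shadow: compat sss
EOF
    cat > "$dir/etc/sssd/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_chpass_uri = ldap://ldap.example.test
EOF
    chmod 644 "$dir/etc/sssd/sssd.conf"   # deliberately too open, so the check fires
    printf '\tenable-cache\t\tpasswd\t\tno\n\tenable-cache\t\tgroup\t\tyes\n\tenable-cache\t\thosts\t\tyes\n' \
        > "$dir/etc/nscd.conf"
    echo "$dir"
}

# 1. nsswitch.conf: passwd, group and shadow must list the sss module, or
#    SSSD's cache is never consulted no matter what PAM does.
check_nsswitch() {
    nss_rc=0
    for db in passwd group shadow; do
        if ! grep -Eq "^$db:.*[[:space:]]sss([[:space:]]|$)" "$1"; then
            echo "nsswitch.conf: '$db' line does not include sss"
            nss_rc=1
        fi
    done
    return $nss_rc
}

# 2. sssd.conf must be mode 0600: SSSD refuses to start with a world-readable
#    config, which on its own produces the "nothing works" symptom.
check_sssd_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] && return 0
    echo "sssd.conf: mode is $mode, expected 600"
    return 1
}

# 3. SSSD will not send a password over an unencrypted LDAP connection, and a
#    password change binds as the user first, so a plain ldap:// URI needs
#    ldap_id_use_start_tls = true (or an ldaps:// URI instead).
check_sssd_tls() {
    if grep -Eq '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*[Tt]rue' "$1"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*ldap(_chpass)?_uri[[:space:]]*=.*ldap://' "$1"; then
        echo "sssd.conf: plain ldap:// URI without ldap_id_use_start_tls; auth and passwd will be refused"
        return 1
    fi
    return 0
}

# 4. nscd must not cache the databases SSSD serves: SSSD keeps its own cache
#    and warns at startup when nscd caches these as well.
check_nscd() {
    nscd_rc=0
    for db in passwd group netgroup; do
        if grep -Eq "^[[:space:]]*enable-cache[[:space:]]+$db[[:space:]]+yes" "$1"; then
            echo "nscd.conf: enable-cache $db is yes; set it to no when sssd serves $db"
            nscd_rc=1
        fi
    done
    return $nscd_rc
}

# Run every check under the given root ("/" for a live host); 0 only if all pass.
run_audit() {
    root=${1%/}
    audit_rc=0
    check_nsswitch   "$root/etc/nsswitch.conf"  || audit_rc=1
    check_sssd_perms "$root/etc/sssd/sssd.conf" || audit_rc=1
    check_sssd_tls   "$root/etc/sssd/sssd.conf" || audit_rc=1
    check_nscd       "$root/etc/nscd.conf"      || audit_rc=1
    return $audit_rc
}

# Live probe for a running sssd: ask the sss NSS module directly, bypassing
# compat and files, the way ldapsearch probes the server itself.
probe_sss_user() {
    getent -s sss passwd "$1"
}

SAMPLE=$(make_sample_tree)
if run_audit "$SAMPLE"; then
    echo "audit: no findings"
else
    echo "audit: findings above need fixing"
fi
rm -rf "$SAMPLE"
if [ -n "${1:-}" ]; then
    probe_sss_user "$1"
fi
```

Run it with no arguments for the offline demonstration (the sample tree is built to trip the permission, TLS and nscd checks), or as `sh audit.sh someuser` on a client where sssd is running to also query the sss module for that account; starting the daemon in the foreground with `sssd -i -d 6` in a second terminal shows what it does with that lookup.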
