Re: openldap-2.4.32 su-ok, rlogin-fails

[Joe Phan <joeanhphan@yahoo.com>]

Hi Doug,

Thank you so much for your help.  With your questions, I double checked credential levels and authentication methods, and luckily, I found the solution for my problem.

Error recap: On the Client Machine, when su from one user to another, /var/log/authlog shows the following error:

Mar 22 09:03:53 apggd08dev login: [ID 316739 auth.error] pam_ldap: no legal authentication method configured

Solution: Reconfigure Client again using credentialLevel and serviceAuthenticationMethod attributes.

apggd08dev# ldapclient -v manual -a defaultsearchbase=dc=pg,dc=dtveng,dc=net \
> -a domainname=pg.dtveng.net \
> -a credentialLevel=anonymous \
> -a serviceAuthenticationMethod=pam_ldap:simple xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is LDAP server IP.

Now, I am able to rlogin/telnet/ssh to the client machine (Native Solaris LDAP Client) using a user account defined from LDAP Server.  "su" from from one user to another also works well.

Thanks,

Joe

 

---

From: Doug Leavitt <doug.leavitt@oracle.com>
To: Joe Phan <joeanhphan@yahoo.com>
Sent: Wednesday, March 20, 2013 12:20 PM
Subject: Re: openldap-2.4.32 su-ok, rlogin-fails

No.  SSL is not required for authentication.  But if you are using pam_ldap
without SSL, your passwords are sent over TCP/IP in the clear.

Alternatively you can use pam_unix authentication and have the password
hashes sent over the wire (like in NIS) and have the unix client do the authentication.

This usually requires that you store the passwords in the LDAP server in {crypt} format.



On 03/20/13 14:07, Joe Phan wrote:

Hi Doug,

Do you know if it is required to have SSL for authentication?  In other word, do I need to configure SSL Tunnel?
Do I need to change pam.conf on LDAP Server?

Link: http://www.softpanorama.info/Net/Directories/ldap.shtml
"Because our LDAP service requires SSL connections before allowing authentication, it is necessary to connect to the LDAP server using SSL"

Thanks,

Joe

---

From: Doug Leavitt <doug.leavitt@oracle.com>
To: Joe Phan <joeanhphan@yahoo.com>
Sent: Tuesday, March 19, 2013 3:08 PM
Subject: Re: openldap-2.4.32 su-ok, rlogin-fails

You probably need to correct your pam settings in pam.conf.
See the pam_ldap man page for more details.  I suspect you
need to change the setting to look more like this:
       # Authentication management for login service is stacked.
       # If pam_unix_auth succeeds, pam_ldap is not invoked.
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The "server_policy" option is used
       # to tell pam_unix_auth.so.1 to ignore the LDAP users.

       login   auth requisite  pam_authtok_get.so.1
       login   auth required   pam_dhkeys.so.1
       login   auth required   pam_unix_cred.so.1
       login   auth binding    pam_unix_auth.so.1 server_policy
       login   auth required   pam_ldap.so.1

If your system is set up for anonymous connections may or may not
be an issue depending on your servers acl setups.

I am referring to the configuration supplied into ldapclient (aka what is in
/var/ldap/ldap_client_file, and presumably ldap_cred_file is you have bind
credentials into the ldap server).

When we setup DSEE servers we usually recommend at least proxy
credentials and at least simple bind, or more depending on your security
needs.  Your needs may vary.

Doug.

On 03/19/13 15:32, Joe Phan wrote:

Hi Doug,

Thank you for looking at this.

apggd08dev# ldaplist -l passwd jphan
dn: uid=jphan,ou=people,dc=pg,dc=dtveng,dc=net
        objectClass: top
        objectClass: posixAccount
        objectClass: shadowAccount
        objectClass: posixGroup
        cn: jphan
        uid: jphan
        uidNumber: 2003
        gidNumber: 203
        homeDirectory: /export/home/jphan
        loginShell: /usr/bin/csh
        gecos: Joe Phan 310-964-4125
        shadowLastChange: 0
        shadowMax: 0
        shadowWarning: 0
        userPassword: {SSHA}/...

Also how is your system configured w.r.t anonymous connections?  <== Yes, I believed that I configured the system for anonymous connections.  Do you know how to verify it?
What are you credential levels and authentication methods being used in your configuration?  <== Not sure about credential levels; I am using PAM for authentication.  At the beginning, I don't have SASL/TLS.

Sorry for unclear answers if existed, b/c I am new to LDAP and PAM.

Please show me where or which area I should verify the system.

Thank you so much,

Joe Phan

---

From: Doug Leavitt <doug.leavitt@oracle.com>
To: Joe Phan <joeanhphan@yahoo.com>
Sent: Tuesday, March 19, 2013 12:27 PM
Subject: Re: openldap-2.4.32 su-ok, rlogin-fails

What happens if you try:

ldaplist -l passwd jphan

Also how is your system configured w.r.t anonymous connections?
What are you credential levels and authentication methods being used
in your configuration?


Doug.

On 03/18/13 19:01, Joe Phan wrote:

Hi, 

I configured a machine to be LDAP Server (openldap-2.4.32) on Solaris 10.  Adding users/groups to LDAP Server seems to be ok.

From a second machine, I configured it to be LDAP Client using command "ldapclient  manual -v  -a defaultsearchbase=dc=pg,dc=dtveng,dc=net -a domainname=pg.dtveng.net 10.26.82.16".  It was successful.  /var/ldap/ldap_client_file contains appropriate LDAP Server information.

Openldap-2.4.32 is not installed on the Client Machine.

I updated PAM configuration on Client Machine for su and rlogin, results are listed below:

- rlogin into Client Machine using root - OK

- rlogin into Client Machine using "jphan" user - Fails

- After login to Client Machine as root, su from root to "jphan" user - OK  (Note: jphan user does not exist in Client Machine /etc/passwd, jphan user exists in LDAP Server)

- From "jphan" user, su to another user - Fails

Could someone please take a look at the configuration for rlogin PAM below to see if the configuration is correct.

Please let me know if there is anything missing from my setup.

Do I need to configure pam.conf on LDAP Server machine as well?

Any help is greatly appreciated.
Best regards,
Joe Phan

Downloaded and installed following packages from SunFreeWare.com to LDAP Server:
openldap-2.4.32-sol10-sparc-local.gz
db-4.7.25.NC-sol10-sparc-local.gz
gcc-3.3.2-sol10-sparc-local.gz
libgcc-3.3-sol10-sparc-local.gz
libtool-2.4.2-sol10-sparc-local.gz
openssl-1.0.1c-sol10-sparc-local.gz
sasl-2.1.25-sol10-sparc-local.gz

Client Machine configuration:

- /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap

- /etc/pam.conf:

apggd08dev# more pam.conf
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
#login  auth required           pam_unix_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_ldap.so.1 debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
#rlogin  auth required           pam_unix_auth.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1 debug
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
#ppp     auth required           pam_unix_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth required           pam_ldap.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
#other  auth required           pam_unix_auth.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 debug
#
# passwd command (explicit because of a different authentication module)
#
#passwd auth required           pam_passwd_auth.so.1
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account sufficient      pam_ldap.so.1 debug
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

jphan user info:

apggd04dev# ldapsearch -x -b 'dc=pg,dc=dtveng,dc=net' 'uid=jphan'
# extended LDIF
#
# LDAPv3
# base <dc=pg,dc=dtveng,dc=net> with scope subtree
# filter: uid=jphan
# requesting: ALL
#

# jphan, people, pg.dtveng.net
dn: uid=jphan,ou=people,dc=pg,dc=dtveng,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: posixGroup
cn: jphan
uid: jphan
uidNumber: 2003
gidNumber: 203
homeDirectory: /export/home/jphan
loginShell: /usr/bin/csh
gecos:: Sm9lIFBoYW4gMzEwLTk2NC00MTI1IA==
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: ....=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1