# Help with LDAP



## VampirD (Dec 11, 2012)

I need some help. I have installed FreeBSD 9.0 x86_64 with OpenLDAP, and I have also installed MediaWiki and ownCloud with LDAP authentication; all of that works OK, so I decided to set up the system authentication (ssh and the system itself) to use LDAP.

I set up PAM, but when I try to log in I get:

```
Password: 
Permission denied (publickey,keyboard-interactive).
```

My files are:

/usr/local/etc/openldap/slapd.conf

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

password-hash   {md5}
allow bind_v2

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb
# moduleload    back_hdb
# moduleload    back_ldap

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=mydomain,dc=com,dc=uy"
rootdn          "cn=Manager,dc=mydomain,dc=com,dc=uy"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data
# Indices to maintain
index   objectClass     eq

TLSCipherSuite   HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
TLSCACertificateFile    /usr/local/etc/openldap/ca.crt

rootpw {MD5}somehash
```

/usr/local/etc/openldap/ldap.conf

```
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=mydomain,dc=com,dc=uy
URI     ldap:// ldaps://

SIZELIMIT       12
TIMELIMIT       15
#DEREF          never
TLSCACertificateFile    /usr/local/etc/openldap/ca.crt 
TLSCipherSuite   HIGH:MEDIUM:+SSLv3
TLS_REQCERT never

#tls_checkpeer no
```

/usr/local/etc/nss_ldap.conf
/usr/local/etc/ldap.conf

```
# LDAP client config
host                    127.0.0.1
uri                     ldaps://127.0.0.1/
base                    dc=mydomain,dc=com,dc=uy
port                    636
binddn                  cn=Manager,dc=mydomain,dc=com,dc=uy
bindpw                  ArI!2011
#timeout stuff
timelimit               10
bind_timelimit          5
bind_policy             soft
#nss/pam stuff
#nss_base_passwd                ou=staff,dc=something,dc=net
#nss_base_group         cn=tech,ou=groups,ou=staff,dc=something,dc=net
pam_password            exop
pam_filter              objectclass=person
pam_check_host_attr     yes
pam_login_attribute     uid:caseExactMatch:
pam_member_attribute    memberUid

#ssl start_tls
tls_checkpeer no
#tls_ciphers HIGH:MEDIUM:+SSLv3
TLS_CACERT usr/local/etc/openldap/ca.crt
```

/etc/pam.d/sshd

```
#
# $FreeBSD: release/9.0.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      /usr/local/lib/pam_ldap.so              no_warn try_first_pass
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_unix.so             no_warn try_first_pass
#auth           required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so
#account         required      /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so
session         required       /usr/local/lib/pam_mkhomedir.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
```

In the auth.log file I get:

```
Dec 11 09:30:14 devilette sshd[16865]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Dec 11 09:30:14 devilette sshd[16865]: nss_ldap: reconnected to LDAP server ldaps://127.0.0.1/
Dec 11 09:30:14 devilette sshd[16865]: Invalid user leki from 201.217.132.98
Dec 11 09:30:17 devilette sshd[16867]: pam_ldap: error trying to bind as user "cn=leki,dc=mydomain,dc=com,dc=uy" (Invalid credentials)
Dec 11 09:30:17 devilette sshd[16865]: error: PAM: user account has expired for illegal user leki from mail.goldfarb.com.uy
Dec 11 09:30:17 devilette sshd[16865]: Failed keyboard-interactive/pam for invalid user leki from 201.217.132.98 port 33485 ssh2
```

I also post here the result of ldapsearch -Z:

```
ldap_start_tls: Operations error (1)
        additional info: TLS already started
# extended LDIF
#
# LDAPv3
# base <dc=mydomain,dc=com,dc=uy> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mydomain.com.uy
dn: dc=mydomain,dc=com,dc=uy
objectClass: dcObject
objectClass: organization
o: mydomain
dc: mydomain

# Manager, mydomain.com.uy
dn: cn=Manager,dc=mydomain,dc=com,dc=uy
objectClass: organizationalRole
cn: Manager

# leki, mydomain.com.uy
dn: cn=leki,dc=mydomain,dc=com,dc=uy
cn: leki
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: Leki
uid: leki
userPassword:: ZGFyazEyMw==

# search result
search: 3
result: 0 Success

# numResponses: 5
# numEntries: 4
```


----------



## SirDice (Dec 11, 2012)

VampirD said:

> ```
> Dec 11 09:30:17 devilette sshd[16865]: error: PAM: user account has expired for illegal user leki from mail.goldfarb.com.uy
> ```


The account is expired.



> I also post here the result of ldapsearch -Z
> 
> ```
> userPassword:: ZGFyazEyMw==
> ```


You will want to add an ACL to LDAP so nobody can get the passwords.
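A defender-side check for the two points SirDice raises (the userPassword that ldapsearch returned in the question, and the slapd.conf whose default policy lets anyone read it), added here as an example and not part of this thread or of OpenLDAP: a small Python audit that joins slapd.conf continuation lines, flags a `password-hash` scheme outside an accepted set, a cleartext `rootpw`, and a missing or too-open `access to attrs=userPassword` ACL, and parses ldapsearch LDIF output to report which entries expose `userPassword` to the identity that ran the search (decoding the base64 `::` form to classify it, without printing the value). All sample inputs are constructed to mirror the shape of the posted files; the hardened fragment is the usual shape of such an ACL, not something from the poster's system, and every `{SSHA}` value in it is a placeholder, not a real hash.

```python
import base64
import re

# Added example, not from the thread.  Sample inputs are constructed to mirror the
# shape of the posted slapd.conf and ldapsearch output; nothing here is real data,
# and the {SSHA} values below are placeholders, not hashes.
WEAK_SLAPD_CONF = """\
password-hash   {md5}
database        bdb
suffix          "dc=mydomain,dc=com,dc=uy"
rootdn          "cn=Manager,dc=mydomain,dc=com,dc=uy"
rootpw          {MD5}somehash
"""

# Usual hardened shape (assumed): salted hashing for Password Modify, and an ACL
# that lets users change their own password and anyone bind against it, but lets
# nobody read it.  Everything else keeps the "by users read" policy.
HARDENED_SLAPD_CONF = """\
password-hash   {SSHA}
database        bdb
suffix          "dc=mydomain,dc=com,dc=uy"
rootdn          "cn=Manager,dc=mydomain,dc=com,dc=uy"
rootpw          {SSHA}placeholder-make-this-with-slappasswd
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous auth
"""

SAMPLE_LDIF = """\
# leki, mydomain.com.uy
dn: cn=leki,dc=mydomain,dc=com,dc=uy
cn: leki
objectClass: inetOrgPerson
uid: leki
userPassword:: ZGFyazEyMw==

# constructed second entry carrying a (placeholder) hashed value
dn: cn=other,dc=mydomain,dc=com,dc=uy
cn: other
userPassword: {SSHA}cGxhY2Vob2xkZXItbm90LWEtaGFzaA==
"""

ACCEPTED_HASH_SCHEMES = {"{SSHA}", "{CRYPT}"}   # policy choice for this example
SCHEME_RE = re.compile(r"\{([A-Z0-9-]+)\}", re.I)  # "{SCHEME}" prefix of a hashed value


def _directives(conf):
    """Return slapd.conf directives with continuation lines (leading blanks) joined."""
    joined = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    return joined


def audit_slapd_conf(conf):
    """Report weak hashing, a cleartext rootpw and a missing or too-open userPassword ACL."""
    findings, password_acl = [], None
    for line in _directives(conf):
        parts = line.split(None, 1)
        directive, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if directive == "password-hash" and arg.upper() not in ACCEPTED_HASH_SCHEMES:
            findings.append(f"password-hash {arg}: not an accepted scheme, use {{SSHA}}")
        elif directive == "rootpw" and not SCHEME_RE.match(arg):
            findings.append("rootpw is cleartext; generate it with slappasswd")
        elif directive == "access" and "attrs=userpassword" in arg.lower().replace(" ", ""):
            password_acl = arg
    if password_acl is None:
        findings.append("no ACL for attrs=userPassword: default policy lets everyone read it")
    elif re.search(r"by\s+\*\s+read", password_acl):
        findings.append("userPassword ACL grants read to everyone (by * read)")
    return findings


def audit_ldif(ldif):
    """List entries whose userPassword the searching identity could read, hashed or not."""
    findings, dn = [], None
    for line in ldif.replace("\n ", "").splitlines():   # unfold LDIF continuation lines
        line = line.rstrip()
        if not line:
            dn = None                                    # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                        # "attr:: base64value"
            try:
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            except ValueError:
                continue
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword":
            m = SCHEME_RE.match(value)
            if m is None:
                findings.append(f"{dn}: userPassword is cleartext and readable by this bind")
            else:
                findings.append(f"{dn}: userPassword ({{{m.group(1)}}}) readable by this bind")
    return findings


if __name__ == "__main__":
    print("weak conf:", audit_slapd_conf(WEAK_SLAPD_CONF))
    print("hardened conf:", audit_slapd_conf(HARDENED_SLAPD_CONF))
    print("ldif:", audit_ldif(SAMPLE_LDIF))
```

Two caveats worth keeping in mind when reading the output: `password-hash` only governs values written through the Password Modify extended operation (which is what `pam_password exop` in the posted ldap.conf uses), so an entry loaded with a cleartext `userPassword` via ldapadd stays cleartext until it is changed; and an ACL does not hide the attribute from the rootdn, so a search bound as `cn=Manager` will keep showing it even after the ACL is in place. Run the LDIF check against a search made with the ordinary client bind you actually use.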


----------



## VampirD (Dec 11, 2012)

I don't get how to solve it T_T


----------



## Crest (Dec 12, 2012)

"dark123" is too trivial a password. Did you add nss_ldap to /etc/nsswitch.conf?
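Crest's question points at the line in the log that matters most: sshd writes "Invalid user leki" when getpwnam() cannot find the name, which is exactly what an nsswitch.conf that still lists only `compat` for passwd and group produces, however PAM is configured. The posted /etc/pam.d/sshd has the same gap one stage later: its pam_ldap `account` line is commented out, so only files-based modules vouch for the user. The following check, added here as an example and not part of the thread, parses both files and reports the two conditions. The "before" samples are constructed to mirror FreeBSD's stock nsswitch.conf and the account stack quoted in the question; the "after" samples show the usual fix (`files ldap` as the sources, and an active pam_ldap account line), which is an assumption about the usual layout, not the poster's files.

```python
# Added example, not from the thread: can an LDAP-only user be resolved by NSS and
# vouched for by the PAM account stack?  All sample files below are constructed.

NSSWITCH_BEFORE = """\
group: compat
group_compat: nis
hosts: files dns
passwd: compat
passwd_compat: nis
"""

# Usual fix (assumed layout): local files first, then the directory.
NSSWITCH_AFTER = """\
group: files ldap
hosts: files dns
passwd: files ldap
"""

PAM_SSHD_BEFORE = """\
# account
account         required        pam_nologin.so
account         required        pam_login_access.so
account         required        pam_unix.so
#account         required      /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
"""

PAM_SSHD_AFTER = """\
# account
account         required        pam_nologin.so
account         required        pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account         required        pam_unix.so
"""


def nss_sources(nsswitch, database):
    """Return the lookup sources listed for one nsswitch.conf database, in order."""
    for raw in nsswitch.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # keep source names, drop [status=action] criteria such as [notfound=return]
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def check_nsswitch(nsswitch):
    """Flag passwd/group databases that never consult the directory."""
    findings = []
    for db in ("passwd", "group"):
        sources = nss_sources(nsswitch, db)
        if "ldap" not in sources:
            findings.append(f"nsswitch.conf: {db} sources {sources} do not include ldap")
    return findings


def active_account_modules(pam_conf):
    """Module file names of the uncommented 'account' lines, in stack order."""
    modules = []
    for raw in pam_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "account":
            modules.append(fields[2].rsplit("/", 1)[-1])   # basename of the module path
    return modules


def check_pam_account(pam_conf):
    """Flag an account stack in which no module can vouch for a directory-only user."""
    modules = active_account_modules(pam_conf)
    if not any(m.startswith("pam_ldap") for m in modules):
        return [f"pam.d/sshd: account stack {modules} has no pam_ldap entry"]
    return []


def audit_login_path(nsswitch, pam_conf):
    """Both checks, in the order a login passes through them (NSS lookup, then PAM account)."""
    return check_nsswitch(nsswitch) + check_pam_account(pam_conf)


if __name__ == "__main__":
    for label, nss, pam in (("before", NSSWITCH_BEFORE, PAM_SSHD_BEFORE),
                            ("after", NSSWITCH_AFTER, PAM_SSHD_AFTER)):
        print(label, audit_login_path(nss, pam) or "ok")
```

On a live host, `getent passwd leki` is the quickest way to confirm the first half: until it returns the directory entry, sshd will keep logging the user as invalid, and no PAM change will alter that.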


----------

