# openLDAP Client/Server



## ogosselin (Jan 5, 2022)

Hi guys,
I'm trying to connect over SSH to a client with an OpenLDAP account, but nothing works.

OS : FreeBSD 12.2-RELEASE-p7

From Client `# id user`
> It Works

`# getent passwd`
> It Works

Connection seems good
`# openssl s_client -connect MyLDAPServer:636`
> It Works

But I can't connect from SSH with an LDAP Login. (UNIX authentication refused)

Can you help me?

Thank you,
Regards,


----------



## SirDice (Jan 5, 2022)

Please don't post pictures of text. They're impossible to copy/paste or quote from.


----------



## SirDice (Jan 5, 2022)

ogosselin said:


> From Client `# id user`
> > It Works
> 
> `# getent passwd`
> > It Works


This just means /etc/nsswitch.conf is working correctly. Doesn't mean your PAM configuration is correct. Check your /var/log/auth.log.


----------



## ogosselin (Jan 6, 2022)

SirDice said:


> This just means /etc/nsswitch.conf is working correctly. Doesn't mean your PAM configuration is correct. Check your /var/log/auth.log.



Ok, thank you.

I checked the log while trying to connect to this server. This is the output:

```
Jan  6 09:14:07 ns-prod-grav7-01 sshd[2702]: nss_ldap: failed to bind to LDAP server ldap://<IPofLDAPServer>: Can't contact LDAP server
Jan  6 09:14:07 ns-prod-grav7-01 sshd[2702]: nss_ldap: reconnected to LDAP server ldaps://<FQDNofLDAPServerWithoutPort>/
Jan  6 09:14:18 ns-prod-grav7-01 sshd[2704]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan  6 09:14:18 ns-prod-grav7-01 sshd[2704]: pam_ldap: reconnecting to LDAP server...
Jan  6 09:14:18 ns-prod-grav7-01 sshd[2704]: pam_ldap: ldap_simple_bind Can't contact LDAP server
```

What do you recommend checking in my configuration? Which file do I need to modify?
I'm lost, I did too many tests.

Thank you,
Regards,


----------
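
The log above shows two separate layers failing differently: `nss_ldap` (lookups) and `pam_ldap` (authentication). The following triage script is an added example, not part of the original posts; it runs over the log lines copied from the post, and the module-to-file mapping uses the two paths named later in the thread, assumed to be the FreeBSD ports defaults.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (placeholders kept exactly as posted).
AUTH_LOG = """\
Jan  6 09:14:07 ns-prod-grav7-01 sshd[2702]: nss_ldap: failed to bind to LDAP server ldap://<IPofLDAPServer>: Can't contact LDAP server
Jan  6 09:14:07 ns-prod-grav7-01 sshd[2702]: nss_ldap: reconnected to LDAP server ldaps://<FQDNofLDAPServerWithoutPort>/
Jan  6 09:14:18 ns-prod-grav7-01 sshd[2704]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan  6 09:14:18 ns-prod-grav7-01 sshd[2704]: pam_ldap: reconnecting to LDAP server...
Jan  6 09:14:18 ns-prod-grav7-01 sshd[2704]: pam_ldap: ldap_simple_bind Can't contact LDAP server
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<module>nss_ldap|pam_ldap): (?P<msg>.*)$")
URI = re.compile(r"ldaps?://\S+")
# Assumption: each module reads its own file (FreeBSD ports defaults).
CONFIG = {"nss_ldap": "/usr/local/etc/nss_ldap.conf",
          "pam_ldap": "/usr/local/etc/ldap.conf"}

def triage(log_text):
    """Per module: count bind failures, note recovery, collect the URIs tried."""
    report = defaultdict(lambda: {"failures": 0, "recovered": False, "uris": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        entry, msg = report[m["module"]], m["msg"]
        # Strip the ':' or '/' that follows the URI in the log message.
        entry["uris"] += [u.rstrip(":/") for u in URI.findall(msg)]
        if "Can't contact LDAP server" in msg:
            entry["failures"] += 1
        elif "reconnected to LDAP server" in msg:
            entry["recovered"] = True
    return dict(report)

def verdict(report):
    """Name the layer that is still broken and the file to inspect."""
    out = []
    for module, e in sorted(report.items()):
        if e["failures"] and not e["recovered"]:
            layer = "authentication (PAM)" if module == "pam_ldap" else "lookup (NSS)"
            out.append(f"{module}: {layer} never reached the server; check {CONFIG[module]}")
        elif e["failures"]:
            out.append(f"{module}: first URI failed, fallback worked: {' -> '.join(e['uris'])}")
    return out

if __name__ == "__main__":
    print("\n".join(verdict(triage(AUTH_LOG))))
```

On this log, NSS recovers over `ldaps://` while PAM never binds, which matches the symptom that `id` and `getent` work but the SSH login does not.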



## ogosselin (Jan 6, 2022)

I changed some parameters inside nss_ldap.conf

But I have the same issue in /var/log/auth.log:

```
Jan  6 10:09:24 ns-prod-grav7-01 sshd[3042]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan  6 10:09:24 ns-prod-grav7-01 sshd[3042]: pam_ldap: reconnecting to LDAP server...
Jan  6 10:09:24 ns-prod-grav7-01 sshd[3042]: pam_ldap: ldap_simple_bind Can't contact LDAP server
```


----------



## ogosselin (Jan 6, 2022)

Finally, after checking the configuration, I solved this issue.

Thank you


----------



## SirDice (Jan 6, 2022)

What was set wrongly? Don't need to know the exact details, just some hints for the next person that finds this thread.


----------



## ogosselin (Jan 8, 2022)

Hi,
I made some changes on the client side.
- I had both server certificates on the client (cert and CA, not the key)
- I changed some settings in /usr/local/etc/nss_ldap.conf and /usr/local/etc/ldap.conf as well

```
host <FQDNserver>
# add comments to uri, binddn, bindpw, rootbinddn
bind_policy soft
ssl yes
tls_cacertfile <path to ca cert>
tls_cacertdir <path all ca>
tls_checkpeer yes
TLS_REQCERT allow
```

I haven't finished my troubleshooting because I get some errors when I try to modify my LDAP server

```
ldap_add: Insufficient access (50)
```
I'd like to add the ability to store client SSH keys with openssh-lpk.ldif

And when I log in with an LDAP account, the first message is an error, but logging in with LDAP works

```
UNIX authentication refused
```

Do you have any idea about these errors?

Thank you,
Regards,


----------



## ogosselin (Jan 9, 2022)

Hi,
I added the configuration for the file /etc/pam.d/sshd. "UNIX authentication refused" is solved. But do you have an idea about the error I get when I try to add something to the schema?


```
ldap_add: Insufficient access (50)
```

file : /etc/pam.d/sshd

```
#
# $FreeBSD: releng/12.2/lib/libpam/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_unix.so             no_warn nullok try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      use_first_pass

# account
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail

# session
session         required        pam_permit.so
session         required       /usr/local/lib/pam_mkhomedir.so
session         optional      /usr/local/lib/pam_ldap.so

# password
password        sufficient      /usr/local/lib/pam_ldap.so      use_authtok
password        required        pam_unix.so             no_warn try_first_pass
```


----------



## ogosselin (Jan 10, 2022)

Hi,
I didn't find anything about this error. Can someone help me? I'm using the rootdn configured in the file /usr/local/etc/openldap/slapd.conf on my LDAP server to import LDIF information.

```
ldap_add: Insufficient access (50)
```

I have the same error if I try to import the LDIF with phpLDAPadmin.

Thank you,
Regards,


----------



## SirDice (Jan 10, 2022)

Did you set an ACL on LDAP? Those can be quite tricky to set up correctly, most of the examples I've seen on the internet are severely broken and don't work as expected. I do recommend setting up ACLs in LDAP or else anyone with access is able to read all the (hashed) passwords. But this is quite an undertaking to do correctly.


----------
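
A minimal `slapd.conf` access-control fragment for the exposure described above (readable password hashes), as an added example that is not from the thread. It assumes the slapd.conf-style configuration mentioned in the thread and anonymous lookups by the NSS client; adapt it to the directory's own layout.

```conf
# Place inside the database section of slapd.conf, after suffix/rootdn.
# Rules are evaluated top to bottom; the first matching "access to" wins.
# The database's rootdn is not subject to these rules.

# Default when no "access to" line exists (shown commented out):
# every client, including anonymous, can read userPassword hashes.
#access to * by * read

# Password hashes: the owner may change them, anonymous clients may
# only use them to authenticate a bind, nobody else can read them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# All other attributes stay readable so NSS lookups (id, getent) work.
access to *
        by * read
```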



## ogosselin (Jan 10, 2022)

No, I didn't set an ACL. I read some examples as well, but they didn't work well.

Ok, I'll search in this way. Thank you


----------



## ogosselin (Jan 12, 2022)

I'm using the rootdn account but I get the same behaviour: Insufficient access...

Can someone help me? Because I assume rootdn can do anything, can't it?

Thank you,
Regards,


----------

