Page 2 of 3 (results 11 to 20 of 24)

Thread: LDAP users cannot log in unless they are local users as well

  #11
    Join Date: Apr 2006 | Beans: 38 | Distro: Kubuntu

    Re: LDAP users cannot log in unless they are local users as well

    Quote Originally Posted by apalacheno:
    Second, if "db" is put before "ldap", the clients always work with potentially aged data. If a user changes his password or an existing user is deleted (i.e. because he is leaving the company), this change isn't reflected on the clients until they update their local db. This is a potential security risk.
    If you can live with that, make sure that the clients fetch up-to-date data from the LDAP server every 30 or (maximum) 60 minutes. I can help you with a script that does that automatically.

    Is this still a problem if the Kerberos server still needs to be contacted for password authentication? I thought only the list of users/groups is what gets cached if I am using Kerberos for authentication and the password field in the LDAP entry is unused.

    I've written a simple crontab for updating the database every 30 minutes. Database corruption, however, is a problem. One I hadn't thought of...

    Quote Originally Posted by apalacheno:
    Is the LDAP server at the same site as your clients, or do LDAP queries have to travel over a WAN? How much time do manual LDAP queries need? Is there any noticeable delay? How do the clients connect to the LDAP server? Via IP address or is a name resolution at a DNS server necessary? This could be a bottleneck if the DNS server isn't configured correctly. Do you use LDAP with TLS (which is always recommended)? Try to temporarily disable any encryption and check if logon is faster.

    The LDAP server is at the same site, just a few doors away. Manual LDAP queries seem to take nearly no time at all, which is why I am confused about the lag issue. I *do* use the FQDN as the ldap uri, and that isn't necessary: the servers' IP addresses aren't likely to take too long. I'll try with one machine today, time permitting, with the IP address in the LDAP uri. I do use LDAP with TLS -- I can just tell the client not to use it when querying, that should work since I can run ldapsearch without TLS as well. Again, I'll see if I can actually test these configurations today.

    Quote Originally Posted by apalacheno:
    If all of the above is without usable results, you could set a timelimit in the client's ldap.conf to avoid too long delays (you can experiment with the timelimit values; 5 seconds should be reasonable in most cases).
    If the LDAP query takes longer than the time set in the timelimit option, the client falls back to the local "db". This way you may have both - short logon times and up-to-date user information, if time permits.

    Cheers,
    Robert

    That's a really good idea: my timelimit and bind_timelimit parameters are currently set at 120, so that's probably a tad high. These are the same settings as on the backup KDC/LDAP server, but I have seen none of these problems on that machine (it runs Fedora). That can probably be attributed to the fact that it can just consult itself for the needed information, however.


    Thanks,
    Yözen

  #12
    Join Date: Nov 2006 | Beans: 83

    Re: LDAP users cannot log in unless they are local users as well

    AFAIK all credentials needed for login get cached. You can test that by booting your machine with the network cable unplugged. Using cached credentials, you still can login (that's the point of cached credentials), but you don't get a Kerberos ticket.

    Let me know how your tests turn out!

  #13
    Join Date: Apr 2006 | Beans: 38 | Distro: Kubuntu

    Re: LDAP users cannot log in unless they are local users as well

    RE: cached login credentials -> Got it, that makes perfect sense.

    OK, so thanks to your help, I have narrowed down the problem to libnss-ldap and OpenSSL.

    Here's the run-down. If I have ssl start_tls enabled in /etc/ldap.conf, I get messages on the client side saying that nss_ldap could not connect to the ldap server. On the server side, I get messages saying "unable to get TLS client DN". Looks like that last message is a pretty heavily searched term, and there's even a thread in the ubuntu forums asking about it which went unanswered. (Doesn't look too good for me).

    *However*, using ldapsearch with the -ZZ option works just fine: no error messages like the above on either client, nor server. Something must be going wrong with how nss_ldap uses the certificate file, and I don't know what, or how to go about fixing that.

    Until I figure out what might be wrong there, I'll have to stick to my old, potentially insecure, configuration for the time being.

    Any ideas, Robert?

    Thanks,
    Yözen

    Edit:
    Forgot to mention: running nss_updatedb works fine, but I get the error message on the server side only. Logging in with the same configurations causes the error messages on both sides as explained above.
    Last edited by PatheticMoFo; September 9th, 2009 at 09:53 PM. Reason: Added extra info.

  #14
    Join Date: Nov 2006 | Beans: 83

    Re: LDAP users cannot log in unless they are local users as well

    Hi Yözen,
    that may be a shot right out into the blue, but do you have the option TLS_REQCERT in /etc/ldap/ldap.conf set to "demand"|"hard" or to "allow"? Try "allow" for instance. I remember vaguely having read something about hiccups with gnutls and self-signed certificates.

    Concerning the login delay, it crossed my mind that you should have "bind_policy" set to "soft" in /etc/ldap.conf. But I don't expect that will help much in your case anyway.

    Would you mind posting your /etc/ldap.conf and /etc/ldap/ldap.conf? I'd like to reconstruct your settings (as time permits) and test it here locally.

    Cheers,
    Robert

  #15
    Join Date: Apr 2006 | Beans: 38 | Distro: Kubuntu

    Re: LDAP users cannot log in unless they are local users as well

    Hey Robert,

    Nope, I haven't defined TLS_REQCERT, so it must be on the default "demand". Sure, I'll try using "allow", but this would probably only get rid of the client-side issues, so if there really is something going on on the server side that is preventing the setup from working properly, it might not fix it. Of course, I will try it anyway in case I'm wrong.

    Oh, bind_policy is set to "soft" already. I've read about "hard" causing some pretty bad issues.

    You got it, I'll post both files. If you don't mind, I'll remove the references to the server hostnames.

    Thanks,
    Yözen

    Attachments Note:
    ldap.conf.txt -> /etc/ldap.conf
    ldap_ldap.conf.txt -> /etc/ldap/ldap.conf
    In this file, I have not yet added TLS_REQCERT "allow".

  #16
    Join Date: Nov 2006 | Beans: 83

    Re: LDAP users cannot log in unless they are local users as well

    Thanks Yözen. Gimme some time to implement a test environment with your settings. It may take a few days. I'll reply as soon as I'm done.

    Have a nice weekend meanwhile!

  #17
    Join Date: Apr 2006 | Beans: 38 | Distro: Kubuntu

    Re: LDAP users cannot log in unless they are local users as well

    Quote Originally Posted by apalacheno:
    Thanks Yözen. Gimme some time to implement a test environment with your settings. It may take a few days. I'll reply as soon as I'm done.

    Have a nice weekend meanwhile!

    Sure, no rush. Thanks a lot for the help!

    You have a nice weekend too!

  #18
    Join Date: Nov 2006 | Beans: 83

    Re: LDAP users cannot log in unless they are local users as well

    Hey,
    sorry for the long delay, it was a busy week.

    Looking at your /etc/ldap.conf I see that the following lines are missing:

    Code:
    nss_base_passwd			ou=users,dc=removed,dc=com?one
    nss_base_group			ou=groups,dc=removed,dc=com?one

    They should point to the actual ou of your users and groups. What I also noticed is your use of the use_sasl and rootuse_sasl options. Adding these to my config, the login took significantly longer. I'm not using them though, and to be honest I have no idea what they actually do. It works nevertheless.

    Also, check your TLS_CACERT and TLS_CACERTDIR options in /etc/ldap/ldap.conf. I'm not sure about this, but I think you have to decide on one, not use both. And since you use a backup server, you'd likely want to go for TLS_CACERTDIR.

    Here's my config that works without problems:

    /etc/ldap.conf:

    Code:
    # Pre-configured values
    base				dc=removed,dc=com
    uri				ldap://masterldap.removed.com
    ldap_version			3
    pam_password			md5
    
    # Own settings
    ssl				start_tls
    tls_checkpeer			yes
    bind_policy			soft
    nss_base_passwd			ou=users,dc=removed,dc=com?one
    nss_base_group			ou=groups,dc=removed,dc=com?one
    nss_initgroups_ignoreusers	avahi,avahi-autoipd,backup,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,polkituser,proxy,pulse,root,saned,sync,sys,syslog,uucp,vboxadd,www-data

    /etc/ldap/ldap.conf:

    Code:
    BASE		dc=removed,dc=com
    URI		ldap://masterldap.removed.com
    TLS_REQCERT	demand
    TLS_CACERT      /usr/share/ca-certificates/cacert_home.crt

    If you still have problems, I'd guess there's something wrong with the certificates. How did you add your certs to your LDAP server? And does the LDAP server cert's common name exactly match your LDAP URI, in this case masterldap.removed.com? You'd need a separate certificate for your LDAP backup server as well.

    Hm, that's all that comes to my mind for now. Hope it is of some use for you!

    Cheers,
    Robert
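
Added example (not code from the thread or from any of the posters): a small Python checker that reads the two files Robert posted above, /etc/ldap.conf (nss_ldap/pam_ldap) and /etc/ldap/ldap.conf (libldap), and reports the settings this thread went back and forth on: missing nss_base_passwd/nss_base_group, bind_policy left at hard, timelimit/bind_timelimit above the 5 seconds suggested earlier, tls_checkpeer switched off, TLS_CACERT and TLS_CACERTDIR set together, TLS_REQCERT relaxed to allow/never, and LDAP URI hostnames that the server certificate's subjectAltName does not cover (the one-certificate-for-two-servers question that comes up later in the thread). All file contents, hostnames, paths and the SAN list below are constructed placeholders; the SAN list is assumed to have been pulled out of the server certificate beforehand with openssl.

```python
"""Added example: lint the nss_ldap and libldap client files from this thread.
Not code from the thread. All hostnames, paths and SAN entries are constructed."""
from urllib.parse import urlsplit

# Constructed /etc/ldap.conf showing the problems the thread ran into
WEAK_NSS_LDAP_CONF = """\
base            dc=example,dc=com
uri             ldap://ldap1.example.com ldap://ldap2.example.com
ssl             start_tls
tls_checkpeer   yes
bind_policy     soft
timelimit       120
bind_timelimit  120
"""
# Constructed /etc/ldap/ldap.conf: both CA options set, TLS_REQCERT left at default
WEAK_LIBLDAP_CONF = """\
BASE          dc=example,dc=com
URI           ldap://ldap1.example.com
TLS_CACERT    /etc/ssl/certs/example-ca.crt
TLS_CACERTDIR /etc/ssl/certs
"""
# Constructed DNS names from the server cert's subjectAltName
# (obtainable with: openssl x509 -noout -ext subjectAltName -in server.crt)
WEAK_CERT_DNS_NAMES = ["ldap1.example.com"]

# Constructed corrected versions of the same three inputs
FIXED_NSS_LDAP_CONF = """\
base            dc=example,dc=com
uri             ldap://ldap1.example.com ldap://ldap2.example.com
ssl             start_tls
tls_checkpeer   yes
bind_policy     soft
timelimit       5
bind_timelimit  5
nss_base_passwd ou=users,dc=example,dc=com?one
nss_base_group  ou=groups,dc=example,dc=com?one
"""
FIXED_LIBLDAP_CONF = """\
BASE          dc=example,dc=com
URI           ldap://ldap1.example.com
TLS_REQCERT   demand
TLS_CACERT    /etc/ssl/certs/example-ca.crt
"""
FIXED_CERT_DNS_NAMES = ["ldap1.example.com", "ldap2.example.com"]


def parse_ldap_conf(text):
    """'key value' lines -> dict with lowercased keys; '#' comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def uri_hosts(uri_value):
    """Hostnames from a space-separated list of ldap:// or ldaps:// URIs."""
    hosts = [urlsplit(u).hostname for u in uri_value.split()]
    return [h.lower() for h in hosts if h]


def san_covers(host, san_names):
    """True if host matches a DNS SAN entry; a leading '*.' matches exactly one label."""
    host = host.lower()
    for name in (n.lower() for n in san_names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif host == name:
            return True
    return False


def lint(nss_conf_text, libldap_conf_text, cert_dns_names, max_timelimit=5):
    """Return findings as strings; an empty list means nothing to report."""
    nss, lib = parse_ldap_conf(nss_conf_text), parse_ldap_conf(libldap_conf_text)
    findings = []
    for key in ("nss_base_passwd", "nss_base_group"):
        if key not in nss:
            findings.append(f"{key} missing: every lookup searches the whole base")
    if nss.get("bind_policy", "hard") == "hard":  # nss_ldap default is hard
        findings.append("bind_policy hard: logins block while the server is unreachable")
    for key in ("timelimit", "bind_timelimit"):
        if nss.get(key, "").isdigit() and int(nss[key]) > max_timelimit:
            findings.append(f"{key}={nss[key]}: above {max_timelimit}s, slow fallback to local db")
    if nss.get("ssl") == "start_tls" and nss.get("tls_checkpeer") == "no":
        findings.append("tls_checkpeer no: server certificate is not verified")
    if "tls_cacert" in lib and "tls_cacertdir" in lib:
        findings.append("TLS_CACERT and TLS_CACERTDIR both set: keep one")
    if lib.get("tls_reqcert", "demand") in ("allow", "never"):  # libldap default is demand
        findings.append(f"TLS_REQCERT {lib['tls_reqcert']}: bad certificates are accepted")
    for host in sorted(set(uri_hosts(nss.get("uri", "")) + uri_hosts(lib.get("uri", "")))):
        if not san_covers(host, cert_dns_names):
            findings.append(f"{host} not in certificate SANs: peer check fails for this URI")
    return findings


if __name__ == "__main__":
    print("weak:", lint(WEAK_NSS_LDAP_CONF, WEAK_LIBLDAP_CONF, WEAK_CERT_DNS_NAMES))
    print("fixed:", lint(FIXED_NSS_LDAP_CONF, FIXED_LIBLDAP_CONF, FIXED_CERT_DNS_NAMES) or "no findings")
```

Run it as-is to see the weak configuration produce six findings and the corrected one none; to check a real client, paste the contents of your own two files in place of the constructed strings and fill the SAN list from the certificate the LDAP server actually serves.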

  #19
    Join Date: Sep 2009 | Beans: 1

    Re: LDAP users cannot log in unless they are local users as well

    Please,

    Have a look at

    http://www.linux-mag.com/id/4738

    and

    http://www.linux-mag.com/id/4765

    I've followed the instructions described there and SSO LDAP authentication worked fine with ssh.

    My server and clients are Ubuntu 9.04.


    Carlos

  #20
    Join Date: Apr 2006 | Beans: 38 | Distro: Kubuntu

    Re: LDAP users cannot log in unless they are local users as well

    Thanks for your responses, guys. I will try out Robert's suggestions first, but I will look at the two articles you've posted Carlos, thanks.

    @ Robert,
    The use_sasl and rootuse_sasl options came from this page:
    https://www-s.acm.uiuc.edu/wiki/spac...+Fedora+Core+6
    I just used them to try them out, but if you say login time went up, I should really get rid of them! TLS_CACERTDIR was actually added automatically for me, I never added it myself! I was only using TLS_CACERT, but every time I remove TLS_CACERTDIR it seems to spontaneously reappear.

    Also, in regards to having a separate certificate for my backup LDAP server, according to this page:
    http://www-theorie.physik.unizh.ch/~...sl_certificate
    I just have to tweak a setting in my openssl.conf file, subjectAltName, so that I can use just one certificate.


    Thanks, all. I'll let you know how it goes.
    Last edited by PatheticMoFo; September 28th, 2009 at 08:31 PM. Reason: Corrected URL
