From Fedora Project Wiki

Description

Use nss-pam-ldapd to gain access to trusted domain users

Setup

  1. Make sure your FreeIPA server is set up as in QA:Testcase_freeipa_trust_establish.
  2. Make sure nss-pam-ldapd is installed. This test uses RHEL-6.3 as an example, but the steps should be similar for other distribution or OS

How to test

Add test users and groups on the IPA server

When testing the legacy client, we will begin by creating a user and a group he is a member of on the server first to establish a baseline.

$ kinit admin
$ ipa user-add --first=test --last=user tuser
$ ipa group-add --desc="test group" tgroup
$ ipa group-add-member --users=tuser tgroup

Also set some password for the newly created user so that we can log in using his credentials.

$ ipa passwd tuser

Install required packages

The package installation step differs for every OS or distribution. For nss-pam-ldapd, simply install the packages using yum:

 # yum install nss-pam-ldapd pam_ldap authconfig

The authconfig utility will help us configure the PAM stack.

Configure nss-pam-ldapd and pam_ldap

Next the nss-pam-ldapd needs to be configured. The configuration will point to a "compat tree" which is a parallel LDAP tree autogenerated from the main tree and tailored so that it matches the expectations legacy clients might have. The configuration includes two important items:

  1. LDAP URI - The URI is simply the host name of the IPA server prefixed with ldap://. For example, if the hostname was srv.ipa.example.org, then the URI would be ldap://srv.ipa.example.org
  2. LDAP search base - The LDAP search base we need consists of the base DN prefixed with "cn=compat", which is the container the compat tree lives in. To get the base DN, take the IPA domain name and substitute each dot for a "dc=". For example, the IPA domain ipa.example.org would yield base DN dc=ipa,dc=example,dc=org. The full search base you want to use would then be cn=compat,dc=ipa,dc=example,dc=org

Using authconfig

Configuring the system to authenticate with IPA using authconfig is a matter of one shell command once you know the LDAP URI and the search base.

authconfig --updateall --enableldap --enableldapauth \
           --ldapserver=ldap://srv.ipa.example.org \
           --ldapbasedn=cn=compat,dc=ipa,dc=example,dc=com

Manually

On systems without a helper tool such as authconfig, one needs to configure the client system manually. The configuration involves several steps:

Linux

1. configure nsswitch.conf - append ldap to the lines beginning with passwd and group.

passwd:     files ldap
group:      files ldap

2. configure PAM - configuring the PAM stack differs on particular distributions. The resulting PAM stack should look like this one:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

3. configure nslcd.conf - The nslcd.conf config file can be pretty minimal. It just needs to include the LDAP URI and search base:

uri ldap://ipaserver.ipatest.example.com
base cn=compat,dc=ipatest,dc=example,dc=com

4. configure pam_ldap.conf - The pam_ldap.conf config file looks quite similar to nslcd.conf. Its minimal contents also only include the LDAP URI and the search base:

uri ldap://ipaserver.ipatest.example.com
base cn=compat,dc=ipatest,dc=example,dc=com
FreeBSD

Following instructions were created using FreeBSD 9.1.

1. Install nss-pam-ldapd package. This will pull in other packages as well. We also need curl to fetch IPA master certificate:

pkg_add -r nss-pam-ldapd
pkg_add -r curl

2. Configure /etc/nsswitch.conf:

group: files ldap
passwd: files ldap

3. Configure PAM stack. Since it is done separately for each application in FreeBSD by default, we change only sshd for the test:

#
# $FreeBSD: release/9.1.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

4. Add automated start of nslcd to /etc/rc.conf:

nslcd_enable="YES"
nslcd_debug="NO"

5. Add configuration for nslcd to /usr/local/etc/nslcd.conf, by copying /usr/local/etc/nslcd.conf.sample and changing following parameters:

uri ldap://ipaserver.ipatest.example.com
base cn=compat,dc=ipatest,dc=example,dc=com
scope sub
base group cn=groups,cn=compat,dc=ipatest,dc=example,dc=com
base passwd cn=users,cn=compat,dc=ipatest,dc=example,dc=com
base shadow cn=users,cn=compat,dc=ipatest,dc=example,dc=com
ssl start_tls
tls_cacertfile /usr/local/etc/ipatest.crt

6. Add partial set from above to /usr/local/etc/ldap.conf, for basic ldap libraries, note difference with tls_cacert:

uri ldap://ipaserver.ipatest.example.com
base cn=compat,dc=ipatest,dc=example,dc=com
ssl start_tls
tls_cacert /usr/local/etc/ipatest.crt

7. Fetch IPA certificate:

curl -k https://ipatest.example.com/ipa/config/ca.cert > /usr/local/etc/ipatest.crt

8. Start nslcd:

/usr/local/etc/rc.d/nslcd start

Identity lookups of IPA users and groups

Try to request data about the user that was created on the start of this test:

$ getent passwd tuser
$ getent group tgroup
$ id tuser

The commands above should reflect that tuser is member of tgroup.

Authentication as IPA user

This testcase currently does not work due to referral returned from the server.

ssh client.example.org -l tuser

The error you would see would be similar to:

pam_ldap: error trying to bind as user "uid=tuser,cn=users,cn=compat,dc=ipatest,dc=example,dc=com" (Referral)

Identity lookups of trusted users and groups

When requesting the user from a trusted domain, the username must be fully qualified in the form of username@ad-domain. Additionaly, to conform with nss-pam-ldapd limitation, the username and domain name must be lowercased to match the name in the compat tree with respect to case.

To request a from the trusted domain:

$ getent passwd administrator@ad.example.org

Authentication as trusted user

Again, the username must be fully qualified and lowercased:

ssh client.example.org -l administrator@ad.example.org

Note also that for FreeBSD test user names must be less than 16 characters long or actual log-in will not succeed. This is due to http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133926 which is still not fixed in FreeBSD 9.1. It is recommended to create a user in Active Directory with a short name so that total name length, including the realm, will not be greater than 16 characters. For example, user@example.com is 16 characters long.

Expected Results

Both users from the IPA domain and the trusted domain should be able to log in.