Support building a user DN from a template #37

Open
f-b-e opened this issue Sep 12, 2019 · 5 comments
f-b-e commented Sep 12, 2019

Hi,

I am trying to use the simple bind method for authentication of users.
To illustrate my need, please have a look at https://help.fortinet.com/fadc/4-8-0/olh/Content/FortiADC/handbook/remote_ldap_server.htm.

I cannot figure out how to do it and, from my understanding of the code and the debug log I get from my trials, I think this is not supported.

Is it possible to add support for this?

Thanks for your future answers.

@arthurdejong
Owner

The nslcd daemon will use a simple BIND request by default for user authentication when the PAM module is used. The debug log should contain something like:

```
nslcd: [efd79f] <authc="arthur"> DEBUG: nslcd_pam_authc("arthur","gdm-password","***")
nslcd: [efd79f] <authc="arthur"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=arthur))")
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_result(): uid=arthur,ou=people,dc=example,dc=com
nslcd: [efd79f] <authc="arthur"> DEBUG: myldap_search(base="uid=arthur,ou=people,dc=example,dc=com", filter="(objectClass=*)")
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_initialize(ldaps://192.168.1.1/)
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_sasl_bind("uid=arthur,ou=people,dc=example,dc=com","***") (uri="ldaps://192.168.12.1/") (ppolicy=yes)
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_unbind()
nslcd: [efd79f] <authc="arthur"> DEBUG: bind successful
nslcd: [efd79f] <authc="arthur"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=shadowAccount)(uid=arthur))")
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_result(): uid=arthur,ou=people,dc=example,dc=com
```

While it uses the ldap_sasl_bind() function, the BIND operation to the server should be a simple bind with just a DN and a password.

Please provide more details.

f-b-e commented Sep 24, 2019

Hi, thanks for your reply.

Below is my configuration file:

```
log /var/log/nslcd.log debug

uid nslcd
gid nslcd

uri ldap://10.1.1.254
base dc=example,dc=local
ldap_version 3
nss_uid_offset 1000
nss_gid_offset 1000

base passwd ou=Accounts,dc=example,dc=local
filter passwd (objectClass=user)
map passwd uid sAMAccountName
map passwd gecos displayName
map passwd loginShell "/bin/bash"
map passwd homeDirectory "/home/${sAMAccountName}"
map passwd uidNumber objectSid:<...>
map passwd gidNumber objectSid:<...>

base shadow ou=Accounts,dc=example,dc=local
filter shadow (objectClass=user)
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet

base group ou=Groups,dc=example,dc=local
filter group (objectClass=group)
map group userPassword ""
map group cn sAMAccountName
map group gidNumber objectSid:<...>
```

Below is the log:

```
nslcd: [8b4567] DEBUG: connection from pid=7580 uid=0 gid=0
nslcd: [8b4567] <passwd="jsnow"> DEBUG: myldap_search(base="ou=Accounts,dc=example,dc=com", filter="(&(objectClass=user)(sAMAccountName=jsnow))")
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_initialize(ldap://10.1.1.254)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://10.1.1.254")
nslcd: [8b4567] <passwd="jsnow"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
nslcd: [7b23c6] DEBUG: connection from pid=7580 uid=0 gid=0
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: myldap_search(base="ou=Accounts,dc=example,dc=local", filter="(&(objectClass=user)(sAMAccountName=jsnow))")
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_initialize(ldap://10.1.1.254)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://10.1.1.254")
nslcd: [7b23c6] <passwd="jsnow"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
nslcd: [3c9869] DEBUG: connection from pid=7580 uid=0 gid=0
nslcd: [3c9869] <passwd="jsnow"> DEBUG: myldap_search(base="ou=Accounts,dc=example,dc=local", filter="(&(objectClass=user)(sAMAccountName=jsnow))")
nslcd: [3c9869] <passwd="jsnow"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
nslcd: [334873] DEBUG: connection from pid=7580 uid=0 gid=0
nslcd: [334873] <authc="jsnow"> DEBUG: nslcd_pam_authc("jsnow","sshd","***")
nslcd: [334873] <authc="jsnow"> DEBUG: myldap_search(base="ou=Accounts,dc=example,dc=local", filter="(&(objectClass=user)(sAMAccountName=jsnow))")
nslcd: [334873] <authc="jsnow"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
nslcd: [334873] <authc="jsnow"> DEBUG: "jsnow": user not found: Operations error
```

If I add the binddn and bindpw to my configuration, this works properly.
With the simple bind method, I removed binddn and bindpw from the configuration, as it should use those of the user trying to connect.

Maybe I am mistaken with the configuration.

@arthurdejong
Owner

The binddn and bindpw options are needed for your LDAP server for name lookups to work. This is what the "Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580" error is about. You probably need to add a role account to your LDAP server that will be used for all name lookups.

These name lookups are not tied to any particular system user because they are carried out before authentication. The first search that is done in the authc request is also a name lookup to translate the username into a user DN that can be used in the subsequent BIND operation.

f-b-e commented Sep 25, 2019

You confirm what I understood from the source code:

  • bind with binddn and bindpw from the configuration
  • search for the user and get its DN from the username (validate_user + myldap_get_dn)
  • simple bind with the user DN, username and password (try_bind)

Tell me if I am wrong, but from my understanding this behavior corresponds to the regular bind method:

Will it be possible to make the first bind with the credentials of the user who is trying to log in?
To do it, we would need the ability to build the DN from the username. This implies that all users are located in the same branch.
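The template-built DN that this comment asks for, as an added example that is not code from the issue or from nss-pam-ldapd: the login name is escaped as an RDN attribute value (RFC 4514, section 2.4) before substitution, so a name containing `,` or `+` can never turn into extra RDN components, and the template itself fixes the single branch noted above. The function names and the `${username}` placeholder are assumptions.

```python
import re

# Characters that must be backslash-escaped anywhere inside an RDN attribute value.
_SPECIAL = set(',+"\\<>;')
# Conservative POSIX-style login-name pattern; anything else is rejected in strict mode.
_LOGIN_RE = re.compile(r'^[a-z_][a-z0-9_.@-]{0,31}$', re.IGNORECASE)


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it cannot terminate or extend the RDN."""
    if not value:
        raise ValueError("empty attribute value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")           # NUL is only representable as a hex pair
        elif ch == "#" and i == 0:
            out.append("\\#")            # a leading '#' would start a hex-string value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")            # leading/trailing spaces are otherwise dropped
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(template: str, username: str, strict: bool = True) -> str:
    """Substitute the login name into e.g. 'uid=${username},ou=people,dc=example,dc=com'.

    strict=True accepts only plain POSIX-style login names (hypothetical policy);
    strict=False accepts any name but escapes it, so 'jsnow,ou=admins' stays one RDN."""
    if "${username}" not in template:
        raise ValueError("template must contain ${username}")
    if strict and not _LOGIN_RE.match(username):
        raise ValueError("not a plain POSIX login name: %r" % username)
    return template.replace("${username}", escape_rdn_value(username))
```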

@arthurdejong
Owner

> Will it be possible to make the first bind with the credentials of the user who is trying to log in?
> To do it, we would need the ability to build the DN from the username.

While in theory this could be implemented, I don't think this will work for normal system account authentication because almost every PAM stack will look up the user (the <passwd="jsnow"> requests) before attempting authentication. This means that user information needs to be retrieved from the LDAP server before the password is sent to the PAM module.

One scenario where this perhaps could work is when the LDAP users already exist in /etc/passwd.
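Reading the debug log the way this diagnosis does, as an added example that is not from the issue or from nss-pam-ldapd: the lines are grouped by nslcd request id, and each request is classified as a name lookup that the server rejected before any user bind (the `<passwd=...>` requests and the DN lookup inside `<authc=...>`) or as a successful per-user bind. The sample lines are constructed in the log format shown above; function names are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample in the nslcd debug-log format shown in this issue (not a real capture).
SAMPLE_LOG = """\
nslcd: [8b4567] DEBUG: connection from pid=7580 uid=0 gid=0
nslcd: [8b4567] <passwd="jsnow"> DEBUG: myldap_search(base="ou=Accounts,dc=example,dc=local", filter="(&(objectClass=user)(sAMAccountName=jsnow))")
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://10.1.1.254")
nslcd: [8b4567] <passwd="jsnow"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
nslcd: [334873] DEBUG: connection from pid=7580 uid=0 gid=0
nslcd: [334873] <authc="jsnow"> DEBUG: nslcd_pam_authc("jsnow","sshd","***")
nslcd: [334873] <authc="jsnow"> DEBUG: myldap_search(base="ou=Accounts,dc=example,dc=local", filter="(&(objectClass=user)(sAMAccountName=jsnow))")
nslcd: [334873] <authc="jsnow"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
nslcd: [334873] <authc="jsnow"> DEBUG: "jsnow": user not found: Operations error
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_sasl_bind("uid=arthur,ou=people,dc=example,dc=com","***") (uri="ldaps://192.168.1.1/") (ppolicy=yes)
nslcd: [efd79f] <authc="arthur"> DEBUG: bind successful
"""

# request id, optional <kind="name"> tag, then the message.
LINE_RE = re.compile(r'^nslcd: \[(?P<req>[0-9a-f]+)\] (?:<(?P<kind>\w+)="(?P<name>[^"]*)"> )?(?P<msg>.*)$')


def triage(log_text):
    """Group lines per request; record its kind, whether the lookup ran over an
    anonymous bind, and whether it was rejected before any user bind or succeeded."""
    requests = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = requests.setdefault(m["req"], {"kind": None, "name": None,
                                           "anon_bind": False, "outcome": "unknown"})
        if m["kind"]:
            r["kind"], r["name"] = m["kind"], m["name"]
        msg = m["msg"]
        if "ldap_simple_bind_s(NULL,NULL)" in msg:
            r["anon_bind"] = True             # no binddn/bindpw configured for lookups
        if "successful bind must be completed" in msg:
            r["outcome"] = "lookup-rejected"  # the server refuses anonymous searches
        elif msg.endswith("bind successful"):
            r["outcome"] = "user-bind-ok"     # the per-user simple bind itself worked
    return requests


def needs_role_account(requests):
    """True when any lookup (passwd, or the DN lookup inside authc) was rejected:
    the fix is a binddn/bindpw role account, not a change to the user bind."""
    return any(r["outcome"] == "lookup-rejected" for r in requests.values())
```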

@arthurdejong arthurdejong changed the title LDAP simple bind method Support building a user DN from a template Sep 29, 2019