SOLVED LDAP for UNIX users


Oko

Contributor
The work in my Lab revolves around the traditional UNIX concept of distributed user accounts and home directories with LDAP (in this day and age) and NFS.
I need to export the home directories of my users residing on my FreeNAS box via NFS. I am trying to avoid creating hundreds of user accounts on my FreeNAS box by turning on LDAP. I just updated my file servers to FreeNAS 9.2.1.5 today. The update went really smoothly. Kudos to the developers! I caught right away Bug #4874
https://bugs.freenas.org/issues/4874 as I have no need for CIFS. Josh's hot patch https://bugs.freenas.org/attachments/download/768/fixup.sh.txt worked like a charm and I was able to switch off that annoying service. Kudos to Josh.

I went to the GUI to configure LDAP and was pleasantly surprised that I can now upload a security certificate (the bug report was due to me). One more kudos for the quick fix. However, LDAP didn't want to start. Moreover, it was turning CIFS on. I went to the command line and caught what I believe is another bug.

Namely, the file /usr/local/etc/openldap/ldap.conf had a host line instead of URI. After manually replacing HOST with URI


Code:
URI ldap://atlas.int.autonlab.org
BASE dc=autonlab,dc=org
TLS_CACERT /etc/ssl/freenas/ldap/ldapca.crt
TLS_REQCERT allow

everything worked like a charm. Just for reference, my /usr/local/etc/ldap.conf looks as follows:
Code:
host ldap://atlas.int.autonlab.org
base dc=autonlab,dc=org
rootbinddn
pam_password md5
nss_override_attribute_value loginShell /bin/sh
nss_base_passwd dc=autonlab,dc=org
nss_base_group dc=autonlab,dc=org
ssl start_tls
tls_cacertfile /etc/ssl/freenas/ldap/ldapca.crt
ldap_version 3
timelimit 30
bind_timelimit 30
bind_policy soft
pam_ldap_attribute uid


The OpenLDAP client is properly binding to my OpenBSD 5.5 stock LDAP server (from the base system, not OpenLDAP) using TLS encryption. I can read the LDAP database from my FreeNAS box. Great :) The only problem is when I try to pull the user names of my users with

Code:
id ldap_username


I get nothing. Since I am not very familiar with the FreeBSD PAM implementation (RedHat uses SSSD), apparently I have to turn some daemons on before the system imports uid and gid numbers. I tried restarting the nsswitch daemon, but that overwrites the /usr/local/etc/openldap/ldap.conf file and breaks LDAP.

Could a kind soul tell me which daemons are started by turning directory services on in the GUI? Can any of the Unix users share their experience with LDAP? I have a bad feeling that FreeNAS assumes that LDAP means the person uses CIFS as well, which could not be further from the truth.

I feel I am very close to getting this thing working, but I need a little push from more experienced people.
 

dlavigne

Guest
And it sounds like you have at least one more bug to report :)
 

Oko

Contributor
And it sounds like you have at least one more bug to report :)

In the end it was not a bug but a peculiar way the GUI configuration interface works on FreeNAS. Please refer to the discussion between Josh and me

https://bugs.freenas.org/issues/4972

for details. After putting atlas.int.autonlab.org instead of ldap://atlas.int.autonlab.org and closing the window, the service was automatically started and I could see the uid and gid of my users on the FreeNAS box. I can just say LDAP works out of the box on FreeNAS. Kudos to Josh!!!
 

Martintamare

Cadet
Hi there,

thanks for this post, it is exactly in the direction of what I'm looking for. However, I'm struggling with the following issue:

I'm successfully able to perform a search using ldapsearch -x -H ldaps://10.1.36.253 -D 'cn=admin,dc=toto' -W

But I'm unable to make getent passwd work.

Any idea where to start looking?

Here is my /usr/local/etc/openldap/ldap.conf
Code:
BASE dc=zepros
URI ldaps://10.1.36.253
TLS_CACERT /etc/ssl/freenas/ldap/ldapca.crt
TLS_REQCERT never


And here is /usr/local/etc/ldap.conf
Code:
host 10.1.36.253
base dc=toto
rootbinddn cn=admin,dc=toto
pam_password exop
nss_override_attribute_value loginShell /bin/sh
nss_base_passwd cn=people,dc=toto
nss_base_group cn=groups,dc=toto
uri ldaps://10.1.36.253
ssl on
tls_cacertfile /etc/ssl/freenas/ldap/ldapca.crt
ldap_version 3
timelimit 30
bind_timelimit 30
bind_policy soft
pam_ldap_attribute uid
TLS_REQCERT never


Thanks in advance!
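An added example (not code from this thread or from FreeNAS) that sanity-checks a pam_ldap/nss_ldap client config like the /usr/local/etc/ldap.conf posted above and builds the ldapsearch commands that reproduce what nss_ldap actually asks the server for a getent passwd lookup; the sample config is constructed inline and mirrors the posted one, and the commands are only built as strings, never run.

```python
"""Sanity-check a pam_ldap/nss_ldap client config (/usr/local/etc/ldap.conf).
Added example, not from this thread or FreeNAS; sample config is constructed."""
import shlex

SAMPLE_CONF = """\
host 10.1.36.253
base dc=toto
nss_base_passwd cn=people,dc=toto
nss_base_group cn=groups,dc=toto
uri ldaps://10.1.36.253
ssl on
TLS_REQCERT never
"""

def parse_conf(text):
    """Map lower-cased keyword -> value; pam_ldap keywords are case-insensitive."""
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def effective_uri(conf):
    return conf.get("uri") or "ldap://" + conf.get("host", "")

def check_conf(conf):
    """Findings to fix before blaming NSS: TLS mode mismatch, unverified cert, bad bases."""
    findings, uri, ssl = [], effective_uri(conf), conf.get("ssl", "no")
    if uri.startswith("ldaps://") and ssl != "on":
        findings.append("ldaps:// uri needs 'ssl on'")
    if uri.startswith("ldap://") and ssl == "on":
        findings.append("'ssl on' needs an ldaps:// uri; use 'ssl start_tls' with ldap://")
    if conf.get("tls_reqcert", "demand") in ("never", "allow"):
        findings.append("tls_reqcert %s: server certificate is not verified" % conf["tls_reqcert"])
    base = conf.get("base", "")
    for key in ("nss_base_passwd", "nss_base_group"):
        scope = conf.get(key, base).split("?")[0]  # drop any ?one/?sub scope suffix
        if base and not scope.lower().endswith(base.lower()):
            findings.append("%s (%s) lies outside base %s" % (key, scope, base))
    return findings

def probe_commands(conf, user):
    """ldapsearch commands matching what nss_ldap sends for 'getent passwd USER'. No -D/-W:
    without binddn/bindpw nss_ldap binds anonymously, so an admin-only search proves nothing.
    First: does the passwd base exist at all (the ou= vs cn= slip)? Second: the user lookup."""
    uri, scope = effective_uri(conf), conf.get("nss_base_passwd", conf.get("base", "")).split("?")[0]
    return ["ldapsearch -x -H %s -b %s -s base '(objectClass=*)' dn" % (shlex.quote(uri), shlex.quote(scope)),
            "ldapsearch -x -H %s -b %s '(&(objectClass=posixAccount)(uid=%s))' uid uidNumber gidNumber"
            % (shlex.quote(uri), shlex.quote(scope), shlex.quote(user))]
```

Run the two printed commands on the FreeNAS box: if the first returns no entry, the nss_base_passwd DN is wrong; if the first works but the second is empty, the anonymous ACL or the posixAccount/uid attributes are the problem.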
 

Oko

Contributor
That actually is not an LDAP problem. You have to tell the system how to authenticate, and that is OS specific. Since I don't allow ssh to my file server and shares are exported via NFS, I didn't care much for that part on the FreeNAS and TrueOS boxes I have. For example, on OpenBSD you have to edit /etc/login.conf and add
Code:
ldap:\
        :auth=-ldap:\
        :x-ldap-server=atlas.int.autonlab.org,,starttls:\
        :x-ldap-basedn=dc=autonlab,dc=org:\
        :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
        :tc=default:

As well as
Code:
echo "+:*::::::::" >> /etc/master.passwd
echo "+:*:::" >> /etc/master.group

rebuild the database and start the following daemons
Code:
portmap_flags=""
ypldap_flags=""
ypbind_flags=""


On Red Hat I use SSSD and instead of manually editing /etc/sysconfig/authconfig you can run
Code:
authconfig-tui

which will allow you to pick LDAP as the authentication method. Obviously you have to edit /etc/nsswitch.conf and use
Code:
# nsswitch.conf database names are passwd/shadow/group; local files first, then SSSD
passwd files sss
shadow files sss
group files sss


You also have to edit /etc/sssd/sssd.conf
Code:
[domain/default]

ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=autonlab,dc=org
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://atlas.int.autonlab.org:389
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow
[sssd]
config_file_version = 2
services = nss, pam
domains = default, LDAP

[nss]

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://atlas.int.autonlab.org:389
ldap_search_base = dc=autonlab,dc=org

cache_credentials = true

I don't have at the moment FreeBSD boxes where people can log in with LDAP accounts, but if I have to guess, FreeBSD is using the old PAM system, which is similar to the old Red Hat PAM module. However, I was reading somewhere that FreeBSD is getting SSSD. Sorry I was not of more help.
 

Oko

Contributor
I should have checked this before posting. I turned on ssh login into one of my FreeNAS file servers and LDAP authentication just works out of the box. So no additional configuration from the command line was needed for LDAP authentication and authorization beyond the info you put in the GUI. I am not sure how difficult it would be to add Kerberos or Radius authentication with LDAP authorization. That would definitely be something very interesting to UNIX users.
 

Martintamare

Cadet
A good night of sleep, a re-read, and it appears that my schema was ou=people instead of cn=people ...
That was my first post on this forum; I'm amazed by the quality and the reactivity of you guys.
Cheers!
 