Re: Ayuda con OpenLDAP para autenticación remota
2008/3/27, Manuel García <mannyto@gmail.com>:
> On Fri, Mar 28, 2008 at 11:09 AM, andres sarmiento <coolpixgnu@gmail.com> wrote:
> >
> > 2008/3/27, Manuel García <mannyto@gmail.com>:
> > > On Fri, Mar 28, 2008 at 10:51 AM, andres sarmiento <coolpixgnu@gmail.com> wrote:
> > > >
> > > > 2008/3/27, Manuel García <mannyto@gmail.com>:
> > > > > On Fri, Mar 28, 2008 at 8:16 AM, andres sarmiento <coolpixgnu@gmail.com> wrote:
> > > > > > Estimados:
> > > > > > Actualmente tengo instalado un servidor con Debian Etch al cual le
> > > > > > instalé openldap. El serv idor actualmente está levantado y funciona
> > > > > > localmente.
> > > > > > El problema radica cuando necesito autenticar a un usuario remoto.
> > > > > >
> > > > > > Si un usuario creado con ldap se autentica vía SSH no ocurre problema.
> > > > > > el problema, ocurre cuando dicho usuario necesita autenticarse desde
> > > > > > otra aplicación. Por ejemplo vía Web.
> > > > > > Agradecería si me pueden orientar. Seguí el siguiente Howto:
> > > > > > http://moduli.net/sysadmin/sarge-ldap-auth-howto.html
> > > > > >
> > > > > > Y seguí todos los pasos, pero no ocurre nada.
> > > > > > Adjunto los archivos de configuración de slapd.conf, pam_ldap.com nsswitch.conf
> > > > > >
> > > > > > ### Para slapd.conf ####################################
> > > > > > john:/home/andres# cat /etc/ldap/slapd.conf
> > > > > > # This is the main slapd configuration file. See slapd.conf(5) for more
> > > > > > # info on the configuration options.
> > > > > >
> > > > > > #######################################################################
> > > > > > # Global Directives:
> > > > > >
> > > > > > # Features to permit
> > > > > > #allow bind_v2
> > > > > >
> > > > > > # Schema and objectClass definitions
> > > > > > include /etc/ldap/schema/core.schema
> > > > > > include /etc/ldap/schema/cosine.schema
> > > > > > include /etc/ldap/schema/nis.schema
> > > > > > include /etc/ldap/schema/inetorgperson.schema
> > > > > >
> > > > > > # Where the pid file is put. The init.d script
> > > > > > # will not stop the server if you change this.
> > > > > > pidfile /var/run/slapd/slapd.pid
> > > > > >
> > > > > > # List of arguments that were passed to the server
> > > > > > argsfile /var/run/slapd/slapd.args
> > > > > >
> > > > > > # Read slapd.conf(5) for possible values
> > > > > > loglevel 0
> > > > > >
> > > > > > # Where the dynamically loaded modules are stored
> > > > > > modulepath /usr/lib/ldap
> > > > > > moduleload back_bdb
> > > > > >
> > > > > > # The maximum number of entries that is returned for a search operation
> > > > > > sizelimit 500
> > > > > >
> > > > > > # The tool-threads parameter sets the actual amount of cpu's that is used
> > > > > > # for indexing.
> > > > > > tool-threads 1
> > > > > >
> > > > > > #######################################################################
> > > > > > # Specific Backend Directives for bdb:
> > > > > > # Backend specific directives apply to this backend until another
> > > > > > # 'backend' directive occurs
> > > > > > backend bdb
> > > > > > checkpoint 512 30
> > > > > >
> > > > > > #######################################################################
> > > > > > # Specific Backend Directives for 'other':
> > > > > > # Backend specific directives apply to this backend until another
> > > > > > # 'backend' directive occurs
> > > > > > #backend <other>
> > > > > >
> > > > > > #######################################################################
> > > > > > # Specific Directives for database #1, of type bdb:
> > > > > > # Database specific directives apply to this databasse until another
> > > > > > # 'database' directive occurs
> > > > > > database bdb
> > > > > >
> > > > > > # The base of your directory in database #1
> > > > > > suffix "dc=ldap,dc=spcservices,dc=com"
> > > > > >
> > > > > > # rootdn directive for specifying a superuser on the database. This is needed
> > > > > > # for syncrepl.
> > > > > > # rootdn "cn=admin,dc=ldap,dc=spcservices,dc=com"
> > > > > >
> > > > > > # Where the database file are physically stored for database #1
> > > > > > directory "/var/lib/ldap"
> > > > > >
> > > > > > # For the Debian package we use 2MB as default but be sure to update this
> > > > > > # value if you have plenty of RAM
> > > > > > dbconfig set_cachesize 0 2097152 0
> > > > > >
> > > > > > # Sven Hartge reported that he had to set this value incredibly high
> > > > > > # to get slapd running at all. See http://bugs.debian.org/303057
> > > > > > # for more information.
> > > > > >
> > > > > > # Number of objects that can be locked at the same time.
> > > > > > dbconfig set_lk_max_objects 1500
> > > > > > # Number of locks (both requested and granted)
> > > > > > dbconfig set_lk_max_locks 1500
> > > > > > # Number of lockers
> > > > > > dbconfig set_lk_max_lockers 1500
> > > > > >
> > > > > > # Indexing options for database #1
> > > > > > index objectClass eq
> > > > > >
> > > > > > # Save the time that the entry gets modified, for database #1
> > > > > > lastmod on
> > > > > >
> > > > > > # Where to store the replica logs for database #1
> > > > > > # replogfile /var/lib/ldap/replog
> > > > > >
> > > > > > # The userPassword by default can be changed
> > > > > > # by the entry owning it if they are authenticated.
> > > > > > # Others should not be able to see it, except the
> > > > > > # admin entry below
> > > > > > # These access lines apply to database #1 only
> > > > > > access to attrs=userPassword,shadowLastChange,gecos
> > > > > > by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
> > > > > > by self write
> > > > > > by * read
> > > > > >
> > > > > > # Ensure read access to the base for things like
> > > > > > # supportedSASLMechanisms. Without this you may
> > > > > > # have problems with SASL not knowing what
> > > > > > # mechanisms are available and the like.
> > > > > > # Note that this is covered by the 'access to *'
> > > > > > # ACL below too but if you change that as people
> > > > > > # are wont to do you'll still need this if you
> > > > > > # want SASL (and possible other things) to work
> > > > > > # happily.
> > > > > > access to dn.base="" by * read
> > > > > >
> > > > > > # The admin dn has full write access, everyone else
> > > > > > # can read everything.
> > > > > > access to *
> > > > > > by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
> > > > > > by * read
> > > > > >
> > > > > > # For Netscape Roaming support, each user gets a roaming
> > > > > > # profile for which they have write access to
> > > > > > #access to dn=".*,ou=Roaming,o=morsnet"
> > > > > > # by dn="cn=admin,dc=ldap,dc=spcservices,dc=com" write
> > > > > > # by dnattr=owner write
> > > > > >
> > > > > > #######################################################################
> > > > > > # Specific Directives for database #2, of type 'other' (can be bdb too):
> > > > > > # Database specific directives apply to this databasse until another
> > > > > > # 'database' directive occurs
> > > > > > #database <other>
> > > > > >
> > > > > > # The base of your directory for database #2
> > > > > > #suffix "dc=debian,dc=org"
> > > > > >
> > > > > > ###########################################################################33
> > > > > > Para /etc/ldap/ldap.conf
> > > > > >
> > > > > > john:/home/andres# cat /etc/ldap/ldap.conf
> > > > > > # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04
> > > > > > 19:57:01 kurt Exp $
> > > > > > #
> > > > > > # LDAP Defaults
> > > > > > #
> > > > > >
> > > > > > # See ldap.conf(5) for details
> > > > > > # This file should be world readable but not world writable.
> > > > > >
> > > > > > BASE dc=ldap,dc=spcservices,dc=com
> > > > > > URI ldap://172.31.20.3
> > > > > >
> > > > > > #SIZELIMIT 12
> > > > > > #TIMELIMIT 15
> > > > > > #DEREF never
> > > > > >
> > > > > > ############################################################################
> > > > > > para /etc/nsswitch.conf
> > > > > >
> > > > > > john:/home/andres# cat /etc/nsswitch.conf
> > > > > > # /etc/nsswitch.conf
> > > > > > #
> > > > > > # Example configuration of GNU Name Service Switch functionality.
> > > > > > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > > > > > # `info libc "Name Service Switch"' for information about this file.
> > > > > >
> > > > > > passwd: ldap compat
> > > > > > group: ldap compat
> > > > > > shadow: compat
> > > > > >
> > > > > > hosts: files dns
> > > > > > networks: files
> > > > > >
> > > > > > protocols: db files
> > > > > > services: db files
> > > > > > ethers: db files
> > > > > > rpc: db files
> > > > > >
> > > > > > netgroup: nis
> > > > > >
> > > > > >
> > > > > >
> > > > > > Agradezco las las respuestas, ya que no encuentro la menera de hacerlo
> > > > > > funcionar.
> > > > > > Saludos Cordiales
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > En /etc/nsswitch.conf deberias tener:
> > > > >
> > > > >
> > > > > # /etc/nsswitch.conf
> > > > > #
> > > > > # Example configuration of GNU Name Service Switch functionality.
> > > > > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > > > > # `info libc "Name Service Switch"' for information about this file.
> > > > >
> > > > >
> > > > > passwd: files ldap
> > > > > group: files ldap
> > > > > shadow: files ldap
> > > > >
> > > > >
> > > > > hosts: files dns
> > > > > networks: files
> > > > >
> > > > > protocols: db files
> > > > > services: db files
> > > > > ethers: db files
> > > > > rpc: db files
> > > > >
> > > > > netgroup: nis
> > > > >
> > > > >
> > > > >
> > > > > y en /etc/pam.d/ deberias tener un archivo de configuración para la
> > > > > autenticación en apache o el servidro web que estés usando, que
> > > > > contenga:
> > > > >
> > > > > @include common-auth
> > > > > @include common-account
> > > > >
> > > > > eso deberia ser suficiente.
> > > > >
> > > > > además te recomiendo el uso de phpldapadmin para el manejo del ldap.
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Manuel Garcia
> > > > > Administrador de redes y servidores
> > > > > Corporacion Lynqus
> > > > > Debian GNU/Linux 4.1
> > > > > codename "Lenny"
> > > > >
> > > >
> > > > Muchas gracias manuel por la ayuda, modifiqué el archivo
> > > > /etc/nsswitch.conf. E instalé phpldapadmin, peor no comprendo bien lo
> > > > del archivo PAM
> > > >
> > > > Te adjunto la salida dela rchivo, quizás tengo algo mal configurado:
> > > >
> > > > ######## Para /etc/pam.d/common-account
> > > >
> > > > john:~# cat /etc/pam.d/common-account
> > > > #
> > > > # /etc/pam.d/common-account - authorization settings common to all services
> > > > #
> > > > # This file is included from other service-specific PAM config files,
> > > > # and should contain a list of the authorization modules that define
> > > > # the central access policy for use on the system. The default is to
> > > > # only deny service to users whose accounts are expired in /etc/shadow.
> > > > #
> > > > #account required pam_unix.so
> > > > account sufficient pam_unix.so
> > > > account sufficient pam_ldap.so
> > > > account required pam_deny.so
> > > >
> > > > #### Para /etc/pam.d/common-session
> > > >
> > > > john:~# cat /etc/pam.d/common-session
> > > > #
> > > > # /etc/pam.d/common-session - session-related modules common to all services
> > > > #
> > > > # This file is included from other service-specific PAM config files,
> > > > # and should contain a list of modules that define tasks to be performed
> > > > # at the start and end of sessions of *any* kind (both interactive and
> > > > # non-interactive). The default is pam_unix.
> > > > #
> > > > session required pam_unix.so
> > > >
> > > > ### Para /etc/pam.d/common-auth
> > > >
> > > > john:~# cat /etc/pam.d/common-auth
> > > > #
> > > > # /etc/pam.d/common-auth - authentication settings common to all services
> > > > #
> > > > # This file is included from other service-specific PAM config files,
> > > > # and should contain a list of the authentication modules that define
> > > > # the central authentication scheme for use on the system
> > > > # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
> > > > # traditional Unix authentication mechanisms.
> > > > #
> > > > #auth required pam_unix.so nullok_secure
> > > > auth sufficient pam_unix.so
> > > > auth sufficient pam_ldap.so use_first_pass
> > > > auth required pam_deny.so
> > > >
> > > >
> > > >
> > > > Bueno esa es la configuración de PAM. Te cuento que puedo loguearme y
> > > > cambiar la password de un usuario desde otro computaror mediante el
> > > > comando:
> > > >
> > > > ldappasswd -x -D cn=admin,dc=ldap,dc=spcservices,dc=com -W -S
> > > > uid=nihat,ou=people,dc=ldap,dc=spcservices,dc=com -h 172.31.20.3
> > > >
> > > >
> > > > Ecuentro extraño que no se pueda realizar desde otra aplicación.
> > > >
> > > > Quedo atento a los comentarios
> > > > Saludos y Feliz día!!!
> > > >
> > > >
> > >
> > >
> > > en /etc/pam.d/ debes tener un archivo para cada aplicación, samba,
> > > apache, ssh, etc
> > >
> > >
> > > --
> > >
> > > Manuel Garcia
> > > Administrador de redes y servidores
> > > Corporacion Lynqus
> > > Debian GNU/Linux 4.1
> > > codename "Lenny"
> > >
> >
> > Ok, pero el apache en este caso es remoto, es decir que noe esta
> > instalado en la máquina con LDAP.
> > Mira, te explico:
> >
> > Gateway con Astaro (firewall de seguridad, etc,etc)
> > Servidor Debian (Ldap)
> >
> > Entonces necesito cominicar a gateway astaro con servidor Debian.
> > Entonces no comprendo configurar un archivo para astaro dentro de
> > /etc/pam.d/ en servidor Debian
> >
> > Adjunto una imagen de la configuración de LDAP desde Astaro
> >
> >
> > Saludos y muchas gracias
> >
>
>
>
> Eso es más complejo, e involucra las IP's etc, yo tengo todo montado
> en un mismo servidor así que no te voy a poder ayudar mucho más, éxito
> con eso.
>
>
> --
>
> Manuel Garcia
> Administrador de redes y servidores
> Corporacion Lynqus
> Debian GNU/Linux 4.1
> codename "Lenny"
>
OK muchas gracias por la ayuda, seguiré revisando.
Salu2
Reply to: