Re: Using LDAP for auth against LINUX

[Uwe Lienig <uwe.lienig%fif.mw.htw-dresden.de@localhost>]

Hello again,

I write to share my efforts in setting up NetBSD 3.0 to use ldap
authentication. Since there has been written a lot on getting LDAP to work, I'll
concentrate on the steps I used.

$ > uname -a
NetBSD host 3.0 NetBSD 3.0 (GENERIC) #0

LDAP client support is added by installing

  /usr/pkgsrc/security/pam-ldap/
  /usr/pkgsrc/databases/nss_ldap/
  /usr/pkgsrc/databases/openldap-client/

and is configured with

  /usr/pkg/etc/openldap/ldap.conf

with the following entries

  BASE           dc=some,dc=domain,dc=org
  URI            <the uri in ldap://ldap.server format>
  TLS_CACERTDIR  /path/to/CAcertsdir
  TLS_CACERT     /path/to/cacertfile

For pam authentication the required library pam_ldap.so needs to be installed in
/usr/lib/security by symlinking them from /usr/pkg/lib/security.
After that nsswitch.conf needs to be adjusted for ldap (shown for user and
group, where ... means, there are more sources that may be defined here)

  group:          ... _ldap_ ...
  passwd:         ... _ldap_ ...

and /etc/pam.d/<service-files> were populated with ldap entries [1].

As denoted in [1] /usr/pkg/etc/nss_ldap.conf may be symlinked pam_ldap.conf or
vice versa.

Depending on the LDAP server there are different methods that may be used to
connect. Since I want encryption the server may be contacted by Start_TLS method
or SSL. The ldap.conf file defines the standard method for ldap tools (e.g.
ldapsearch) to connect to the server. If the URI statement reads
ldaps://ldap.server then SSL is used. In case the URI is ldap://ldap.server,
then an unencrypted connection is used, but encryption may be forced by adding
the -ZZ option to ldapsearch. In this case, ldapsearch connects by issuing
Start_TLS and fails, if Start_TLS will not succeed.

For authentication it is essential, that the correct server with the user
information is contacted, i.e. the client must be certain it is connecting to
the correct host. This is done by verifying the servers certificate. Therefore
the client needs to verify the servers certificate. For this to work the
complete CA certificate chain, that was used to sign the servers certificate
must be known to the client.

In my case the host serving the LDAP database uses a self signed certificate.
This host is running SLES 10. During the installation the administration tool
YaST created a CA certificate that is named YaST-CA.pem. This certificate was
then used to sign the server certificate.

To allow for verification of the certificate of the LDAP server I added the
YaST-CA.pem to the CAcertdir. Since NetBSD 3.0 ships with a /etc/openssl dir I
decided to create a CAcerts directory there. After that I copied the YaST-CA.pem
from the LDAP server into this directory. In order to use this dir (CAcerts) as
a parameter to TLS_CACERTDIR an X509 hash must be placed in this dir pointing to
the corresponding .pem file. Ususally this is done by running the perl script
c_rehash that handles this. NetBSD does not ship this tool. Instead I used

  hash=`openssl x509 -hash -noout -in YaST-CA.pem`

to get the hash and then symlinked the hash to the .pem file

  ln -s YaST-CA.pem ${hash}.0

One has to make certain no other .pem file has the same hash which would
indicate two .pem file containing the same certificate.

After that I could verify the certificate that is delivered by the LDAP server.
I used openssl for this. To make this work the slapd was instructed to listen on
ldaps port.

  openssl s_client -host ldap.server -port 636 -CApath /etc/openssl/CAcerts \
  -showcerts

I was not able to verify TLS over ldap with openssl.

  openssl s_client -host ldap.server -port 389 -CApath /etc/openssl/CAcerts \
  -showcerts

  CONNECTED(00000004)
  write:errno=54

ldapsearch worked, however.

  ldapsearch -ZZ -H ldap://ldap.server '(uid=tst)'

What method is used for connecting to the LDAP server is decided by command line
options or configuration file. If there is no command line option (-H or -h) the
values given in the config file will be used.

It is essential that the host name part for the URI is the same that is used in
the certificate of the server (not the CA certificate). Therefore the FQDN
should be used.

After LDAP worked ok I added the correspondig entries in 
/usr/pkg/etc/nss_ldap.conf.

  uri ldap://ldap.server
  base dc=some,dc=domain,dc=org
  tls_cacertdir /etc/openssl/CAcerts
  ssl start_tls

Using getent(1) I got the correct answer for a given user in the passwd
database. So everything should be working and I went ahead to configuring IMAP
access to this server. This is where I'm stuck now.

IMAP uses saslauthd for authentication. saslauthd was run to use getpwent as the
auth mechanism. getpwent is only able to use passwd that includes NIS. Since I
have configured the PAM system to do LDAP authentication I changed saslauthd to
use PAM (option -m pam).

If nss_ldap.conf has

  ssl {start_tls | on}

authentication failed. Omitting this parameter authentication was successful. I
have no idea, why? At the moment I haven't put ssl into nss_ldap.conf. But I'd
like to know what I'm doing wrong.

I think most of LDAP authentication including certificate validation is now
working. At this last step enabling encryption I've stopped my efforts since I'm
out of options to try. May be I've missed something in my configuration. I
thought on using ldap with sasl but that would introduce a new configuration
file to be maintained. And last but not least I'd like to understand why the PAM
mechanism is not working.

Hints are appreciated.

Thanks.

[1] http://wiki.netbsd.se/OpenLDAP_Authentication_on_NetBSD

-- 
Uwe Lienig

fon: (+49 351) 462 2780
fax: (+49 351) 462 3476
mailto:uwe.lienig%fif.mw.htw-dresden.de@localhost

Forschungsinstitut Fahrzeugtechnik
<http://www.fif.mw.htw-dresden.de>
parcels: Gutzkowstr. 22, 01069 Dresden
letters: PF 12 07 01,    01008 Dresden

Hochschule für Technik und Wirtschaft Dresden (FH)
Friedrich-List-Platz 1, 01069 Dresden