hi

i'm experimenting with the nssov overlay, and am trying to get the hostservice 
approach working as described in man 5 slapo-nssov.  i'm using slapd 2.4.18 and 
the 0.6.11 nss-pam-ldapd stub libraries, both via ubuntu packages.

the nss side of things appears to be working as desired, but in my testing with 
sshd and pam, authentication succeeds even when the user is in a group that's 
denied the compare operation for the authorizedservice attribute.  testing a 
bit with ldapcompare seems to indicate my acls are working as expected, and i 
see compare references in slapd's log when running ldapcompare, but not during 
ssh authentication.

i'm relatively confident the authentication is not occurring via another 
mechanism (like nss/shadow) - if i remove the auth line that references 
pam_ldap from the pam config for sshd, authentication fails.

i've included a few snippets below that will hopefully help illustrate things.

overlay config:
>ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 'cn=admin,cn=config' -b 
>'olcOverlay={6}nssov,olcDatabase={2}bdb,cn=config' -s base
Enter LDAP Password: 
dn: olcOverlay={6}nssov,olcDatabase={2}bdb,cn=config
objectClass: olcNssOvConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {6}nssov
olcNssMap: group uniquemember member
olcNssPam: authz2dn hostservice
olcNssPamSession: sshd
olcNssPamSession: login

acls:
>ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 'cn=admin,cn=config' -b 
>'olcDatabase={2}bdb,cn=config' -s base olcaccess
Enter LDAP Password: 
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to attrs=userPassword by self =dxw by anonymous auth by * none
olcAccess: {2}to dn.base=cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net attrs=authorizedservice
        by set="[cn=directory_administrators,ou=general,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" manage
        by set="[cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" compare
        by set="[cn=ssh,ou=under,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" compare
        by * =dxrs
olcAccess: {3}to * by self write
        by set="[cn=directory_administrators,ou=general,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" manage
        by users read
        by * none

related group membership:
>ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 
>'cn=admin,dc=groundnoise,dc=net' -b 'dc=groundnoise,dc=net' '(cn=ssh)' member
Enter LDAP Password: 
dn: cn=ssh,ou=under,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net
member: uid=alien,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net
member: uid=lisa,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net

dn: cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net
member: uid=rwetzel,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net

entry for the host running sshd:
>ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 
>'cn=admin,dc=groundnoise,dc=net' -b 
>'cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net' -s base
Enter LDAP Password: 
dn: cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net
objectClass: device
objectClass: top
objectClass: ipHost
objectClass: authorizedServiceObject
cn: under.groundnoise.net
ipHostNumber: 192.168.1.1
authorizedService: sshd
authorizedService: login

getent for the host entry:
>getent hosts under.groundnoise.net
192.168.1.1     under.groundnoise.net

nsswitch config:
>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/nsswitch.conf 
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns ldap
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

ldapcompare test:
>ldapcompare -vxWH 'ldaps://ldap.groundnoise.net' -D 
>'uid=luna,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net' 
>'cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net' 
>'authorizedservice:login'
ldap_initialize( ldaps://ldap.groundnoise.net:636/??base )
Enter LDAP Password: 
DN:cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net, attr:authorizedservice, value:login
Compare Result: Insufficient access (50)
UNDEFINED

pam config for sshd:
>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
auth            required                        pam_env.so # [1]
auth            required                        pam_env.so envfile=/etc/default/locale
auth            [success=2 default=ignore]      pam_unix.so nullok_secure
auth            [success=1 default=ignore]      pam_ldap.so use_first_pass
auth            requisite                       pam_deny.so
auth            required                        pam_permit.so
account         required                        pam_nologin.so
account         [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account         [success=1 default=ignore]      pam_ldap.so
account         requisite                       pam_deny.so
account         required                        pam_permit.so
session         [default=1]                     pam_permit.so
session         requisite                       pam_deny.so
session         required                        pam_permit.so
session         required                        pam_unix.so
session         optional                        pam_ldap.so no_warn
session         optional                        pam_motd.so # [1]
session         optional                        pam_mail.so standard noenv # [1]
session         required                        pam_limits.so
password        required                        pam_passwdqc.so min=disabled,16,12,7,6 max=256
password        [success=2 default=ignore]      pam_unix.so obscure md5
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

ssh test:
>ssh [email protected] hostname --fqdn
[email protected]'s password: 
under.groundnoise.net

i'm hoping someone can point out what i'm missing or what i might be doing 
wrong.

thanks,
-ben
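
An offline model of how slapd evaluates the olcAccess {2} rule quoted in the post, and of the authorizedService compare that the ldapcompare test reproduces. This is an added example, not code from the post or from OpenLDAP: the set-ACL and privilege semantics are those of slapd.access(5) (first matching "by" clause wins; a level keyword such as "compare" implies every lower level, while an explicit "=dxrs" grants exactly the listed letters and therefore not "c"). The group members are copied from the post's ldapsearch output; the directory_administrators membership (uid=ben) is not shown in the post and is assumed.

```python
"""Model of slapd's evaluation of olcAccess {2} from the post, and of the
authorizedService compare it governs.  Added example; semantics per
slapd.access(5), directory contents a constructed excerpt of the post."""
from collections import deque

BASE = "dc=groundnoise,dc=net"
PEOPLE = "ou=people,ou=users,ou=accounts," + BASE
SERVERS = "ou=servers,ou=users,ou=groups," + BASE
HOST = f"cn=under.groundnoise.net,ou=hosts,{BASE}"
ADMINS = f"cn=directory_administrators,ou=general,ou=users,ou=groups,{BASE}"

# Constructed directory excerpt.  Group members are copied from the post; the
# directory_administrators membership is NOT shown in the post and is assumed.
ENTRIES = {
    f"cn=ssh,ou=under,{SERVERS}": {"member": [f"uid=alien,{PEOPLE}", f"uid=lisa,{PEOPLE}"]},
    f"cn=ssh,ou=all_servers,{SERVERS}": {"member": [f"uid=rwetzel,{PEOPLE}"]},
    ADMINS: {"member": [f"uid=ben,{PEOPLE}"]},          # assumed membership
    HOST: {"authorizedService": ["sshd", "login"]},
}

# Access levels in increasing order; a level keyword grants itself and every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Explicit privilege letters used after "="; each grants exactly that privilege.
LETTER = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
          "r": "read", "w": "write", "m": "manage"}

# The "by" clauses of olcAccess {2}, in order: (group whose member* closure is
# intersected with the bind DN, or "*" for anyone, access granted).
RULE2 = [
    (ADMINS, "manage"),
    (f"cn=ssh,ou=all_servers,{SERVERS}", "compare"),
    (f"cn=ssh,ou=under,{SERVERS}", "compare"),
    ("*", "=dxrs"),
]


def privileges(spec):
    """Privileges conferred by an access spec such as 'compare' or '=dxrs'."""
    if spec.startswith("="):
        return {LETTER[ch] for ch in spec[1:]}
    return set(LEVELS[1:LEVELS.index(spec) + 1])


def member_closure(entries, group_dn):
    """[group_dn]/member* : members, members of member groups, and so on."""
    seen, queue = set(), deque([group_dn])
    while queue:
        for m in entries.get(queue.popleft(), {}).get("member", []):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def evaluate(entries, rule, bind_dn):
    """First matching 'by' clause wins; slapd does not fall through to later
    clauses once one matches (no 'break'/'continue' control is used here)."""
    for who, spec in rule:
        if who == "*" or bind_dn in member_closure(entries, who):
            return spec, privileges(spec)
    return "none", set()      # nothing matched: implicit 'by * none'


def hostservice_compare(entries, bind_dn, service):
    """Outcome of 'ldapcompare -D bind_dn HOST authorizedService:service'
    under rule {2}: 'insufficientAccess', 'compareTrue' or 'compareFalse'."""
    if "compare" not in evaluate(entries, RULE2, bind_dn)[1]:
        return "insufficientAccess"        # result code 50, as in the post
    values = entries[HOST].get("authorizedService", [])
    return "compareTrue" if service in values else "compareFalse"


if __name__ == "__main__":
    for uid in ("luna", "alien", "rwetzel", "ben"):
        dn = f"uid={uid},{PEOPLE}"
        spec, _ = evaluate(ENTRIES, RULE2, dn)
        print(f"{uid:8} matches '{spec}':", hostservice_compare(ENTRIES, dn, "login"))
```

Running it shows why luna's ldapcompare returns Insufficient access (50): she matches only the final `by * =dxrs` clause, whose explicit letters contain no `c`, whereas a member of either ssh group matches a `compare` clause first. The same function can be run with any user/service pair to predict what the host-service compare should return before testing it against the live server.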
