LDAP host-based limiting with pam_filter not working

Recently I was trying to migrate all of our LDAP data into a MySQL DB. The password type is md5crypt (not very clear why this is used by default). When I used the pam_filter option for host limiting, however, it failed, so I googled and found this solution. It was very helpful for me. Thanks to the author for this. 🙂

Reference link: http://computingfunnyfacts.blogspot.com/2008/01/pamfilter-not-working.html

Here is the blog content:

[Screenshots: system-auth; config of /etc/ldap.conf; "It's working!"]

:::::::::::::::::::::::::::::::::::::::
pam_filter not working
So here is the problem: you want to limit your cluster to a special user group. You have everything LDAP managed and use pam_ldap for authentication. But when you edit /etc/ldap.conf and set a pam_filter, nothing happens. First of all, the syntax of pam_filter:
(|(gidNumber=1028)(gidNumber=1160))
will not work. Literally only
pam_filter gidNumber=1028
will work. This is the way they stupidly implemented it:
else if (!strcasecmp (k, "pam_filter"))
  {
    CHECKPOINTER (result->filter = strdup (v));
  }

where v is everything after the ' ':

while (*v != '\0' && *v != ' ' && *v != '\t')
  v++;

*(v++) = '\0';

For those that know C
So you can give it one value max. Now you have to modify the /etc/pam.d/system-auth file. The default configuration is:
[root@lxb5477 ~]# cat /etc/pam.d/system-auth.back | grep ldap
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
session optional /lib/security/$ISA/pam_ldap.so

But of course an optional is not really enough. You, of course, want that if the user doesn't fulfill your filter he is chucked into nirvana. So change it to:
[root@lxb5477 ~]# cat /etc/pam.d/system-auth | grep ldap
auth required /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_ldap.so use_authtok
session required /lib/security/$ISA/pam_ldap.so

Through this, if LDAP fails, the login fails.

But be aware that in /etc/nsswitch.conf, files comes before ldap:
passwd: files ldap
shadow: files ldap
group: files ldap
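The quoted parser ends a pam_filter value at the first space or tab and silently drops whatever follows, which is exactly what would happen to a multi-term filter written with spaces, such as the host filter in Appendix 2 of this post. As an added example (my code, not the quoted blog's or pam_ldap's), this replays that tokenisation over constructed /etc/ldap.conf lines and flags values that would be cut; function names are my own.

```python
# Added example (my code, not the quoted blog's or pam_ldap's): replay the
# quoted tokenisation, in which a pam_filter value ends at the first space or
# tab, over constructed /etc/ldap.conf lines and flag any value whose tail
# pam_ldap would silently drop. Function names are my own.
import re

# Constructed sample; the pam_filter line mirrors the host filter from
# Appendix 2 of this post, which contains a space.
SAMPLE_LDAP_CONF = """\
base dc=example,dc=net
pam_filter |(host=10.130.142.103) (host=\\*)
nss_base_group ou=Group,dc=example,dc=net?one
"""


def effective_pam_filter(line):
    """Mimic the parser for one line: None if the line is a comment or does
    not set pam_filter, else (value_kept, dropped_text) where value_kept is
    what pam_ldap uses and dropped_text is everything after the next blank."""
    stripped = line.lstrip(" \t").rstrip("\n")
    if not stripped or stripped.startswith("#"):
        return None
    parts = re.split(r"[ \t]+", stripped, maxsplit=2)        # key, value, rest
    if parts[0].lower() != "pam_filter" or len(parts) < 2:   # like strcasecmp
        return None
    return parts[1], parts[2] if len(parts) > 2 else ""


def lint_pam_filters(conf_text):
    """Return (lineno, kept, dropped) for each pam_filter line that would be
    truncated, i.e. whose intended value contains a blank."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        parsed = effective_pam_filter(line)
        if parsed and parsed[1]:
            findings.append((lineno, parsed[0], parsed[1]))
    return findings


if __name__ == "__main__":
    for lineno, kept, dropped in lint_pam_filters(SAMPLE_LDAP_CONF):
        print(f"line {lineno}: pam_ldap keeps {kept!r} and drops {dropped!r}")
```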

Setting up LDAP authentication with sudoer access

Building Environment:
==================================
OS: CentOS 5.4 (64 bit)
==================================
Packages:
openldap-servers-2.3.43-12.el5_7.10
openldap-devel-2.3.43-12.el5_7.10
openldap-2.3.43-12.el5_7.10
openldap-2.3.43-12.el5_7.10
openldap-clients-2.3.43-12.el5_7.10
openldap-devel-2.3.43-12.el5_7.10
===================================
sudo-1.6.9p17-5.el5
===================================
Optional: WEB UI
phpldap
===================================

#### Server settings ####
1. Install openldap-server

yum install openldap-servers openldap-devel openldap openldap-clients

2. Configure /etc/openldap/slapd.conf
# set schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudoer.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema

# DB type & dc setting
database bdb
suffix "dc=happyelements,dc=net"
rootdn "cn=manager,dc=happyelements,dc=net"
# the rootpw value can be generated with "slappasswd"
rootpw secret
#
directory /usr/local/openldap/var/openldap-data

3. Configure /etc/openldap/ldap.conf for searching with ldapsearch:

URI ldap://127.0.0.1/
BASE dc=happyelements,dc=net
TLS_CACERTDIR /etc/openldap/cacerts

4. Copy the sudo schema to /etc/openldap/schema:
cp /usr/share/doc/sudo-1.6.9p17/schema.OpenLDAP /etc/openldap/schema/sudoer.schema

5. Set up the database directory:
mkdir -p /usr/local/openldap/var/openldap-data
chown ldap:ldap /usr/local/openldap/var/openldap-data
cp /etc/openldap/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG

6. Start the server:
/etc/init.d/ldap start

7. Create the base entries for the LDAP server:

#Paste following lines as file: happyelements.ldif
dn: dc=happyelements,dc=net
objectClass: dcObject
objectClass: organization
dc: happyelements
o: happyelements.net
description: happyelements.net

dn: cn=manager,dc=happyelements,dc=net
objectClass: organizationalRole
cn: manager

dn: ou=Group,dc=happyelements,dc=net
objectClass: organizationalUnit
ou: Group

dn: ou=People,dc=happyelements,dc=net
objectClass: organizationalUnit
ou: People

#Paste following lines into file sudoeraccess.ldif

dn: ou=SUDOers,dc=happyelements,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=happyelements,dc=net
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

dn: cn=Rule1,ou=SUDOers,dc=happyelements,dc=net
cn: Rule1
sudoOption: !authenticate
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
description: Allowed without password for ALL users

Add the entries to the LDAP server:
ldapadd -x -D "cn=manager,dc=happyelements,dc=net" -W -f happyelements.ldif
ldapadd -x -D "cn=manager,dc=happyelements,dc=net" -W -f sudoeraccess.ldif

ADD User entries:
# paste following lines into user_passswd.ldif
dn: uid=root,ou=People,dc=happyelements,dc=net
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$DpCxWpSc$E1Tsbg/CFnP1MZhvXqCdg1
shadowLastChange: 15117
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

dn: uid=rma1,ou=People,dc=happyelements,dc=net
uid: rma1
cn: rma1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$70S56nN0$rW/Sjk0rCrem4s3.emGun.
shadowLastChange: 15399
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10402
gidNumber: 10402
homeDirectory: /home/rma1

dn: uid=rma2,ou=People,dc=happyelements,dc=net
uid: rma2
cn: rma2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$yfRr5GkD$lgF8Xu8cN92OMyR7tRlsK0
shadowLastChange: 15399
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10403
gidNumber: 10403
homeDirectory: /home/rma2

# Add entries into LDAP server

ldapadd -x -D "cn=manager,dc=happyelements,dc=net" -W -f user_passswd.ldif

# Add group entries

#paste following lines into ldif files with name: user_groups.ldif

#dn: cn=root,ou=Group,dc=happyelements,dc=net
#objectClass: posixGroup
#objectClass: top
#cn: root
#userPassword: {crypt}x
#gidNumber: 0

dn: cn=rma1,ou=Group,dc=happyelements,dc=net
objectClass: posixGroup
objectClass: top
cn: rma1
userPassword: {crypt}x
gidNumber: 10402

dn: cn=rma2,ou=Group,dc=happyelements,dc=net
objectClass: posixGroup
objectClass: top
cn: rma2
userPassword: {crypt}x
gidNumber: 10403

ldapadd -x -D "cn=manager,dc=happyelements,dc=net" -W -f user_groups.ldif

#### Client settings ####
8. LDAP client settings

8.1 edit /etc/ldap.conf like this:

sudoers_base ou=SUDOers,dc=happyelements,dc=net
base dc=happyelements,dc=net
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

nss_base_passwd ou=People,dc=happyelements,dc=net?one
nss_base_shadow ou=People,dc=happyelements,dc=net?one
nss_base_group ou=Group,dc=happyelements,dc=net?one

uri ldap://127.0.0.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

8.2 edit /etc/nsswitch.conf

sudoers: ldap files

That's all we need to do. Enjoy.
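Rule1 in sudoeraccess.ldif combines sudoUser, sudoHost and sudoCommand ALL with !authenticate, so every LDAP user gets passwordless root on every client that reads this sudoers_base. As an added example (my code, not the post's or sudo's), this audit parses sudoRole entries out of LDIF text, accepting the "attr:value" form without a space used above, and reports rules with that combination; the cn=Rule2 entry in the sample is a constructed, narrower rule for contrast.

```python
# Added example (my code, not the post's or sudo's): parse the sudoRole entries
# of an LDIF such as sudoeraccess.ldif above and report rules that give every user
# passwordless ALL commands on ALL hosts, as Rule1 does; cn=Rule2 is constructed.
SAMPLE_LDIF = """\
dn:cn=Rule1,ou=SUDOers,dc=happyelements,dc=net
cn:Rule1
sudoOption:!authenticate
objectClass:sudoRole
sudoHost:ALL
sudoCommand:ALL
sudoUser:ALL

dn: cn=Rule2,ou=SUDOers,dc=happyelements,dc=net
cn: Rule2
objectClass: sudoRole
sudoUser: %rma1
sudoHost: ALL
sudoCommand: /sbin/service httpd restart
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry, attribute names lowercased;
    accepts 'attr:value' with no space and leading-space folded lines."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:            # folded continuation
            current[last][-1] += raw[1:]
        elif not raw.strip():                       # blank line ends entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries

def audit_sudo_roles(text):
    """cn of every sudoRole that grants ALL users ALL commands on ALL hosts
    with !authenticate, i.e. passwordless root for everyone."""
    risky = []
    for e in parse_ldif(text):
        if "sudorole" not in (v.lower() for v in e.get("objectclass", [])):
            continue
        opts = {o.lower() for o in e.get("sudooption", [])}
        if "!authenticate" in opts and all(
                "ALL" in e.get(a, []) for a in ("sudouser", "sudohost", "sudocommand")):
            risky.append(e["cn"][0])
    return risky

if __name__ == "__main__":
    for cn in audit_sudo_roles(SAMPLE_LDIF):
        print(f"{cn}: any user may run any command on any host without a password")
```

Pointing it at the output of an ldapsearch over the sudoers_base gives the same report for a live directory.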

APPENDIX 1:
Reference links
Official sudoer manual: http://www.sudo.ws/sudo/man/1.8.4/sudoers.ldap.man.html
Setting Up A Centralised Authentication Server With Sudo Access Using LDAP:
http://fci.wikia.com/wiki/Setting_Up_A_Centralised_Authentication_Server_With_Sudo_Access_Using_LDAP
posix migration tools: http://www.padl.com/download/MigrationTools.tgz

APPENDIX 2:
3 methods to enforce host-based authentication:
1. using pam_check_host_attr in /etc/ldap.conf
#pam_check_host_attr yes
2. using pam_filter authentication in /etc/ldap.conf
#pam_filter |(host=10.130.142.103) (host=\*)
3. using nss_base_ authentication in /etc/ldap.conf
