blitz
June 25, 2020, 9:13am
1
I’m trying to configure a NixOS LDAP client. I’m a bit of a noob when it comes to LDAP and PAM and given the lack of NixOS specific documentation this proves to be hard.
I’m trying this out in a NixOS integration test. See the config for client and server here: https://github.com/blitz/nixpkgs/blob/0d9db829d3cd75f2a1cfd0718f62170f28e62856/nixos/tests/sudo-ldap.nix
When I try to login on the client using the LDAP account adam/insecurePassword, the password check seems to succeed, but then the session immediately ends with the login service complaining about “authentication service cannot retrieve authentication info”
You can start the setup in my nixpkgs branch with:
% nix-build nixos/tests/sudo-ldap.nix -A driver && ./result/bin/nixos-test-driver
>>> server.start()
>>> client.start()
I have the feeling that some PAM config needs to change, but I’m at a loss of what I need to do there. Any help is appreciated!
blitz
June 25, 2020, 9:16am
2
Judging from LDAP/NSS - Debian Wiki, getent passwd should show LDAP accounts, but it doesn’t. But the NSS switch config that is generated has ldap in it. Mmh.
Unfortunately getent passwd won’t show ldap accounts on NixOS. Use getent.ldap passwd to see the accounts.
Post your configuration and some relevant log details if you don’t mind.
blitz
July 8, 2020, 8:03am
4
You can find the complete configuration in a ready to run integration test here: https://github.com/blitz/nixpkgs/blob/0d9db829d3cd75f2a1cfd0718f62170f28e62856/nixos/tests/sudo-ldap.nix
The relevant parts for server and client are:
server = { pkgs, ... }: {
  # LDAP port
  networking.firewall.allowedTCPPorts = [ 389 ];

  services.openldap = {
    enable = true;
    suffix = "dc=example";
    rootdn = bindDn;
    rootpw = bindPw;
    database = "bdb";
    extraDatabaseConfig = ''
      directory /var/db/openldap
    '';
    # LDIF: entries are separated by blank lines.
    declarativeContents = ''
      dn: dc=example
      objectClass: domain
      dc: example

      dn: ou=users,dc=example
      objectClass: organizationalUnit
      ou: users

      dn: uid=adam,ou=users,dc=example
      objectClass: top
      objectClass: account
      objectClass: posixAccount
      objectClass: shadowAccount
      cn: adam
      uid: adam
      uidNumber: 16859
      gidNumber: 100
      homeDirectory: /home/adam
      loginShell: /bin/sh
      gecos: adam
      userPassword: ${userPassword}
      shadowLastChange: 0
      shadowMax: 0
      shadowWarning: 0
    '';
  };
};

client = { pkgs, ... }: {
  # Don't do this for a real LDAP client, because it makes the
  # password world readable.
  environment.etc."ldap.pw".text = bindPw;

  # Enable LDAP Login
  users.ldap = {
    enable = true;
    base = "dc=example";
    server = "ldap://server/";
    bind = {
      distinguishedName = bindDn;
      passwordFile = "/etc/ldap.pw";
    };
    # Passed through to the pam_ldap/nss_ldap configuration file.
    extraConfig = ''
      # tls_cacertfile /etc/ssl/certs/ca-certificates.crt
      ldap_version 3
      pam_lookup_policy yes
      pam_password exop
    '';
  };

  security.pam.services.login = {
    logFailures = true;
    makeHomeDir = true;
  };

  # Tools
  environment.systemPackages = [ pkgs.openldap pkgs.bash ];
};
};
The log says:
server # [ 50.976005] slapd[758]: conn=1001 op=17 SEARCH RESULT tag=101 err=0 nentries=1 text=
server # [ 59.366567] slapd[758]: conn=1002 op=0 BIND dn="cn=root,dc=example" method=128
server # [ 59.370405] slapd[758]: conn=1002 op=0 BIND dn="cn=root,dc=example" mech=SIMPLE ssf=0
server # [ 59.373367] slapd[758]: conn=1002 op=0 RESULT tag=97 err=0 text=
client # [ 54.380594] login[793]: Authentication service cannot retrieve authentication info
server # [ 59.376571] slapd[758]: conn=1002 fd=16 ACCEPT from IP=192.168.1.1:40798 (IP=0.0.0.0:389)
server # [ 59.380857] slapd[758]: conn=1002 op=1 SRCH base="dc=example" scope=2 deref=0 filter="(uid=adam)"
server # [ 59.384767] slapd[758]: conn=1002 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
server # [ 59.389108] slapd[758]: <= bdb_equality_candidates: (objectClass) not indexed
server # [ 59.391336] slapd[758]: <= bdb_equality_candidates: (uid) not indexed
server # [ 59.393347] slapd[758]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
server # [ 59.395218] slapd[758]: conn=1002 op=2 BIND anonymous mech=implicit ssf=0
server # [ 59.396936] slapd[758]: conn=1002 op=2 BIND dn="uid=adam,ou=users,dc=example" method=128
server # [ 59.398625] slapd[758]: conn=1002 op=2 BIND dn="uid=adam,ou=users,dc=example" mech=SIMPLE ssf=0
server # [ 59.400357] slapd[758]: conn=1002 op=2 RESULT tag=97 err=0 text=
server # [ 59.401375] slapd[758]: conn=1002 op=3 BIND anonymous mech=implicit ssf=0
server # [ 59.402499] slapd[758]: conn=1002 op=3 BIND dn="cn=root,dc=example" method=128
server # [ 59.403564] slapd[758]: conn=1002 op=3 BIND dn="cn=root,dc=example" mech=SIMPLE ssf=0
server # [ 59.404524] slapd[758]: conn=1002 op=3 RESULT tag=97 err=0 text=
server # [ 59.405363] slapd[758]: conn=1002 op=4 UNBIND
server # [ 59.406103] slapd[758]: conn=1002 fd=16 closed
client # [ 54.416953] systemd[1]: getty@tty1.service: Main process exited, code=exited, status=1/FAILURE
client # [ 54.421642] systemd[1]: getty@tty1.service: Failed with result 'exit-code'.
The weird part being:
client # [ 54.380594] login[793]: Authentication service cannot retrieve authentication info
blitz
July 23, 2020, 9:57am
5
After removing these lines, I can log in via LDAP. It seems these configure client-controlled password policies and this configuration was bogus.
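As an added example that is not from the thread: the Python below evaluates the shadowAccount attributes of the adam entry from the server config above, using the day-based semantics documented in shadow(5), so you can see what a shadowLastChange/shadowMax of 0 means for a login before wiring it into PAM. The entry is constructed inline with a placeholder userPassword; the script does not reproduce pam_ldap's exact checks or return codes.

```python
from datetime import date

# Constructed from the declarativeContents shown in the thread (password is a placeholder).
ADAM_LDIF = """\
dn: uid=adam,ou=users,dc=example
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: adam
userPassword: {PLACEHOLDER}
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
"""

EPOCH = date(1970, 1, 1).toordinal()


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}; repeated attributes are kept as lists."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def shadow_status(entry, today=None):
    """Return (usable, reason) for the entry's shadow* attributes per shadow(5).

    Days are counted since 1970-01-01; a missing attribute means "not set" (-1).
    """
    today_days = (today or date.today()).toordinal() - EPOCH

    def num(attr):
        vals = entry.get(attr)
        return int(vals[0]) if vals else -1

    last_change, max_age, expire = num("shadowLastChange"), num("shadowMax"), num("shadowExpire")
    if expire != -1 and today_days >= expire:
        return False, "account expired (shadowExpire=%d)" % expire
    if last_change == 0:
        # shadow(5): a last-change day of 0 forces a password change at next login.
        return False, "password change required at next login (shadowLastChange=0)"
    if last_change != -1 and max_age != -1 and today_days > last_change + max_age:
        return False, "password expired (last change %d + max %d < today %d)" % (last_change, max_age, today_days)
    return True, "ok"
```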