Failing to set up LDAP client: Cannot retrieve authentication info

I’m trying to configure a NixOS LDAP client. I’m a bit of a noob when it comes to LDAP and PAM, and given the lack of NixOS-specific documentation this proves to be hard.

I’m trying this out in a NixOS integration test. See the config for client and server here: https://github.com/blitz/nixpkgs/blob/0d9db829d3cd75f2a1cfd0718f62170f28e62856/nixos/tests/sudo-ldap.nix

When I try to log in on the client using the LDAP account adam/insecurePassword, the password check seems to succeed, but then the session immediately ends with the login service complaining about “authentication service cannot retrieve authentication info”.

You can start the setup in my nixpkgs branch with:

% nix-build nixos/tests/sudo-ldap.nix -A driver && ./result/bin/nixos-test-driver

>>> server.start()
>>> client.start()

I have the feeling that some PAM config needs to change, but I’m at a loss as to what I need to do there. Any help is appreciated!

Judging from https://wiki.debian.org/LDAP/NSS, getent passwd should show LDAP accounts, but it doesn’t. But the NSS switch config that is generated has ldap in it. Mmh.

Unfortunately getent passwd won’t show ldap accounts on NixOS. Use getent.ldap passwd to see the accounts.

Post your configuration and some relevant log details if you don’t mind.

You can find the complete configuration in a ready-to-run integration test here: https://github.com/blitz/nixpkgs/blob/0d9db829d3cd75f2a1cfd0718f62170f28e62856/nixos/tests/sudo-ldap.nix

The relevant parts for server and client are:

    server = { pkgs, ... }: {

      # LDAP port
      networking.firewall.allowedTCPPorts = [ 389 ];

      services.openldap = {
        enable = true;
        suffix = "dc=example";
        rootdn = bindDn;
        rootpw = bindPw;
        database = "bdb";
        extraDatabaseConfig = ''
          directory /var/db/openldap
        '';
        declarativeContents = ''
          dn: dc=example
          objectClass: domain
          dc: example
          dn: ou=users,dc=example
          objectClass: organizationalUnit
          ou: users
          dn: uid=adam,ou=users,dc=example
          objectClass: top
          objectClass: account
          objectClass: posixAccount
          objectClass: shadowAccount
          cn: adam
          uid: adam
          uidNumber: 16859
          gidNumber: 100
          homeDirectory: /home/adam
          loginShell: /bin/sh
          gecos: adam
          userPassword: ${userPassword}
          shadowLastChange: 0
          shadowMax: 0
          shadowWarning: 0
        '';
      };
    };

    client = { pkgs, ... }: {

      # Don't do this for a real LDAP client, because it makes the
      # password world readable.
      environment.etc."ldap.pw".text = bindPw;

      # Enable LDAP Login
      users.ldap = {
        enable = true;
        base = "dc=example";
        server = "ldap://server/";

        bind = {
          distinguishedName = bindDn;
          passwordFile = "/etc/ldap.pw";
        };

        extraConfig = ''
          # tls_cacertfile /etc/ssl/certs/ca-certificates.crt
          ldap_version 3
          pam_lookup_policy yes
          pam_password exop
        '';
      };

      security.pam.services.login = {
        logFailures = true;
        makeHomeDir = true;
      };

      # Tools
      environment.systemPackages = [ pkgs.openldap pkgs.bash ];
    };

  };

The log says:

server # [   50.976005] slapd[758]: conn=1001 op=17 SEARCH RESULT tag=101 err=0 nentries=1 text=
server # [   59.366567] slapd[758]: conn=1002 op=0 BIND dn="cn=root,dc=example" method=128
server # [   59.370405] slapd[758]: conn=1002 op=0 BIND dn="cn=root,dc=example" mech=SIMPLE ssf=0
server # [   59.373367] slapd[758]: conn=1002 op=0 RESULT tag=97 err=0 text=
client # [   54.380594] login[793]: Authentication service cannot retrieve authentication info
server # [   59.376571] slapd[758]: conn=1002 fd=16 ACCEPT from IP=192.168.1.1:40798 (IP=0.0.0.0:389)
server # [   59.380857] slapd[758]: conn=1002 op=1 SRCH base="dc=example" scope=2 deref=0 filter="(uid=adam)"
server # [   59.384767] slapd[758]: conn=1002 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
server # [   59.389108] slapd[758]: <= bdb_equality_candidates: (objectClass) not indexed
server # [   59.391336] slapd[758]: <= bdb_equality_candidates: (uid) not indexed
server # [   59.393347] slapd[758]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
server # [   59.395218] slapd[758]: conn=1002 op=2 BIND anonymous mech=implicit ssf=0
server # [   59.396936] slapd[758]: conn=1002 op=2 BIND dn="uid=adam,ou=users,dc=example" method=128
server # [   59.398625] slapd[758]: conn=1002 op=2 BIND dn="uid=adam,ou=users,dc=example" mech=SIMPLE ssf=0
server # [   59.400357] slapd[758]: conn=1002 op=2 RESULT tag=97 err=0 text=
server # [   59.401375] slapd[758]: conn=1002 op=3 BIND anonymous mech=implicit ssf=0
server # [   59.402499] slapd[758]: conn=1002 op=3 BIND dn="cn=root,dc=example" method=128
server # [   59.403564] slapd[758]: conn=1002 op=3 BIND dn="cn=root,dc=example" mech=SIMPLE ssf=0
server # [   59.404524] slapd[758]: conn=1002 op=3 RESULT tag=97 err=0 text=
server # [   59.405363] slapd[758]: conn=1002 op=4 UNBIND
server # [   59.406103] slapd[758]: conn=1002 fd=16 closed
client # [   54.416953] systemd[1]: getty@tty1.service: Main process exited, code=exited, status=1/FAILURE
client # [   54.421642] systemd[1]: getty@tty1.service: Failed with result 'exit-code'.

The weird part being:

client # [   54.380594] login[793]: Authentication service cannot retrieve authentication info
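A small triage helper, added here as an example and not part of the original thread or of nixpkgs: it pairs each simple BIND in the slapd log with its RESULT so you can tell whether slapd rejected the password or, as in the log above, accepted it while the client's PAM stack still failed. The log excerpt is copied from the thread; the `user_dn` argument is the DN you expect pam_ldap to bind as.

```python
import re

# Excerpt of the slapd / login log lines quoted above in the thread.
SAMPLE_LOG = """\
server # [   59.366567] slapd[758]: conn=1002 op=0 BIND dn="cn=root,dc=example" method=128
server # [   59.373367] slapd[758]: conn=1002 op=0 RESULT tag=97 err=0 text=
client # [   54.380594] login[793]: Authentication service cannot retrieve authentication info
server # [   59.380857] slapd[758]: conn=1002 op=1 SRCH base="dc=example" scope=2 deref=0 filter="(uid=adam)"
server # [   59.393347] slapd[758]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
server # [   59.396936] slapd[758]: conn=1002 op=2 BIND dn="uid=adam,ou=users,dc=example" method=128
server # [   59.400357] slapd[758]: conn=1002 op=2 RESULT tag=97 err=0 text=
server # [   59.402499] slapd[758]: conn=1002 op=3 BIND dn="cn=root,dc=example" method=128
server # [   59.404524] slapd[758]: conn=1002 op=3 RESULT tag=97 err=0 text=
"""

# "method=128" lines carry the bind DN; "tag=97" is the bindResponse.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]+)" method=\d+')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
PAM_FAIL = "cannot retrieve authentication info"


def bind_results(log):
    """Pair each simple BIND with its RESULT; returns {(conn, op): (dn, err)}."""
    binds, out = {}, {}
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in binds:
            key = (m.group(1), m.group(2))
            out[key] = (binds[key], int(m.group(3)))
    return out


def diagnose(log, user_dn):
    """Classify the failure: server-side bind problem vs. client-side PAM problem."""
    results = bind_results(log)
    user_binds = [err for dn, err in results.values() if dn == user_dn]
    if not user_binds:
        return "no-user-bind"       # slapd never saw the user's credentials
    if any(err != 0 for err in user_binds):
        return "bad-credentials"    # slapd rejected the bind (err=49 is invalidCredentials)
    if PAM_FAIL in log:
        return "client-pam-config"  # password accepted, yet the PAM stack failed
    return "ok"
```

For the log in the thread `diagnose(SAMPLE_LOG, "uid=adam,ou=users,dc=example")` reports `client-pam-config`, which is consistent with the fix being on the client's pam_ldap settings rather than on the server.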

After removing these lines, I can log in via LDAP. It seems these configure client-controlled password policies and this configuration was bogus.
