Feature #8698 (closed): LDAP authenticated users should be able to log in via ssh
% Done: 100
Description
We integrate pfSense against our Active Directory systems for authentication and authorization. It works well for the most part, but we've discovered that LDAP authenticated users are unable to access the CLI via SSH. This is unfortunate as we have security scanners, etc., that need this functionality in order to work properly.
Updated by Jim Pingle over 5 years ago
- Category set to User Manager / Privileges
- Assignee set to Jim Pingle
After #9399 this is one step closer.
Updated by Jim Pingle over 5 years ago
- Category changed from User Manager / Privileges to Authentication
Updated by Viktor Gurov about 4 years ago
Updated by Jim Pingle about 4 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov about 4 years ago
- % Done changed from 0 to 100
Applied in changeset ca8459cdafafd225fbc07edbc32679b8301298fc.
Updated by Max Leighton about 4 years ago
Testing this with Active Directory, I'm able to successfully log into the webGUI with LDAP credentials, but attempting to log in via SSH hangs when entering the username, and the pfSense web interface becomes unresponsive. The system logs show repeated entries of:
Nov 11 09:58:46 su 34885 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Nov 11 09:58:46 su 34885 nss_ldap: could not search LDAP server - Server is unavailable
The LDAP server is selected as the Authentication Server with Shell Authentication checked, and the Shell Authentication Group is set to the same as my extended query which is working to allow login to the GUI:
CN=Users,CN=Builtin,DC=lab,DC=local
Tested in:
2.5.0-DEVELOPMENT (amd64)
built on Tue Nov 10 01:00:03 EST 2020
FreeBSD 12.2-STABLE
Updated by Viktor Gurov about 4 years ago
pfSense 2.5.0.a.20201111.1850 test with FreeIPA server 4.8.4:
Authentication server configuration:
<authserver>
    <refid>5f81b3e5799d3</refid>
    <type>ldap</type>
    <name>FreeIPA</name>
    <ldap_caref>global</ldap_caref>
    <host>192.168.88.91</host>
    <ldap_port>389</ldap_port>
    <ldap_urltype>Standard TCP</ldap_urltype>
    <ldap_protver>3</ldap_protver>
    <ldap_scope>subtree</ldap_scope>
    <ldap_basedn><![CDATA[DC=pand,DC=int]]></ldap_basedn>
    <ldap_authcn><![CDATA[cn=accounts,dc=pand,dc=int]]></ldap_authcn>
    <ldap_extended_enabled></ldap_extended_enabled>
    <ldap_extended_query><![CDATA[&(objectClass=ipausergroup)(cn=vpnipa)(member=*)))]]></ldap_extended_query>
    <ldap_attr_user><![CDATA[uid]]></ldap_attr_user>
    <ldap_attr_group><![CDATA[cn]]></ldap_attr_group>
    <ldap_attr_member><![CDATA[member]]></ldap_attr_member>
    <ldap_attr_groupobj><![CDATA[posixGroup]]></ldap_attr_groupobj>
    <ldap_allow_unauthenticated></ldap_allow_unauthenticated>
    <ldap_timeout>25</ldap_timeout>
    <ldap_pam_groupdn><![CDATA[cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int]]></ldap_pam_groupdn>
    <ldap_binddn><![CDATA[uid=admin,cn=users,cn=compat,dc=pand,dc=int]]></ldap_binddn>
    <ldap_bindpw><![CDATA[123]]></ldap_bindpw>
    <ldap_rfc2307></ldap_rfc2307>
    <ldap_rfc2307_userdn></ldap_rfc2307_userdn>
</authserver>
ipatest LDIF data:
# ipatest, users, accounts, pand.int
dn: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int
givenName: first
sn: last
uid: ipatest
cn: first last
displayName: first last
initials: fl
gecos: first last
krbPrincipalName: ipatest@PAND.INT
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/ipatest
mail: ipatest@pand.int
krbCanonicalName: ipatest@PAND.INT
ipaUniqueID: 03a2a360-c7ed-11ea-9b26-860d7bafc7f2
uidNumber: 1000000001
gidNumber: 1000000001
krbPasswordExpiration: 20200720094800Z
krbLastPwdChange: 20200720094800Z
krbExtraData:: AAJQaBVfcm9vdC9hZG1pbkBQQU5ELklOVAA=
mepManagedEntry: cn=ipatest,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=othertestgroup,cn=groups,cn=accounts,dc=pand,dc=int
krbLoginFailedCount: 0
krbLastFailedAuth: 20201021102340Z

# vpnipa, groups, accounts, pand.int
dn: cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int
cn: vpnipa
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 925d9524-c7ed-11ea-9001-860d7bafc7f2
gidNumber: 1000000004
member: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int
part of LDAP traffic dump:
Internet Protocol Version 4, Src: 192.168.88.41, Dst: 192.168.88.91
Transmission Control Protocol, Src Port: 25859, Dst Port: 389, Seq: 1077, Ack: 2947, Len: 250
Lightweight Directory Access Protocol
    LDAPMessage searchRequest(6) "DC=pand,DC=int" wholeSubtree
        messageID: 6
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: DC=pand,DC=int
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 1
                timeLimit: 25
                typesOnly: False
                Filter: (&(objectClass=posixAccount)(uid=ipatest))
                    filter: and (0)
                        and: (&(objectClass=posixAccount)(uid=ipatest))
                            and: 2 items
                                Filter: (objectClass=posixAccount)
                                    and item: equalityMatch (3)
                                        equalityMatch
                                            attributeDesc: objectClass
                                            assertionValue: posixAccount
                                Filter: (uid=ipatest)
                                    and item: equalityMatch (3)
                                        equalityMatch
                                            attributeDesc: uid
                                            assertionValue: ipatest
                attributes: 14 items
                    AttributeDescription: uid
                    AttributeDescription: userPassword
                    AttributeDescription: uidNumber
                    AttributeDescription: gidNumber
                    AttributeDescription: cn
                    AttributeDescription: homeDirectory
                    AttributeDescription: loginShell
                    AttributeDescription: gecos
                    AttributeDescription: description
                    AttributeDescription: objectClass
                    AttributeDescription: shadowLastChange
                    AttributeDescription: shadowMax
                    AttributeDescription: shadowExpire
                    AttributeDescription: loginClass
        [Response In: 84]

Internet Protocol Version 4, Src: 192.168.88.91, Dst: 192.168.88.41
Transmission Control Protocol, Src Port: 389, Dst Port: 25859, Seq: 2947, Ack: 1327, Len: 733
Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(6) "uid=ipatest,cn=users,cn=compat,dc=pand,dc=int" [10 results]
        messageID: 6
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: uid=ipatest,cn=users,cn=compat,dc=pand,dc=int
                attributes: 8 items
                    PartialAttributeList item uid
                        type: uid
                        vals: 1 item
                            AttributeValue: ipatest
                    PartialAttributeList item uidNumber
                        type: uidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item gidNumber
                        type: gidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item cn
                        type: cn
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item homeDirectory
                        type: homeDirectory
                        vals: 1 item
                            AttributeValue: /home/ipatest
                    PartialAttributeList item loginShell
                        type: loginShell
                        vals: 1 item
                            AttributeValue: /bin/sh
                    PartialAttributeList item gecos
                        type: gecos
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item objectClass
                        type: objectClass
                        vals: 3 items
                            AttributeValue: posixAccount
                            AttributeValue: ipaOverrideTarget
                            AttributeValue: top
        [Response To: 83]
        [Time: 0.003821000 seconds]
Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(6) "uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int" [10 results]
        messageID: 6
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int
                attributes: 8 items
                    PartialAttributeList item uid
                        type: uid
                        vals: 1 item
                            AttributeValue: ipatest
                    PartialAttributeList item uidNumber
                        type: uidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item gidNumber
                        type: gidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item cn
                        type: cn
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item homeDirectory
                        type: homeDirectory
                        vals: 1 item
                            AttributeValue: /home/ipatest
                    PartialAttributeList item loginShell
                        type: loginShell
                        vals: 1 item
                            AttributeValue: /bin/sh
                    PartialAttributeList item gecos
                        type: gecos
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item objectClass
                        type: objectClass
                        vals: 12 items
                            AttributeValue: top
                            AttributeValue: person
                            AttributeValue: organizationalperson
                            AttributeValue: inetorgperson
                            AttributeValue: inetuser
                            AttributeValue: posixaccount
                            AttributeValue: krbprincipalaux
                            AttributeValue: krbticketpolicyaux
                            AttributeValue: ipaobject
                            AttributeValue: ipasshuser
                            AttributeValue: ipaSshGroupOfPubKeys
                            AttributeValue: mepOriginEntry
        [Response To: 83]
        [Time: 0.003821000 seconds]
Lightweight Directory Access Protocol
    LDAPMessage searchResDone(6) success [10 results]
        messageID: 6
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN:
                errorMessage:
        [Response To: 83]
        [Time: 0.003821000 seconds]
SSH and WebGUI auth successful
Updated by Jim Pingle about 4 years ago
Looks like the errors some are seeing (including myself) are from /usr/local/etc/nss_ldap.conf not being set up as a symlink to /var/etc/pam_ldap.conf. On systems that work, that file must have been removed manually or edited in some way. I added a line which removes that file before setting up the symlink, and now it works for me.
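The failure mode in the two comments above (Max Leighton's nss_ldap bind attempts against ldap://127.0.0.1, and Jim Pingle's diagnosis that a stale /usr/local/etc/nss_ldap.conf was shadowing the symlink to /var/etc/pam_ldap.conf) can be checked and repaired from the shell. The script below is an added example written for this page; it is not pfSense code. It takes the two paths as parameters so it can be run against scratch files, counts log lines carrying the 127.0.0.1 signature, verifies the symlink, reads the effective server from the config, and applies the remove-then-symlink fix described above. Assumptions: the config uses the PADL nss_ldap/pam_ldap "host" or "uri" directive, and ldap://127.0.0.1 is treated as the address nss_ldap falls back to when no such directive is read (it is the address in the ticket's log lines). The sample log lines are constructed from the excerpts in this ticket.

```shell
#!/bin/sh
# Added example, not pfSense code. Checks for the failure mode in this ticket:
# nss_ldap reading a stale /usr/local/etc/nss_ldap.conf instead of the symlink
# to /var/etc/pam_ldap.conf, so lookups go to ldap://127.0.0.1 and fail.
# Paths are parameters so everything runs against scratch files. Assumption:
# the config uses the PADL nss_ldap/pam_ldap "host" or "uri" directive.

# Count log lines (stdin) carrying the nss_ldap signature from the ticket: a
# bind attempt against ldap://127.0.0.1, i.e. the non-symlinked config is in use.
count_stale_nss_hits() {
    grep -Ec 'nss_ldap: failed to bind to LDAP server ldap://127\.0\.0\.1' || true
}

# 0 if $1 is a symlink whose target is exactly $2.
nss_ldap_is_linked() {
    [ -L "$1" ] || return 1
    [ "$(readlink "$1")" = "$2" ]
}

# Print the server the given config would use ("host <name>" or "uri <url>").
# Prints ldap://127.0.0.1 when neither directive is present (assumed fallback,
# matching the address seen in the ticket's log lines).
effective_ldap_server() {
    server=$(awk '$1 == "uri" || $1 == "host" { print $2; exit }' "$1" 2>/dev/null || true)
    [ -n "$server" ] || server="ldap://127.0.0.1"
    printf '%s\n' "$server"
}

# Verdict: 0 = OK, 1 = nss_ldap.conf is a stale regular file (not linked),
# 2 = linked but the effective config still points at the local host.
check_nss_ldap() {
    nss_conf=$1
    pam_conf=$2
    if ! nss_ldap_is_linked "$nss_conf" "$pam_conf"; then
        echo "FAIL: $nss_conf is not a symlink to $pam_conf; nss_ldap will read the stale copy"
        return 1
    fi
    server=$(effective_ldap_server "$pam_conf")
    case $server in
        *127.0.0.1*|*localhost*)
            echo "FAIL: effective config points at $server"
            return 2 ;;
    esac
    echo "OK: $nss_conf -> $pam_conf, server $server"
}

# Remediation in the order the ticket describes: remove the stale file first,
# then create the symlink (ln -s alone fails on an existing regular file).
fix_nss_ldap_symlink() {
    rm -f "$1"
    ln -s "$2" "$1"
}

# Constructed sample: log lines copied from this ticket plus one unrelated line.
SAMPLE_LOG=$(cat <<'EOF'
Nov 11 09:58:46 su 34885 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Nov 11 09:58:46 su 34885 nss_ldap: could not search LDAP server - Server is unavailable
Jan 30 15:20:06 sshd 80256 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Jan 30 15:20:05 sshd 57323 Failed keyboard-interactive/pam for invalid user first.last@domainame.com from 192.168.110.102 port 52767 ssh2
EOF
)

# Stand-alone demo against a scratch directory (constructed configs).
demo() {
    tmp=$(mktemp -d)
    printf 'host 192.168.88.91\nbase dc=pand,dc=int\n' > "$tmp/pam_ldap.conf"
    printf 'host 127.0.0.1\nbase dc=example,dc=com\n' > "$tmp/nss_ldap.conf"
    echo "stale-config log hits: $(printf '%s\n' "$SAMPLE_LOG" | count_stale_nss_hits)"
    check_nss_ldap "$tmp/nss_ldap.conf" "$tmp/pam_ldap.conf" || true
    fix_nss_ldap_symlink "$tmp/nss_ldap.conf" "$tmp/pam_ldap.conf"
    check_nss_ldap "$tmp/nss_ldap.conf" "$tmp/pam_ldap.conf" || true
    rm -rf "$tmp"
}

demo
```

On a firewall the check would be run as `check_nss_ldap /usr/local/etc/nss_ldap.conf /var/etc/pam_ldap.conf`; a return code of 1 corresponds exactly to the stale-file condition Jim describes, and the fix function reproduces his remove-then-link order.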
Updated by Max Leighton about 4 years ago
Tested in
2.5.0-DEVELOPMENT (amd64)
built on Fri Nov 27 07:03:36 EST 2020
FreeBSD 12.2-STABLE
Appears to be working well now. The nss_ldap errors are no longer present. I can successfully authenticate to AD with SSH, and after authentication I'm immediately in a shell, and have to start /etc/rc.initial manually to get the SSH menu.
Updated by Jim Pingle about 4 years ago
- Status changed from Feedback to Resolved
Updated by Tai Join 10 months ago
I'm having the same issue that Max Leighton had previously, about 3 years ago.
I'm also able to login via webGUI with LDAP credentials, but attempting to log in via SSH fails with Access Denied.
Just like Max Leighton's case, the LDAP server is also selected as the Authentication Server with Shell Authentication checked, and the Shell Authentication Group is set to the same as my extended query which was also working to allow LDAP login to the GUI.
The only difference is I'm using stunnel with Google LDAP instead of Microsoft AD.
Tested in:
2.7.2-RELEASE (amd64)
built on Fri Dec 8 12:55:00 PST 2023
FreeBSD 14.0-CURRENT
Jan 30 15:20:06 sshd 80256 nss_ldap: could not search LDAP server - Server is unavailable
Jan 30 15:20:06 sshd 80256 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Jan 30 15:20:06 sshd 80256 pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:06 sshd 80256 pam_ldap: reconnecting to LDAP server...
Jan 30 15:20:06 sshd 80256 pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:05 sshd 57323 Postponed keyboard-interactive for invalid user first.last@domainame.com from 192.168.110.102 port 52767 ssh2 [preauth]
Jan 30 15:20:05 sshd 57323 Failed keyboard-interactive/pam for invalid user first.last@domainame.com from 192.168.110.102 port 52767 ssh2
Jan 30 15:20:05 sshd 57323 error: PAM: Authentication error for illegal user first.last@domainame.com from 192.168.110.102
Jan 30 15:20:05 sshd 80205 nss_ldap: could not search LDAP server - Server is unavailable
Jan 30 15:20:05 sshd 80205 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Jan 30 15:20:05 sshd 80205 pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:05 sshd 80205 pam_ldap: reconnecting to LDAP server...
Jan 30 15:20:05 sshd 80205 pam_ldap: ldap_simple_bind Can't contact LDAP server