Feature #8698

LDAP authenticated users should be able to log in via ssh

Added by Eric Houston over 2 years ago. Updated 14 days ago.

Status: Feedback
Priority: Normal
Assignee:
Category: Authentication
Target version:
Start date: 07/26/2018
Due date:
% Done: 100%
Estimated time:

Description

We integrate pfSense against our Active Directory systems for authentication and authorization. It works well for the most part, but we've discovered that LDAP-authenticated users are unable to access the CLI via SSH. This is unfortunate, as we have security scanners, etc., that need this functionality in order to work properly.

Associated revisions

Revision ca8459cd (diff)
Added by Viktor Gurov 17 days ago

LDAP shell authentication. Implements #8698

Revision d0f746e3 (diff)
Added by Jim Pingle 14 days ago

Remove old nss_ldap.conf if it exists before symlinking. Fixes #8698

History

#1 Updated by Jim Pingle over 1 year ago

  • Category set to User Manager / Privileges
  • Assignee set to Jim Pingle

After #9399 this is one step closer.

#2 Updated by Jim Pingle over 1 year ago

  • Category changed from User Manager / Privileges to Authentication

#4 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0

#5 Updated by Renato Botelho 17 days ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

#6 Updated by Viktor Gurov 17 days ago

  • % Done changed from 0 to 100

#7 Updated by Max Leighton 15 days ago

Testing this with Active Directory, I'm able to successfully log into the webGUI with LDAP credentials, but attempting to log in via SSH hangs when entering the username, and the pfSense web interface becomes unresponsive. The system logs show repeated entries of:

Nov 11 09:58:46 su 34885 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Nov 11 09:58:46 su 34885 nss_ldap: could not search LDAP server - Server is unavailable

The LDAP server is selected as the Authentication Server with Shell Authentication checked, and the Shell Authentication Group is set to the same as my extended query which is working to allow login to the GUI:

CN=Users,CN=Builtin,DC=lab,DC=local

Tested in:
2.5.0-DEVELOPMENT (amd64)
built on Tue Nov 10 01:00:03 EST 2020
FreeBSD 12.2-STABLE

#8 Updated by Viktor Gurov 14 days ago

pfSense 2.5.0.a.20201111.1850 test with FreeIPA server 4.8.4:

Authentication server configuration:

                <authserver>
                        <refid>5f81b3e5799d3</refid>
                        <type>ldap</type>
                        <name>FreeIPA</name>
                        <ldap_caref>global</ldap_caref>
                        <host>192.168.88.91</host>
                        <ldap_port>389</ldap_port>
                        <ldap_urltype>Standard TCP</ldap_urltype>
                        <ldap_protver>3</ldap_protver>
                        <ldap_scope>subtree</ldap_scope>
                        <ldap_basedn><![CDATA[DC=pand,DC=int]]></ldap_basedn>
                        <ldap_authcn><![CDATA[cn=accounts,dc=pand,dc=int]]></ldap_authcn>
                        <ldap_extended_enabled></ldap_extended_enabled>
                        <ldap_extended_query><![CDATA[&amp;(objectClass=ipausergroup)(cn=vpnipa)(member=*)))]]></ldap_extended_query>
                        <ldap_attr_user><![CDATA[uid]]></ldap_attr_user>
                        <ldap_attr_group><![CDATA[cn]]></ldap_attr_group>
                        <ldap_attr_member><![CDATA[member]]></ldap_attr_member>
                        <ldap_attr_groupobj><![CDATA[posixGroup]]></ldap_attr_groupobj>
                        <ldap_allow_unauthenticated></ldap_allow_unauthenticated>
                        <ldap_timeout>25</ldap_timeout>
                        <ldap_pam_groupdn><![CDATA[cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int]]></ldap_pam_groupdn>
                        <ldap_binddn><![CDATA[uid=admin,cn=users,cn=compat,dc=pand,dc=int]]></ldap_binddn>
                        <ldap_bindpw><![CDATA[123]]></ldap_bindpw>
                        <ldap_rfc2307></ldap_rfc2307>
                        <ldap_rfc2307_userdn></ldap_rfc2307_userdn>
                </authserver>

ipatest LDIF data:

# ipatest, users, accounts, pand.int
dn: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int
givenName: first
sn: last
uid: ipatest
cn: first last
displayName: first last
initials: fl
gecos: first last
krbPrincipalName: ipatest@PAND.INT
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/ipatest
mail: ipatest@pand.int
krbCanonicalName: ipatest@PAND.INT
ipaUniqueID: 03a2a360-c7ed-11ea-9b26-860d7bafc7f2
uidNumber: 1000000001
gidNumber: 1000000001
krbPasswordExpiration: 20200720094800Z
krbLastPwdChange: 20200720094800Z
krbExtraData:: AAJQaBVfcm9vdC9hZG1pbkBQQU5ELklOVAA=
mepManagedEntry: cn=ipatest,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=othertestgroup,cn=groups,cn=accounts,dc=pand,dc=int
krbLoginFailedCount: 0
krbLastFailedAuth: 20201021102340Z

# vpnipa, groups, accounts, pand.int
dn: cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int
cn: vpnipa
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 925d9524-c7ed-11ea-9001-860d7bafc7f2
gidNumber: 1000000004
member: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int

Part of the LDAP traffic dump:

Internet Protocol Version 4, Src: 192.168.88.41, Dst: 192.168.88.91
Transmission Control Protocol, Src Port: 25859, Dst Port: 389, Seq: 1077, Ack: 2947, Len: 250
Lightweight Directory Access Protocol
    LDAPMessage searchRequest(6) "DC=pand,DC=int" wholeSubtree
        messageID: 6
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: DC=pand,DC=int
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 1
                timeLimit: 25
                typesOnly: False
                Filter: (&(objectClass=posixAccount)(uid=ipatest))
                    filter: and (0)
                        and: (&(objectClass=posixAccount)(uid=ipatest))
                            and: 2 items
                                Filter: (objectClass=posixAccount)
                                    and item: equalityMatch (3)
                                        equalityMatch
                                            attributeDesc: objectClass
                                            assertionValue: posixAccount
                                Filter: (uid=ipatest)
                                    and item: equalityMatch (3)
                                        equalityMatch
                                            attributeDesc: uid
                                            assertionValue: ipatest
                attributes: 14 items
                    AttributeDescription: uid
                    AttributeDescription: userPassword
                    AttributeDescription: uidNumber
                    AttributeDescription: gidNumber
                    AttributeDescription: cn
                    AttributeDescription: homeDirectory
                    AttributeDescription: loginShell
                    AttributeDescription: gecos
                    AttributeDescription: description
                    AttributeDescription: objectClass
                    AttributeDescription: shadowLastChange
                    AttributeDescription: shadowMax
                    AttributeDescription: shadowExpire
                    AttributeDescription: loginClass
        [Response In: 84]

Internet Protocol Version 4, Src: 192.168.88.91, Dst: 192.168.88.41
Transmission Control Protocol, Src Port: 389, Dst Port: 25859, Seq: 2947, Ack: 1327, Len: 733
Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(6) "uid=ipatest,cn=users,cn=compat,dc=pand,dc=int" [10 results]
        messageID: 6
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: uid=ipatest,cn=users,cn=compat,dc=pand,dc=int
                attributes: 8 items
                    PartialAttributeList item uid
                        type: uid
                        vals: 1 item
                            AttributeValue: ipatest
                    PartialAttributeList item uidNumber
                        type: uidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item gidNumber
                        type: gidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item cn
                        type: cn
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item homeDirectory
                        type: homeDirectory
                        vals: 1 item
                            AttributeValue: /home/ipatest
                    PartialAttributeList item loginShell
                        type: loginShell
                        vals: 1 item
                            AttributeValue: /bin/sh
                    PartialAttributeList item gecos
                        type: gecos
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item objectClass
                        type: objectClass
                        vals: 3 items
                            AttributeValue: posixAccount
                            AttributeValue: ipaOverrideTarget
                            AttributeValue: top
        [Response To: 83]
        [Time: 0.003821000 seconds]
Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(6) "uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int" [10 results]
        messageID: 6
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int
                attributes: 8 items
                    PartialAttributeList item uid
                        type: uid
                        vals: 1 item
                            AttributeValue: ipatest
                    PartialAttributeList item uidNumber
                        type: uidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item gidNumber
                        type: gidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item cn
                        type: cn
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item homeDirectory
                        type: homeDirectory
                        vals: 1 item
                            AttributeValue: /home/ipatest
                    PartialAttributeList item loginShell
                        type: loginShell
                        vals: 1 item
                            AttributeValue: /bin/sh
                    PartialAttributeList item gecos
                        type: gecos
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item objectClass
                        type: objectClass
                        vals: 12 items
                            AttributeValue: top
                            AttributeValue: person
                            AttributeValue: organizationalperson
                            AttributeValue: inetorgperson
                            AttributeValue: inetuser
                            AttributeValue: posixaccount
                            AttributeValue: krbprincipalaux
                            AttributeValue: krbticketpolicyaux
                            AttributeValue: ipaobject
                            AttributeValue: ipasshuser
                            AttributeValue: ipaSshGroupOfPubKeys
                            AttributeValue: mepOriginEntry
        [Response To: 83]
        [Time: 0.003821000 seconds]
Lightweight Directory Access Protocol
    LDAPMessage searchResDone(6) success [10 results]
        messageID: 6
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN: 
                errorMessage: 
        [Response To: 83]
        [Time: 0.003821000 seconds]

SSH and WebGUI auth successful

#9 Updated by Jim Pingle 14 days ago

Looks like the errors some are seeing (including myself) are from /usr/local/etc/nss_ldap.conf not being set up as a symlink to /var/etc/pam_ldap.conf. On systems that work, that file must have been removed manually or edited in some way. I added a line which removes that file before setting up the symlink, and now it works for me.
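As an added example (not pfSense's own code, and not part of the fix in revision d0f746e3), the following POSIX sh script checks for the condition described in comment #9 and repairs it the same way: if the nss_ldap.conf path is a stale regular file or a wrong symlink, nss_ldap reads a server other than the configured one (the ldap://127.0.0.1 seen in comment #7's logs), so the file is removed and relinked to pam_ldap.conf. The two paths come from the comment; that the files carry their server in a `uri` or `host` directive is an assumption about the nss_ldap/pam_ldap file format.

```shell
#!/bin/sh
# Added example, not pfSense code. Diagnose and repair a stale
# /usr/local/etc/nss_ldap.conf that should be a symlink to /var/etc/pam_ldap.conf.
# Paths are from the issue; 'uri'/'host' directive names are an assumption.

NSS_CONF="${NSS_CONF:-/usr/local/etc/nss_ldap.conf}"
PAM_CONF="${PAM_CONF:-/var/etc/pam_ldap.conf}"

# check_nss_ldap_link LINK TARGET
# Returns 0 if LINK is a symlink to TARGET, 1 if LINK is a stale non-symlink
# file, 2 if LINK is missing, 3 if LINK is a symlink pointing somewhere else.
check_nss_ldap_link() {
    link=$1; target=$2
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$target" ] && return 0
        return 3
    fi
    [ -e "$link" ] && return 1
    return 2
}

# nss_ldap_server FILE
# Print the server named by the first uncommented 'uri' or 'host' directive,
# i.e. the server nss_ldap will actually try to bind to when it reads FILE.
nss_ldap_server() {
    awk '$1 == "uri" || $1 == "host" { print $2; exit }' "$1"
}

# fix_nss_ldap_link LINK TARGET
# Remove whatever sits at LINK (stale file or wrong symlink) and relink it to
# TARGET, mirroring "remove old nss_ldap.conf before symlinking" from comment #9.
fix_nss_ldap_link() {
    link=$1; target=$2
    if [ ! -f "$target" ]; then
        echo "missing $target: enable Shell Authentication on an LDAP server first" >&2
        return 1
    fi
    rm -f "$link"
    ln -s "$target" "$link"
}

# Stand-alone use: sh nss_ldap_link.sh --report   (or --fix to also repair)
if [ "$1" = "--report" ] || [ "$1" = "--fix" ]; then
    rc=0; check_nss_ldap_link "$NSS_CONF" "$PAM_CONF" || rc=$?
    echo "$NSS_CONF state=$rc server=$(nss_ldap_server "$NSS_CONF" 2>/dev/null)"
    if [ "$1" = "--fix" ] && [ "$rc" -ne 0 ]; then
        fix_nss_ldap_link "$NSS_CONF" "$PAM_CONF"
    fi
fi
```

State 1 is the case from this issue: a leftover regular file shadows the generated configuration, so the symptom is visible before the fix and gone after it.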
