Feature #8698

closed

LDAP authenticated users should be able to log in via ssh

Added by Eric Houston over 6 years ago. Updated 10 months ago.

Status: Resolved
Priority: Normal
Category: Authentication
Start date: 07/26/2018
% Done: 100%

Description

We integrate pfSense against our Active Directory systems for authentication and authorization. It works well for the most part, but we've discovered that LDAP authenticated users are unable to access the CLI via SSH. This is unfortunate as we have security scanners, etc., that need this functionality in order to work properly.

Actions #1

Updated by Jim Pingle over 5 years ago

  • Category set to User Manager / Privileges
  • Assignee set to Jim Pingle

After #9399 this is one step closer.

Actions #2

Updated by Jim Pingle over 5 years ago

  • Category changed from User Manager / Privileges to Authentication

Actions #4

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0

Actions #5

Updated by Renato Botelho about 4 years ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #6

Updated by Viktor Gurov about 4 years ago

  • % Done changed from 0 to 100

Actions #7

Updated by Max Leighton about 4 years ago

Testing this with Active Directory, I'm able to successfully log into the webGUI with LDAP credentials, but attempting to log in via SSH hangs entering the username and the pfSense web interface becomes unresponsive. The system logs show repeated entries of:

Nov 11 09:58:46 su 34885 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Nov 11 09:58:46 su 34885 nss_ldap: could not search LDAP server - Server is unavailable

The LDAP server is selected as the Authentication Server with Shell Authentication checked, and the Shell Authentication Group is set to the same as my extended query which is working to allow login to the GUI:

CN=Users,CN=Builtin,DC=lab,DC=local

Tested in:
2.5.0-DEVELOPMENT (amd64)
built on Tue Nov 10 01:00:03 EST 2020
FreeBSD 12.2-STABLE

Actions #8

Updated by Viktor Gurov about 4 years ago

pfSense 2.5.0.a.20201111.1850 test with FreeIPA server 4.8.4:

Authentication server configuration:

                <authserver>
                        <refid>5f81b3e5799d3</refid>
                        <type>ldap</type>
                        <name>FreeIPA</name>
                        <ldap_caref>global</ldap_caref>
                        <host>192.168.88.91</host>
                        <ldap_port>389</ldap_port>
                        <ldap_urltype>Standard TCP</ldap_urltype>
                        <ldap_protver>3</ldap_protver>
                        <ldap_scope>subtree</ldap_scope>
                        <ldap_basedn><![CDATA[DC=pand,DC=int]]></ldap_basedn>
                        <ldap_authcn><![CDATA[cn=accounts,dc=pand,dc=int]]></ldap_authcn>
                        <ldap_extended_enabled></ldap_extended_enabled>
                        <ldap_extended_query><![CDATA[&amp;(objectClass=ipausergroup)(cn=vpnipa)(member=*)))]]></ldap_extended_query>
                        <ldap_attr_user><![CDATA[uid]]></ldap_attr_user>
                        <ldap_attr_group><![CDATA[cn]]></ldap_attr_group>
                        <ldap_attr_member><![CDATA[member]]></ldap_attr_member>
                        <ldap_attr_groupobj><![CDATA[posixGroup]]></ldap_attr_groupobj>
                        <ldap_allow_unauthenticated></ldap_allow_unauthenticated>
                        <ldap_timeout>25</ldap_timeout>
                        <ldap_pam_groupdn><![CDATA[cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int]]></ldap_pam_groupdn>
                        <ldap_binddn><![CDATA[uid=admin,cn=users,cn=compat,dc=pand,dc=int]]></ldap_binddn>
                        <ldap_bindpw><![CDATA[123]]></ldap_bindpw>
                        <ldap_rfc2307></ldap_rfc2307>
                        <ldap_rfc2307_userdn></ldap_rfc2307_userdn>
                </authserver>

ipatest LDIF data:

# ipatest, users, accounts, pand.int
dn: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int
givenName: first
sn: last
uid: ipatest
cn: first last
displayName: first last
initials: fl
gecos: first last
krbPrincipalName: ipatest@PAND.INT
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/ipatest
mail: ipatest@pand.int
krbCanonicalName: ipatest@PAND.INT
ipaUniqueID: 03a2a360-c7ed-11ea-9b26-860d7bafc7f2
uidNumber: 1000000001
gidNumber: 1000000001
krbPasswordExpiration: 20200720094800Z
krbLastPwdChange: 20200720094800Z
krbExtraData:: AAJQaBVfcm9vdC9hZG1pbkBQQU5ELklOVAA=
mepManagedEntry: cn=ipatest,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=othertestgroup,cn=groups,cn=accounts,dc=pand,dc=int
krbLoginFailedCount: 0
krbLastFailedAuth: 20201021102340Z

# vpnipa, groups, accounts, pand.int
dn: cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int
cn: vpnipa
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 925d9524-c7ed-11ea-9001-860d7bafc7f2
gidNumber: 1000000004
member: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int

part of LDAP traffic dump:

Internet Protocol Version 4, Src: 192.168.88.41, Dst: 192.168.88.91
Transmission Control Protocol, Src Port: 25859, Dst Port: 389, Seq: 1077, Ack: 2947, Len: 250
Lightweight Directory Access Protocol
    LDAPMessage searchRequest(6) "DC=pand,DC=int" wholeSubtree
        messageID: 6
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: DC=pand,DC=int
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 1
                timeLimit: 25
                typesOnly: False
                Filter: (&(objectClass=posixAccount)(uid=ipatest))
                    filter: and (0)
                        and: (&(objectClass=posixAccount)(uid=ipatest))
                            and: 2 items
                                Filter: (objectClass=posixAccount)
                                    and item: equalityMatch (3)
                                        equalityMatch
                                            attributeDesc: objectClass
                                            assertionValue: posixAccount
                                Filter: (uid=ipatest)
                                    and item: equalityMatch (3)
                                        equalityMatch
                                            attributeDesc: uid
                                            assertionValue: ipatest
                attributes: 14 items
                    AttributeDescription: uid
                    AttributeDescription: userPassword
                    AttributeDescription: uidNumber
                    AttributeDescription: gidNumber
                    AttributeDescription: cn
                    AttributeDescription: homeDirectory
                    AttributeDescription: loginShell
                    AttributeDescription: gecos
                    AttributeDescription: description
                    AttributeDescription: objectClass
                    AttributeDescription: shadowLastChange
                    AttributeDescription: shadowMax
                    AttributeDescription: shadowExpire
                    AttributeDescription: loginClass
        [Response In: 84]

Internet Protocol Version 4, Src: 192.168.88.91, Dst: 192.168.88.41
Transmission Control Protocol, Src Port: 389, Dst Port: 25859, Seq: 2947, Ack: 1327, Len: 733
Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(6) "uid=ipatest,cn=users,cn=compat,dc=pand,dc=int" [10 results]
        messageID: 6
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: uid=ipatest,cn=users,cn=compat,dc=pand,dc=int
                attributes: 8 items
                    PartialAttributeList item uid
                        type: uid
                        vals: 1 item
                            AttributeValue: ipatest
                    PartialAttributeList item uidNumber
                        type: uidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item gidNumber
                        type: gidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item cn
                        type: cn
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item homeDirectory
                        type: homeDirectory
                        vals: 1 item
                            AttributeValue: /home/ipatest
                    PartialAttributeList item loginShell
                        type: loginShell
                        vals: 1 item
                            AttributeValue: /bin/sh
                    PartialAttributeList item gecos
                        type: gecos
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item objectClass
                        type: objectClass
                        vals: 3 items
                            AttributeValue: posixAccount
                            AttributeValue: ipaOverrideTarget
                            AttributeValue: top
        [Response To: 83]
        [Time: 0.003821000 seconds]
Lightweight Directory Access Protocol
    LDAPMessage searchResEntry(6) "uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int" [10 results]
        messageID: 6
        protocolOp: searchResEntry (4)
            searchResEntry
                objectName: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int
                attributes: 8 items
                    PartialAttributeList item uid
                        type: uid
                        vals: 1 item
                            AttributeValue: ipatest
                    PartialAttributeList item uidNumber
                        type: uidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item gidNumber
                        type: gidNumber
                        vals: 1 item
                            AttributeValue: 1000000001
                    PartialAttributeList item cn
                        type: cn
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item homeDirectory
                        type: homeDirectory
                        vals: 1 item
                            AttributeValue: /home/ipatest
                    PartialAttributeList item loginShell
                        type: loginShell
                        vals: 1 item
                            AttributeValue: /bin/sh
                    PartialAttributeList item gecos
                        type: gecos
                        vals: 1 item
                            AttributeValue: first last
                    PartialAttributeList item objectClass
                        type: objectClass
                        vals: 12 items
                            AttributeValue: top
                            AttributeValue: person
                            AttributeValue: organizationalperson
                            AttributeValue: inetorgperson
                            AttributeValue: inetuser
                            AttributeValue: posixaccount
                            AttributeValue: krbprincipalaux
                            AttributeValue: krbticketpolicyaux
                            AttributeValue: ipaobject
                            AttributeValue: ipasshuser
                            AttributeValue: ipaSshGroupOfPubKeys
                            AttributeValue: mepOriginEntry
        [Response To: 83]
        [Time: 0.003821000 seconds]
Lightweight Directory Access Protocol
    LDAPMessage searchResDone(6) success [10 results]
        messageID: 6
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN: 
                errorMessage: 
        [Response To: 83]
        [Time: 0.003821000 seconds]

SSH and WebGUI auth successful

Actions #9

Updated by Jim Pingle about 4 years ago

Looks like the errors some are seeing (including myself) are from /usr/local/etc/nss_ldap.conf not being set up as a symlink to /var/etc/pam_ldap.conf. On systems that work, that file must have been removed manually or edited in some way. I added a line which removes that file before setting up the symlink and now it works for me.
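The check behind this comment, as an added example rather than pfSense's own code: verify that the nss_ldap configuration is a symlink to the pfSense-generated pam_ldap configuration, and repair it the way #9 describes (remove whatever is there, then link). The two default paths are the ones named above; both can be overridden so the functions can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example (not pfSense code). Defaults are the paths named in comment #9;
# override NSS_LDAP_CONF / PAM_LDAP_CONF to test against a scratch directory.
NSS_LDAP_CONF="${NSS_LDAP_CONF:-/usr/local/etc/nss_ldap.conf}"
PAM_LDAP_CONF="${PAM_LDAP_CONF:-/var/etc/pam_ldap.conf}"

# Returns 0 when $1 is a symlink whose target is exactly $2, 1 otherwise.
# A regular file at $1 (an old copy of nss_ldap.conf) fails this check.
nss_ldap_link_ok() {
    link="$1"; target="$2"
    [ -L "$link" ] || return 1
    [ "$(readlink "$link")" = "$target" ]
}

# Remove any stale file or wrong symlink at $1 and link it to $2.
# Prints one word (ok / replaced / created) so the caller can log what happened.
nss_ldap_link_repair() {
    link="$1"; target="$2"
    if nss_ldap_link_ok "$link" "$target"; then
        echo "ok"
        return 0
    fi
    if [ -e "$link" ] || [ -L "$link" ]; then
        rm -f "$link"      # a leftover copy here makes nss_ldap ignore the generated config
        status="replaced"
    else
        status="created"
    fi
    ln -s "$target" "$link"
    echo "$status"
}

# Stand-alone use on a pfSense box (needs root): sh this-script.sh --repair
if [ "${1:-}" = "--repair" ]; then
    nss_ldap_link_repair "$NSS_LDAP_CONF" "$PAM_LDAP_CONF"
fi
```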

Actions #10

Updated by Max Leighton about 4 years ago

Tested in:

2.5.0-DEVELOPMENT (amd64)
built on Fri Nov 27 07:03:36 EST 2020
FreeBSD 12.2-STABLE

Appears to be working well now. The nss_ldap errors are no longer present. I can successfully authenticate to AD with SSH, and after authentication I'm immediately in a shell, and have to start /etc/rc.initial manually to get the SSH menu.

Actions #11

Updated by Jim Pingle about 4 years ago

  • Status changed from Feedback to Resolved

Actions #12

Updated by Tai Join 10 months ago

I'm having the same issue that Max Leighton had previously about 3 years ago.

I'm also able to log in via webGUI with LDAP credentials, but attempting to log in via SSH fails with Access Denied.

Just like Max Leighton's case, the LDAP server is also selected as the Authentication Server with Shell Authentication checked, and the Shell Authentication Group is set to the same as my extended query which was also working to allow LDAP login to the GUI.

The only difference is I'm using stunnel with Google LDAP instead of Microsoft AD.

Tested in:
2.7.2-RELEASE (amd64)
built on Fri Dec 8 12:55:00 PST 2023
FreeBSD 14.0-CURRENT

Jan 30 15:20:06     sshd     80256     nss_ldap: could not search LDAP server - Server is unavailable
Jan 30 15:20:06     sshd     80256     nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Jan 30 15:20:06     sshd     80256     pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:06     sshd     80256     pam_ldap: reconnecting to LDAP server...
Jan 30 15:20:06     sshd     80256     pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:05     sshd     57323     Postponed keyboard-interactive for invalid user first.last@domainame.com from 192.168.110.102 port 52767 ssh2 [preauth]
Jan 30 15:20:05     sshd     57323     Failed keyboard-interactive/pam for invalid user first.last@domainame.com from 192.168.110.102 port 52767 ssh2
Jan 30 15:20:05     sshd     57323     error: PAM: Authentication error for illegal user first.last@domainame.com from 192.168.110.102
Jan 30 15:20:05     sshd     80205     nss_ldap: could not search LDAP server - Server is unavailable
Jan 30 15:20:05     sshd     80205     nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Jan 30 15:20:05     sshd     80205     pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:05     sshd     80205     pam_ldap: reconnecting to LDAP server...
Jan 30 15:20:05     sshd     80205     pam_ldap: ldap_simple_bind Can't contact LDAP server
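Triage logic for the log lines shown in #7 and #12, as an added example that is not part of the thread or of pfSense. In both reports the nss_ldap bind failure names ldap://127.0.0.1 even though the configured authentication server is elsewhere, which #9 traced to a stale /usr/local/etc/nss_ldap.conf. The configured host below is an assumed value, and the sample log is constructed after the thread's lines (user, domain and client IP are made up).

```shell
#!/bin/sh
# Added example, not pfSense code. CONFIGURED_LDAP_HOST is an assumed value.
CONFIGURED_LDAP_HOST="${CONFIGURED_LDAP_HOST:-192.168.88.91}"

# Constructed sample modelled on comment #12 (names and addresses are made up).
SAMPLE_LOG=$(cat <<'EOF'
Jan 30 15:20:06 sshd 80256 nss_ldap: could not search LDAP server - Server is unavailable
Jan 30 15:20:06 sshd 80256 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Jan 30 15:20:06 sshd 80256 pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:05 sshd 57323 Failed keyboard-interactive/pam for invalid user first.last@example.com from 192.0.2.10 port 52767 ssh2
Jan 30 15:20:05 sshd 80205 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
EOF
)

# Distinct hosts that nss_ldap failed to bind to; reads log text on stdin.
failed_bind_hosts() {
    sed -n 's/.*nss_ldap: failed to bind to LDAP server ldaps\{0,1\}:\/\/\([^/:]*\).*/\1/p' | sort -u
}

# sshd rejections for accounts the system could not resolve through NSS, which is
# what the user experiences as Access Denied; reads stdin.
invalid_user_count() {
    grep -c 'for invalid user ' || true
}

# One-line verdict for a log on stdin:
#   clean                              no nss_ldap bind failures at all
#   configured-host-unreachable HOST   the configured server itself could not be reached
#   unexpected-host HOST...            nss_ldap is binding to a host you never configured
#                                      (in this thread: the loopback default from a stale nss_ldap.conf)
triage_log() {
    log=$(cat)
    hosts=$(printf '%s\n' "$log" | failed_bind_hosts)
    if [ -z "$hosts" ]; then
        echo "clean"
    elif printf '%s\n' "$hosts" | grep -qxF "$CONFIGURED_LDAP_HOST"; then
        echo "configured-host-unreachable $CONFIGURED_LDAP_HOST"
    else
        echo "unexpected-host $(printf '%s\n' "$hosts" | tr '\n' ' ' | sed 's/ $//')"
    fi
}

# Stand-alone use: sh this-script.sh --demo   (or pipe a real log into triage_log)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | triage_log
fi
```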