Feature #8698: LDAP authenticated users should be able to log in via ssh
Status: Closed
Done: 100%
Description
We integrate pfSense against our Active Directory systems for authentication and authorization. It works well for the most part, but we've discovered that LDAP authenticated users are unable to access the CLI via SSH. This is unfortunate, as we have security scanners, etc., that need this functionality in order to work properly.
Updated by Jim Pingle over 6 years ago
- Category set to User Manager / Privileges
- Assignee set to Jim Pingle
After #9399 this is one step closer.
Updated by Jim Pingle about 6 years ago
- Category changed from User Manager / Privileges to Authentication
Updated by Viktor Gurov about 5 years ago
Updated by Jim Pingle about 5 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Renato Botelho almost 5 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov almost 5 years ago
- % Done changed from 0 to 100
Applied in changeset ca8459cdafafd225fbc07edbc32679b8301298fc.
Updated by Max Leighton almost 5 years ago
Testing this with Active Directory, I'm able to successfully log into the webGUI with LDAP credentials, but attempting to log in via SSH hangs when entering the username, and the pfSense web interface becomes unresponsive. The system logs show repeated entries of:
Nov 11 09:58:46 su 34885 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Nov 11 09:58:46 su 34885 nss_ldap: could not search LDAP server - Server is unavailable
The LDAP server is selected as the Authentication Server with Shell Authentication checked, and the Shell Authentication Group is set to the same as my extended query which is working to allow login to the GUI:
CN=Users,CN=Builtin,DC=lab,DC=local
Tested in:
2.5.0-DEVELOPMENT (amd64)
built on Tue Nov 10 01:00:03 EST 2020
FreeBSD 12.2-STABLE
Updated by Viktor Gurov almost 5 years ago
pfSense 2.5.0.a.20201111.1850 test with FreeIPA server 4.8.4:
Authentication server configuration:
<authserver>
<refid>5f81b3e5799d3</refid>
<type>ldap</type>
<name>FreeIPA</name>
<ldap_caref>global</ldap_caref>
<host>192.168.88.91</host>
<ldap_port>389</ldap_port>
<ldap_urltype>Standard TCP</ldap_urltype>
<ldap_protver>3</ldap_protver>
<ldap_scope>subtree</ldap_scope>
<ldap_basedn><![CDATA[DC=pand,DC=int]]></ldap_basedn>
<ldap_authcn><![CDATA[cn=accounts,dc=pand,dc=int]]></ldap_authcn>
<ldap_extended_enabled></ldap_extended_enabled>
<ldap_extended_query><![CDATA[&(objectClass=ipausergroup)(cn=vpnipa)(member=*)))]]></ldap_extended_query>
<ldap_attr_user><![CDATA[uid]]></ldap_attr_user>
<ldap_attr_group><![CDATA[cn]]></ldap_attr_group>
<ldap_attr_member><![CDATA[member]]></ldap_attr_member>
<ldap_attr_groupobj><![CDATA[posixGroup]]></ldap_attr_groupobj>
<ldap_allow_unauthenticated></ldap_allow_unauthenticated>
<ldap_timeout>25</ldap_timeout>
<ldap_pam_groupdn><![CDATA[cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int]]></ldap_pam_groupdn>
<ldap_binddn><![CDATA[uid=admin,cn=users,cn=compat,dc=pand,dc=int]]></ldap_binddn>
<ldap_bindpw><![CDATA[123]]></ldap_bindpw>
<ldap_rfc2307></ldap_rfc2307>
<ldap_rfc2307_userdn></ldap_rfc2307_userdn>
</authserver>
ipatest LDIF data:
# ipatest, users, accounts, pand.int
dn: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int
givenName: first
sn: last
uid: ipatest
cn: first last
displayName: first last
initials: fl
gecos: first last
krbPrincipalName: ipatest@PAND.INT
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/ipatest
mail: ipatest@pand.int
krbCanonicalName: ipatest@PAND.INT
ipaUniqueID: 03a2a360-c7ed-11ea-9b26-860d7bafc7f2
uidNumber: 1000000001
gidNumber: 1000000001
krbPasswordExpiration: 20200720094800Z
krbLastPwdChange: 20200720094800Z
krbExtraData:: AAJQaBVfcm9vdC9hZG1pbkBQQU5ELklOVAA=
mepManagedEntry: cn=ipatest,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int
memberOf: cn=othertestgroup,cn=groups,cn=accounts,dc=pand,dc=int
krbLoginFailedCount: 0
krbLastFailedAuth: 20201021102340Z

# vpnipa, groups, accounts, pand.int
dn: cn=vpnipa,cn=groups,cn=accounts,dc=pand,dc=int
cn: vpnipa
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 925d9524-c7ed-11ea-9001-860d7bafc7f2
gidNumber: 1000000004
member: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int
Part of the LDAP traffic dump:
Internet Protocol Version 4, Src: 192.168.88.41, Dst: 192.168.88.91
Transmission Control Protocol, Src Port: 25859, Dst Port: 389, Seq: 1077, Ack: 2947, Len: 250
Lightweight Directory Access Protocol
LDAPMessage searchRequest(6) "DC=pand,DC=int" wholeSubtree
messageID: 6
protocolOp: searchRequest (3)
searchRequest
baseObject: DC=pand,DC=int
scope: wholeSubtree (2)
derefAliases: neverDerefAliases (0)
sizeLimit: 1
timeLimit: 25
typesOnly: False
Filter: (&(objectClass=posixAccount)(uid=ipatest))
filter: and (0)
and: (&(objectClass=posixAccount)(uid=ipatest))
and: 2 items
Filter: (objectClass=posixAccount)
and item: equalityMatch (3)
equalityMatch
attributeDesc: objectClass
assertionValue: posixAccount
Filter: (uid=ipatest)
and item: equalityMatch (3)
equalityMatch
attributeDesc: uid
assertionValue: ipatest
attributes: 14 items
AttributeDescription: uid
AttributeDescription: userPassword
AttributeDescription: uidNumber
AttributeDescription: gidNumber
AttributeDescription: cn
AttributeDescription: homeDirectory
AttributeDescription: loginShell
AttributeDescription: gecos
AttributeDescription: description
AttributeDescription: objectClass
AttributeDescription: shadowLastChange
AttributeDescription: shadowMax
AttributeDescription: shadowExpire
AttributeDescription: loginClass
[Response In: 84]
Internet Protocol Version 4, Src: 192.168.88.91, Dst: 192.168.88.41
Transmission Control Protocol, Src Port: 389, Dst Port: 25859, Seq: 2947, Ack: 1327, Len: 733
Lightweight Directory Access Protocol
LDAPMessage searchResEntry(6) "uid=ipatest,cn=users,cn=compat,dc=pand,dc=int" [10 results]
messageID: 6
protocolOp: searchResEntry (4)
searchResEntry
objectName: uid=ipatest,cn=users,cn=compat,dc=pand,dc=int
attributes: 8 items
PartialAttributeList item uid
type: uid
vals: 1 item
AttributeValue: ipatest
PartialAttributeList item uidNumber
type: uidNumber
vals: 1 item
AttributeValue: 1000000001
PartialAttributeList item gidNumber
type: gidNumber
vals: 1 item
AttributeValue: 1000000001
PartialAttributeList item cn
type: cn
vals: 1 item
AttributeValue: first last
PartialAttributeList item homeDirectory
type: homeDirectory
vals: 1 item
AttributeValue: /home/ipatest
PartialAttributeList item loginShell
type: loginShell
vals: 1 item
AttributeValue: /bin/sh
PartialAttributeList item gecos
type: gecos
vals: 1 item
AttributeValue: first last
PartialAttributeList item objectClass
type: objectClass
vals: 3 items
AttributeValue: posixAccount
AttributeValue: ipaOverrideTarget
AttributeValue: top
[Response To: 83]
[Time: 0.003821000 seconds]
Lightweight Directory Access Protocol
LDAPMessage searchResEntry(6) "uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int" [10 results]
messageID: 6
protocolOp: searchResEntry (4)
searchResEntry
objectName: uid=ipatest,cn=users,cn=accounts,dc=pand,dc=int
attributes: 8 items
PartialAttributeList item uid
type: uid
vals: 1 item
AttributeValue: ipatest
PartialAttributeList item uidNumber
type: uidNumber
vals: 1 item
AttributeValue: 1000000001
PartialAttributeList item gidNumber
type: gidNumber
vals: 1 item
AttributeValue: 1000000001
PartialAttributeList item cn
type: cn
vals: 1 item
AttributeValue: first last
PartialAttributeList item homeDirectory
type: homeDirectory
vals: 1 item
AttributeValue: /home/ipatest
PartialAttributeList item loginShell
type: loginShell
vals: 1 item
AttributeValue: /bin/sh
PartialAttributeList item gecos
type: gecos
vals: 1 item
AttributeValue: first last
PartialAttributeList item objectClass
type: objectClass
vals: 12 items
AttributeValue: top
AttributeValue: person
AttributeValue: organizationalperson
AttributeValue: inetorgperson
AttributeValue: inetuser
AttributeValue: posixaccount
AttributeValue: krbprincipalaux
AttributeValue: krbticketpolicyaux
AttributeValue: ipaobject
AttributeValue: ipasshuser
AttributeValue: ipaSshGroupOfPubKeys
AttributeValue: mepOriginEntry
[Response To: 83]
[Time: 0.003821000 seconds]
Lightweight Directory Access Protocol
LDAPMessage searchResDone(6) success [10 results]
messageID: 6
protocolOp: searchResDone (5)
searchResDone
resultCode: success (0)
matchedDN:
errorMessage:
[Response To: 83]
[Time: 0.003821000 seconds]
SSH and WebGUI auth successful
Updated by Jim Pingle almost 5 years ago
Looks like the errors some are seeing (including myself) are from /usr/local/etc/nss_ldap.conf not being set up as a symlink to /var/etc/pam_ldap.conf. On systems that work, that file must have been removed manually or edited in some way. I added a line which removes that file before setting up the symlink, and now it works for me.
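An added check for the symlink state described in the comment above (example code written for this thread, not pfSense's own; the optional root-prefix argument is an assumption so the functions can be exercised on a constructed directory tree instead of a live firewall):

```shell
#!/bin/sh
# Added diagnostic helper, not part of pfSense. The comment above says
# /usr/local/etc/nss_ldap.conf must be a symlink to the generated
# /var/etc/pam_ldap.conf; a stale regular file at that path leaves nss_ldap
# reading old settings. $1 is an optional root prefix (an assumption made
# here for offline use) so the checks can run on a constructed tree.

NSS_LDAP_REL=/usr/local/etc/nss_ldap.conf
PAM_LDAP_REL=/var/etc/pam_ldap.conf

# Exit status: 0 correct symlink, 1 stale file or wrong target,
# 2 pam_ldap.conf absent, 3 nss_ldap.conf absent entirely.
check_nss_ldap_conf() {
    root="${1:-}"
    nss_conf="$root$NSS_LDAP_REL"
    pam_conf="$root$PAM_LDAP_REL"

    if [ ! -f "$pam_conf" ]; then
        echo "MISSING: $pam_conf (is an LDAP server enabled for shell authentication?)"
        return 2
    fi
    if [ -L "$nss_conf" ]; then
        target=$(readlink "$nss_conf")
        if [ "$target" = "$pam_conf" ]; then
            echo "OK: $nss_conf -> $target"
            return 0
        fi
        echo "WRONG TARGET: $nss_conf -> $target (expected $pam_conf)"
        return 1
    fi
    if [ -e "$nss_conf" ]; then
        echo "STALE FILE: $nss_conf is a regular file, not a symlink"
        return 1
    fi
    echo "ABSENT: $nss_conf does not exist"
    return 3
}

# Mirrors the fix described in the thread: remove whatever sits at the
# nss_ldap path, then recreate it as a symlink to pam_ldap.conf.
repair_nss_ldap_conf() {
    root="${1:-}"
    if [ ! -f "$root$PAM_LDAP_REL" ]; then
        echo "refusing to link: $root$PAM_LDAP_REL does not exist"
        return 2
    fi
    rm -f "$root$NSS_LDAP_REL"
    ln -s "$root$PAM_LDAP_REL" "$root$NSS_LDAP_REL"
}

# Demonstration on a constructed tree; the real system paths are never touched.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/local/etc" "$demo_root/var/etc"
printf 'uri ldap://127.0.0.1/\n' > "$demo_root/var/etc/pam_ldap.conf"        # constructed generated config
printf 'uri ldap://old-server/\n' > "$demo_root/usr/local/etc/nss_ldap.conf"  # constructed stale file
check_nss_ldap_conf "$demo_root" || repair_nss_ldap_conf "$demo_root"
check_nss_ldap_conf "$demo_root"
rm -rf "$demo_root"
```

Run without an argument on a pfSense box to inspect the live paths; the repair function only reproduces the remove-then-symlink step the comment describes and refuses to create a dangling link when pam_ldap.conf has not been generated.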
Updated by Max Leighton almost 5 years ago
Tested in:
2.5.0-DEVELOPMENT (amd64)
built on Fri Nov 27 07:03:36 EST 2020
FreeBSD 12.2-STABLE
Appears to be working well now. The nss_ldap errors are no longer present. I can successfully authenticate to AD with SSH, and after authentication I'm immediately in a shell, and have to start /etc/rc.initial manually to get the SSH menu.
Updated by Jim Pingle almost 5 years ago
- Status changed from Feedback to Resolved
Updated by Tai Join over 1 year ago
I'm having the same issue that Max Leighton had previously, about 3 years ago.
I'm also able to login via webGUI with LDAP credentials, but attempting to log in via SSH fails with Access Denied.
Just like Max Leighton's case, the LDAP server is also selected as the Authentication Server with Shell Authentication checked, and the Shell Authentication Group is set to the same as my extended query which was also working to allow LDAP login to the GUI.
The only difference is I'm using stunnel with Google LDAP instead of Microsoft AD.
Tested in:
2.7.2-RELEASE (amd64)
built on Fri Dec 8 12:55:00 PST 2023
FreeBSD 14.0-CURRENT
Jan 30 15:20:06 sshd 80256 nss_ldap: could not search LDAP server - Server is unavailable
Jan 30 15:20:06 sshd 80256 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Jan 30 15:20:06 sshd 80256 pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:06 sshd 80256 pam_ldap: reconnecting to LDAP server...
Jan 30 15:20:06 sshd 80256 pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:05 sshd 57323 Postponed keyboard-interactive for invalid user first.last@domainame.com from 192.168.110.102 port 52767 ssh2 [preauth]
Jan 30 15:20:05 sshd 57323 Failed keyboard-interactive/pam for invalid user first.last@domainame.com from 192.168.110.102 port 52767 ssh2
Jan 30 15:20:05 sshd 57323 error: PAM: Authentication error for illegal user first.last@domainame.com from 192.168.110.102
Jan 30 15:20:05 sshd 80205 nss_ldap: could not search LDAP server - Server is unavailable
Jan 30 15:20:05 sshd 80205 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Jan 30 15:20:05 sshd 80205 pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:05 sshd 80205 pam_ldap: reconnecting to LDAP server...
Jan 30 15:20:05 sshd 80205 pam_ldap: ldap_simple_bind Can't contact LDAP server
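As an added triage example (not part of pfSense, OpenSSH or this thread), the following reads system log lines like those posted above and separates a directory-connectivity failure (nss_ldap and pam_ldap cannot reach the configured LDAP URL, so sshd never resolves the account and logs "invalid user") from an ordinary credential rejection. The sample lines are constructed from the shapes in this thread:

```shell
#!/bin/sh
# Added triage helper, not part of pfSense or OpenSSH. Reads log lines on
# stdin and prints one verdict line. Patterns are taken from the messages
# quoted in this thread (nss_ldap/pam_ldap bind failures, sshd invalid-user
# and failed-authentication lines).

classify_ssh_ldap_failure() {
    awk '
        /nss_ldap: failed to bind to LDAP server/ {
            # remember the URL the resolver tried; the log appends a colon
            for (i = 1; i <= NF; i++) if ($i ~ /^ldaps?:\/\//) url = $i
            sub(/:$/, "", url)
            nss_down = 1
        }
        /pam_ldap: ldap_simple_bind Can.t contact LDAP server/ { pam_down = 1 }
        /sshd.*(invalid|illegal) user/ { invalid_user = 1 }
        /sshd.*Failed (keyboard-interactive|password)/ { auth_failed = 1 }
        END {
            if (nss_down && invalid_user)
                print "LDAP_UNREACHABLE: nss_ldap could not bind to " url " so sshd treated the account as unknown; check the local LDAP endpoint (stunnel) and the nss_ldap.conf symlink"
            else if (nss_down || pam_down)
                print "LDAP_UNREACHABLE: directory bind failed; connectivity problem, not a password problem"
            else if (auth_failed)
                print "CREDENTIALS_REJECTED: account was resolved but authentication failed"
            else
                print "NO_LDAP_SSH_FAILURE_SEEN"
        }'
}

# Constructed sample, modelled on the log excerpt in this thread.
sample_failure_lines() {
    cat <<'EOF'
Jan 30 15:20:05 sshd 80205 nss_ldap: could not search LDAP server - Server is unavailable
Jan 30 15:20:05 sshd 80205 nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Jan 30 15:20:05 sshd 80205 pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 30 15:20:05 sshd 57323 Failed keyboard-interactive/pam for invalid user first.last@example.com from 192.168.110.102 port 52767 ssh2
Jan 30 15:20:05 sshd 57323 error: PAM: Authentication error for illegal user first.last@example.com from 192.168.110.102
EOF
}

# Demonstration: feed the constructed sample through the classifier.
sample_failure_lines | classify_ssh_ldap_failure
```

On a live system the same function can be fed with `clog /var/log/system.log | classify_ssh_ldap_failure` or any other log reader; the useful distinction is that an "invalid user" line preceded by an nss_ldap bind failure means the account lookup never reached the directory, so rechecking the password is wasted effort.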