Stefan Kania | 1 Mar 16:42 2011

Authentication over certificates


Hi,

I would like to configure my LDAP-Server with the option
"TLSVerifyClient demand" so that the authentication is only possible
with certificates. I created the certificate for the user that should
log in to the LAM. On the commandline everything is working fine. Now I
would like to do the authentication over certificates with LAM too.
Is this possible?

Best regards

Stefan

Roland Gruber | 2 Mar 19:16 2011

Re: Authentication over certificates


Hi Stefan,

On 01.03.2011 16:42, Stefan Kania wrote:
> I would like to configure my LDAP-Server with the option
> "TLSVerifyClient demand" so that the authentication is only possible
> with certificates. I created the certificate for the user that should
> log in to the LAM. On the commandline everything is working fine. Now I
> would like to do the authentication over certificates with LAM too.
> Is this possible?

I never tried but probably this can be done by changing /etc/ldap.conf
or /etc/ldap/ldap.conf. This file is also used to setup the trusted CAs
for LDAP+SSL/TLS.

-- 

Best regards

Roland Gruber

LDAP Account Manager
http://www.ldap-account-manager.org/

Want more? Get LDAP Account Manager Pro!
http://www.ldap-account-manager.org/lamcms/lamPro
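As an added example (not from the thread, and not LAM's or OpenLDAP's own code), here is a small POSIX shell helper around the /etc/ldap/ldap.conf settings Roland points at. The OpenLDAP client library reads TLS_CACERT, TLS_CERT, TLS_KEY and TLS_REQCERT from that file, so a web application running as the Apache user can present a client certificate only if those entries are set and the key file is readable by that user. The file paths, the validation function and the permission rule (private key not world-readable) are assumptions for the example.

```shell
#!/bin/sh
# Added example: render and sanity-check the OpenLDAP client settings that a
# web application such as LAM, running as the Apache user, needs in order to
# authenticate with a TLS client certificate. Paths are placeholders.

# Render the ldap.conf lines. TLS_REQCERT demand makes the client refuse a
# server certificate it cannot verify; TLS_CERT/TLS_KEY are the client's
# own identity presented to a server configured with TLSVerifyClient demand.
render_ldap_conf() {
    # $1 = CA bundle, $2 = client certificate, $3 = client private key
    printf 'TLS_CACERT %s\nTLS_CERT %s\nTLS_KEY %s\nTLS_REQCERT demand\n' "$1" "$2" "$3"
}

# Read one option from an ldap.conf-style file (first match wins; comment
# lines never match because their first field starts with '#').
ldap_conf_get() {
    # $1 = file, $2 = option name
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Check a rendered config: every referenced file must exist and be readable,
# the private key must not be world-readable (give the web server user access
# through group membership instead), and TLS_REQCERT must be "demand".
# Returns 0 when all checks pass, 1 otherwise, with reasons on stderr.
validate_ldap_conf() {
    conf="$1"; rc=0
    for opt in TLS_CACERT TLS_CERT TLS_KEY; do
        f=$(ldap_conf_get "$conf" "$opt")
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "missing or unreadable $opt: ${f:-<unset>}" >&2; rc=1
        fi
    done
    keyfile=$(ldap_conf_get "$conf" TLS_KEY)
    if [ -n "$keyfile" ] && [ -r "$keyfile" ]; then
        # GNU stat prints octal mode as e.g. 640; BSD stat needs -f %Lp
        perms=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
        case "$perms" in
            *[4567]) echo "private key $keyfile is world-readable (mode $perms)" >&2; rc=1 ;;
        esac
    fi
    if [ "$(ldap_conf_get "$conf" TLS_REQCERT)" != demand ]; then
        echo "TLS_REQCERT is not set to demand" >&2; rc=1
    fi
    return $rc
}

# Usage (placeholder paths):
#   render_ldap_conf /etc/ssl/certs/ca.pem /etc/ldap/lam-client.pem \
#       /etc/ldap/lam-client.key > /etc/ldap/ldap.conf
#   validate_ldap_conf /etc/ldap/ldap.conf && echo ok
```

The permission check is the part worth keeping: the failure mode that usually shows up first is a key file that the command-line test (run as your own user) can read but the Apache user cannot, which the LDAP client reports only as a generic TLS failure.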
Simon Zihlmann | 2 Mar 22:05 2011

Lamdaemon, Test fails

Hi,
I've got the newest LAM 3.3.0 running on a Ubuntu 10.04.
LDAP-authentication is working properly and I can login/ssh with
testusers on the machine. I can also ssh with the "manager", which is
the administrator for the LAM. However, the lamdaemon test fails:

Lamdaemon Server und Pfad:  Es wird localhost als Lamdaemon-Server
verwendet.
Unix-Account: Für die Verbindung zum Remote-Server wird manager verwendet.
SSH-Verbindung: Kann keine Verbindung zum Server herstellen!
(In English, everything works well until the SSH connection could not be
established)

What might be the problem?
Which other information do you need?
Thanks a lot and with kind regards
Simon

Darin Perusich | 2 Mar 22:19 2011

posixGroup, groupOfUniqueNames and OpenDJ

Hello All,

I'm running lamPRO 3.3.0 with OpenDJ 2.4 for my LDAP server and I'm
running into some problems when creating groups.  When I run the schema
test I get a message that the attribute 'cn' is not supported by the
objectClass posixGroup and when creating a group I get a message that
the server is unwilling to perform that action.

In OpenDJ when creating a posixGroup, that entry must also have a
structural objectClass, either groupOfUniqueNames or groupOfNames,
associated with it. I'm assuming this is the reason for the error and
not being able to create a group, except via the tree view.

Can anyone confirm this? And is there a way I can enable or set this so
one of the structural objectClasses is being, I'd prefer
groupOfUniqueNames, and if so how? If not how can I hack the code so it
is? I've started looking at the source but was hoping someone could provide
an answer to this more quickly.

Thanks!

Valid posixGroup entry:
dn: cn=users,ou=group,dc=domain,dc=com
cn: users
gidNumber: 100
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: top

--

Leopold Palomo-Avellaneda | 3 Mar 09:27 2011

Re: Lamdaemon, Test fails

On Wednesday, 2 March 2011, Simon Zihlmann wrote:
> Hi,
> I've got the newest LAM 3.3.0 running on a Ubuntu 10.04.
> LDAP-authentication is working properly and I can login/ssh with
> testusers on the machine. I can also ssh with the "manager", which is
> the administrator for the LAM. However, the lamdaemon test fails:
> 
> Lamdaemon Server und Pfad:  Es wird localhost als Lamdaemon-Server
> verwendet.
> Unix-Account: Für die Verbindung zum Remote-Server wird manager verwendet.
> SSH-Verbindung: Kann keine Verbindung zum Server herstellen!
> (In English, everything works well until the SSH connection could not be
> established)
> 
> What might be the problem?
> Which other information do you need?
> Thanks a lot and with kind regards
> Simon
> 

I got similar problems in the past. If it's what I think, be sure that 

ssh manager@localhost or
ssh manager@where_is_running_lam

works.

In my case it was something as stupid as saying yes to accept the key the first
time.


S.Zihlmann | 3 Mar 13:29 2011

Re: Lamdaemon, Test fails

Hi,
> I got similar problems in the past. If it's what I think, be sure that
>
> ssh manager@localhost or
> ssh manager@where_is_running_lam
>
> works.
>
> In my case it was something as stupid as saying yes to accept the key the first
> time.

Yes, this works without problem. Even from the manager account  
(manager@host: ssh manager@localhost works without any problem).

I also accepted the host-key (as I was running ssh manager@localhost  
from the manager account the first time, so the  
/home/manager/.ss/known_host includes the host-key from localhost  
(where lam runs and the homedirs should be created).

Simon


Roland Gruber | 3 Mar 19:27 2011

Re: posixGroup, groupOfUniqueNames and OpenDJ


Hi Darin,

On 02.03.2011 22:19, Darin Perusich wrote:
> Can anyone confirm this? And is there a way I can enable or set this so
> one of the structural objectClasses is being, I'd prefer
> groupOfUniqueNames, and if so how? If not how can I hack the code so it
> is? I've started looking at the source but was hoping some could provide
> an answer to this more quickly.

please edit your LAM server profile. In the modules selection for groups
please remove the posixGroup module and add
groupOfUniqueNames+rfc2307bisPosixGroup.
I guess you are using Suse Linux which uses a special posixGroup object
class.

-- 

Best regards

Roland Gruber

LDAP Account Manager
http://www.ldap-account-manager.org/

Want more? Get LDAP Account Manager Pro!
http://www.ldap-account-manager.org/lamcms/lamPro
Roland Gruber | 3 Mar 19:32 2011

Re: Lamdaemon, Test fails


Hi Simon,

On 03.03.2011 13:29, S.Zihlmann@... wrote:
> I also accepted the host-key (as I was running ssh manager@localhost  
> from the manager account the first time, so the  
> /home/manager/.ss/known_host includes the host-key from localhost  
> (where lam runs and the homedirs should be created).

please try the SSH connection when you are your Apache user (e.g.
www-data/www-run). Please also check your logs (/var/log/syslog) if the
SSH daemon reports anything if and why the connection is not accepted.
If this does not help please check with wireshark/tcpdump if there is
really a connection attempt to SSH.

-- 

Best regards

Roland Gruber

LDAP Account Manager
http://www.ldap-account-manager.org/

Want more? Get LDAP Account Manager Pro!
http://www.ldap-account-manager.org/lamcms/lamPro
Darin Perusich | 3 Mar 20:38 2011

Re: posixGroup, groupOfUniqueNames and OpenDJ

Hi Roland,

> 
> please edit your LAM server profile. In the modules selection for
> groups
> please remove the posixGroup module and add
> groupOfUniqueNames+rfc2307bisPosixGroup.
> I guess you are using Suse Linux which uses a special posixGroup
object
> class.

While my clients are OpenSUSE I am using the OpenDJ LDAP server,
http://www.forgerock.com/opendj.html. It's the continuation of OpenDS
after Oracle effectively killed the project by abandoning it.

I've set "types: modules_group: groupOfUniqueNames,rfc2307bisPosixGroup"
in my server profile but when I attempt to create a posixGroup I'm
getting a message that I need to add at least one member to the group.
Technically this is not required by the schema, see the objectClass
definition below. The OpenLDAP schema is based on RFC2256 where a
uniqueMember is required. 

Is this hardcoded into LAM or is it determining referencing the schema
from the server?

objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL
  MUST cn MAY ( uniqueMember $ businessCategory $ seeAlso $ owner $ ou $ o $
  description ) X-ORIGIN 'RFC 4519' )
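The question in this message (is the "at least one member" requirement hardcoded, or does it come from the server's schema?) is easiest to settle by looking at what the server actually publishes. As an added example (not from the thread, and not LAM's or OpenDJ's code), the POSIX shell functions below parse the MUST and MAY attribute lists out of an RFC 4512 objectClass description of the kind quoted above, so the OpenDJ definition (uniqueMember optional) can be compared with the RFC 2256-style definition OpenLDAP ships (uniqueMember mandatory). The OpenDJ string is taken from the message; the OpenLDAP string is reproduced from memory of core.schema and should be treated as an assumption. In practice you would feed in the output of `ldapsearch -b cn=schema objectClasses` against your own server.

```shell
#!/bin/sh
# Added example: extract MUST/MAY attribute lists from an RFC 4512
# objectClass description and test whether a given attribute is mandatory.

# Definition quoted in the thread (OpenDJ, X-ORIGIN 'RFC 4519'): uniqueMember is MAY.
OPENDJ_GOUN="( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL MUST cn MAY ( uniqueMember \$ businessCategory \$ seeAlso \$ owner \$ ou \$ o \$ description ) X-ORIGIN 'RFC 4519' )"
# Constructed from memory of OpenLDAP's core.schema (RFC 2256 lineage): uniqueMember is MUST.
OPENLDAP_GOUN="( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL MUST ( uniqueMember \$ cn ) MAY ( businessCategory \$ seeAlso \$ owner \$ ou \$ o \$ description ) )"

# oc_attrs DEF KEYWORD -> space-separated attribute names following KEYWORD
# (KEYWORD is MUST or MAY; the value is either a bare name or a
# '$'-separated list in parentheses, as in RFC 4512 section 4.1.1).
oc_attrs() {
    printf '%s\n' "$1" | awk -v kw="$2" '
    {
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i != kw) continue
            if ($(i + 1) == "(") {
                # parenthesised list: collect names, skip the $ separators
                for (j = i + 2; j <= NF && $j != ")"; j++)
                    if ($j != "$") out = out (out == "" ? "" : " ") $j
            } else {
                out = $(i + 1)
            }
            break
        }
        print out
    }'
}

# oc_requires DEF ATTR -> exit 0 if ATTR appears in the MUST list, else 1
oc_requires() {
    for a in $(oc_attrs "$1" MUST); do
        [ "$a" = "$2" ] && return 0
    done
    return 1
}

# Report, for one definition, whether uniqueMember is mandatory.
report_unique_member() {
    # $1 = label, $2 = definition
    if oc_requires "$2" uniqueMember; then
        echo "$1: uniqueMember is MUST (an empty group is rejected by the schema)"
    else
        echo "$1: uniqueMember is MAY (an empty group is schema-valid)"
    fi
}

report_unique_member OpenDJ "$OPENDJ_GOUN"
report_unique_member OpenLDAP "$OPENLDAP_GOUN"
```

Running the block prints one line per definition; the two differ only in where uniqueMember sits, which is exactly the RFC 2256 versus RFC 4519 difference described in the message. The parser handles bare names ("MUST cn") as well as parenthesised lists, which is the general form, not just the two strings shown.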

Simon Zihlmann | 3 Mar 21:28 2011

Re: Lamdaemon, Test fails

Hi,

> please try the SSH connection when you are your Apache user (e.g.
> www-data/www-run). 
I've tried this and I had to accept the host-key, but it worked.
> Please also check your logs (/var/log/syslog) if the
> SSH daemon reports anything if and why the connection is not accepted.
Here are the messages (first ssh from apache-user (www-data), second LAM
test):

1)
syslog:
Mar  3 21:22:14 ARGLOS nslcd[863]: [2dba31] connected to LDAP server
ldap://127.0.0.1/

auth.log:
Mar  3 21:22:14 ARGLOS sshd[2153]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=manager
Mar  3 21:22:14 ARGLOS sshd[2153]: Accepted password for manager from
::1 port 48108 ssh2
Mar  3 21:22:14 ARGLOS sshd[2153]: pam_unix(sshd:session): session
opened for user manager by (uid=0)

2)
syslog:
Mar  3 21:24:55 ARGLOS nslcd[863]: [7130a3] failed to bind to LDAP
server ldap://127.0.0.1/: Invalid credentials: Success

auth.log:
Mar  3 21:24:55 ARGLOS sshd[2248]: pam_unix(sshd:auth): authentication
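As an added example (not from the thread, and not LAM's or lamdaemon's code), the POSIX shell filter below does the log comparison Roland asked for: it tags the sshd, pam_unix and nslcd events from an SSH attempt so that a manual `ssh` as the Apache user and the LAM test run can be read side by side. SAMPLE_LOG is constructed from the syslog and auth.log lines posted above (the two runs concatenated); the tag names and the verdict rules are the example's own assumptions. Run it against `grep -h manager /var/log/syslog /var/log/auth.log` on the real box.

```shell
#!/bin/sh
# Added example: tag and summarise the syslog/auth.log lines produced by an
# SSH login attempt on a host that resolves accounts through nslcd.

# Constructed from the lines quoted in the thread (run 1 = manual ssh as
# www-data, run 2 = LAM's lamdaemon test).
SAMPLE_LOG='Mar  3 21:22:14 ARGLOS nslcd[863]: [2dba31] connected to LDAP server ldap://127.0.0.1/
Mar  3 21:22:14 ARGLOS sshd[2153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=manager
Mar  3 21:22:14 ARGLOS sshd[2153]: Accepted password for manager from ::1 port 48108 ssh2
Mar  3 21:22:14 ARGLOS sshd[2153]: pam_unix(sshd:session): session opened for user manager by (uid=0)
Mar  3 21:24:55 ARGLOS nslcd[863]: [7130a3] failed to bind to LDAP server ldap://127.0.0.1/: Invalid credentials: Success'

# tag_line LINE -> one of: ldap-bind-failed ldap-connected pam-unix-fail
#                           ssh-accepted ssh-session other
tag_line() {
    case "$1" in
        *nslcd*"failed to bind"*)                          echo ldap-bind-failed ;;
        *nslcd*"connected to LDAP"*)                       echo ldap-connected ;;
        *"pam_unix(sshd:auth): authentication failure"*)   echo pam-unix-fail ;;
        *sshd*"Accepted "*)                                echo ssh-accepted ;;
        *"pam_unix(sshd:session): session opened"*)        echo ssh-session ;;
        *)                                                 echo other ;;
    esac
}

# triage < log -> "tag<TAB>line" for every input line
triage() {
    while IFS= read -r line; do
        printf '%s\t%s\n' "$(tag_line "$line")" "$line"
    done
}

# count_tag TAG < log -> number of lines carrying TAG
count_tag() {
    triage | awk -F'\t' -v t="$1" '$1 == t { n++ } END { print n + 0 }'
}

# verdict < log -> one-line reading of the run. A pam_unix failure followed
# by "Accepted" is the normal sequence for an account that lives in LDAP
# rather than /etc/shadow; an nslcd bind failure means the account could not
# even be looked up, which has to be fixed before sshd is worth examining.
verdict() {
    tmp=$(mktemp); cat > "$tmp"
    if [ "$(count_tag ldap-bind-failed < "$tmp")" -gt 0 ]; then
        echo "nslcd could not bind to LDAP: check the bind DN and password in nslcd.conf before looking at sshd"
    elif [ "$(count_tag ssh-accepted < "$tmp")" -gt 0 ]; then
        echo "login accepted (a preceding pam_unix failure is normal for an LDAP-only account)"
    else
        echo "no accepted login and no LDAP error: capture the attempt with tcpdump to confirm a connection was made"
    fi
    rm -f "$tmp"
}

# Stand-alone run: tag every sample line, then summarise each run separately.
printf '%s\n' "$SAMPLE_LOG" | triage
printf 'run 1: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | head -n 4 | verdict)"
printf 'run 2: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | tail -n 1 | verdict)"
```

The point of separating the two runs is visible in the verdicts: the manual attempt ends in an accepted login, while the lamdaemon run never gets past nslcd's bind, so the failing component is the LDAP lookup on the host rather than the SSH handshake that the LAM error message names.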