OpenLDAP authenticating against Win NT domain PDC through PAM

This version of the document is based on

   CYRUS SASL V 2.1.7
   BerkeleyDB 4.0
   pam_winbind (included in the SAMBA package)
   OpenLDAP 2.1.x

People who need access to the prior version of this document (based on
CYRUS SASL 1.5.26, pam_smb_auth, BerkeleyDB 3.x) can read
OpenLDAP-authenticating-with-PAM-V1.txt

Context:

We are trying to build an information system using OpenLDAP 2.1.x. Due to
structural and historical (some say hysterical) reasons we want to do the
user authentication against a Windows NT PDC. We plan to use

   OpenLDAP => SASL (PLAIN, saslauthd) => PAM => pam_winbind => NT PDC

to authenticate users.

I hope this paper will help people to save time in finding their own
correct configuration and parameters when trying to use OpenLDAP with PAM.
Part of these lines can maybe complement the OpenLDAP administrator's guide
or be used to write a "How to".

I apologize for my poor English; corrections or a new writing will
probably be needed...

Jacques Landru

-----oOo-----
Jacques Landru
mel: landru@enic.fr
web: http://www.enic.fr/people/landru
tel: (+33) 3 2033 5556
fax: (+33) 3 2033 5598

E.N.I.C.
Cite scientifique, rue G. Marconi
59658 VILLENEUVE D'ASCQ Cedex
web: http://www.enic.fr
Tel: (+33) 3 2033 5577
Fax: (+33) 3 2033 5599
-----oOo-----

===== oOo =====

Step 1 : Compile and install BerkeleyDB
=======================================

SASL uses a BerkeleyDB database to store users and passwords.

Install BerkeleyDB.x.y

- in the build_unix directory

   $ ../dist/configure
   $ make
   $ make install

BerkeleyDB version x.y will be installed in /usr/local/BerkeleyDB.x.y

Step 2 : Compile and install OpenSSL
====================================

SASL authenticates with PAM using the insecure SASL PLAIN mode. In PLAIN
mode passwords are exchanged in clear text.
OpenSSL, giving secure connections, is recommended if you use PLAIN mode.

- in the OpenSSL directory

   $ ./config
   $ make
   $ make test
   $ make install

This will build and install OpenSSL in the default location, which is
(for historical reasons) /usr/local/ssl.

Step 3 : Compile and install SASL
=================================

As we don't have a Kerberos environment we disable this authentication;
we force the arguments --enable-plain and --with-pam.

To use the BerkeleyDB.x.y compiled in step 1, create or modify the CPPFLAGS
and LDFLAGS environment variables

   $ export CPPFLAGS="-I/usr/local/BerkeleyDB.x.y/include" \
            LDFLAGS="-L/usr/local/BerkeleyDB.x.y/lib \
                     -R/usr/local/BerkeleyDB.x.y/lib"

- in the cyrus-sasl directory

   # ./configure --with-pam=/lib/security --enable-plain --disable-krb4 \
                 --with-dblib=berkeley --enable-sample --with-saslauthd=/usr/local/var
   # make
   # make install

As mentioned in the install script, you have to create a symbolic link
/usr/lib/sasl2 targeted to /usr/local/lib/sasl2

Step 4 : create a SASLDB
========================

I don't know if this step is still needed with SASL 2.1.x

As mentioned in the SASL Administrative guide, CRAM-MD5 and DIGEST-MD5
don't appear available until you have a SASLDB.

Use the saslpasswd2 command to create a user called dummyuser.

- in the cyrus-sasl/utils directory

   # ./saslpasswd2 dummyuser
   Password:
   Again (for verification):

After that you must have the database in the /etc/sasldb2 file.

The SASL library includes a sample server and a sample client application
for test and debug purposes. A test with the "dummyuser" we have just
created can be performed.

In two separate X terminals run the cyrus sasl sample server and sample
client.
Specify sample as the service name

- a) run the server and the client

term-1 (sample server):

   # ./server -s sample
   trying 10, 1, 6
   socket: Address family not supported by protocol
   trying 2, 1, 6

term-2 (sample client):

   # ./client -s sample localhost

term-1 (sample server): displays

   accepted new connection
   send: {39} ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5
   recv: {10} DIGEST-MD5
   recv: {1} N
   send: {109} nonce="8qMcrGdT+bfmKModlc/NTWGjJBnpSB6MClDwQATAApI=", \
               realm="ldap",qop="auth",charset=utf-8,algorithm=md5-sess

term-2 (sample client): displays

   receiving capability list... recv: {39} ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5
   ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5
   send: {10} DIGEST-MD5
   send: {1} N
   recv: {109} nonce="8qMcrGdT+bfmKModlc/NTWGjJBnpSB6MClDwQATAApI=", \
               realm="ldap",qop="auth",charset=utf-8,algorithm=md5-sess
   please enter an authentication id:

term-2 (sample client): asks for authentication id, authorization id and
password. Enter dummyuser for both ids

   please enter an authentication id: dummyuser
   please enter an authorization id: dummyuser
   Password:

term-1 (sample server): displays

   recv: {233} username="dummyuser",realm="ldap", \
               nonce="8qMcrGdT+bfmKModlc/NTWGjJBnpSB6MClDwQATAApI=", \
               cnonce="iQWGnL+RXlxUGsnWzJ+aVUa1IuDVqNfz4SktMLwI5ko=", \
               nc=00000001,qop=auth,digest-uri="sample/localhost", \
               response=de8c01e33715476621c44c5e1418e22b
   send: {40} rspauth=a425969039750ffb8a45eaf52bd2e26b
   recv: {0}
   successful authentication 'dummyuser'
   closing connection

term-2 (sample client): displays

   send: {233} username="dummyuser",realm="ldap", \
               nonce="8qMcrGdT+bfmKModlc/NTWGjJBnpSB6MClDwQATAApI=", \
               cnonce="iQWGnL+RXlxUGsnWzJ+aVUa1IuDVqNfz4SktMLwI5ko=", \
               nc=00000001,qop=auth,digest-uri="sample/localhost", \
               response=de8c01e33715476621c44c5e1418e22b
   recv: {40} rspauth=a425969039750ffb8a45eaf52bd2e26b
   send: {0}
   successful authentication
   closing connection

Step 5 : test SASL -> PAM authentication
========================================

Before integration of SASL -> PAM in
OpenLDAP, testing the SASL -> PAM mechanisms is recommended.

SASL 2.1.x uses the saslauthd daemon to authenticate with external
authentication mechanisms.

There are two ways to test the SASL -> PAM path:

   5A) saslauthd comes with a testsaslauthd tool,
   5B) the SASL library includes a sample server and a sample client
       application for test and debug purposes.

In this step we consider that the pam_winbind authentication method is OK
(see the SAMBA documentation for more details):

-a) pam_winbind.so is present in /usr/lib/security,

-b) you have an /etc/samba/smb.conf in accordance with your Windows domain
    architecture,

    Important Note

    The winbind separator is set to the '_' character instead of the '+',
    because '+' is ambiguous in a SASL context (+ is the realm separator).

    The winbind parameters in my smb.conf file are

       . . .
       winbind separator = _
       winbind cache time = 10
       winbind uid = 10000-20000
       winbind gid = 10000-20000
       winbind enum users = yes
       winbind enum groups = yes
       . . .

    Nota: winbind enum users and groups must be set to yes for both pam
    and nss to work !!!

-c) the winbindd daemon is running,

-d) in the Win NT Domain we have a valid "test" user account.
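As an added example (not part of the original paper), the Python below decodes and builds the SASL PLAIN message that the sample server prints in step 5B as "recv: {n} id[0]id[0]password", and splits a DOMAIN_user id the way the separator note above requires. The [authzid] NUL authcid NUL passwd layout is RFC 4616's; the id NTDOM_test and the password used in the comments are constructed values.

```python
WINBIND_SEPARATOR = "_"   # "winbind separator = _" from the smb.conf extract above

def build_plain(authcid, passwd, authzid=""):
    """Return the raw PLAIN client message: [authzid] NUL authcid NUL passwd."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is the field separator; it cannot occur inside a field")
    return b"\0".join(f.encode("utf-8") for f in (authzid, authcid, passwd))

def parse_plain(message):
    """Split a raw PLAIN message into (authzid, authcid, passwd)."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected two NUL bytes, found {len(parts) - 1}")
    return tuple(p.decode("utf-8") for p in parts)

def parse_trace(line):
    """Decode a sample-server trace line such as 'recv: {32} NTDOM_test[0]NTDOM_test[0]testpasswd'
    (constructed): {n} is the byte count and [0] marks each NUL byte."""
    head, sep, body = line.partition("} ")
    if not sep or "{" not in head:
        raise ValueError("not a '{n} payload' trace line")
    declared = int(head.rsplit("{", 1)[1])
    raw = body.replace("[0]", "\0").encode("utf-8")
    if len(raw) != declared:
        raise ValueError(f"trace declares {declared} bytes but carries {len(raw)}")
    return parse_plain(raw)

def split_winbind_id(ident, sep=WINBIND_SEPARATOR):
    """Split 'DOMAIN<sep>user' as winbind will; reject '+' per the note above."""
    if "+" in ident:
        raise ValueError("'+' is ambiguous in a SASL id; use the winbind separator")
    domain, found, user = ident.partition(sep)
    if not (found and domain and user):
        raise ValueError(f"expected DOMAIN{sep}user, got {ident!r}")
    return domain, user
```

Because the trace carries the password itself, sample-server and saslauthd debug output has to be handled like the credential it contains.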
Step 5A) testing using testsaslauthd

-a) in the saslauthd directory compile the testsaslauthd program

   $ make testsaslauthd

-b) in /etc/pam.d create the saslauthd file containing

   #%PAM-1.0
   auth       required     /lib/security/pam_env.so
   auth       sufficient   /lib/security/pam_winbind.so
   auth       sufficient   /lib/security/pam_unix.so likeauth nullok use_first_pass
   auth       required     /lib/security/pam_deny.so
   account    sufficient   /lib/security/pam_winbind.so
   account    required     /lib/security/pam_unix.so
   password   required     /lib/security/pam_cracklib.so retry=3
   password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
   password   required     /lib/security/pam_deny.so
   session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
   session    required     /lib/security/pam_limits.so
   session    required     /lib/security/pam_unix.so

-c) start saslauthd

   $ ./saslauthd -a pam

-d) launch testsaslauthd with your test account in YOURWINDOWSDOMAIN

   $ testsaslauthd -u YOURWINDOWSDOMAIN_test -p testpasswd -s saslauthd
   0: OK "Success."

   Note the '_' separator between YOURWINDOWSDOMAIN and test

Step 5B) testing using sample server and client

The SASL sample will be used with the "sample" service name.

- a) create a /usr/lib/sasl/sample.conf file telling SASL to authenticate
     the sample service using PAM.
     This file contains one line

        pwcheck_method: saslauthd

- b) in the /etc/pam.d directory create a PAM configuration file named "sample"

   #%PAM-1.0
   auth       required     /lib/security/pam_env.so
   auth       sufficient   /lib/security/pam_winbind.so
   auth       sufficient   /lib/security/pam_unix.so likeauth nullok use_first_pass
   auth       required     /lib/security/pam_deny.so
   account    sufficient   /lib/security/pam_winbind.so
   account    required     /lib/security/pam_unix.so
   password   required     /lib/security/pam_cracklib.so retry=3
   password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
   password   required     /lib/security/pam_deny.so
   session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
   session    required     /lib/security/pam_limits.so
   session    required     /lib/security/pam_unix.so

- c) start saslauthd, if not yet running

   $ ./saslauthd -a pam

We are now ready to run the sample client and server applications,
authenticating as the "test" NT user.

In two separate X terminals run the cyrus sasl sample server and sample
client. Specify sample as the service name

- a) run the server and the client

term-1 (sample server):

   # ./server -s sample
   trying 10, 1, 6
   socket: Address family not supported by protocol
   trying 2, 1, 6

term-2 (sample client):

   Note the SASL mechanism in upper case on the command line

   # ./client -s sample -m PLAIN localhost

term-1 (sample server): displays

   accepted new connection
   send: {39} ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5

term-2 (sample client): displays

   receiving capability list... recv: {39} ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5
   ANONYMOUS PLAIN OTP DIGEST-MD5 CRAM-MD5
   please enter an authentication id:

term-2 (sample client): asks for authentication id, authorization id and
password.
Enter YOURWINDOWSDOMAIN_test for both ids. Note the '_' separator between
YOURWINDOWSDOMAIN and test

   please enter an authentication id: YOURWINDOWSDOMAIN_test
   please enter an authorization id: YOURWINDOWSDOMAIN_test
   Password:

term-1 (sample server): displays

   recv: {5} PLAIN
   recv: {1} Y
   recv: {41} YOURWINDOWSDOMAIN_test[0]YOURWINDOWSDOMAIN_test[0]testpasswd
   successful authentication 'YOURWINDOWSDOMAIN_test'
   closing connection

term-2 (sample client): displays

   send: {5} PLAIN
   send: {1} Y
   send: {41} YOURWINDOWSDOMAIN_test[0]YOURWINDOWSDOMAIN_test[0]testpasswd
   successful authentication
   closing connection

We now have an operational SASL (PLAIN, saslauthd) => PAM => PAM_WINBIND
=> NT domain PDC authentication mechanism.

Step 6 : compile and install OpenLDAP enabling cyrus SASL mechanism and SASL password
======================================================================================

--with-cyrus-sasl and --enable-spasswd

- in the openldap directory

   # ./configure --with-cyrus-sasl --enable-spasswd --enable-monitor
   # make depend
   # make
   # make test
   # make install

... more details in the OpenLDAP install file

Note: --enable-monitor is for tests on my server

Step 7 : configure SLAPD to use SASL PLAIN mechanism
====================================================

In OpenLDAP the parameter named sasl-secprops is by default
"noanonymous,noplain". So if you want PLAIN you should set it to "none".

On the LDAP client side SASL mechanisms are governed by the SASL_SECPROPS
parameter in the /usr/local/etc/openldap/ldap.conf file

   # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
   #
   # LDAP Defaults
   #
   # See ldap.conf(5) for details
   # This file should be world readable but not world writable.
   #BASE        dc=example, dc=com
   #URI         ldap://ldap.example.com ldap://ldap-master.example.com:666
   #SIZELIMIT   12
   #TIMELIMIT   15
   #DEREF       never
   SASL_SECPROPS   none

On the server side, SASL mechanisms are governed by the sasl-host,
sasl-realm and sasl-secprops parameters in the global configuration
options part of the slapd.conf file. Set sasl-secprops to "none" to clear
the default property flags ("noanonymous,noplain").

   ...
   #
   # S A S L secprops
   #
   sasl-secprops none
   ...

Step 8 : configure SASL pwcheck_method for the SLAPD service
============================================================

Create the /usr/lib/sasl2/slapd.conf file with this single line

   pwcheck_method: saslauthd

Step 9 : configure pam parameters for slapd service using pam_winbind
=====================================================================

In the /etc/pam.d directory create a file named "ldap" containing

   #%PAM-1.0
   auth       required     /lib/security/pam_env.so
   auth       sufficient   /lib/security/pam_winbind.so
   auth       sufficient   /lib/security/pam_unix.so likeauth nullok use_first_pass
   auth       required     /lib/security/pam_deny.so
   account    sufficient   /lib/security/pam_winbind.so
   account    required     /lib/security/pam_unix.so
   password   required     /lib/security/pam_cracklib.so retry=3
   password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
   password   required     /lib/security/pam_deny.so
   session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
   session    required     /lib/security/pam_limits.so
   session    required     /lib/security/pam_unix.so

Step 10 : Verify which SASL mechanisms are presented by slapd server
====================================================================

To see the SASL mechanisms supported by the server you can use the
ldapsearch command in two ways

-a) (Quick and dirty) use ldapsearch with the debug level set to 2; you
    will then see in the PDU trace which mechanisms are listed

   # /usr/local/bin/ldapsearch -d 2

-b) do an ldapsearch on the supportedSASLMechanisms attribute of the root DSE
   # /usr/local/bin/ldapsearch -x -L -s "base" -b "" supportedSaslMechanisms
   version: 1

   #
   # LDAPv3
   # filter: (objectclass=*)
   # requesting: supportedSaslMechanisms
   #

   #
   dn:
   supportedSASLMechanisms: ANONYMOUS
   supportedSASLMechanisms: PLAIN
   supportedSASLMechanisms: OTP
   supportedSASLMechanisms: DIGEST-MD5
   supportedSASLMechanisms: CRAM-MD5

   # search result

   # numResponses: 2
   # numEntries: 1

Step 10 : Make a LDAP query with the Win NT test user
=====================================================

   # /usr/local/bin/ldapsearch -L -b "dc=enic,dc=fr" \
         -U YOURWINDOWSDOMAIN_test -Y PLAIN "(objectclass=*)"
   SASL/PLAIN authentication started
   Please enter your password:
   SASL username: YOURWINDOWSDOMAIN_test
   SASL SSF: 0
   version: 1

   #
   # LDAPv3
   # filter: (objectclass=*)
   # requesting: ALL
   #
   ...

(note: in the above example replace -b "dc=enic,dc=fr" with the right base
of your server).

Step 11 : Securing clear-text password exchange (Need to be completed...)
=========================================================================

*** W A R N I N G ****

Clear-text password exchange (SASL PLAIN mode) should be avoided. SSL or
TLS (using OpenSSL) needs to be activated.

This paper needs to be completed !!!

===== oOo =====
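As an added example (not from the original paper), the Python below reads the supportedSASLMechanisms list that the Step 10 ldapsearch prints and the "SASL SSF: 0" line of the bind, and reports the condition the Step 11 warning is about: PLAIN offered and used without TLS or a SASL security layer. The SAMPLE_LDIF text is constructed to match the Step 10 output; the finding on ANONYMOUS follows from Step 7, where "none" replaces the default "noanonymous,noplain".

```python
import re

# Constructed sample: the LDIF ldapsearch prints for the root DSE query in Step 10.
SAMPLE_LDIF = """\
version: 1
# filter: (objectclass=*)
# requesting: supportedSaslMechanisms
dn:
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
# numEntries: 1
"""

# Mechanisms that carry the password in clear; these are what the default
# sasl-secprops "noplain" keeps off the list (LOGIN is PLAIN's older cousin).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_mechanisms(ldif):
    """Collect the supportedSASLMechanisms values from ldapsearch LDIF output."""
    pattern = re.compile(r"^supportedSASLMechanisms:\s*(\S+)", re.IGNORECASE)
    mechs = []
    for line in ldif.splitlines():
        m = pattern.match(line)
        if m:
            mechs.append(m.group(1).upper())
    return mechs

def parse_ssf(client_output):
    """Extract the 'SASL SSF: n' value printed after a SASL bind; None if absent."""
    m = re.search(r"^SASL SSF:\s*(\d+)", client_output, re.MULTILINE)
    return int(m.group(1)) if m else None

def audit(mechs, ssf, tls=False):
    """Findings for the Step 11 warning: clear-text mechanisms are acceptable
    only when the session is wrapped in TLS/SSL or has a SASL SSF above 0."""
    findings = []
    protected = tls or (ssf is not None and ssf > 0)
    for mech in mechs:
        if mech in CLEARTEXT_MECHS and not protected:
            findings.append(f"{mech}: password crosses the wire in clear (SSF {ssf}, no TLS)")
    if "ANONYMOUS" in mechs:
        findings.append("ANONYMOUS: sasl-secprops 'none' also drops 'noanonymous'")
    return findings
```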