Bareos LDAP-Authentication on Bareos WebUI & bconsole


stefan....@harnet.de

Jul 29, 2023, 6:15:36 AM
to bareos-users
Hello,
I'm using Bareos version 22.1.1 and trying to set up authentication via LDAP. I'm trying to log in with the LDAP user "stefan.harbich". Unfortunately without success. Here are my configuration changes:
...
root@dsme01:~# cat /etc/pam.d/bareos
auth       required     pam_unix.so
## auth       required     pam_sss.so
account    required     pam_unix.so
account    required     pam_permit.so
...
root@dsme01:~# cat /etc/bareos/bconsole.conf
#
# Bareos User Agent (or Console) Configuration File
#
Director {
  Name = bareos-dir
##   address = localhost
  address = bareos.intern.example.com
  Password = "gYl8UCe/4EnxFfsBdW5dzzWads+#############+###"
  Description = "Bareos Console credentials for local Director"
}
...
root@dsme01:~# cat /etc/bareos/bareos-dir.d/console/pam-console.conf
Console {
  Name = "bareos-dir"
  Password = "gYl8UCe/4EnxFfsBdW5dzzWads+#############+###"
  UsePamAuthentication = yes
}
...
root@dsme01:~# cat /etc/bareos/bareos-dir.d/user/stefan.harbich.conf
User {
   Name = "stefan.harbich"
   CommandACL = status, .status
   JobACL = *all*
}
...
I added the user bareos to the root group.
Do you have any tips for me on what else I can check?

Greetings from Stefan Harbich

Jörg Steffens

Jul 31, 2023, 5:57:14 AM
to bareos...@googlegroups.com
On 29.07.23 at 12:15, stefan....@harnet.de wrote:
Have you seen the hints from
https://github.com/bareos/bareos/tree/master/contrib/misc/bareos_pam_integration
?
It explains how to test the PAM configuration only by using pamtester as
user bareos, instead of using the Bareos daemons.

Regards,
Jörg

--
Jörg Steffens joerg.s...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221 630693-0
https://www.bareos.com Fax: +49 221 630693-10

Registered office: Köln | Amtsgericht Köln: HRA 29646
General partner: Bareos Verwaltungs-GmbH
Managing directors: Stephan Dühr, Jörg Steffens, Philipp Storz


Jörg Steffens

Jul 31, 2023, 9:14:34 AM
to bareos...@googlegroups.com
As a colleague just pointed out, at least in bareos-21, there had been a
bug/crash when used without (empty) credentials, see
https://bugs.bareos.org/view.php?id=1446

Regards,
Jörg
--
Jörg Steffens joerg.s...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221 630693-91

Andreas Rogge

Aug 3, 2023, 8:26:10 AM
to bareos...@googlegroups.com
On 29.07.23 at 12:15, stefan....@harnet.de wrote:
> root@dsme01:~# cat /etc/pam.d/bareos
> auth       required     pam_unix.so
> ## auth       required     pam_sss.so
> account    required     pam_unix.so
> account    required     pam_permit.so
> ...

pam_unix.so will usually require read access to /etc/shadow, you
mentioned that you added bareos to the "root" group. However, on
Fedora/RHEL this doesn't seem to do a thing and on Debian the required
group is called "shadow" instead.

Long story short: make sure the bareos director can read /etc/shadow or
- if you want LDAP - don't try setting up pam_unix first, because it
usually requires root privileges in the process calling PAM.

Best Regards,
Andreas

--
Andreas Rogge andrea...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221-630693-86
http://www.bareos.com
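
The pam_unix.so and /etc/shadow dependency described in the reply above can be checked statically before involving the Bareos daemons. The following is an added example, not code from any poster in this thread or from the Bareos project: it lists the active modules of a PAM service file and flags pam_unix.so in the auth stack when the invoking user cannot read the shadow file. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the active (non-comment) modules of one PAM type, in stack order.
pam_modules() {  # $1 = service file, $2 = type (auth, account, ...)
    awk -v t="$2" '
        /^[[:space:]]*#/ || NF < 3 { next }    # comments, blanks, @include lines
        { type = $1; sub(/^-/, "", type) }     # a leading "-" only silences a missing module
        type == t {
            mod = $3
            if ($2 ~ /^\[/)                    # bracketed control, e.g. [success=1 default=ignore]
                for (i = 2; i < NF; i++)
                    if ($i ~ /\]$/) { mod = $(i + 1); break }
            print mod
        }' "$1"
}

# Return 0 if the auth stack looks usable by the current user, 1 if it
# contains pam_unix.so while the shadow file is unreadable, 2 if it is empty.
check_pam_service() {  # $1 = service file, $2 = shadow file (default /etc/shadow)
    shadow=${2:-/etc/shadow}
    mods=$(pam_modules "$1" auth)
    if [ -z "$mods" ]; then
        echo "no active auth modules in $1"
        return 2
    fi
    if echo "$mods" | grep -qx 'pam_unix.so' && [ ! -r "$shadow" ]; then
        echo "pam_unix.so is in the auth stack, but $(id -un) cannot read $shadow"
        return 1
    fi
    echo "auth stack: $(echo "$mods" | tr '\n' ' ')"
}

# Stand-alone use: sh check_pam.sh /etc/pam.d/bareos   (run as user bareos)
if [ $# -ge 1 ]; then
    check_pam_service "$@"
fi
```

Run it as the bareos user so that the readability test reflects what the Director process sees; the live counterpart is the pamtester run mentioned earlier in the thread, which takes its arguments as `pamtester <service> <user> authenticate`.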