Is there any instruction to setup LDAP auth?


Jielun Cai

Oct 9, 2012, 11:33:31 PM10/9/12
to irod...@googlegroups.com
Hi,

    The description of PAM/LDAP Authentication/Authorization seems to include too little detail, and I am still confused by some questions.
  1.     Can the new iRODS (3.2) add a user to LDAP just by "iadmin mkuser", or do administrators have to do that manually via other LDAP clients?
  2.     Can a user in LDAP directly connect to iRODS? In other words, can iRODS create a user in the ICAT and a user-specific collection for a newly logged-in user (a user in LDAP) without human intervention?
    Is there any document that demonstrates instructions to set up LDAP authentication? Any help would be greatly appreciated.

Thanks in advance

Jielun Cai

Wayne Schroeder

Oct 10, 2012, 8:38:05 AM10/10/12
to iROD-Chat
Hello,

In addition to the item in the release notes, we have 3 pages on
irods.org describing PAM: the "PAM/LDAP Authentication/Authorization"
page, the "PAM_Authentication" page, and "PAM_SSL_Setup". There are
links between these. The release notes link to "PAM_Authentication"
which is a good place to start. If you've read all three and still
have unanswered questions, we can update the pages.

Currently, for LDAP users the admin runs 'iadmin mkuser' to create the
user accounts in iRODS. For LDAP, the admin does not need to run
'iadmin moduser password' to set the iRODS password for the user as
the LDAP password is used. The user needs to select PAM as the
authentication method as described in PAM_Authentication.

- Wayne -

On Oct 9, 8:33 pm, Jielun Cai <case3...@gmail.com> wrote:
> Hi,
>
>     Description of PAM/LDAP Authentication/Authorization seems like too
> little detail included, i am still confused by some questions.
>
>    1.     Can new irods(3.2) add user to LDAP just by "iadmin mkuser" or
>    administrators have to do that manually via other LDAP clients?
>    2.     Is user in LDAP can directly connect to irods? In other words, if

Chris Smith

Oct 10, 2012, 12:50:54 PM10/10/12
to irod...@googlegroups.com
I've updated the PAM_Authentication wiki page, as it was not clear
that this step is required.

-- Chris
> --
> "iRODS: the Integrated Rule-Oriented Data-management System; A community driven, open source, data grid software solution" https://www.irods.org
>
> iROD-Chat: http://groups.google.com/group/iROD-Chat

Jielun Cai

Oct 15, 2012, 3:48:06 AM10/15/12
to irod...@googlegroups.com, ch...@distributedbio.com
It seems that I still can't make LDAP auth work correctly via PAM.
I already set pam=1 and ssl=1 and ran make, and set up PAM and SSL according to the instructions.
The problem is I don't know how to make iRODS communicate with a remote LDAP server. Are there any other libs/components that should be installed?
Does PAM work as a client of LDAP, or can it invoke an LDAP client to finish the challenges?

I am sorry to bother you so much, BUT it is really not easy to google something that specific.

Any of your reply will be highly appreciated.

Harri Jäälinoja

Oct 15, 2012, 5:42:58 AM10/15/12
to irod...@googlegroups.com
Hi Jielun,

here are some things for making it work on RedHat5:

1. install development package for PAM (I think I needed this for
compiling the PAM support)
yum install pam-devel

2. register irods as a service/application that uses PAM
- see for example
http://debian.securedservers.com/kernel/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-directory.html

- here is my configuration file:
[root@lmu-omero1 ~]# cat /etc/pam.d/irods
auth required pam_warn.so
auth required pam_ldap.so
account required pam_warn.so
account required pam_ldap.so

-adding pam_warn.so is just for debugging, there will be log events in
/var/log/secure.
- specifying pam_ldap.so makes PAM actually use LDAP for iRODS

3. configure LDAP connection for PAM
- this was already set up for me by the IT department, so I didn't have
to do anything
- on my system, the configuration file is /etc/pam_ldap.conf

In addition to this, I followed the instructions in iRODS documentation.

I hope this helps,
Harri

On 15/10/12 10:48, Jielun Cai wrote:
> It seems that I still can`t make LDAP auth work correctly via PAM.
> I already set pam=1 and ssl =1 and run make. and set pam ssl according
> to the instruction.
> Problem is i don`t know how to make irods communicate with a remote LDAP
> server, Is there any other libs/components should be installed?
> Is PAM work as a client of LDAP or it can invoke a LDAP client to finish
> challenges.
>
> I am sorry to bother you so much, BUT it is really not easy to google
> something that specific.
>
> Any of your reply will be highly appreciated.
>
> On Thursday, October 11, 2012 12:50:55 AM UTC+8, Chris Smith wrote:
>
> I've updated the PAM_Authentication wiki page, as it was not clear
> that this step is required.
>
> -- Chris
>
> On Wed, Oct 10, 2012 at 5:38 AM, Wayne Schroeder <w.sch...@gmail.com> wrote:
> > Hello,
> >
> > In addition to the item in the release notes, we have 3 pages on
> > irods.org <http://irods.org> describing PAM: the "PAM/LDAP
> <http://groups.google.com/group/iROD-Chat>


--
__________________________________________________
Harri Jäälinoja
Light Microscopy Unit
Institute of Biotechnology, University of Helsinki
http://www.biocenter.helsinki.fi/bi/lmu/
+358 9 191 59370 fax +358 9 191 59366
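Harri's tip of adding pam_warn.so to the irods service is the quickest way to see whether iRODS is actually reaching PAM, and for which user, because every call then leaves a line in /var/log/secure. The script below is an added example for this thread, not code from iRODS or from any of the posts: it parses those pam_warn entries, groups them by PAM stack and user, and ties a pam_ldap bind error back to the user the same process was authenticating. The log lines in SAMPLE_SECURE_LOG are constructed (host, users, PIDs and the LDAP DN are made up); their layout mirrors what pam_warn.so and pam_ldap.so normally write.

```python
"""Confirm that a PAM service is really being consulted by parsing the
pam_warn.so entries it leaves in syslog (/var/log/secure on RHEL 5/6).

Added example; not part of iRODS or of any post in the thread. The log
lines below are constructed samples."""
import re
from collections import defaultdict

SAMPLE_SECURE_LOG = """\
Oct 15 10:12:01 lmu-host PamAuthCheck[4021]: pam_warn(irods:auth): function=[pam_sm_authenticate] service=[irods] terminal=[<unknown>] user=[alice] ruser=[<unknown>] rhost=[<unknown>]
Oct 15 10:12:01 lmu-host PamAuthCheck[4021]: pam_warn(irods:account): function=[pam_sm_acct_mgmt] service=[irods] terminal=[<unknown>] user=[alice] ruser=[<unknown>] rhost=[<unknown>]
Oct 15 10:12:07 lmu-host PamAuthCheck[4030]: pam_warn(irods:auth): function=[pam_sm_authenticate] service=[irods] terminal=[<unknown>] user=[bob] ruser=[<unknown>] rhost=[<unknown>]
Oct 15 10:12:07 lmu-host PamAuthCheck[4030]: pam_ldap: error trying to bind as user "uid=bob,ou=people,dc=example,dc=org" (Invalid credentials)
Oct 15 10:13:15 lmu-host sshd[4101]: pam_warn(sshd:auth): function=[pam_sm_authenticate] service=[sshd] terminal=[ssh] user=[carol] ruser=[<unknown>] rhost=[10.0.0.5]
"""

# "Mon DD HH:MM:SS host prog[pid]: message" -- the classic syslog line shape.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# pam_warn(service:stack): function=[...] service=[...] terminal=[...] user=[...] ruser=[...] rhost=[...]
PAM_WARN_RE = re.compile(
    r"pam_warn\((?P<service>[^:)]+):(?P<stack>[a-z]+)\): "
    r"function=\[(?P<function>[^\]]+)\] service=\[[^\]]*\] "
    r"terminal=\[(?P<terminal>[^\]]*)\] user=\[(?P<user>[^\]]*)\] "
    r"ruser=\[(?P<ruser>[^\]]*)\] rhost=\[(?P<rhost>[^\]]*)\]")

# pam_ldap's bind failure message, as it usually appears in syslog.
LDAP_BIND_ERR_RE = re.compile(
    r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)')


def parse_line(line):
    """Return a dict for a pam_warn or pam_ldap bind-error line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    w = PAM_WARN_RE.search(rec["msg"])
    if w:
        rec.update(w.groupdict())
        rec["kind"] = "pam_warn"
        return rec
    b = LDAP_BIND_ERR_RE.search(rec["msg"])
    if b:
        rec.update(b.groupdict())
        rec["kind"] = "ldap_bind_error"
        return rec
    return None


def pam_events(text, service):
    """All pam_warn records for one PAM service (the file name under /etc/pam.d)."""
    return [r for r in map(parse_line, text.splitlines())
            if r and r["kind"] == "pam_warn" and r["service"] == service]


def stack_counts(text, service):
    """{stack: {user: count}}: which stacks (auth, account, ...) the service
    reached, and for whom. Whether an account stack shows up at all depends
    on what the calling program asks PAM for."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in pam_events(text, service):
        counts[r["stack"]][r["user"]] += 1
    return {stack: dict(users) for stack, users in counts.items()}


def ldap_bind_failures(text):
    """(pid, dn, reason) for every pam_ldap bind error in the log."""
    return [(int(r["pid"]), r["dn"], r["reason"])
            for r in map(parse_line, text.splitlines())
            if r and r["kind"] == "ldap_bind_error"]


def failed_users(text, service):
    """Users of `service` whose authenticating process also logged an LDAP
    bind error: the pam_warn line and the pam_ldap line share a PID."""
    pid_to_user = {int(r["pid"]): r["user"]
                   for r in pam_events(text, service) if r["stack"] == "auth"}
    return sorted({pid_to_user[pid] for pid, _, _ in ldap_bind_failures(text)
                   if pid in pid_to_user})


if __name__ == "__main__":
    print("irods stacks reached:", stack_counts(SAMPLE_SECURE_LOG, "irods"))
    print("irods users with LDAP bind failures:", failed_users(SAMPLE_SECURE_LOG, "irods"))
```

On a real host, read /var/log/secure instead of the constructed sample and filter on the service name you registered under /etc/pam.d; an empty result for "irods" while sshd events keep appearing means iRODS never got as far as PAM, which separates a build or configuration problem on the iRODS side from an LDAP problem.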

Schulz

Nov 12, 2012, 2:55:03 PM11/12/12
to irod...@googlegroups.com

Hello,

Has anyone got an example of an /etc/pam.d/irods config file for RHEL 6?

Thanks,
Willi


Chris Smith

Nov 12, 2012, 6:38:45 PM11/12/12
to irod...@googlegroups.com
Does the pam library not fall back to the system-auth when the irods
pam config file isn't found (I normally use Debian and variants, so
don't know the default behaviour offhand)? Or are you looking to have
specific configuration for iRODS? You should be able to just copy the
'auth' lines from another working configuration and use those. Only
the authentication part of PAM is used in iRODS.

-- Chris

Schulz, William

Nov 13, 2012, 2:59:25 PM11/13/12
to irod...@googlegroups.com
Thanks, Chris.

I've been testing with PamAuthCheck and tried different permutations of the possible commands, especially with auth. With some I can get an authentication, but they all follow with a segfault.

Poking at one core dump I saw (with debug flag):

$ ./PamAuthCheck userid
**********
nb=10
retval 1=0
retval 2=0
Authenticated
Segmentation fault (core dumped)

Retvals one and two are pam_start and pam_authenticate

$ gdb PamAuthCheck core.14144
...
(gdb) bt
#0 0x000000000089e808 in ?? ()
#1 0x0000003f5a8026cc in ?? () from /lib64/libpam.so.0
#2 0x0000003f5a80318d in pam_end () from /lib64/libpam.so.0
#3 0x0000000000400b7a in main (argc=2, argv=0x7fff0a863c08) at PamAuthCheck.c:107

Where line 107 is trying to end the session:

if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */

Chris Smith

Nov 13, 2012, 7:49:30 PM11/13/12
to irod...@googlegroups.com
I can't reproduce the core dump unfortunately, and my line 107 is one
line below the line you indicate. Did you have to make any changes to
PamAuthCheck.c?

Can you show me what your '/etc/pam.d/irods' file looks like? Mine has
this (CentOS 6):

centos6-build:/etc/pam.d> cat irods
#%PAM-1.0
auth include password-auth
account include password-auth

-- Chris

Schulz, William

Nov 14, 2012, 3:51:13 PM11/14/12
to irod...@googlegroups.com
Thanks, Chris,

Using RHEL 6.3/2.6.32-279.5.2.el6.x86_64, it segfaults with password-auth, too.

#%PAM-1.0
auth include system-auth
account include system-auth
#password include system-auth
#session include system-auth

I didn't mod the source, except for a print line, so it was off by one :)

I'm going to try on a dev CentOS box here as well.

Willi

Wayne Schroeder

Dec 17, 2012, 11:53:04 AM12/17/12
to iROD-Chat
Hello,

'iadmin mkuser' does not add a user to LDAP, it adds a user to iRODS.
But if the user is in LDAP, the iadmin can create the user in iRODS
via 'iadmin mkuser' which will create the user's home collection and,
on LDAP/PAM enabled iRODS systems, the user will be able to log into
iRODS via LDAP. iRODS is using standard LDAP authentication system
via PAM, so you should refer to other documentation on LDAP.

- Wayne -

On Dec 15, 1:55 pm, dhiraj nerkar <iamrickyb...@gmail.com> wrote:
> On Wednesday, October 10, 2012 9:03:31 AM UTC+5:30, Jielun Cai wrote:
>
> > Hi,
>
> >     Description of PAM/LDAP Authentication/Authorization seems like too
> > little detail included, i am still confused by some questions.
>
> >    1.     Can new irods(3.2) add user to LDAP just by "iadmin mkuser" or
> >    administrators have to do that manually via other LDAP clients?
> >    2.     Is user in LDAP can directly connect to irods? In other words,

sai balu

Feb 14, 2013, 5:59:28 PM2/14/13
to irod...@googlegroups.com, wsc...@email.unc.edu
Was the issue with PamAuthCheck segfaulting ever resolved?
I am running into this problem when I am using PAM to pam_krb5.so. It works when I do PAM to pam_ldap.so.

Schulz, William

Feb 15, 2013, 1:29:09 PM2/15/13
to sai balu, irod...@googlegroups.com

Hello Sai,

It’s working for me after some slight modifications (or horrible hacking, to be more precise ;) to iRODS/server/auth/srcPamAuthCheck.c

Glad you brought this back up, so we can get a better solution than mine from the devs and community. I just changed it to always set the handle to null, like so:

/* original pam_end() call, now commented out */
/*
    if (pam_end(pamh,retval) != PAM_SUCCESS) {
        pamh = NULL;
        fprintf(stderr, "PamAuthCheck: failed to release authenticator\n");
        exit(5);
    }
*/

    /* the handle is dropped without releasing it, so the library never gets to clean up */
    pamh = NULL;

    /* retval is still the result of pam_authenticate */
    if( retval == PAM_SUCCESS ){
        fprintf(stdout, "Success\n");
        fprintf(stdout, "retval was %d\n", retval);
        exit(EXIT_SUCCESS);
    }else{
        fprintf(stdout, "Failed\n");
        fprintf(stdout, "retval was %d\n", retval);
        exit(EXIT_FAILURE);
    }

And the def file is like this:

#%PAM-1.0
auth            include         system-auth
account         include         system-auth

Thanks,

Bill


schr...@diceresearch.org

Feb 15, 2013, 3:09:56 PM2/15/13
to irod...@googlegroups.com, sai balu
Hello,

It's difficult to know what would fix this segfault problem and also be correct for all PAM libraries.  We based the PamAuthCheck.c on some examples we found, so it seems reasonable that the pam_end is needed and/or good in at least some situations.  So if we just skip the pam_end and/or just set the pam-handle to null, that might not be the right approach in all cases.  I'm surprised this PAM library is returning a success from the pam_start (if it weren't PamAuthCheck would exit), yet with a returned pamh that is somehow bad.  You might check the pamh pointer value after pam_start and see if it's been modified before the pam_end call.  If that's OK, it might be a bug in this particular PAM library.

 - Wayne -


Saianand Balu

Feb 15, 2013, 4:16:49 PM2/15/13
to Schulz, William, irod...@googlegroups.com
Bill,
Thanks. That resolved my problem. Let me know if a better solution comes up and I will use it.
My /etc/pam.d/irods is same as yours.
I am listing, my /etc/pam.d//system-auth below. PamAuthCheck used to segfault only when i use pam_krb5.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so


Saianand Balu

Feb 18, 2013, 6:29:43 PM2/18/13
to Schulz, William, irod...@googlegroups.com
All, I spoke too soon. Even after I changed PamAuthCheck.c as per Bill's reply, I am getting a segmentation fault for certain users and passwords when the authentication goes to pam_krb5.so. It works for everyone if they use pam_ldap.so (my system-auth uses LDAP auth, Kerberos auth and local auth).

Also, the dump file directory gets deleted due to "corruption"...the /var/log/messages is below

Saved core dump of pid 29538 (/export/home/irods_lccc/iRODS/server/bin/PamAuthCheck) to /var/spool/abrt/ccpp-2013-02-18-18:13:07-29538 (1187840 bytes)
Feb 18 18:13:07 fujitsu abrtd: Executable '/export/home/irods_lccc/iRODS/server/bin/PamAuthCheck' doesn't belong to any package
Feb 18 18:13:07 fujitsu abrtd: 'post-create' on '/var/spool/abrt/ccpp-2013-02-18-18:13:07-29538' exited with 1
Feb 18 18:13:07 fujitsu abrtd: Corrupted or bad directory /var/spool/abrt/ccpp-2013-02-18-18:13:07-29538, deleting


Any ideas? 

Sai

2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux




Chris Smith

Feb 18, 2013, 10:31:27 PM2/18/13
to irod...@googlegroups.com
Are you able to successfully authenticate using pam_krb5.so some other
way (e.g. via a password login in ssh, or by using sudo)? Is this
segfault coming when you run PamAuthCheck from the command-line, or is
this when iRODS is running it? Are there any other kerberos related
messages in the system logs?

Which Linux distribution and version are you using?

-- Chris

Saianand Balu

Feb 19, 2013, 8:38:24 AM2/19/13
to irod...@googlegroups.com

uname -a
Linux fujitsu.bioinf.unc.edu 2.6.32-279.2.1.el6.x86_64 #1 SMP Fri Jul 20 01:55:29 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Yes, users are able to ssh using their kerberos password to the server.

Yes, it segfaults when PamAuthCheck runs on the command line. As of now it segfaults only for Kerberos
authentication. It works if an LDAP password or local password is provided (this server supports 3 types of authentication through PAM: local/unix, LDAP and krb5).

/var/log/messages shows the program PamAuthCheck is "core dumping". But the core does not get created due to abrtd stating it is a corrupted or bad directory.

Here is a snippet from /var/log/messages for one of the failures

kernel: PamAuthCheck.di[14779] general protection ip:352ef3259f sp:7fff58c08028 error:0 in libc-2.12.so[352ee00000+189000]
Feb 19 08:11:21 fujitsu abrt[14783]: Saved core dump of pid 14779 (/tmp/PamAuthCheck.distribution) to /var/spool/abrt/ccpp-2013-02-19-08:11:20-14779 (1040384 bytes)
Feb 19 08:11:21 fujitsu abrtd: Directory 'ccpp-2013-02-19-08:11:20-14779' creation detected
Feb 19 08:11:21 fujitsu abrtd: Executable '/tmp/PamAuthCheck.distribution' doesn't belong to any package
Feb 19 08:11:21 fujitsu abrtd: 'post-create' on '/var/spool/abrt/ccpp-2013-02-19-08:11:20-14779' exited with 1
Feb 19 08:11:21 fujitsu abrtd: Corrupted or bad directory /var/spool/abrt/ccpp-2013-02-19-08:11:20-14779, deleting


Saianand Balu

Feb 19, 2013, 10:35:24 AM2/19/13
to irod...@googlegroups.com
Chris,

If this helps, pamtester available at http://pamtester.sourceforge.net/ works...I have not had a chance to look at the source code yet.

Sai

Saianand Balu

Feb 19, 2013, 12:36:28 PM2/19/13
to irod...@googlegroups.com
ok, If I set my /etc/pam.d/irods to the following it works. Is this a reasonable setting?


auth        required      pam_env.so
auth        sufficient    pam_unix.so
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

Chris Smith

Feb 19, 2013, 1:07:56 PM2/19/13
to irod...@googlegroups.com
I think that all the pam_succeed_if line is doing is failing if the
user is not in the passwd file, and the uid is 500 or less (typically
a system account). I don't imagine removing this line would be a
problem assuming your kerberos or ldap user databases don't have any
users with uids 500 or less (or you may be giving an non-system
account user rights to a system account).

I would also check the man pages for the modules you are
changing/removing to see if there are any implications for your
changes (e.g. is it ok to remove 'nullok' from pam_unix.so?).

-- Chris

Chris Smith

Feb 19, 2013, 1:09:02 PM2/19/13
to irod...@googlegroups.com
What distribution are you using? uname -a doesn't give any of that
information. If you let me know the distribution and version, I'll try
to reproduce the error. I've successfully run the pam authentication
on CentOS 6, but I used sssd vs ldap/krb5.

-- Chris

Saianand Balu

Feb 19, 2013, 1:38:52 PM2/19/13
to irod...@googlegroups.com
Chris:

() cat /etc/redhat-release 
CentOS release 6.3 (Final)

() we are not running sssd.
I don't mind running it under sssd. Can you send me the relevant configuration?

Sai

Saianand Balu

Feb 19, 2013, 2:00:14 PM2/19/13
to irod...@googlegroups.com
Chris,
It turned out that removing nullok from pam_unix.so for the irods service resolved my problem.
Since I am not changing system-auth, I am hoping nullok will not affect that configuration.

my /etc/pam.d/irods is now as follows and works for kerberos and ldap.


# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so 
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
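Chris's two points earlier in the thread (what the pam_succeed_if uid line is guarding, and checking the man page before dropping an option such as nullok) and Sai's trimmed /etc/pam.d/irods are the kind of thing a small linter can catch before a service file goes live. The script below is an added example for this thread, not iRODS code and not from any post: it parses a pam.d service file, including the bracketed [default=bad ...] control syntax, and reports a few findings about the auth stack. The two embedded configurations are taken from the thread (the auth and account part of Sai's system-auth, and his first trimmed irods file); the choice of checks and their names are this example's own.

```python
"""Lint an /etc/pam.d service file of the kind discussed in this thread.

Added example; not iRODS code and not from any post. The embedded
configurations are copied from the thread; the checks are this
example's own choices."""
import re

# Sai's system-auth, auth and account stacks only (from the thread).
SYSTEM_AUTH_STYLE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
"""

# Sai's first trimmed /etc/pam.d/irods (from the thread).
TRIMMED_IRODS = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

# Modules that authenticate against a directory rather than local files.
NETWORK_MODULES = {"pam_ldap.so", "pam_krb5.so", "pam_sss.so"}

# type  control  module [args...]; control is a keyword or a [..] action list.
LINE_RE = re.compile(
    r"^(?P<type>-?auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$")


def parse_pam_service(text):
    """Return a list of {'type', 'control', 'module', 'args'} entries,
    skipping comments and blank lines; raise on a line PAM would not accept."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        e = m.groupdict()
        e["type"] = e["type"].lstrip("-")   # leading '-' only silences load errors
        e["args"] = e["args"].split()
        entries.append(e)
    return entries


def audit(text):
    """Return (code, message) findings about the service file."""
    entries = parse_pam_service(text)
    auth = [e for e in entries if e["type"] == "auth"]
    findings = []
    if not auth:
        return [("NO_AUTH", "no auth entries: nobody can authenticate through this service")]
    # nullok makes pam_unix.so accept an account whose password field is empty.
    for e in auth:
        if e["module"] == "pam_unix.so" and "nullok" in e["args"]:
            findings.append(("NULLOK", "pam_unix.so accepts empty passwords (nullok)"))
    # Fail closed: the last auth line should be a required/requisite pam_deny.so.
    last = auth[-1]
    if not (last["module"] == "pam_deny.so" and last["control"] in ("required", "requisite")):
        findings.append(("NO_DENY", "auth stack does not end in a required pam_deny.so"))
    # A uid guard ahead of the directory modules keeps system accounts (uid below
    # the threshold) from being authenticated against LDAP/Kerberos at all.
    guard_seen = False
    for e in auth:
        if e["module"] == "pam_succeed_if.so" and "uid" in e["args"]:
            guard_seen = True
        elif e["module"] in NETWORK_MODULES and e["control"] == "sufficient" and not guard_seen:
            findings.append(("NO_UID_GUARD",
                             "%s is sufficient with no pam_succeed_if uid guard before it" % e["module"]))
    # Without an account stack this file never rejects expired or locked accounts.
    if not any(e["type"] == "account" for e in entries):
        findings.append(("NO_ACCOUNT", "no account stack: expiry and lockout are never checked"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("system-auth", SYSTEM_AUTH_STYLE), ("irods (trimmed)", TRIMMED_IRODS)):
        print(name)
        for code, msg in audit(cfg) or [("OK", "no findings")]:
            print("  %-13s %s" % (code, msg))
```

Run it against the real file with `audit(open("/etc/pam.d/irods").read())`; a file that only contains `include` lines shows nothing useful on its own, so feed it the included stack (system-auth or password-auth) as well. The NO_UID_GUARD finding on the trimmed file is exactly the line Chris pointed at, and the NULLOK finding on system-auth is the option Sai ended up dropping for the irods service.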

Chris Smith

Feb 19, 2013, 5:50:06 PM2/19/13
to irod...@googlegroups.com
Cool … I'm glad to hear it!

-- Chris