Hi everyone!

I've configured several Linux devices (Debian 7/8 and Ubuntu 16.04) to work with the LDAP server in ClearOS. However, while it works using ClearOS 5, with ClearOS 7.2 it does not.

In ClearOS 7.2, I configured LDAP (installing OpenLDAP from the Marketplace) by editing the settings and policies in Server - Directory - Directory Server. This part is quite similar to ClearOS 5.

After that, I added some users and groups from System - Accounts - Groups/Users. This is different from ClearOS 5, where LDAP users/groups were added in Directory - Accounts - Users/Groups. Am I doing it properly? Because I don't really know if these users are LDAP users or just system users, but I can't find any other way to do it. Also, I find it quite strange that, in System - Account Manager, where it says "The Account Manager manages the underlying accounts system system, as well as provides an overview of installed plugins and extensions for users and groups.", I can't see anything... just "No data available in table" in the Plugins section and "Windows Networking" in the Extensions section, but I can't do anything. Is it okay?

As for Linux clients, I installed libnss-ldap and libpam-ldap and modified some files such as /etc/ldap/ldap.conf, /etc/libnss-ldap.conf, /etc/nsswitch.conf, /etc/pam.d/common-password and /etc/pam.d/common-session.

/etc/ldap/ldap.conf:

#
# LDAP Defaults
#

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
/etc/libnss-ldap.conf, commenting line 53:

#rootbinddn cn=manager,cn=internal,dc=example,dc=com
/etc/nsswitch.conf: (adding "ldap" in passwd, group, shadow)
passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
/etc/pam.d/common-password, adding:

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
/etc/pam.d/common-session, adding:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
So, when I run “getent passwd” I should see both system users and LDAP users. This works great with ClearOS 5, where I can see the full list of users, and I can reboot the Linux machine and log in with an LDAP user, creating its home directory and so on. However, with ClearOS 7.2, LDAP users are not shown in “passwd”, so it isn’t possible to log in with these users. ldapsearch displays results in both cases.

I looked at the LDAP log and it can be seen that the server receives the requests and that the manager user and its password are correct, but it suddenly stops the connection (unbind). I thought I was doing something wrong on the client side, but it is quite strange, since it works for Debian 7 and 8 and Ubuntu 16.04 with ClearOS 5 but it doesn’t with ClearOS 7.2.

To sum up, ClearOS 7.2 doesn’t provide its LDAP users to the Linux client. Is it maybe a new security measure? Or am I doing something wrong? Did anyone have the same problem? I’ve been working on this for several weeks and I don’t know what to do or how to go on, because I can't find anything on the Internet. I’d really appreciate your help.

Thanks in advance!
Friday, July 15 2016, 06:40 AM
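An added client-side check script (example code, not from this thread or from ClearOS) for the symptom described above: it verifies that nsswitch.conf routes passwd/group/shadow through ldap, tests whether port 389 or 636 is reachable, and lists the posixAccount uids that ldapsearch returns but getent passwd does not. LDAP_HOST and BASE_DN are assumed placeholders.

```shell
#!/bin/bash
# Added example, not from the thread: client-side checks for the symptom
# "ldapsearch returns users but getent passwd does not". LDAP_HOST and
# BASE_DN are assumed placeholders; set them for your ClearOS server.
LDAP_HOST="${LDAP_HOST:-ldap.example.lan}"
BASE_DN="${BASE_DN:-dc=example,dc=lan}"

# 1. nsswitch.conf must list "ldap" for passwd, group and shadow. Prints the
#    databases that lack it; returns 0 only when all three have it.
check_nsswitch() {
    local file="${1:-/etc/nsswitch.conf}" db rc=0
    for db in passwd group shadow; do
        if ! grep -Eq "^[[:space:]]*${db}:([[:space:]]|.*[[:space:]])ldap([[:space:]]|$)" "$file"; then
            echo "nsswitch: '$db' does not list ldap"; rc=1
        fi
    done
    return $rc
}

# 2. Is the port the client is configured for reachable? 389 = LDAP, 636 = LDAPS;
#    the ClearOS publish policy and firewall decide which one is open.
check_port() {
    if command -v nc >/dev/null 2>&1; then nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null; fi
}

# 3. uid values from ldapsearch LDIF on stdin, one per line, sorted.
extract_uids() { awk '$1 == "uid:" { print $2 }' | sort; }

# 4. Lines of $1 (newline-separated) that do not appear in $2.
list_diff() {
    printf '%s\n' "$1" | awk -v have="$2" \
        'BEGIN { n = split(have, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
         $0 != "" && !($0 in seen)'
}

# 5. Accounts the directory publishes that NSS never shows. A non-empty list
#    means the directory answers but the libnss-ldap lookup path does not.
missing_from_nss() {
    local ldap_users nss_users
    ldap_users=$(ldapsearch -x -LLL -H "$1" -b "$BASE_DN" '(objectClass=posixAccount)' uid | extract_uids)
    nss_users=$(getent passwd | cut -d: -f1 | sort)
    list_diff "$ldap_users" "$nss_users"
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then   # RUN_CHECKS=1 ./ldapcheck.sh runs the live checks
    check_nsswitch
    for p in 389 636; do check_port "$LDAP_HOST" "$p" && echo "$p open" || echo "$p closed"; done
    missing_from_nss "ldap://$LDAP_HOST"
fi
```

Run with RUN_CHECKS=1 on the client; if step 5 prints names while step 1 passes, the directory is answering but the NSS lookup is being refused, which points at the server-side publish policy or firewall rather than the client files.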
Responses (4)
  • Monday, July 25 2016, 11:02 AM
    Have a read of this thread but note the warnings about hard coding IPs and the warning of files getting overwritten. Better would be to configure the other apps to use LDAPS.
  • Monday, July 25 2016, 10:38 AM
    Nick Howitt wrote:

    What mode is ClearOS running in? Gateway, Standalone, Standalone with firewall?
    Are you trying to access ClearOS from the WAN?

    Normally, when publish policy is set to anything other than Local Network or All Networks you have to use LDAPS on port 636. If this is not open you will not get access! By default it is open to LAN access for a gateway configuration or standalone without firewall but otherwise you need to open the firewall to incoming tcp:636.


    My ClearOS is running in Standalone mode, publish policy is set to Local Network and I'm trying to access it from the local network. Also, I disabled the firewall (in fact, it says "Your system firewall is currently disabled" in Network - Firewall, in the web interface), but when I looked at iptables from the console, I could see it actually isn't disabled. Anyway, I deleted all the rules in iptables (iptables -F; that's how I managed to see LDAP users on the client side), but my problem goes on. I must also say that I'd like the LDAP server/client to be running with iptables running too, obviously.

    But... I think that maybe it isn't about ports. My problem is that I cannot log in on the client but, as I see in the LDAP server log when I try to log in, the server recognises the user and its password, it creates the user's home directory, it logs in but ends the connection suddenly after that. Could it maybe be a problem with permissions? What do you think?



    If you used to access LDAP through port 389 (so LDAP and not LDAPS), then you will have done a command line hack to achieve that. A similar hack will be needed for 7.x but 7.x uses systemd for start-up so the change is needed in a completely different file. The same comment applies to the firewall as above but for port 389.


    Could you tell me what file needs to be changed? And what?

    Thanks so much for your help, Nick.
  • Monday, July 25 2016, 09:59 AM
    What mode is ClearOS running in? Gateway, Standalone, Standalone with firewall?
    Are you trying to access ClearOS from the WAN?

    Normally, when publish policy is set to anything other than Local Network or All Networks you have to use LDAPS on port 636. If this is not open you will not get access! By default it is open to LAN access for a gateway configuration or standalone without firewall but otherwise you need to open the firewall to incoming tcp:636.

    If you used to access LDAP through port 389 (so LDAP and not LDAPS), then you will have done a command line hack to achieve that. A similar hack will be needed for 7.x but 7.x uses systemd for start-up so the change is needed in a completely different file. The same comment applies to the firewall as above but for port 389.
  • Monday, July 25 2016, 08:30 AM
    Hey! I found out that maybe there could be some problems with iptables and ports 389 and 636 on the server side. I still cannot log in, but at least I can see the LDAP users using "getent passwd" on the client. I'll keep trying, and if you find something, I'd really appreciate it.

    Thanks!