Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
#1  10-17-2006, 03:24 PM  Intermediate Member (Posts: 23)
Using Zimbra LDAP for System Auth

Has anybody out there used the Zimbra OpenLDAP service to do system authentication (like using PAM-LDAP, etc.)? I have set up and configured FreeRADIUS to use the Zimbra LDAP successfully, but have had very little luck in getting the system LDAP services (like NSS-PAM, or the other LDAP system utilities) to work because I keep getting schema errors. Anybody have experience with this? Not really looking for a huge manual on how to do this, just wanting to know if somebody has done it and a quick summary of the best way to accomplish it (without ruining Zimbra, preferably).
#2  10-17-2006, 07:42 PM  Former Zimbran (Posts: 5,606)

Have you had a look at the wiki?
#3  10-17-2006, 10:25 PM  Intermediate Member (Posts: 23)
Have you looked in WIKI?

Yeah, I have. There is a lot of information regarding Zimbra users and LDAP and using replication LDAP servers, but it really doesn't talk about using the Zimbra LDAP for PAM authentication or as a Linux system authentication. Specifically I was looking at ldap-nss objects. Has anybody used the Zimbra LDAP server to authenticate system access to a server or FTP?
#4  10-18-2006, 05:32 AM  tdi, Active Member (Posts: 32)

You would have to change Zimbra's LDAP structure to auth against it with nss_ldap. I am having another problem: I did external LDAP authentication in Zimbra; the test succeeds, but the user cannot log in.
#5  10-30-2006, 02:41 PM  Starter Member (Posts: 2)

I've also been trying to authenticate against the Zimbra LDAP for Linux system authentication using pam_ldap, but I haven't been able to make it work yet.

I'm running Fedora Core 4, so I used the command-line utility "authconfig" to turn on user authentication over LDAP. I set the LDAP server address to test.mydomain.com:389, and left the base dn blank. What authconfig actually seems to be doing is then saving this information into /etc/ldap.conf and /etc/nsswitch.conf, and then restarting nscd. But this doesn't seem to be enough to get user authentication working. Every time I try to ssh in as one of my Zimbra users, sshd leaves an error message line in /var/log/messages like the following:

Oct 29 16:31:32 test sshd[6395]: pam_ldap: error trying to bind as user "uid=joey,ou=people,dc=mydomain,dc=com" (Invalid credentials)

I followed the instructions on this Zimbra wiki page to boost the logging from slapd, and this revealed that pam_ldap is able to bind anonymously, and it's able to search the directory and find the user, but it fails when it tries to bind as the user. Here's what this actually looks like in my slapd log file:

Oct 30 12:29:39 test slapd[4463]: conn=39 op=0 BIND dn="" method=128
Oct 30 12:29:39 test slapd[4463]: conn=39 op=0 RESULT tag=97 err=0 text=
Oct 30 12:29:39 test slapd[4463]: conn=38 fd=12 closed
Oct 30 12:29:39 test slapd[4463]: conn=39 op=1 SRCH base="" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=joey))"
Oct 30 12:29:39 test slapd[4463]: conn=39 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 30 12:29:39 test slapd[4463]: conn=39 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 30 12:29:40 test slapd[4463]: conn=40 fd=12 ACCEPT from IP=172.30.5.203:60701 (IP=172.30.5.203:389)
Oct 30 12:29:40 test slapd[4463]: conn=40 op=0 BIND dn="" method=128
Oct 30 12:29:40 test slapd[4463]: conn=40 op=0 RESULT tag=97 err=0 text=
Oct 30 12:29:40 test slapd[4463]: conn=40 op=1 SRCH base="" scope=2 deref=0 filter="(uid=joey)"
Oct 30 12:29:40 test slapd[4463]: conn=40 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 30 12:29:40 test slapd[4463]: conn=40 op=2 BIND dn="uid=joey,ou=people,dc=mydomain,dc=com" method=128
Oct 30 12:29:40 test slapd[4463]: conn=40 op=2 RESULT tag=97 err=49 text=
Oct 30 12:29:40 test slapd[4463]: conn=40 op=3 BIND dn="" method=128
Oct 30 12:29:40 test slapd[4463]: conn=40 op=3 RESULT tag=97 err=0 text=
Oct 30 12:29:43 test slapd[4463]: conn=40 op=4 UNBIND
Oct 30 12:29:43 test slapd[4463]: conn=40 fd=12 closed

According to my Google searches, "tag=97" means it's the result of a bind attempt, and "err=49" means invalid credentials, such as a bad password. I have no idea why it's not working, because other programs, such as Apache, JXplorer, and phpldapadmin, are able to bind just fine with the same username (uid=username,ou=people,dc=mydomain,dc=com) and password.

My only guess is that it may have something to do with password hashing. In the ldap.conf file, Fedora was setting the "pam_password" directive to "crypt", which apparently hashes the password in {crypt} format before sending it to the LDAP directory. However, Zimbra's LDAP is storing the passwords as {SSHA}. I tried changing the line in ldap.conf to "pam_password clear" to make it send the password in cleartext, but this doesn't work either.

On the up side, I was able to successfully add the posixAccount object class to my users easily enough. I think that Linux requires this class to be there in order to retrieve things like uid number, group membership, and home directory. The posixAccount class (and the related posixGroup class) are stated in the file /opt/zimbra/openldap/etc/openldap/schemas/nis.schema, but they're not active by default. I had to edit the file /opt/zimbra/conf/slapd.conf.in, and add a line to include that schema file. Then I was able to add the class posixAccount to my users, and fill in their uidNumber, gidNumber, homeDirectory, etc. However, it doesn't help me out because I still can't get PAM LDAP to bind to the directory.

Has anybody else made any progress on this? On my production server I'm currently managing users and groups in Fedora Directory Server, and having Zimbra, apache, wildfire, and ssh authenticate against that. But I would like to have everything authenticate against Zimbra's directory server instead, so that users can change their passwords through Zimbra, and so that I can simplify user management.
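The post above decodes the slapd lines by hand (tag=97 is a bind response, err=49 is invalidCredentials). The following is an added example, not code from the thread or from Zimbra: it parses slapd stats-level syslog lines of the shape quoted above, pairs every BIND request with its RESULT, attaches the peer address from the ACCEPT line, and reports failed and anonymous binds so that a failing pam_ldap client can be spotted in the log without reading it line by line. The sample log is constructed from the lines in the post; the line format (OpenLDAP 2.x syslog output) and IPv4-only peers are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the slapd lines quoted in the post above, with the
# ACCEPT line for conn=40 included so the client address can be tied to it.
SAMPLE_LOG = """\
Oct 30 12:29:39 test slapd[4463]: conn=39 op=0 BIND dn="" method=128
Oct 30 12:29:39 test slapd[4463]: conn=39 op=0 RESULT tag=97 err=0 text=
Oct 30 12:29:39 test slapd[4463]: conn=38 fd=12 closed
Oct 30 12:29:39 test slapd[4463]: conn=39 op=1 SRCH base="" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=joey))"
Oct 30 12:29:39 test slapd[4463]: conn=39 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 30 12:29:40 test slapd[4463]: conn=40 fd=12 ACCEPT from IP=172.30.5.203:60701 (IP=172.30.5.203:389)
Oct 30 12:29:40 test slapd[4463]: conn=40 op=0 BIND dn="" method=128
Oct 30 12:29:40 test slapd[4463]: conn=40 op=0 RESULT tag=97 err=0 text=
Oct 30 12:29:40 test slapd[4463]: conn=40 op=2 BIND dn="uid=joey,ou=people,dc=mydomain,dc=com" method=128
Oct 30 12:29:40 test slapd[4463]: conn=40 op=2 RESULT tag=97 err=49 text=
Oct 30 12:29:40 test slapd[4463]: conn=40 op=3 BIND dn="" method=128
Oct 30 12:29:40 test slapd[4463]: conn=40 op=3 RESULT tag=97 err=0 text=
Oct 30 12:29:43 test slapd[4463]: conn=40 op=4 UNBIND
Oct 30 12:29:43 test slapd[4463]: conn=40 fd=12 closed
"""

# Line shapes assumed here: OpenLDAP 2.x "stats" loglevel via syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$"
)
ACCEPT_RE = re.compile(r"^fd=\d+ ACCEPT from IP=(?P<ip>[^:]+):\d+")   # IPv4 peers only
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")

BIND_RESPONSE_TAG = 97   # LDAP BindResponse application tag, as the post notes

# LDAP resultCode values a bind commonly returns (RFC 4511, section 4.1.9).
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def parse_binds(log_text):
    """Pair each BIND request with its RESULT; return one record per completed bind."""
    client_ip = {}   # conn id -> peer address seen on the ACCEPT line
    pending = {}     # (conn, op) -> bind record still waiting for its RESULT
    binds = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = int(m["conn"]), m["rest"]
        if a := ACCEPT_RE.match(rest):
            client_ip[conn] = a["ip"]
        elif b := BIND_RE.match(rest):
            pending[(conn, int(b["op"]))] = {
                "ts": m["ts"], "conn": conn, "op": int(b["op"]),
                "ip": client_ip.get(conn), "dn": b["dn"],
                "simple": b["method"] == "128",   # method=128 is a simple bind
            }
        elif r := RESULT_RE.match(rest):
            key = (conn, int(r["op"]))
            if int(r["tag"]) == BIND_RESPONSE_TAG and key in pending:
                rec = pending.pop(key)
                rec["err"] = int(r["err"])
                rec["outcome"] = RESULT_CODES.get(rec["err"], f"resultCode {r['err']}")
                binds.append(rec)
    return binds


def failed_binds(log_text):
    """Binds that did not return resultCode 0 (err=49 is the pam_ldap case above)."""
    return [b for b in parse_binds(log_text) if b["err"] != 0]


def anonymous_bind_count(log_text):
    """Number of binds with an empty DN (pam_ldap's anonymous search binds)."""
    return sum(1 for b in parse_binds(log_text) if b["dn"] == "")


def failures_by_dn(log_text):
    """Failed-bind counts per DN; a steady stream for one DN is worth alerting on."""
    return Counter(b["dn"] for b in failed_binds(log_text))


if __name__ == "__main__":
    for b in failed_binds(SAMPLE_LOG):
        print(f'{b["ts"]} conn={b["conn"]} op={b["op"]} ip={b["ip"]} dn="{b["dn"]}" -> {b["outcome"]}')
    print("anonymous binds:", anonymous_bind_count(SAMPLE_LOG))
```

Run against the sample, the only failure reported is conn=40 op=2 for uid=joey from 172.30.5.203 with outcome invalidCredentials, which is exactly the bind that sshd's pam_ldap message complains about; the two surrounding anonymous binds succeed, confirming the problem is the user bind itself rather than reachability or the search.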
#6  11-06-2006, 04:54 PM  Starter Member (Posts: 2)
Progress!

I was finally able to get Fedora Core 4 to authenticate against Zimbra's LDAP. The problem was that the permissions in /opt/zimbra/conf/slapd.conf.in blocked access to the newly added posixAccount attributes, for anyone except admin users.

There are two ways to solve this. You could change /etc/ldap.conf so that it connects up as an admin LDAP user who does have access, or you can change /opt/zimbra/conf/slapd.conf.in so that anonymous users (or the user you've set up PAM to bind as) can view the attributes. I decided to change slapd.conf since I already had to edit it to add nis.schema. I added the following:

Code:
access to attrs=uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass
        by * read
I haven't experimented with this thoroughly yet, but this was enough to let my user connect. It may be that you only need to provide access to some of these, possibly just uidNumber, gidNumber, and homeDirectory.

So, now that I can authenticate against the Zimbra LDAP server, I need to see about automating the task of adding posix attributes and posix group memberships for users after I create them.

Last edited by thataaron; 11-06-2006 at 05:01 PM.
#7  09-07-2007, 05:53 AM  Member (Posts: 14)

Quote (Originally Posted by webguyinternet):
I have set up and configured FreeRADIUS to use the Zimbra LDAP successfully

Hello, I am trying to configure FreeRADIUS to use Zimbra LDAP, but with no success.
I would like to use the Zimbra server as a RADIUS server as well, for a captive portal, so users can access the internet and/or read mail with the same user and password.

Zimbra version is 4.5.6.

Could you post how you configured freeradius?

Thank you.

Mario
#8  10-22-2007, 04:35 PM  Active Member (Posts: 45)

Mario,

I currently have the following configuration to allow FreeRadius to authenticate off Zimbra:

Code:
        ldap {
                server = "zimbra"
                identity = "uid=zimbra,cn=admins,cn=zimbra"
                password = "ZIMBRA_LDAP_PASSWD"
                basedn = "dc=MY,dc=DOMAIN"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                access_attr = "homeDirectory"
        }
Note that there may be a little more; the config file is full of comments, but I believe this is the relevant section.

You also need to ensure that your authorize and authenticate sections both refer to LDAP as well. I can email you my config file if this would be useful.

However I do have a question. With the current Samba and Posix extensions for Zimbra to allow this, it appears as though group membership is stored in the ou=groups,dc=MY,dc=DOMAIN tree, rather than under the ou=people,dc=MY,dc=DOMAIN as I would have expected.

Is there any way to configure RADIUS to verify whether the uid is a member of a particular group? Given it is in a different hierarchy, this might be difficult.

Cheers,
David
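Post #6 ends with the wish to automate adding posix attributes and group memberships after a user is created, and post #8 asks how to check membership of a posixGroup that lives under ou=groups rather than under the user entry. The following added example (my own code, not Zimbra's and not from either poster) covers both: it emits RFC 2849 LDIF for the posixAccount modification and the posixGroup entry, and it builds an RFC 4515-escaped search filter that only matches when the group's memberUid lists the uid, which is the shape of check a RADIUS or PAM module needs because membership is stored on the group, not the person. The DNs follow the thread's ou=people / ou=groups layout, nis.schema is assumed to be loaded as post #6 describes, and the 1000 floor on uidNumber/gidNumber is a policy assumption of mine so that a mail user can never be mapped onto a system account.

```python
import base64

# --- search filters -------------------------------------------------------
# RFC 4515 escaping. The FreeRADIUS filter in the thread substitutes the
# User-Name straight into "(uid=...)"; anything user-controlled that lands in
# a filter must be escaped this way so "*" or ")(" cannot widen the match.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(group_cn: str, uid: str) -> str:
    """Matches the posixGroup entry only if uid appears among its memberUid values."""
    return (f"(&(objectClass=posixGroup)(cn={escape_filter_value(group_cn)})"
            f"(memberUid={escape_filter_value(uid)}))")


# --- LDIF generation ------------------------------------------------------
def ldif_line(attr: str, value) -> str:
    """One attribute line; base64 ("attr:: ") when RFC 2849 says the value is not SAFE."""
    s = str(value)
    unsafe = (not s.isascii() or s[:1] in (" ", ":", "<") or s.endswith(" ")
              or any(c in s for c in "\0\r\n"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(s.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {s}"


MIN_ID = 1000   # assumption: ids below this belong to the OS, never to mail users


def next_free_uid(existing_uids, start=10000) -> int:
    """Smallest unused uidNumber at or above start (existing_uids: already allocated)."""
    used = set(existing_uids)
    uid = start
    while uid in used:
        uid += 1
    return uid


def posix_account_modify(dn, uid_number, gid_number, home_directory,
                         login_shell="/bin/bash", gecos=None) -> str:
    """LDIF 'changetype: modify' that adds posixAccount and its attributes to a user."""
    if uid_number < MIN_ID or gid_number < MIN_ID:
        raise ValueError(f"uidNumber/gidNumber below {MIN_ID} would map a mail user onto a system account")
    attrs = [("objectClass", "posixAccount"), ("uidNumber", uid_number),
             ("gidNumber", gid_number), ("homeDirectory", home_directory),
             ("loginShell", login_shell)]
    if gecos is not None:
        attrs.append(("gecos", gecos))
    lines = [ldif_line("dn", dn), "changetype: modify"]
    for attr, value in attrs:
        lines += [f"add: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n"


def posix_group_add(dn, cn, gid_number, member_uids) -> str:
    """LDIF 'changetype: add' for a posixGroup under ou=groups with its memberUid list."""
    if gid_number < MIN_ID:
        raise ValueError(f"gidNumber below {MIN_ID} collides with the system group range")
    lines = [ldif_line("dn", dn), "changetype: add", "objectClass: posixGroup",
             ldif_line("cn", cn), ldif_line("gidNumber", gid_number)]
    lines += [ldif_line("memberUid", uid) for uid in member_uids]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values; the DNs mirror the thread's layout.
    uid = next_free_uid([10000, 10001, 10003])
    print(posix_account_modify("uid=joey,ou=people,dc=mydomain,dc=com", uid, 5000,
                               "/home/joey", gecos="José"))
    print(posix_group_add("cn=staff,ou=groups,dc=mydomain,dc=com", "staff", 5000, ["joey"]))
    print(membership_filter("staff", "joey"))
```

The LDIF goes to ldapmodify bound as an identity allowed to write those attributes; the membership filter is what the membership check searches for under ou=groups. Whatever identity nss_ldap or RADIUS binds as only needs read on the posix attributes, so a dedicated read-only bind DN is a narrower grant than the anonymous `by * read` in post #6.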