mwaeckerlin / ssh

Docker Image for SSH Server to provide remote access to volumes, i.e.using rsync
GNU General Public License v3.0

ldap not working anymore #1

Open himpierre opened 4 years ago

himpierre commented 4 years ago

Hello Dev.

Thanks for your work, but for a few days or weeks now LDAP logins have not worked anymore. I noticed you changed a few things. Did you test the new release with LDAP? I just tried to deploy a new instance.

cheers, t.

stefanandres commented 4 years ago

LDAP itself works (e.g. id <username> shows proper results, the ldap search is done when doing a ssh login), but it does not let the user enter.

mwaeckerlin commented 4 years ago

I have a lot of local changes not yet checked in, IMHO the version here should work. I'll check that again.

mwaeckerlin commented 4 years ago

Seems to work for me. Can you reproduce the problem and describe steps to reproduce it, @himpierre or @stefanandres ?

stefanandres commented 4 years ago

Thanks for your quick reply.

We are basically using your image in Kubernetes with a standard pod and these environment variables:

    Environment:
      LDAPURI:                  ldaps://domain.tld
      LDAPBASE:                 dc=XXX,dc=de
      LDAPNSS_BASE_PASSWD:      ou=users
      LDAPNSS_BASE_SHADOW:      ou=users
      LDAPNSS_BASE_GROUP:       ou=groups
      LDAPPAM_FILTER:           objectClass=posixAccount
      LDAPPAM_LOGIN_ATTRIBUTE:  uid

This configures the container properly to get id(1) working, and before your latest versions users could also log in. Is there any new parameter we'd need to set?

himpierre commented 4 years ago

This request reaches our ldap server:

Oct 24 12:37:09 blu.slave.ldap.domain.net slapd[19115]: conn=28529200 fd=40 ACCEPT from IP=xx.xx.xx.xx:48910 (IP=xx.xx.xx.xx:636)
Oct 24 12:37:10 blu.slave.ldap.domain.net slapd[19115]: conn=28529200 fd=40 TLS established tls_ssf=256 ssf=256
Oct 24 12:37:10 blu.slave.ldap.domain.net slapd[19115]: conn=28529200 op=0 BIND dn="" method=128
Oct 24 12:37:10 blu.slave.ldap.domain.net slapd[19115]: conn=28529200 op=0 RESULT tag=97 err=0 text=
Oct 24 12:37:10 blu.slave.ldap.domain.net slapd[19115]: conn=28529200 op=1 SRCH base="ou=users,dc=domain,dc=de" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=username))"
Oct 24 12:37:10 blu.slave.ldap.domain.net slapd[19115]: conn=28529200 op=1 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Oct 24 12:37:10 blu.slave.ldap.domain.net slapd[19115]: conn=28529200 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Bind DN is missing. Maybe that's a problem?
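
The empty bind DN in that excerpt is worth checking on its own. The log records which attributes the client asked for (userPassword among them), not what slapd returned; whether an anonymous client may read userPassword is decided by the server's ACLs. As an added example that is not code from this thread or from the mwaeckerlin/ssh project, the shell function below scans slapd logs in the format shown above and reports every connection that bound with an empty DN and then requested userPassword. It is run here on a constructed sample log: the first connection mirrors the excerpt, the other two connection ids, the short hostname and the service bind DN are made up for contrast.

```shell
#!/bin/sh
# Added example (not from the mwaeckerlin/ssh project or this thread's authors).
# Scans slapd connection logs (the "conn=N op=M BIND/SRCH" lines shown above) and
# prints every connection that bound anonymously (BIND dn="") and then requested
# the userPassword attribute. The log only shows which attributes were requested,
# not which ones the server returned; whether anonymous clients can read
# userPassword is decided by the slapd ACLs, so a hit is a prompt to check them.

# usage: flag_anon_password_reads <slapd-log-file>
flag_anon_password_reads() {
    awk '
        # remember the connection id carried on every line
        match($0, /conn=[0-9]+/) { conn = substr($0, RSTART + 5, RLENGTH - 5) }
        # an empty bind DN is an anonymous bind
        / BIND dn="" /         { anon[conn] = 1; next }
        # a later bind with a real DN re-authenticates the connection
        / BIND dn="[^"]+"/     { anon[conn] = 0; next }
        # report once per connection when an anonymous search asks for userPassword
        / SRCH attr=/ && anon[conn] && index($0, "userPassword") && !seen[conn]++ { print conn }
    ' "$1"
}

# Constructed sample log: conn 28529200 mirrors the excerpt in the thread (anonymous
# bind, then a shadowAccount search requesting userPassword); conn 28529201 binds
# with a service DN first; conn 28529202 is anonymous but only asks for NSS attributes.
write_sample_slapd_log() {
    cat > "$1" <<'EOF'
Oct 24 12:37:10 ldap slapd[19115]: conn=28529200 op=0 BIND dn="" method=128
Oct 24 12:37:10 ldap slapd[19115]: conn=28529200 op=0 RESULT tag=97 err=0 text=
Oct 24 12:37:10 ldap slapd[19115]: conn=28529200 op=1 SRCH base="ou=users,dc=domain,dc=de" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=username))"
Oct 24 12:37:10 ldap slapd[19115]: conn=28529200 op=1 SRCH attr=uid userPassword shadowLastChange shadowMax
Oct 24 12:37:11 ldap slapd[19115]: conn=28529201 op=0 BIND dn="cn=ssh-bind,ou=People,dc=domain,dc=de" method=128
Oct 24 12:37:11 ldap slapd[19115]: conn=28529201 op=0 RESULT tag=97 err=0 text=
Oct 24 12:37:11 ldap slapd[19115]: conn=28529201 op=1 SRCH attr=uid userPassword shadowLastChange
Oct 24 12:37:12 ldap slapd[19115]: conn=28529202 op=0 BIND dn="" method=128
Oct 24 12:37:12 ldap slapd[19115]: conn=28529202 op=1 SRCH attr=uid uidNumber gidNumber homeDirectory
EOF
}

# demo run on the constructed log; prints 28529200 only
tmpdir=$(mktemp -d)
write_sample_slapd_log "$tmpdir/slapd.log"
flag_anon_password_reads "$tmpdir/slapd.log"
rm -rf "$tmpdir"
```

Against a real server, point the function at the syslog file slapd writes its stats to (the path depends on the host). A hit is only a reason to review the `olcAccess` rules: the ACL shape used in the OpenLDAP examples, `access to attrs=userPassword by self write by anonymous auth by * none`, lets anonymous clients bind against the attribute but never read it, which is what a PAM login needs and an NSS lookup does not.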

himpierre commented 4 years ago

Found the problem. I just switched UsePAM to yes in sshd_config and now it works again.

himpierre commented 4 years ago

@mwaeckerlin Do you mind switching that on again for your docker image?

himpierre commented 4 years ago

It's already switched on at https://github.com/mwaeckerlin/ssh/blob/master/sshd_config. Interesting.

mwaeckerlin commented 4 years ago

> It's already switched on at https://github.com/mwaeckerlin/ssh/blob/master/sshd_config. Interesting.

May I close this ticket, or does it need further investigation? (Same question also to @stefanandres )

himpierre commented 4 years ago

Well, I'm not sure. I just spawned another container and UsePAM is still set to "no". Do you have an idea what's causing this?
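
One way a container can end up with a different effective UsePAM than the file in the repository, as an added example that is not the project's code: sshd uses the first value it finds for a keyword, so an entrypoint that appends `UsePAM yes` to a file that already contains `UsePAM no` changes nothing. The helpers below read an sshd_config the way sshd does and are run on two constructed files; the file names, their contents and the appending entrypoint are assumptions for illustration, not a statement about what this image does.

```shell
#!/bin/sh
# Added example (not from the mwaeckerlin/ssh project or this thread's authors).
# sshd applies sshd_config so that the FIRST occurrence of a keyword wins
# (sshd_config(5): "the first obtained value will be used"), and UsePAM is not
# one of the keywords allowed inside a Match block. An entrypoint that appends
# "UsePAM yes" to a file that already says "UsePAM no" therefore changes nothing.
# These helpers report the value sshd will use and list keywords set more than once.
# Assumptions: one "Keyword argument" pair per line; the "Keyword=argument" form
# and Include directives are not handled.

# usage: effective_setting <keyword> <sshd_config>
effective_setting() {
    kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v kw="$kw" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        { k = tolower($1) }                            # keywords are case-insensitive
        k == "match" { exit }                          # global section ends at the first Match
        k == kw      { print $2; exit }                # first occurrence wins
    ' "$2"
}

# usage: duplicate_keywords <sshd_config>   (prints each keyword that appears more than once)
duplicate_keywords() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        { n[k]++ }
        END { for (k in n) if (n[k] > 1) print k }
    ' "$1" | sort
}

# Constructed samples: the first resembles a repository file with UsePAM yes; the
# second models a container whose entrypoint appended UsePAM yes after an earlier
# UsePAM no (hypothetical, for illustration only).
write_samples() {
    cat > "$1/repo_sshd_config" <<'EOF'
Port 22
PasswordAuthentication yes
UsePAM yes
EOF
    cat > "$1/container_sshd_config" <<'EOF'
Port 22
UsePAM no
PasswordAuthentication yes
# appended later by a hypothetical entrypoint; ignored because the first value wins
UsePAM yes
EOF
}

tmpdir=$(mktemp -d)
write_samples "$tmpdir"
echo "repo:      UsePAM=$(effective_setting UsePAM "$tmpdir/repo_sshd_config")"
echo "container: UsePAM=$(effective_setting UsePAM "$tmpdir/container_sshd_config")"
echo "duplicated keywords in container config: $(duplicate_keywords "$tmpdir/container_sshd_config")"
rm -rf "$tmpdir"
# Inside a running container the authoritative check is the daemon's own dump of
# its effective configuration:
#   docker exec ssh sshd -T | grep -i usepam
```

`sshd -T` prints the configuration the daemon would actually apply, so comparing its `usepam` line with the file in the image is the quickest way to tell a parsing-order problem from a file that was never copied into the container in the first place.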

mwaeckerlin commented 4 years ago

Ok, I'll check that.

himpierre commented 4 years ago

Hello Marc. Are you still working on this? Cheers, Thomas

mwaeckerlin commented 4 years ago

Sorry, I had other topics and forgot to check it… I'll do a local setup to check if everything works as expected. For this, I'll follow my instructions here: https://marc.wäckerlin.ch/computer/setup-openldap-server-in-docker

mwaeckerlin commented 4 years ago

BTW, those instructions are quite old, now you would use docker volume to create a volume instead of a volume-container…

But: The instructions still work as expected, so here, I don't see a problem so far.

mwaeckerlin commented 4 years ago

… oops, it seems I messed up the projects, that's not OpenLDAP but sshd, sorry, I'll check that too…

mwaeckerlin commented 4 years ago

Adding to the above setup:

docker run -d --name ssh -p 222:22 \
    --link openldap:ldap \
    -e LDAPBINDDN="cn=ssh-bind,ou=People" \
    -e LDAPBINDPW="0HQRGLXQCQEH" \
    -e LDAPBASEUSERDN="ou=People" \
    -e LDAPBASEGROUPDN="ou=group" \
    mwaeckerlin/ssh

Adding in LAM a group system with user ssh-bind and the above password, plus a group users and a user marc to login.

And it fails:

docker logs -f ssh
 * Starting Name Service Cache Daemon nscd
   ...done.
setup ready, starting ssh daemon ...
Server listening on 0.0.0.0 port 22.
Connection closed by 172.21.42.1 port 53978 [preauth]
Invalid user marc from 172.21.42.1 port 54022
Failed password for invalid user marc from 172.21.42.1 port 54022 ssh2
Failed password for invalid user marc from 172.21.42.1 port 54022 ssh2
Failed password for invalid user marc from 172.21.42.1 port 54022 ssh2
Connection closed by invalid user marc 172.21.42.1 port 54022 [preauth]
Invalid user marc from 172.21.42.1 port 54346
Failed password for invalid user marc from 172.21.42.1 port 54346 ssh2
Failed password for invalid user marc from 172.21.42.1 port 54346 ssh2

Ok, problem reproduced…

In the ssh-server image, UsePAM is set to yes, so the problem is somewhere else…

himpierre commented 4 years ago

Thanks for looking into it Marc.

arulrajnet commented 3 years ago

@mwaeckerlin Any update on this?

Mastermind-U commented 1 year ago

I checked it with Wireshark, it uses PEM cyphering for no reason, however it sends a plain-text password for the admin user. It transforms password -> \b\n\r\177INCO,


The LDAP server should've known the PEM key, idk how, there are no RFC specs for LDAP. I'll try using TLS on the LDAP server side, hope it'll help.

UPD: No, it didn't help at all...