How to LDAP authentication without nss_ldap?

In CentOS 6, they replaced nss_ldap because the PADL nss stuff has memory leaks.

I've read the new and preferred way is with SSSD. http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap...

Can you advise, connecting LDAP with SSSD, or is it not supported with Virtualmin? Can you update the guide, as nss_ldap is no longer supported?

And perhaps a question related to the topic, but are there pros/cons of using LDAP vs Users/Group clustering in Webmin for managing authenticating users on more than one server? (Basically, will the cluster feature be easier than trying to jump through hoops to get LDAP working?)

Status: 
Active

Comments

Virtualmin should work fine with any LDAP client, as long as it makes users in an LDAP database available as Unix users on the Virtualmin system. I hadn't heard about SSSD replacing nss_ldap, but if you switch to that and set it up manually it should still work fine.

In most Virtualmin deployments using LDAP isn't strictly necessary, but can be useful if you have multiple systems and want your mailboxes and domain owners to have access to all of them. I'd recommend this over the "cluster users and groups" module, as the Virtualmin integration is better.

Hi Jamie,

Thanks for the info, and I'll give LDAP a try. On CentOS 6 nss_ldap is dead, but you can use nss-pam-ldapd by Arthur Dejong which uses nslcd and the nss module which is forked from nss_ldap, but the Fedora default now is with sssd.

By no means am I representing this information authoritatively, just me relaying the info from Googling for the packages. There's very little information on how to set this up properly, but I'll give it a try.

I just wanted to add that I started playing around with Virtualmin and I like how it works compared to other CPs, and looking through all the modules and coding made me a big fan. I bought an unlimited Virtualmin license to play around with because I believe in the product and wanted to say thank you for the great support. You haven't disappointed and have addressed every issue I've had.

Thanks, let us know what you find out!

Virtualmin no longer works with LDAP (Webmin I got to work just fine). I posted a support request about Virtualmin specifically not working.

marcusone,

what OS are you using, and what ldap client did you use? I have the LDAP server running on Virtualmin already.

Also, the package for OpenLDAP server on CentOS 6 is slapd. The document referenced at https://www.virtualmin.com/documentation/id,combining_virtualmin_and_ldap/ is for CentOS 5.

Also on CentOS 5, they used nss_ldap. But on CentOS 6 they dropped nss_ldap. You have the option to either use a hack job/bridge with nss-pam-ldapd, or the Fedora now default way with SSSD. SSSD requires TLS/SSL so you also have to get your certificates in order.

That's where I'm at right now and can advise up to this point.

I have it running just fine in CentOS 6.5 (default packages, OpenLDAP aka slapd, and sssd). The only thing that doesn't work is Virtualmin (Webmin, ssh logins, Postfix email to users, etc. are all working)... only creating servers in Virtualmin when set to store users and groups in LDAP.

well, heck... you're way ahead of me! lol Thanks for the heads up.

Hello Folks!

I have also tested virtualmin + openldap + sssd in CentOS 7. It became extra messy since they have switched to something called systemd.

It works perfectly to create users and groups in Webmin, but in Virtualmin you cannot create any domains.

This is what happens:

Creating administration group fretom.com .. .. administration group was created but does not exist! Failed to create virtual server : Critical feature Administration user was not properly created - Virtual server creation halted.

getent group fretom
fretom:*:1000:

So sssd thinks group fretom was created.

getent passwd fretom

ldapsearch does not give anything; neither the group fretom nor the user fretom was added.

Is there any solution to this yet?

I have a nasty workaround that seems to work, at virtualmin module configuration "Action upon server and user creation":

Command to run before making changes to a server, Command to run after making changes to a server, Command to run before making changes to an alias, Command to run after making changes to an alias

Add the following command line: rm -fr /var/lib/sss/db/* ; systemctl restart sssd ; getent group ; getent passwd

I don't know if it can break something, but for me it has worked in lab.

Systemd just changes the way services are started at boot time - it shouldn't impact the LDAP setup process.

If Virtualmin is failing to create users properly, try adding a user in the Webmin LDAP Users and Groups module, and see if he is accessible from the shell.

Hello Jamie!

Users added from Webmin work 100% from the shell; you can log in via ssh, ftp and su to them.

However I have to back off the workaround; it worked a few times, then a new problem arrived :-) So I changed from:
rm -fr /var/lib/sss/db/* ; systemctl restart sssd ; getent group ; getent passwd
To:
systemctl stop sssd ; rm -fr /var/lib/sss/db/* ; systemctl start sssd ; getent group ; getent passwd

I also added the sssd "cache flushing" above (the last one) to the LDAP Users and Groups module in Webmin in the hope it would help, but no difference.

The observation is that sssd does not seem to start again (in both cases); it dies in the middle of creating the domain.

After creating a domain (see below), sssd is stopped; it has problems starting during the creation of the domain:

systemctl status sssd
Nov 16 22:48:42 lina.ing-steen.se systemd[1]: Failed to start System Securit....
Nov 16 22:48:42 lina.ing-steen.se systemd[1]: Starting System Security Servi....
Nov 16 22:48:42 lina.ing-steen.se systemd[1]: sssd.service start request rep....
Nov 16 22:48:42 lina.ing-steen.se systemd[1]: Failed to start System Securit....
Nov 16 22:48:42 lina.ing-steen.se systemd[1]: Starting System Security Servi....
Nov 16 22:48:42 lina.ing-steen.se systemd[1]: sssd.service start request rep....
Nov 16 22:48:42 lina.ing-steen.se systemd[1]: Failed to start System Securit....
Nov 16 22:48:47 lina.ing-steen.se systemd[1]: Starting System Security Servi....
Nov 16 22:48:47 lina.ing-steen.se systemd[1]: sssd.service start request rep....
Nov 16 22:48:47 lina.ing-steen.se systemd[1]: Failed to start System Securit....

Creating a domain from Virtualmin results in this:

Creating administration group dumperjakob .. .. done

Creating administration user dumperjakob .. .. done

Creating aliases for administration user .. .. done

Adding administration user to groups .. .. done

Creating home directory .. .. done

Creating mailbox for administration user .. .. done

Adding new DNS zone .. .. done

Adding to email domains list .. .. done

Adding default mail aliases .. .. done

Adding new virtual website .. .. done

Adding webserver user apache to server's group .. .. done

Performing other Apache configuration .. .. configuration failed : Failed to copy /etc/php.ini to /home/dumperjakob/etc/php5/php.ini : at ../web-lib-funcs.pl line 1397.

Setting up scheduled Webalizer reporting .. .. Webalizer reporting failed! : Failed to open /home/dumperjakob/public_html/stats/.htaccess.webmintmp.9386 : No such file or directory at ../web-lib-funcs.pl line 1397, line 1.

Setting up log file rotation .. .. done

Creating MySQL login .. .. done

Creating MySQL database dumperjakob .. .. done

Setting up spam filtering .. .. done

Setting up virus filtering .. .. done

Adding DAV directives to website configuration .. .. DAV Login failed! : virtualmin-dav::feature_setup failed : Failed to open /home/dumperjakob/etc/dav.digest.passwd : No such file or directory at ../web-lib-funcs.pl line 1397, line 1.

Setting up AWstats reporting .. .. AWstats reporting failed! : virtualmin-awstats::feature_setup failed : Failed to open /home/dumperjakob/cgi-bin/awstats.pl.webmintmp.9386 : No such file or directory at ../web-lib-funcs.pl line 1397, line 1.

Adding Mailman alias and redirects to website configuration .. .. done

Creating Webmin user .. .. done

Re-starting DNS server .. .. done

Applying web server configuration .. .. done

Re-loading Webmin .. .. done

Saving server details .. .. done

It may be that creating the domain does not wait long enough for the "one-liners" flushing the sssd cache, and rushes over them, causing it to fail to start properly. I will try to have them only in the LDAP Users and Groups module and see what happens then.

The result of flushing the sssd cache only in the LDAP Users and Groups module behaves the same as before:

Nov 16 23:16:49 lina.ing-steen.se systemd[1]: sssd.service start request rep....
Nov 16 23:16:49 lina.ing-steen.se systemd[1]: Failed to start System Securit....
Nov 16 23:16:49 lina.ing-steen.se systemd[1]: Unit sssd.service entered fail....

And it fails:

[root@lina ~]# ll /home/
total 4
drwxr-x--- 8 1006 1003 4096 Nov 16 23:16 fretom
drwxr-x--- 2 1010 users 59 Nov 16 14:20 test
drwxr-x--- 2 1011 users 59 Nov 16 14:22 test2
drwxr-x--- 2 1012 users 79 Nov 16 14:24 test3
drwxr-x--- 2 1013 users 79 Nov 16 14:40 test4
drwxr-x--- 2 500 users 59 Nov 16 14:44 test5
drwxr-x--- 4 1000 users 99 Nov 16 14:58 test6
drwxr-x--- 2 1001 users 59 Nov 16 20:03 test7
drwx------. 2 2001 2000 79 Nov 16 13:45 user1
drwx------. 2 2002 2000 79 Nov 16 13:45 user2

Creating administration group fretom .. .. done

Creating administration user fretom .. .. done

Creating aliases for administration user .. .. done

Adding administration user to groups .. .. done

Creating home directory .. .. done

Creating mailbox for administration user .. .. done

Adding new DNS zone .. .. done

Adding to email domains list .. .. done

Adding default mail aliases .. .. done

Adding new virtual website .. .. done

Adding webserver user apache to server's group .. .. done

Performing other Apache configuration .. .. configuration failed : Failed to copy /etc/php.ini to /home/fretom/etc/php5/php.ini : at ../web-lib-funcs.pl line 1397.

Setting up scheduled Webalizer reporting .. .. Webalizer reporting failed! : Failed to open /home/fretom/public_html/stats/.htaccess.webmintmp.10570 : No such file or directory at ../web-lib-funcs.pl line 1397, line 1.

Setting up log file rotation .. .. done

Creating MySQL login .. .. done

Creating MySQL database fretom .. .. done

Setting up spam filtering .. .. done

Setting up virus filtering .. .. done

Adding DAV directives to website configuration .. .. DAV Login failed! : virtualmin-dav::feature_setup failed : Failed to open /home/fretom/etc/dav.digest.passwd : No such file or directory at ../web-lib-funcs.pl line 1397, line 1.

Setting up AWstats reporting .. .. done

Setting up password protection for AWstats .. .. AWstats reporting failed! : virtualmin-awstats::feature_setup failed : Failed to open /home/fretom/awstats/.htaccess.webmintmp.10570 : No such file or directory at ../web-lib-funcs.pl line 1397, line 1.

Adding Mailman alias and redirects to website configuration .. .. done

Creating Webmin user .. .. done

Re-starting DNS server .. .. done

Applying web server configuration .. .. done

Re-loading Webmin .. .. done

Saving server details .. .. done

Hello Again!

I am very active, hope you folks don't mind and hope it is of some help at the end of the day.

I removed all sssd one-liner flushes and put only one in, in Webmin at "Command to run before making changes".

This one-liner: systemctl stop sssd ; rm -fr /var/lib/sss/db/* ; systemctl start sssd ; getent group ; getent passwd

That seemed to do the trick; I created several domains in sequence, but the problem will most likely come back if multiple admins are logged in at the same time creating domains and users.
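The one-liner above returns as soon as systemctl has been asked to start sssd, which is consistent with the earlier report of sssd "dying in the middle of creating the domain". The following script is an added example, not code from the thread or from Virtualmin: it does the same stop/clear/start, but blocks until systemd reports sssd active and until the new entry is actually visible through getent, so the hook cannot return before the lookup will succeed. It assumes systemd, the /var/lib/sss/db cache path named in the thread, and that it is run as root; the guard on the cache path is an assumption added here so the rm can never run against anything else.

```shell
#!/bin/sh
# Added example: sssd cache flush that waits for the daemon and the NSS entry.
# Assumes systemd and the cache path from the thread; run as root.

SSSD_CACHE_DIR=/var/lib/sss/db

# Poll `getent <db> <name>` until it succeeds or <timeout> seconds pass.
# Returns 0 when the entry is resolvable, 1 on timeout. This is a plain NSS
# lookup, so it also works against local files when sssd is not involved.
wait_for_nss_entry() {
    db=$1; name=$2; timeout=${3:-30}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if getent "$db" "$name" >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Wait until systemd reports sssd active, or give up after <timeout> seconds.
wait_for_sssd() {
    timeout=${1:-30}; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if systemctl is-active --quiet sssd; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Stop sssd, drop its on-disk cache, start it and block until it is really up.
# Returns 2 without touching anything if the cache path is not the expected one.
flush_sssd_cache() {
    case "$SSSD_CACHE_DIR" in /var/lib/sss/db) ;; *) return 2 ;; esac
    systemctl stop sssd
    rm -rf "$SSSD_CACHE_DIR"/*       # same files the thread's one-liner removes
    systemctl start sssd
    wait_for_sssd 30
}

# Usage from a Virtualmin "command to run" hook, passing the group name:
#   flush_sssd_cache && wait_for_nss_entry group "$1" 30
```

Where the sssd-common package is installed, `sss_cache -E` invalidates all cached entries without restarting the daemon and is the gentler option to try first.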

Hello Folks!

All worked fine after the last change; intense tests were done, and the users could log in to the server with ftp, ssh, scp, Webmin and Usermin.

Also Postfix is working as far as we could test, that is to say the LDAP-dependent Virtual, Aliases and Canonical maps. Sender address table and user authentication not yet tested. Dovecot backend not yet tested either.

When logged in using Usermin, we did not come far: "Failed to bind to LDAP server localhost as : TLS confidentiality required" is visible in the upper left corner, and no emails are visible in the list. I suspect it is something regarding Postfix or Dovecot. Dovecot is most suspected, since it uses pop or imap for the mail here.

It was working in CentOS 6.latest using the classic pam_ldap and nss_ldap stuff without needing to do anything inside Dovecot.

Let's see how progress goes. In the coming days I will try to track it down. I am not an expert on LDAP and even less on this certificate stuff.

Besides that, I made a script for fully automatic installation of all the stuff needed to get Virtualmin and OpenLDAP working, for CentOS 6. That has been working 100% for the whole CentOS 6 lifetime. CentOS 7 broke it. However, not fully: skipping sssd also works, but I faced problems with password changes and so on.

Hello again Folks!

We have narrowed down the Usermin login problem where it complains about LDAP and TLS. If I disable the Usermin Read Mail module setting "User From addresses" and set the LDAP server to not used, then the problem goes away.

But that is not the desired solution, end users should not be able to change their source email address, it must be locked down to what is in mail attribute in LDAP tree for that user.

There seems not to be any TLS ability for this setting, as far as I could see at the moment.

I tried to disable the requirement on using TLS in OpenLDAP:
olcTLSVerifyClient: allow
And all other variants inside OpenLDAP without breaking it, unfortunately without success; my OpenLDAP skills are not enough to configure the thing using both clear text authentication and TLS.

I put a support request in on the inability to use TLS in that module; let's see what happens.

FYI, I responded on your other support request ticket about TLS.