Home / server / Questions / 807826
In Process
FreeSoftwareServers
Asked: 2016-10-08 16:57:39 +0800 CST

Open LDAP authenticates LDAP users as local admin account - Linux - Ubuntu 14

  • 772

So, I thought my LDAP was working perfect, but today I went to log in, and its authenticating me, but its showing i'm the local Admin account, even whoami says so, and I have full root access like local user account does.

Any ideas on what to look for?

This is the output of Logging in as donut, who is NOT a local user, but has logged in before. 

sysadmin@BASICTEMPLATE:~$ whoami
sysadmin
sysadmin@BASICTEMPLATE:~$ pwd
/home/donut

And the output of tail -f /var/log/auth while logging in as donut

Oct  7 21:01:15 BASICTEMPLATE sshd[1871]: Accepted publickey for donut from 192.168.1.210 port 50472 ssh2: RSA 9c:a7:b6:3c:a8:2d:96:21:e8:d2:47:cb:6f:8f:a0:91
Oct  7 21:01:15 BASICTEMPLATE sshd[1871]: pam_unix(sshd:session): session opened for user donut by (uid=0)
Oct  7 21:01:15 BASICTEMPLATE systemd-logind[471]: New session 4 of user sysadmin.

My Client Setup :

Both client and server are Ubuntu Server 14.04

Setup on Client :

sudo su

apt-get update
apt-get install -y libpam-ldap nscd ldap-utils python-pip python-ldap libsasl2-dev python-dev libldap2-dev libssl-dev libnss-ldapd

##INSTALL STEPS###

#NOT LDAPI://, LDAP://
ldap://192.168.1.255

dc=freesoftwareservers,dc=com

{group,pass,shadow} (These options may not all show, manually edit /etc/nsswitch.conf if so)

ldap://192.168.1.255

dc=freesoftwareservers,dc=com

3

YES

NO

cn=admin,dc=freesoftwareservers,dc=com

PASSWORD

sed -i -r 's/(.*)(use_authtok)(.*)/\1\3/g' /etc/pam.d/common-password
grep 'pam_mkhomedir.so' /etc/pam.d/common-session > /dev/null || {

    cat >> /etc/pam.d/common-session <<EOF
session required    pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
}

sh -c 'echo "tls_reqcert never\nnss_initgroups_ignoreusers ALLLOCAL\nbind_timelimit 3\ntimelimit 3" >> /etc/nslcd.conf'

Edit :

sudo nano /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Enable SSH RSA Key Lookup :

pip install ssh-ldap-pubkey
sh -c 'echo "AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper\nAuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config' && service ssh restart

Restrict to group ServerAdmins :

sudo sh -c 'echo "auth    required    pam_access.so" >> /etc/pam.d/common-auth'
sudo sh -c 'echo "- : ALL EXCEPT root (admin) (wheel) (ServerAdmins): ALL EXCEPT  LOCAL" >> /etc/security/access.conf'

Grant Group ServerAdmins Sudo Access :

 sudo visudo
 # Members of the LDAP group ServerAdmins may run sudo
 %ServerAdmins ALL=(root) ALL

 /etc/init.d/nscd restart
security ldap openldap ubuntu-14.04

0 Answers