Netgate Discussion Forum
    LDAP authentication for SSH/console on 2.1

    General pfSense Questions
    • McGlenn

      Hi

      Has anyone managed to get LDAP authentication working on the CLI (SSH/console)? We've got it working for the WebCfg GUI, but fail to make it work on the CLI. We've also got it working on our Linux server estate, so we are familiar with the configuration.

      We've installed the nss-pam-ldapd library, but ldapsearch continues to complain about this:

      /libexec/ld-elf.so.1: /usr/lib/libssl.so.6: unsupported file layout

      We've tried disabling all SSL references in /usr/local/etc/ldap.conf, but the error persists…  :-\

      We've also tried re-installing the openssl libraries, again to no avail.

      Can't find anything on Google or this forum on this topic...

      Any pointers would be appreciated!

      Thanks

      • jimp (Rebel Alliance Developer, Netgate)

        "unsupported file layout" usually means a 32-bit/64-bit mismatch, so if you copied some other library to the firewall, it was from the wrong architecture.

        I haven't heard of anyone getting LDAP to work for SSH logins yet, but I know it works on FreeBSD so it should be possible in theory.


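jimp's diagnosis can be confirmed rather than guessed at. The script below is an added example (not from the thread or from pfSense): it reads the ELF header of a file and reports the class (32/64-bit) and machine type, which are among the fields the FreeBSD loader checks before it gives up with "unsupported file layout". The sample headers it builds are constructed 20-byte stubs, not real libraries.

```shell
#!/bin/sh
# Report the ELF class and machine type of a file. The FreeBSD loader checks
# exactly these header fields, so a library copied from another system can be
# verified before ld-elf.so.1 rejects it with "unsupported file layout".
elf_layout() {
    f=$1
    # First 20 bytes as hex octets; od is in the base system of FreeBSD and Linux.
    set -- $(od -An -tx1 -N20 -v "$f")
    [ "$1$2$3$4" = "7f454c46" ] || { echo "not-elf"; return 0; }
    case $5 in 01) class=32 ;; 02) class=64 ;; *) class=unknown ;; esac
    # e_machine is at offset 18-19, in the byte order given by EI_DATA (byte 5).
    if [ "$6" = "01" ]; then mach="${20}${19}"; else mach="${19}${20}"; fi
    case $mach in
        0003) m=i386 ;;  003e) m=x86_64 ;;
        0028) m=arm ;;   00b7) m=aarch64 ;;
        *)    m="machine-0x$mach" ;;
    esac
    echo "ELF$class $m"
}

# Is the object loadable on this host? Only amd64 and i386 are mapped here.
elf_matches_host() {
    case "$(uname -m):$(elf_layout "$1")" in
        "amd64:ELF64 x86_64"|"x86_64:ELF64 x86_64"|"i386:ELF32 i386"|"i686:ELF32 i386") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: bare 20-byte ELF headers, not real libraries.
tmp=$(mktemp -d)
printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\003\000\076\000' > "$tmp/lib64.so"
printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\003\000\003\000' > "$tmp/lib32.so"
echo "not a library" > "$tmp/ldap.conf"
for f in "$tmp"/*; do echo "$f: $(elf_layout "$f")"; done
```

On the firewall itself, `for f in /usr/lib/libssl.so*; do elf_matches_host "$f" || echo "$f: wrong architecture"; done` points straight at the offending copy.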
        • McGlenn

          We've started all over again and were able to get LDAP CLI authentication working :-)

          We now have it on both the webcfg and the CLI, which was becoming increasingly necessary, as we are getting close to 100 virtual pfSense firewalls and local user accounts were getting unmanageable.

          Some rough notes:

          ###login with ssh & std admin user
          
          1) /etc/nsswitch.conf
          
          group: files ldap
          # group_compat: nis
          hosts: files dns
          networks: files
          passwd: files ldap
          # passwd_compat: nis
          shells: files
          services: files
          # services_compat: nis
          protocols: files
          rpc: files
          
          2)
          pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/net/openldap-client-2.4.26.tbz
          pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/nss-pam-ldapd.tbz
          
          3) /usr/local/etc/nslcd.conf
          
          # The underprivileged user and group used for running the daemon.
          uid nslcd
          gid nslcd
          
          uri ldaps://ldap1.local.domain ldaps://ldap2.local.domain
          ldap_version 3
          base ou=somedepartment,dc=local,dc=domain
          
          bind_timelimit 30
          tls_reqcert allow
          ssl on
          
          4) /etc/pam.d/sshd:
          
          #
          # $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.8.2 2012/11/17 08:24:38 svnexp Exp $
          #
          # PAM configuration for the "sshd" service
          #
          
          # auth
          auth          sufficient    /usr/local/lib/pam_ldap.so  no_warn md5
          auth            sufficient      pam_opie.so             no_warn no_fake_prompts
          auth            requisite       pam_opieaccess.so       no_warn allow_local
          #auth           sufficient      pam_krb5.so             no_warn try_first_pass
          #auth           sufficient      pam_ssh.so              no_warn try_first_pass
          auth            required        pam_unix.so             no_warn try_first_pass
          
          # account
          account         required        pam_nologin.so
          #account        required        pam_krb5.so
          account         required        pam_login_access.so
          account         required        pam_unix.so
          
          # session
          #session        optional        pam_ssh.so
          session         required        pam_permit.so
          
          # password
          #password       sufficient      pam_krb5.so             no_warn try_first_pass
          password        required        pam_unix.so             no_warn try_first_pass
          
          5) /etc/pam.d/system    
          #
          # $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.8.2 2012/11/17 08:24:38 svnexp Exp $
          #
          # System-wide defaults
          #
          
          # auth
          auth            sufficient      pam_opie.so             no_warn no_fake_prompts
          auth            requisite       pam_opieaccess.so       no_warn allow_local
          #auth           sufficient      pam_krb5.so             no_warn try_first_pass
          #auth           sufficient      pam_ssh.so              no_warn try_first_pass
          auth            sufficient  /usr/local/lib/pam_ldap.so   no_warn try_first_pass md5
          auth            required        pam_unix.so             no_warn try_first_pass nullok
          
          # account
          #account        required        pam_krb5.so
          account         required        pam_login_access.so
          account         required    /usr/local/lib/pam_ldap.so   ignore_unknown_user ignore_authinfo_unavail
          account         required        pam_unix.so
          
          # session
          #session        optional        pam_ssh.so
          session         required        pam_lastlog.so          no_fail
          
          # password
          #password       sufficient      pam_krb5.so             no_warn try_first_pass
          password        required        pam_unix.so             no_warn try_first_pass
          
          6) install sudo package in webgui
          7) install shellcmds in webgui
          
          8) add shellcmd via webgui -> services -> shellcmd:
          nslcd     shellcmd
          
          9) hack the sudo.inc file, because we cannot add the sysadmins group manually (the sudoers file is reset on boot) AND we cannot add it in the webgui, because the sysadmins group isn't allowed:
          
          /usr/local/pkg/sudo.inc
          
          ...
                  foreach ($sudocfg as $sudo_commands) {
                          // (user|group) ALL=(ALL|user spec) ALL|command list
                          list($etype, $ename) = explode(":", $sudo_commands['username']);
                          $user = ($etype == "group") ? "%{$ename}" : $ename;
                          list($rtype, $rname) = explode(":", $sudo_commands['runas']);
                          $runas = ($rtype == "group") ? ":{$rname}" : $rname;
                          $nopasswd = ($sudo_commands['nopasswd'] == "ON") ? "NOPASSWD:" : "";
                          $commands = (empty($sudo_commands['cmdlist'])) ? "ALL" : $sudo_commands['cmdlist'];
                          $commands = ($commands == "all") ? "ALL" : $commands;
                          $sudoers .= "{$user} ALL=({$runas}) {$nopasswd} {$commands}\n";
                  }
                  // Added line: grant the LDAP sysadmins group full sudo, since the
                  // webgui refuses a group that does not exist locally.
                  $sudoers .= "%sysadmins ALL=(ALL) ALL\n";
                  /* Check validity of the sudoers data created above. */
                  $tmpsudoers = tempnam("/tmp", "sudoers");
          ...
          
          10) let's make su work as non-root user:
          
          /etc/pam.d/su :
          
          #
          # $FreeBSD: src/etc/pam.d/su,v 1.16.32.1.8.2 2012/11/17 08:24:38 svnexp Exp $
          #
          # PAM configuration for the "su" service
          #
          
          # auth
          auth            sufficient      pam_rootok.so           no_warn
          auth            sufficient      pam_self.so             no_warn
          
          #auth           requisite       pam_group.so            no_warn group=wheel root_only fail_safe
          auth            include         system
          
          # account
          account         include         system
          
          # session
          session         required        pam_permit.so
          
          11) cp /usr/pbi/sudo-amd64/etc/pam.d/sudo /etc/pam.d
          
          12) /etc/ssh/sshd_config
          
          PermitRootLogin yes
          Compression yes
          ClientAliveInterval 30
          UseDNS no
          X11Forwarding no
          # Login via Key and Password
          PasswordAuthentication yes
          ChallengeResponseAuthentication yes
          PubkeyAuthentication yes
          # override default of no subsystems
          Subsystem       sftp    /usr/libexec/sftp-server
          Protocol 2
          Port 22
          Allowgroups sysadmins
          
          ###login with ssh & ldap user
          sudo su
          
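As an added example (not part of McGlenn's notes or of pfSense's own code), a POSIX sh audit of the four files the recipe above changes: it confirms that NSS, nslcd, PAM and sshd are actually wired together, and it flags the two settings in the posted configuration that weaken it, `tls_reqcert allow` (the LDAP server's certificate is never verified, so a spoofed directory would be trusted with every password) and `PermitRootLogin yes`. The file paths and sample lines are constructed from the thread's own snippets.

```shell
#!/bin/sh
# Audit the four files the recipe above touches. One finding per line,
# nothing printed when all checks pass.
# Usage: audit_ldap_cli nsswitch.conf nslcd.conf pam.d/sshd sshd_config
audit_ldap_cli() {
    nss=$1 nslcd=$2 pam_sshd=$3 sshd_cfg=$4
    # 1) Both passwd and group must consult ldap, or LDAP users arrive without
    #    their groups and the AllowGroups restriction in sshd rejects them.
    for db in passwd group; do
        grep -Eq '^[[:space:]]*'"$db"':.*[[:space:]]ldap([[:space:]]|$)' "$nss" ||
            echo "nsswitch: '$db' does not consult ldap"
    done
    # 2) Passwords go to the directory, so the channel needs TLS and the server
    #    certificate must be verified; 'tls_reqcert allow' accepts any certificate.
    grep -Eq '^[[:space:]]*(uri[[:space:]]+ldaps://|ssl[[:space:]]+(on|start_tls))' "$nslcd" ||
        echo "nslcd: directory traffic is not protected by TLS"
    grep -Eq '^[[:space:]]*tls_reqcert[[:space:]]+(demand|hard)' "$nslcd" ||
        echo "nslcd: tls_reqcert is not 'demand' (server certificate not verified)"
    # 3) sshd's PAM stack must actually consult pam_ldap in the auth phase.
    grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+[^[:space:]]*pam_ldap\.so' "$pam_sshd" ||
        echo "pam.d/sshd: no pam_ldap.so auth line"
    # 4) With per-person LDAP accounts plus sudo in place, SSH should be limited
    #    to that group and root should no longer log in directly.
    grep -Eiq '^[[:space:]]*AllowGroups[[:space:]]+' "$sshd_cfg" ||
        echo "sshd_config: no AllowGroups restriction"
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$sshd_cfg" &&
        echo "sshd_config: PermitRootLogin yes (prefer 'no' and use sudo)"
    return 0
}

# Constructed sample input: the relevant lines of the files posted above.
tmp=$(mktemp -d)
printf 'group: files ldap\nhosts: files dns\npasswd: files ldap\n' > "$tmp/nsswitch.conf"
printf 'uri ldaps://ldap1.local.domain ldaps://ldap2.local.domain\nldap_version 3\ntls_reqcert allow\nssl on\n' > "$tmp/nslcd.conf"
printf 'auth          sufficient    /usr/local/lib/pam_ldap.so  no_warn md5\nauth required pam_unix.so no_warn try_first_pass\n' > "$tmp/sshd.pam"
printf 'PermitRootLogin yes\nPasswordAuthentication yes\nAllowgroups sysadmins\n' > "$tmp/sshd_config"
audit_ldap_cli "$tmp/nsswitch.conf" "$tmp/nslcd.conf" "$tmp/sshd.pam" "$tmp/sshd_config"
```

Run against the thread's settings it reports exactly the tls_reqcert and PermitRootLogin findings; with `tls_reqcert demand` and `PermitRootLogin no` it stays silent.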
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.