pam_pkcs11 and ldap mapper - get nssdb error

4 messages

pam_pkcs11 and ldap mapper - get nssdb error

Jan Friedl
Hi all,

I wanted to log in to my notebook with a smartcard.

At first I configured PAM with the pam_p11 library, which works fine. ;-)  That means that using the local store of key or certificate works fine.

Now I store the user certificate in a central LDAP database, but I don't know what is wrong in my configuration.  :-(

Based on the "PAM-PKCS11 User Manual", I set in PAM:
auth    sufficient       pam_pkcs11.so debug
auth    required        pam_env.so
auth    sufficient      pam_unix2.so
auth    [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth    required        pam_sss.so      use_first_pass

Then I configured my /etc/pam_pkcs11/pam_pkcs11.conf

...
use_pkcs11_module = opensc;
pkcs11_module opensc {
                module = /usr/lib64/libokpkcs11.so;
                description = "OpenSC PKCS#11 module";
                slot_description = none;
                ca_dir = "/etc/pam_pkcs11/cacerts";
                crl_dir = "/etc/pam_pkcs11/crls";
                support_threads = false;
                cert_policy = ca;
                token_type = "Smart card";
        }
....
use_mappers = ldap, null;
mapper_search_path = "/usr/lib64/pam_pkcs11";

        mapper ldap {
                debug = true;
                module = "/usr/lib64/pam_pkcs11/ldap_mapper.so";
                # hostname of ldap server (use LDAP-URI for more than one)
                ldaphost = ldap.server.cz;
                # Port on ldap server to connect, this is also the default
                #   if no port is given in URI below
                #   if empty, then 389 for TLS and 636 for SSL is used
                ldapport = ;
                # space separated list of LDAP URIs (URIs are used in the given order)
                URI = ;
                # Scope of search: 0-2
                #   Default is 1 = "one", meaning the set of records one
                #   level below the basedn.
                #   0 = "base"  means search only the basedn, and
                #   2 = "sub"  means the union of entries at the "base" level
                #   and ? all or "one" level below ??? FIXME
                scope = 0;
                # DN to bind with. Must have read-access for user entries
                # under "base"
                binddn = "cn=test,ou=people,dc=ldap_server,dc=cz";
                # Password for above DN
                passwd = test;
                # Searchbase for user entries
                base = "ou=people,dc=ldap_server,dc=cz";
                # Attribute of user entry which contains the certificate
                attribute = userCertificate;
                # Searchfilter for user entry. Must only let pass user entry
                # for the login user.
                filter = "(&(objectClass=posixAccount)(uid=%s))";
                ssl = off;
                #ssl = tls;
                # SSL specific settings
                # tls_randfile = ...
                tls_cacertfile = /etc/ssl/cacert.pem;
                # tls_cacertdir = ...
                tls_checkpeer = 0;
                #tls_ciphers = ...
                #tls_cert = ...
                #tls_key = ...
        }
............

When I run pkcs11_inspect debug, I get:
DEBUG:pam_config.c:245: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:187: Initializing NSS ...
DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:206: NSS_Initialize failed: security library: bad database.
DEBUG:pkcs11_inspect.c:64: crypto_init() failed:

I don't know if my configuration is OK.
Does anybody have experience with smartcards and LDAP? The manual on the web pages and Google don't help me. :-(

My OS: openSUSE 11.4 64-bit; pam_pkcs11 version 0.6.6 installed from the repository.

Best regards
Jan Friedl

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user
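The mapper ldap block above is the piece most worth testing on its own, outside PAM, before anything else is blamed. The script below is an added example and is not code from this thread or from the pam_pkcs11 project: a small POSIX shell script that rebuilds the mapper's lookup as an ldapsearch command from the values shown (host, bind DN, password, base, scope, filter, attribute), substitutes the login name for %s the way the mapper does, and checks that the numeric scope is consistent with the search base. The login name jan, the plain ldap:// URL and the use of ldapsearch -t to save the fetched userCertificate for comparison with the card are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from pam_pkcs11: reproduce the ldap
# mapper's search as an ldapsearch command so it can be tried by hand.
# The login name "jan" and the ldap:// scheme are placeholders.

# Map the mapper's numeric scope (0, 1, 2) to the keyword ldapsearch -s expects.
scope_keyword() {
    case "$1" in
        0) echo base ;;
        1) echo one ;;
        2) echo sub ;;
        *) return 1 ;;
    esac
}

# The mapper substitutes the login name for every %s in the configured filter.
# ('|' is used as the sed delimiter so a filter containing '/' is safe.)
fill_filter() {
    printf '%s\n' "$1" | sed "s|%s|$2|g"
}

# Consistency check: with scope 0 (base) LDAP examines only the base entry
# itself, so a per-user filter on uid=%s can only match if the base DN *is*
# that user's entry. Scopes 1 and 2 search below the base and work with an
# ou=... base. Returns 0 when scope and base fit together.
scope_matches_base() {
    case "$1" in
        0)   case "$2" in uid=*) return 0 ;; *) return 1 ;; esac ;;
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the ldapsearch equivalent of one mapper lookup.
# $1 host  $2 binddn  $3 password  $4 base  $5 scope  $6 filter  $7 login  $8 attribute
ldap_mapper_search_cmd() {
    kw=$(scope_keyword "$5") || return 1
    flt=$(fill_filter "$6" "$7")
    # -x: simple bind, as the mapper does with binddn/passwd (use -W instead of
    #     -w on a shared host so the password is not visible in `ps`).
    # -t: write the binary userCertificate to a file instead of base64 on
    #     stdout, so it can be compared byte for byte with the card's cert.
    printf 'ldapsearch -x -H ldap://%s -D "%s" -w "%s" -b "%s" -s %s -t "%s" %s\n' \
        "$1" "$2" "$3" "$4" "$kw" "$flt" "$8"
}

# Values from the mapper ldap block above; the login name is a placeholder.
LDAP_HOST=ldap.server.cz
BIND_DN="cn=test,ou=people,dc=ldap_server,dc=cz"
BIND_PW=test
BASE="ou=people,dc=ldap_server,dc=cz"
SCOPE=0
FILTER='(&(objectClass=posixAccount)(uid=%s))'
ATTR=userCertificate
LOGIN=jan

main() {
    ldap_mapper_search_cmd "$LDAP_HOST" "$BIND_DN" "$BIND_PW" "$BASE" \
        "$SCOPE" "$FILTER" "$LOGIN" "$ATTR"
    if scope_matches_base "$SCOPE" "$BASE"; then
        echo "scope $SCOPE is consistent with base $BASE"
    else
        echo "warning: scope $SCOPE (base) never reaches entries below $BASE; use scope = 1 or 2"
    fi
}
main
```

Run the printed command against the server and confirm that exactly one entry comes back with a userCertificate; the mapper compares that value with the certificate read from the card, so the file written by -t should match what pkcs15-tool --read-certificate prints for the card's certificate. Because the mapper block carries a bind password in clear, pam_pkcs11.conf should be readable by root only.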

Re: pam_pkcs11 and ldap mapper - get nssdb error

Ludovic Rousseau
2011/6/10 Jan Friedl <[hidden email]>:
> Hi all,

Hello,

> I wanted to log in to my notebook with a smartcard.
>
> At first I configured PAM with the pam_p11 library, which works fine. ;-)
> That means that using the local store of key or certificate works fine.
>
> Now I store the user certificate in a central LDAP database, but I don't know
> what is wrong in my configuration.  :-(
>
> When I run pkcs11_inspect debug, I get:
> DEBUG:pam_config.c:245: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> DEBUG:pkcs11_lib.c:187: Initializing NSS ...
> DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
> DEBUG:pkcs11_lib.c:206: NSS_Initialize failed: security library: bad
> database.
> DEBUG:pkcs11_inspect.c:64: crypto_init() failed:
>
> I don't know if my configuration is OK.
> Does anybody have experience with smartcards and LDAP? The manual on the web
> pages and Google don't help me. :-(

You have a problem with NSS, not with LDAP.

I am surprised that using a local certificate storage works fine. Can
you try again?

> My OS: openSUSE 11.4 64-bit; pam_pkcs11 version 0.6.6 installed from the
> repository.

Installed from _which_ repository?

Bye

--
 Dr. Ludovic Rousseau

Re: pam_pkcs11 and ldap mapper - get nssdb error

Ludovic Rousseau
2011/6/10 Jan Friedl <[hidden email]>:

> Hello,
>
> On 06/10/2011 01:55 PM, Ludovic Rousseau wrote:
>>
>> 2011/6/10 Jan Friedl<[hidden email]>:
>> You have a problem with NSS, not with LDAP.
>>
>> I am surprised that using a local certificate storage works fine. Can
>> you try again?
>
> I don't know why it tries to use NSS. It is undefined and I don't know why / how
> to define it. :-/

NSS is selected at build time. You can't change it from the configuration file.

> I get the same error.

So you get the same error if you use a local certificate repository. Correct?

In your first mail you wrote:
" At first I configured PAM with the pam_p11 library, which
works fine. ;-)  That means that using the local store of key or
certificate works fine. "

Can you still get this configuration to work?

I think your problem has nothing to do with LDAP.

Bye

--
 Dr. Ludovic Rousseau

Re: pam_pkcs11 and ldap mapper - get nssdb error

Jan Friedl
Hello,

I don't know if you got the weekend emails from my mobile phone.

Now I have checked the configuration one more time, but I didn't find any
mistake.


On 06/10/2011 03:05 PM, Ludovic Rousseau wrote:

> 2011/6/10 Jan Friedl<[hidden email]>:
>> Hello,
>>
>> On 06/10/2011 01:55 PM, Ludovic Rousseau wrote:
>>> 2011/6/10 Jan Friedl<[hidden email]>:
>>> You have a problem with NSS, not with LDAP.
>>>
>>> I am surprised that using a local certificate storage works fine. Can
>>> you try again?
>> I don't know why it tries to use NSS. It is undefined and I don't know why / how
>> to define it. :-/
> NSS is selected at build time. You can't change it from the configuration file.
>
OK, what must be set in the pam_pkcs11.conf file?

The file contains only: "nss_dir=/etc/pam_pkcs11"

This is the listing of the directory /etc/pam_pkcs11:

cacerts/c4dec320.0 -> server_ca
cacerts/server_ca
card_eventmgr.conf
crls/c4dec320.r0 -> crl.pem
crls/crl.pem
pam_pkcs11.conf
pkcs11_eventmgr.conf

>> I get the same error.
> So you get the same error if you use a local certificate repository. Correct?
>
> In your first mail you wrote:
> " At first I configured PAM with the pam_p11 library, which
> works fine. ;-)  That means that using the local store of key or
> certificate works fine. "
>
> Can you still get this configuration to work?
>
Yes, I can still use that configuration.
> I think your problem has nothing to do with LDAP.
>
> Bye
>
Bye
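Ludovic's point that the NSS backend is chosen at build time, the debug line naming /etc/pam_pkcs11/nssdb, and a directory listing of /etc/pam_pkcs11 that shows no nssdb directory at all together suggest the checks below. This is an added example, not code from the thread or from the pam_pkcs11 project: a POSIX shell script that tells from ldd output which backend the installed module links against, tests whether a directory holds an NSS database in either on-disk layout (a missing directory or missing database files is what NSS reports as "bad database"), and shows how an empty database is created with certutil, the CA from cacerts/server_ca imported, and the PKCS#11 module from the config registered with modutil. The module location /lib64/security/pam_pkcs11.so, the package name mozilla-nss-tools and the placement of the nss_dir keyword inside the active pkcs11_module block are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from pam_pkcs11 itself. Paths come from
# the debug output and directory listing above; the pam_pkcs11.so location,
# the mozilla-nss-tools package name and the placement of nss_dir inside the
# pkcs11_module block are assumptions.

# Step 1: which crypto backend is the installed module linked against? This is
# fixed at build time. Reads `ldd` output on stdin and prints nss, openssl or
# unknown.  Usage: ldd /lib64/security/pam_pkcs11.so | backend_from_ldd
backend_from_ldd() {
    awk '/libnss3\.so/   { nss = 1 }
         /libcrypto\.so/ { ssl = 1 }
         END { if (nss) print "nss"; else if (ssl) print "openssl"; else print "unknown" }'
}

# Step 2: does the directory handed to NSS_Initialize() hold a database?
# Prints dbm (cert8.db/key3.db/secmod.db), sql (cert9.db/key4.db/pkcs11.txt)
# or none. A missing directory or missing files is what NSS reports as
# "security library: bad database".
nssdb_layout() {
    if [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ] && [ -f "$1/secmod.db" ]; then
        echo dbm
    elif [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ] && [ -f "$1/pkcs11.txt" ]; then
        echo sql
    else
        echo none
    fi
}

# Exit status 0 when the directory is usable as an NSS database.
nssdb_ok() {
    [ -d "$1" ] && [ "$(nssdb_layout "$1")" != none ]
}

# Step 3: create and populate the database (needs certutil and modutil from the
# NSS tools; mozilla-nss-tools on openSUSE). The database gets an empty
# password because pam_pkcs11 has no way to prompt for one. Not run below.
# $1 nssdb dir  $2 CA certificate (PEM)  $3 PKCS#11 module path
nssdb_create() {
    mkdir -p "$1" && chmod 755 "$1" || return 1
    pw=$(mktemp) || return 1
    : > "$pw"
    certutil -N -d "$1" -f "$pw" || { rm -f "$pw"; return 1; }
    rm -f "$pw"
    # Import the issuing CA as trusted (trust flags CT,C,C: SSL client/server,
    # e-mail, object signing). -a = PEM input.
    certutil -A -d "$1" -n server_ca -t "CT,C,C" -a -i "$2" || return 1
    # Register the PKCS#11 module so NSS can see the card; -force skips the
    # interactive confirmation.
    modutil -dbdir "$1" -add OpenSC -libfile "$3" -force || return 1
    # Let unprivileged tools such as pkcs11_inspect open the database read-only.
    chmod 644 "$1"/*
}

# Expected configuration once the database exists (assumption: nss_dir is read
# from the active pkcs11_module block):
#   pkcs11_module opensc {
#           nss_dir = /etc/pam_pkcs11/nssdb;
#           ...
#   }

main() {
    # Demonstration on a scratch directory; no system files are touched.
    d=$(mktemp -d) || exit 1
    printf 'scratch dir %s: layout=%s\n' "$d" "$(nssdb_layout "$d")"
    if nssdb_ok "$d"; then
        echo "usable"
    else
        echo "not usable: NSS_Initialize() would fail with 'bad database'"
    fi
    rm -rf "$d"
    # On the real system (paths from the thread, module location an assumption):
    #   ldd /lib64/security/pam_pkcs11.so | backend_from_ldd
    #   nssdb_ok /etc/pam_pkcs11/nssdb || nssdb_create /etc/pam_pkcs11/nssdb \
    #       /etc/pam_pkcs11/cacerts/server_ca /usr/lib64/libokpkcs11.so
}
main
```

With an NSS build, the CA chain and the PKCS#11 module are taken from the NSS database rather than from ca_dir and the module line of the pkcs11_module block, which is why an empty or absent nssdb stops pkcs11_inspect before any mapper, LDAP or otherwise, is ever consulted. After creating the database, rerun pkcs11_inspect debug and expect the "Initializing NSS" lines to be followed by slot and certificate output instead of crypto_init() failed.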