Hamwan/Services/LDAP

From OCARC
Revision as of 17:55, 18 January 2020

Services That Support LDAP Authentication

  • OCARC Wiki
  • Proxmox Cluster (mostly)
  • HamWAN Portal

Managing LDAP Accounts

Standard Procedures

  • All usernames should be in CAPITALS
  • All usernames should be a callsign when possible

Creating Users

Granting Privileges

Authentication Servers

auth-01.pvd.if.hamwan.ca

Client Configuration (Debian)

1. Install the ldap packages

apt-get install libnss-ldap libpam-ldap ldap-utils sudo-ldap

2. Answer the prompts shown during package configuration:

  • When asked whether to allow the LDAP admin account to behave like local root, choose YES.
  • When asked whether the LDAP database requires login, choose No.
  • Set the LDAP administrative account to cn=admin,dc=hamwan,dc=ca.

3. Check Configurations

Modify /etc/nsswitch.conf to use the ldap data source so that it looks like this:

nano /etc/nsswitch.conf

...
passwd:         compat	ldap
group:          compat	ldap
shadow:         compat	ldap
gshadow:        files
...

Edit /etc/pam.d/common-password and remove use_authtok from the pam_ldap.so line (shown below after the edit). use_authtok makes the module reuse the password supplied to an earlier module in the stack when changing a password.

nano /etc/pam.d/common-password
...
# here are the per-package modules (the "Primary" block)
password	[success=2 default=ignore]	pam_unix.so obscure sha512
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
...

To enable automatic creation of a user's home directory at first login, add the line "session optional pam_mkhomedir.so skel=/etc/skel umask=077" to /etc/pam.d/common-session between the pam_ldap.so and pam_systemd.so lines.

nano /etc/pam.d/common-session
# and here are more per-package modules (the "Additional" block)
session required  pam_unix.so
session optional  pam_ldap.so
session optional  pam_mkhomedir.so skel=/etc/skel umask=077
session optional  pam_systemd.so
# end of pam-auth-update config

/etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=hamwan,dc=ca
URI     ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
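
The script below is an added example, not part of the wiki page: it audits the three client files edited in the steps above against the expected state (ldap in nsswitch.conf, no use_authtok on the pam_ldap.so password line, pam_mkhomedir.so between pam_ldap.so and pam_systemd.so). The sample files it checks are constructed inline; point the functions at the real /etc paths to audit a client.

```shell
#!/bin/sh
# Added example, not part of the OCARC wiki page: audit the client files
# edited in the steps above. Each check takes a file path and returns 0 (pass)
# or 1 (fail). The sample files are constructed copies of the page's expected
# contents so the script runs offline; use /etc/nsswitch.conf,
# /etc/pam.d/common-password and /etc/pam.d/common-session on a real client.

# nsswitch.conf: passwd, group and shadow must each list the ldap source.
check_nsswitch() {
  for db in passwd group shadow; do
    awk -v db="$db:" '
      $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
      END { if (found) exit 0; exit 1 }' "$1" || return 1
  done
}

# common-password: pam_ldap.so must be stacked and must not carry use_authtok,
# which would reuse the password handed to an earlier module.
check_common_password() {
  grep -Eq '^password[[:space:]].*pam_ldap\.so' "$1" || return 1
  if grep -Eq '^password[[:space:]].*pam_ldap\.so.*use_authtok' "$1"; then
    return 1
  fi
}

# common-session: pam_mkhomedir.so with umask=077 must sit after pam_ldap.so
# and before pam_systemd.so (home exists before the session, no world access).
check_common_session() {
  awk '
    /^session[ \t]/ && /pam_ldap\.so/                     { ldap = NR }
    /^session[ \t]/ && /pam_mkhomedir\.so/ && /umask=077/ { mk = NR }
    /^session[ \t]/ && /pam_systemd\.so/                  { sysd = NR }
    END { if (ldap && mk && sysd && ldap < mk && mk < sysd) exit 0; exit 1 }' "$1"
}

# Runs all three checks; succeeds only if every file passes.
audit_client() {
  check_nsswitch "$1" && check_common_password "$2" && check_common_session "$3"
}

# Constructed sample files mirroring the page's expected configuration.
tmp=$(mktemp -d)
printf 'passwd:\tcompat ldap\ngroup:\tcompat ldap\nshadow:\tcompat ldap\ngshadow:\tfiles\n' > "$tmp/nsswitch.conf"
printf 'password\t[success=2 default=ignore]\tpam_unix.so obscure sha512\npassword\t[success=1 user_unknown=ignore default=die]\tpam_ldap.so try_first_pass\npassword\trequisite\tpam_deny.so\n' > "$tmp/common-password"
printf 'session\trequired\tpam_unix.so\nsession\toptional\tpam_ldap.so\nsession optional pam_mkhomedir.so skel=/etc/skel umask=077\nsession\toptional\tpam_systemd.so\n' > "$tmp/common-session"
# The stock Debian pam_ldap.so line, still carrying use_authtok, must fail.
printf 'password\t[success=1 user_unknown=ignore default=die]\tpam_ldap.so use_authtok try_first_pass\n' > "$tmp/common-password.stock"
audit_client "$tmp/nsswitch.conf" "$tmp/common-password" "$tmp/common-session" && echo "client config: ok"
check_common_password "$tmp/common-password.stock" || echo "stock common-password: use_authtok still present"
```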

Client Configuration (Redhat)

1. Install the ldap packages

yum install dbus oddjob oddjob-mkhomedir openldap openldap-clients nss_ldap
systemctl enable messagebus
systemctl enable oddjobd
systemctl restart messagebus
systemctl restart oddjobd
systemctl status oddjobd

2. Check Configurations

Modify /etc/nsswitch.conf to use the ldap data source so that it looks like this:

nano /etc/nsswitch.conf

...
passwd:         compat	ldap
group:          compat	ldap
shadow:         compat	ldap
gshadow:        files
...

Add the line "session required pam_oddjob_mkhomedir.so" to /etc/pam.d/sshd so that home directories are created at first login:

session required pam_oddjob_mkhomedir.so

/etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=hamwan,dc=ca
URI     ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

Enable LDAP authentication in PAM with authconfig:

authconfig --enableforcelegacy --update
authconfig --enableldap --enableldapauth --ldapserver="auth-01.pvd.if.hamwan.ca" --ldapbasedn="dc=hamwan,dc=ca" --enablemkhomedir --update

Test the configuration: a nonexistent user should return nothing, while a real LDAP user should return its passwd entry.

getent passwd nosuchuser
getent passwd va7dbi

RADIUS

auth-01.pvd.if.hamwan.ca also acts as a RADIUS server to provide central logins for the network infrastructure equipment.

Accounts must be set up on the LDAP server. Members of the MicroTIK group can log in with read-only permissions. Members of the MicroTIK-full group have full (read/write) permissions.

Users have full permissions on their own device, that is, where the NAS-Identifier looks like a callsign and matches the User-Name:

(NAS-Identifier =~ /^v[ae][0-9][a-z]{2,3}/ && NAS-Identifier == User-Name)
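
The following is an added example, not part of the wiki page: it evaluates the three RADIUS access rules above for a single login attempt so the policy can be reasoned about and regression-tested outside the RADIUS server. The group names and the callsign pattern are the page's; checking the own-device rule first and denying anyone who matches no rule are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the OCARC wiki page: evaluate the RADIUS access
# rules described above for one login attempt. The group names and the
# callsign pattern come from the page; treating a user who matches no rule as
# denied, and checking the own-device rule first, are assumptions here.
# Usage: radius_access "<space-separated LDAP groups>" <NAS-Identifier> <User-Name>
# Prints full, read or deny.

# The page's pattern has no end anchor, so "va7dbi-lab" also matches; the
# equality test against User-Name is what actually ties a device to its owner.
# The pattern is lower-case only, so an upper-case NAS-Identifier never matches.
own_device() {
  printf '%s\n' "$1" | grep -Eq '^v[ae][0-9][a-z]{2,3}' && [ "$1" = "$2" ]
}

# Succeeds if group "$2" appears in the space-separated list "$1".
in_group() {
  for g in $1; do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

radius_access() {
  groups=$1; nas_id=$2; user=$3
  if own_device "$nas_id" "$user"; then echo full
  elif in_group "$groups" MicroTIK-full; then echo full
  elif in_group "$groups" MicroTIK; then echo read
  else echo deny
  fi
}

# Constructed sample decisions (not real accounts or devices):
radius_access "MicroTIK" va7dbi va7dbi            # full: the user's own router
radius_access "MicroTIK" ve7xyz va7dbi            # read: someone else's router
radius_access "MicroTIK-full" ve7xyz va7dbi       # full: MicroTIK-full grant
radius_access "" core-rtr-01 core-rtr-01          # deny: equal names, not a callsign
radius_access "" VA7DBI VA7DBI                    # deny: upper case, pattern is lower-case
```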

TO-DO

Additional auth options:

  • LDAP to REST API gateway using https://github.com/rbw/redap/wiki
  • Enable public-key lookup from LDAP: https://github.com/jirutka/ssh-ldap-pubkey
  • LDAP RBAC: https://github.com/apache/directory-fortress-core/tree/master/ldap/schema
  • Look at 2FA for LDAP