Hamwan/Services/LDAP

From OCARC

Services That Support LDAP Authentication

  • OCARC Wiki
  • Proxmox Cluster (mostly)
  • HamWAN Portal

Managing LDAP Accounts

Standard Procedures

  • All usernames should be in CAPITALS.
    • Note that some services misbehave when the capitalization of a username is changed later, so create every account in capitals from the start.
  • All usernames should be a callsign whenever possible.

Creating Users

  1. Creating user accounts inside Drupal (the HamWAN Portal) is the easiest way to create an account that works correctly across the services above.

Granting Privileges

Authentication Servers

auth-01.pvd.if.hamwan.ca

Client Configuration (Debian)

1. Install the LDAP packages

apt-get install libnss-ldap libpam-ldap ldap-utils sudo-ldap

2. Answer the debconf questions as follows:

  • Allow LDAP admin account to behave like local root? → Yes
  • Does the LDAP database require login? → No
  • LDAP administrative account: cn=admin,dc=hamwan,dc=ca

Answering Yes makes libpam-ldap bind as the admin account when local root changes a user's password; Debian keeps that bind password in /etc/pam_ldap.secret, which must stay owned by root with mode 0600.

3. Check Configurations

Modify nsswitch.conf to add ldap as a data source for passwd, group and shadow, so that it looks like this:

nano /etc/nsswitch.conf

...
passwd:         compat	ldap
group:          compat	ldap
shadow:         compat	ldap
gshadow:        files
...

Edit /etc/pam.d/common-password and remove use_authtok from the pam_ldap.so line, so that the Primary block reads as below. use_authtok tells a module to reuse the password already collected by an earlier module in the stack instead of prompting for it, which is not what we want for LDAP password changes.

nano /etc/pam.d/common-password
...
# here are the per-package modules (the "Primary" block)
password	[success=2 default=ignore]	pam_unix.so obscure sha512
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
...

To create a user's home directory automatically at first login, add the line session optional pam_mkhomedir.so skel=/etc/skel umask=077 to /etc/pam.d/common-session, between the pam_ldap.so and pam_systemd.so lines:

nano /etc/pam.d/common-session
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	optional			pam_ldap.so 
session optional        pam_mkhomedir.so skel=/etc/skel umask=077
session	optional	pam_systemd.so 
# end of pam-auth-update config

/etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=hamwan,dc=ca
URI     ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

Client Configuration (Redhat)

1. Install the LDAP packages and enable the oddjob home-directory service

yum install dbus oddjob oddjob-mkhomedir openldap openldap-clients nss_ldap
systemctl enable messagebus
systemctl enable oddjobd
systemctl restart messagebus
systemctl restart oddjobd
systemctl status oddjobd

2. Check Configurations

Modify nsswitch.conf to add ldap as a data source for passwd, group and shadow, so that it looks like this:

nano /etc/nsswitch.conf

...
passwd:         compat	ldap
group:          compat	ldap
shadow:         compat	ldap
gshadow:        files
...

Add the following line to /etc/pam.d/sshd so that oddjobd creates the home directory at first login:

session required pam_oddjob_mkhomedir.so

/etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=hamwan,dc=ca
URI     ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

Enable LDAP lookups and authentication with authconfig

authconfig --enableforcelegacy --update
authconfig --enableldap --enableldapauth --ldapserver="auth-01.pvd.if.hamwan.ca" --ldapbasedn="dc=hamwan,dc=ca" --enablemkhomedir --update

Test the configuration

getent passwd nosuchuser
getent passwd va7dbi

The first command should print nothing and exit with status 2 (key not found); the second should print the user's LDAP entry as a passwd line. If the second prints nothing, check the ldap entries in nsswitch.conf and the BASE and URI settings in ldap.conf before looking anywhere else.
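Beyond the two getent lookups, the files edited in both the Debian and Red Hat procedures above can be checked mechanically. The script below is an added example for this page, not code from HamWAN: each check takes the path of the file to inspect, so it can be run against /etc or against copies, and it looks for exactly the settings the page prescribes (the BASE dc=hamwan,dc=ca, the pam_ldap.so line without use_authtok, a mkhomedir module, a TLS_CACERT). It also counts plain ldap:// URIs, because binds over those are cleartext unless the client separately forces STARTTLS.

```shell
#!/bin/sh
# Sanity checks for the LDAP client files edited above. Added example for this
# page, not code from HamWAN. Each check takes the path of the file to inspect,
# so it can be run against /etc or against copies; expected BASE is the page's.

# nsswitch.conf: passwd, group and shadow must each list the ldap source.
check_nsswitch() {
  for db in passwd group shadow; do
    grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
  done
}

# common-password: the pam_ldap.so line must exist and must not carry use_authtok.
check_common_password() {
  grep -Eq '^password.*pam_ldap\.so' "$1" || return 1
  ! grep -E '^password.*pam_ldap\.so' "$1" | grep -q 'use_authtok'
}

# Session file: a home-directory module must be present (pam_mkhomedir.so on
# Debian, pam_oddjob_mkhomedir.so on Red Hat).
check_mkhomedir() {
  grep -Eq '^session.*pam_(oddjob_)?mkhomedir\.so' "$1"
}

# Debian common-session: pam_mkhomedir.so with umask=077 must sit after
# pam_ldap.so and before pam_systemd.so.
check_session_order() {
  ldap=$(grep -nE '^session.*pam_ldap\.so' "$1" | head -n1 | cut -d: -f1)
  mk=$(grep -nE '^session.*pam_mkhomedir\.so.*umask=077' "$1" | head -n1 | cut -d: -f1)
  sd=$(grep -nE '^session.*pam_systemd\.so' "$1" | head -n1 | cut -d: -f1)
  [ -n "$ldap" ] && [ -n "$mk" ] && [ -n "$sd" ] || return 1
  [ "$ldap" -lt "$mk" ] && [ "$mk" -lt "$sd" ]
}

# ldap.conf: BASE, at least one URI and a CA bundle must be set.
check_ldap_conf() {
  grep -Eq '^BASE[[:space:]]+dc=hamwan,dc=ca' "$1" || return 1
  grep -Eq '^URI[[:space:]]+ldaps?://' "$1" || return 1
  grep -Eq '^TLS_CACERT[[:space:]]+/' "$1"
}

# Number of ldap:// (not ldaps://) URIs: binds over these are cleartext unless
# the client also forces STARTTLS, so the figure is worth knowing.
plaintext_uri_count() {
  grep -E '^URI' "$1" | tr -s ' \t' '\n' | grep -c '^ldap://' || true
}

# report LABEL CHECK FILE: print PASS/FAIL for one check.
report() {
  if "$2" "$3"; then echo "PASS $1 ($3)"; else echo "FAIL $1 ($3)"; fi
}

# Run against the live system only when asked, e.g.:
#   LDAP_CHECK_LIVE=1 sh check_ldap_client.sh
if [ "${LDAP_CHECK_LIVE:-0}" = 1 ]; then
  report nsswitch check_nsswitch /etc/nsswitch.conf
  if [ -f /etc/ldap/ldap.conf ]; then                       # Debian layout
    report common-password check_common_password /etc/pam.d/common-password
    report mkhomedir check_mkhomedir /etc/pam.d/common-session
    report session-order check_session_order /etc/pam.d/common-session
    report ldap.conf check_ldap_conf /etc/ldap/ldap.conf
    echo "plain ldap:// URIs: $(plaintext_uri_count /etc/ldap/ldap.conf)"
  else                                                      # Red Hat layout
    report mkhomedir check_mkhomedir /etc/pam.d/sshd
    report ldap.conf check_ldap_conf /etc/openldap/ldap.conf
    echo "plain ldap:// URIs: $(plaintext_uri_count /etc/openldap/ldap.conf)"
  fi
fi
```

Run it with LDAP_CHECK_LIVE=1 on a freshly configured client; every line should read PASS. The ldap.conf on this page lists two plain ldap:// URIs, so the last line will report 2; that is the page's configuration, and whether it is acceptable depends on the network path between the client and auth-01.
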

Radius

auth-01.pvd.if.hamwan.ca also acts as a RADIUS server, providing central logins for the network infrastructure equipment.

Accounts must exist on the LDAP server. Members of the MicroTIK group can log in with read-only permissions; members of the MicroTIK-full group have full (read/write) permissions.

Users also have full permissions on their own device, i.e. where the NAS-Identifier is a callsign and is the same as the User-Name:

(NAS-Identifier =~ /^v[ae][0-9][a-z]{2,3}/ && NAS-Identifier == User-Name)
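The three rules above, written out as a small shell policy so they can be tried against sample inputs. This is an added example for this page, not the RADIUS server's own configuration: the group names and the callsign regex are taken from the page, while case-insensitive callsign matching is an assumption made here because usernames are kept in capitals and the page's regex is written in lowercase.

```shell
#!/bin/sh
# The RADIUS authorization rules from the section above, as an added shell
# example (not the HamWAN server's configuration). Group names and the callsign
# regex are the page's; matching the regex case-insensitively is an assumption.

# is_callsign NAS_ID: does NAS_ID look like a callsign (VA/VE, digit, 2-3 letters)?
# The page's regex has no end anchor, so longer identifiers with that prefix match too.
is_callsign() {
  printf '%s\n' "$1" | grep -Eqi '^v[ae][0-9][a-z]{2,3}'
}

# in_group NAME GROUPS: GROUPS is a space-separated list of the user's LDAP groups.
in_group() {
  for g in $2; do
    [ "$g" = "$1" ] && return 0
  done
  return 1
}

# access_level USER GROUPS NAS_ID: prints full, read or none.
access_level() {
  user="$1"; groups="$2"; nas="$3"
  # Own device: NAS-Identifier is a callsign and equals User-Name (exact match).
  if is_callsign "$nas" && [ "$nas" = "$user" ]; then
    echo full; return 0
  fi
  if in_group MicroTIK-full "$groups"; then
    echo full; return 0
  fi
  if in_group MicroTIK "$groups"; then
    echo read; return 0
  fi
  echo none
}

# Constructed sample decisions (VA7DBI and VA7XYZ are illustrative identifiers):
#   VA7DBI logging in to the device named VA7DBI      -> full
#   VA7DBI (MicroTIK) logging in to VA7XYZ            -> read
#   VA7DBI (MicroTIK-full) logging in to rtr-core-01  -> full
#   VA7DBI (no groups) logging in to rtr-core-01      -> none
for args in "VA7DBI  VA7DBI" "VA7DBI MicroTIK VA7XYZ" \
            "VA7DBI MicroTIK-full rtr-core-01" "VA7DBI  rtr-core-01"; do
  set -- $args
  case $# in
    2) echo "$1 -> $2: $(access_level "$1" "" "$2")" ;;
    *) echo "$1 ($2) -> $3: $(access_level "$1" "$2" "$3")" ;;
  esac
done
```

Note that the own-device rule compares NAS-Identifier and User-Name exactly, so a device whose NAS-Identifier is not in the same capitals as the LDAP username will fall through to the group rules; this is one more reason the page insists on capitalized usernames from the start.
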

TO-DO

Additional auth options:

  • LDAP to REST API gateway using https://github.com/rbw/redap/wiki
  • Enable SSH public keys from LDAP: https://github.com/jirutka/ssh-ldap-pubkey
  • LDAP RBAC: https://github.com/apache/directory-fortress-core/tree/master/ldap/schema
  • Look at 2FA for LDAP