Hamwan/Services/LDAP

From OCARC
Revision as of 15:20, 19 March 2020 by Va7dbi

Services That Support LDAP Authentication

  • OCARC Wiki
  • Proxmox Cluster (mostly)
  • HamWAN Portal

Managing LDAP Accounts

Standard Procedures

  • All usernames should be in CAPITALS
    • Note: some services misbehave when a username's capitalization is changed later, so usernames must be capitalized from the start
  • All usernames should be a callsign when possible

Creating Users

  1. Creating user accounts inside Drupal is the easiest way to create an account that works correctly

Granting Privileges

Authentication Servers

auth-01.pvd.if.hamwan.ca

Client Configuration (Debian 7/8/9)

1. Install the ldap packages

apt-get install libnss-ldap libpam-ldap ldap-utils sudo-ldap

2. Answer the configuration prompts as follows:

  • When asked "Allow LDAP admin account to behave like local root?", choose Yes
  • When asked "Does the LDAP database require login?", choose No
  • Set the LDAP administrative account to: cn=admin,dc=hamwan,dc=ca

3. Check Configurations

Modify nsswitch.conf to use the ldap datasource so that it looks like this:

nano /etc/nsswitch.conf

...
passwd:         compat	ldap
group:          compat	ldap
shadow:         compat	ldap
gshadow:        files
...

Edit /etc/pam.d/common-password and remove use_authtok from the pam_ldap.so line, so that the Primary block reads as below. use_authtok causes the PAM module to reuse the password provided earlier in the stack when changing the password, which breaks password changes against LDAP.

nano /etc/pam.d/common-password
...
# here are the per-package modules (the "Primary" block)
password	[success=2 default=ignore]	pam_unix.so obscure sha512
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
...

To enable automatic home directory creation at first login, add the line "session optional pam_mkhomedir.so skel=/etc/skel umask=077" to /etc/pam.d/common-session, between the pam_ldap.so and pam_systemd.so lines:

nano /etc/pam.d/common-session
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	optional			pam_ldap.so 
session optional        pam_mkhomedir.so skel=/etc/skel umask=077
session	optional	pam_systemd.so 
# end of pam-auth-update config

/etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=hamwan,dc=ca
URI     ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
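As an added example (not from the wiki), a POSIX shell audit of the three client files the Debian steps above edit: nsswitch.conf, common-password, common-session and ldap.conf. It writes a constructed sample tree matching the final listings so it runs offline, and takes an optional root argument so the same checks can be pointed at a live /etc; the warning about plain ldap:// URIs is my addition, since a client that binds over unencrypted LDAP sends the user's password in the clear unless STARTTLS is negotiated.

```shell
#!/bin/sh
# Added example (not from the wiki): audit the client files the Debian steps edit.
# ROOT is optional; with no argument the checks run against the live /etc.
audit_ldap_client() {
    root="${1:-}"; fails=0
    # nsswitch.conf: passwd, group and shadow must list the ldap source
    for map in passwd group shadow; do
        if grep -Eq "^${map}:.*[[:space:]]ldap([[:space:]]|\$)" "$root/etc/nsswitch.conf"; then
            echo "ok   nsswitch: $map uses ldap"
        else
            echo "FAIL nsswitch: $map does not list ldap"; fails=$((fails+1))
        fi
    done
    # common-password: the pam_ldap.so line must not carry use_authtok
    if grep -E '^password.*pam_ldap\.so' "$root/etc/pam.d/common-password" | grep -q use_authtok; then
        echo "FAIL common-password: pam_ldap.so still has use_authtok"; fails=$((fails+1))
    else
        echo "ok   common-password: pam_ldap.so without use_authtok"
    fi
    # common-session: pam_mkhomedir.so umask=077 must sit between pam_ldap.so and pam_systemd.so
    f="$root/etc/pam.d/common-session"
    l=$(grep -nE '^session.*pam_ldap\.so' "$f" | cut -d: -f1 | head -n1)
    m=$(grep -nE '^session.*pam_mkhomedir\.so.*umask=077' "$f" | cut -d: -f1 | head -n1)
    s=$(grep -nE '^session.*pam_systemd\.so' "$f" | cut -d: -f1 | head -n1)
    if [ -n "$l" ] && [ -n "$m" ] && [ -n "$s" ] && [ "$l" -lt "$m" ] && [ "$m" -lt "$s" ]; then
        echo "ok   common-session: pam_mkhomedir.so umask=077 between pam_ldap.so and pam_systemd.so"
    else
        echo "FAIL common-session: pam_mkhomedir.so missing, umask not 077, or misordered"; fails=$((fails+1))
    fi
    # ldap.conf: BASE and TLS_CACERT must be set; a plain ldap:// URI sends binds unencrypted
    c="$root/etc/ldap/ldap.conf"
    grep -Eq '^BASE[[:space:]]+dc=hamwan,dc=ca' "$c" || { echo "FAIL ldap.conf: BASE is not dc=hamwan,dc=ca"; fails=$((fails+1)); }
    grep -Eq '^TLS_CACERT[[:space:]]+/' "$c" || { echo "FAIL ldap.conf: TLS_CACERT not set"; fails=$((fails+1)); }
    grep -Eq '^URI.*ldap://' "$c" && echo "warn ldap.conf: plain ldap:// URI; prefer ldaps:// or STARTTLS"
    return "$fails"
}

# Constructed sample tree reproducing the page's final Debian listings (for offline runs)
write_sample_tree() {
    d="$1"; mkdir -p "$d/etc/pam.d" "$d/etc/ldap"
    printf 'passwd:\tcompat ldap\ngroup:\tcompat ldap\nshadow:\tcompat ldap\ngshadow:\tfiles\n' > "$d/etc/nsswitch.conf"
    printf 'password\t[success=2 default=ignore]\tpam_unix.so obscure sha512\n' > "$d/etc/pam.d/common-password"
    printf 'password\t[success=1 user_unknown=ignore default=die]\tpam_ldap.so try_first_pass\n' >> "$d/etc/pam.d/common-password"
    printf 'session\trequired\tpam_unix.so\nsession\toptional\tpam_ldap.so\n' > "$d/etc/pam.d/common-session"
    printf 'session optional pam_mkhomedir.so skel=/etc/skel umask=077\nsession\toptional\tpam_systemd.so\n' >> "$d/etc/pam.d/common-session"
    printf 'BASE\tdc=hamwan,dc=ca\nURI\tldap://auth-01.pvd.if.hamwan.ca\nTLS_CACERT\t/etc/ssl/certs/ca-certificates.crt\n' > "$d/etc/ldap/ldap.conf"
}

tmp=$(mktemp -d)
write_sample_tree "$tmp"
audit_ldap_client "$tmp" && echo "all checks passed"
rm -rf "$tmp"
```

Run it as root with no argument after finishing the steps above to confirm the live files match; a non-zero exit status means at least one check failed.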

Client Configuration (Debian 10)

root@www:~# apt -y install libnss-ldap libpam-ldap ldap-utils sudo-ldap

(1) specify LDAP server's URI

+-----------------------| Configuring libnss-ldap |-------------------------+
| Please enter the URI of the LDAP server to use. This is a string in the   |
| form of ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:// can also    |
| be used. The port number is optional.                                     |
|                                                                           |
| Note: It is usually a good idea to use an IP address because it reduces   |
| risks of failure in the event name service problems.                      |
|                                                                           |
| LDAP server Uniform Resource Identifier:                                  |
|                                                                           |
| ldap://auth-01.pvd.if.hamwan.ca/______________________________________    |
|                                                                           |
|                                  <Ok>                                     |
|                                                                           |
+---------------------------------------------------------------------------+

(2) specify suffix

+-----------------------| Configuring libnss-ldap |-------------------------+
| Please enter the distinguished name of the LDAP search base. Many sites   |
| use the components of their domain names for this purpose. For example,   |
| the domain "example.net" would use "dc=example,dc=net" as the             |
| distinguished name of the search base.                                    |
|                                                                           |
| Distinguished name of the search base:                                    |
|                                                                           |
| dc=hamwan,dc=ca_______________________________________________________    |
|                                                                           |
|                                  <Ok>                                     |
|                                                                           |
+---------------------------------------------------------------------------+

(3) specify the LDAP protocol version (it is generally fine to select version 3)

 +-----------------------| Configuring libnss-ldap |------------------------+
 | Please enter which version of the LDAP protocol should be used by        |
 | ldapns. It is usually a good idea to set this to the highest available   |
 | version.                                                                 |
 |                                                                          |
 | LDAP version to use:                                                     |
 |                                                                          |
 |                                    3                                     |
 |                                    2                                     |
 |                                                                          |
 |                                                                          |
 |                                  <Ok>                                    |
 |                                                                          |
 +--------------------------------------------------------------------------+

(4) specify the LDAP admin account's distinguished name

 +-----------------------+ Configuring libnss-ldap +------------------------+
 | Please enter the name of the LDAP administrative account.                |
 |                                                                          |
 | This account will be used automatically for database management, so it   |
 | must have the appropriate administrative privileges.                     |
 |                                                                          |
 | LDAP administrative account:                                             |
 |                                                                          |
 | cn=admin,dc=hamwan,dc=ca________________________________________________ |
 |                                                                          |
 |                                  <Ok>                                    |
 |                                                                          |
 +--------------------------------------------------------------------------+

(5) specify password for LDAP admin account

+-----------------------| Configuring libnss-ldap |-------------------------+
| Please enter the password to use when ldap-auth-config tries to login to  |
| the LDAP directory using the LDAP account for root.                       |
|                                                                           |
| The password will be stored in a separate file /etc/ldap.secret which     |
| will be made readable to root only.                                       |
|                                                                           |
| Entering an empty password will re-use the old password.                  |
|                                                                           |
| LDAP root account password:                                               |
|                                                                           |
| _________________________________________________________________________ |
|                                                                           |
|                                  <Ok>                                     |
|                                                                           |
+---------------------------------------------------------------------------+

(6) [OK]

 +-----------------------+ Configuring libnss-ldap +------------------------+
 |                                                                          |
 | nsswitch.conf not managed automatically                                  |
 |                                                                          |
 | For the libnss-ldap package to work, you need to modify your             |
 | /etc/nsswitch.conf to use the "ldap" datasource.  There is an example    |
 | file at /usr/share/doc/libnss-ldap/examples/nsswitch.ldap which can be   |
 | used as an example for your nsswitch setup, or it can be copied over     |
 | your current setup.                                                      |
 |                                                                          |
 | Also, before removing this package, it is wise to remove the "ldap"      |
 | entries from nsswitch.conf to keep basic services functioning.           |
 |                                                                          |
 |                                  <Ok>                                    |
 |                                                                          |
 +--------------------------------------------------------------------------+

(7) choose whether the LDAP admin account may behave like local root (this example selects [Yes])

+------------------------+ Configuring libpam-ldap +------------------------+
|                                                                           |
| This option will allow password utilities that use PAM to change local    |
| passwords.                                                                |
|                                                                           |
| The LDAP admin account password will be stored in a separate file which   |
| will be made readable to root only.                                       |
|                                                                           |
| If /etc is mounted by NFS, this option should be disabled.                |
|                                                                           |
| Allow LDAP admin account to behave like local root?                       |
|                                                                           |
|                    <Yes>                       <No>                       |
|                                                                           |
+---------------------------------------------------------------------------+

(8) choose whether the LDAP database requires login (this example selects [No])

   +---------------------| Configuring libpam-ldap |----------------------+
   |                                                                      |
   | Choose this option if you are required to login to the database to   |
   | retrieve entries.                                                    |
   |                                                                      |
   | Note: Under a normal setup, this is not needed.                      |
   |                                                                      |
   | Does the LDAP database require login?                                |
   |                                                                      |
   |                   <Yes>                      <No>                    |
   |                                                                      |
   +----------------------------------------------------------------------+

(9) specify the LDAP admin account's distinguished name

 +-----------------------+ Configuring libpam-ldap +------------------------+
 | Please enter the name of the LDAP administrative account.                |
 |                                                                          |
 | This account will be used automatically for database management, so it   |
 | must have the appropriate administrative privileges.                     |
 |                                                                          |
 | LDAP administrative account:                                             |
 |                                                                          |
 | cn=admin,dc=hamwan,dc=ca________________________________________________ |
 |                                                                          |
 |                                  <Ok>                                    |
 |                                                                          |
 +--------------------------------------------------------------------------+

(10) specify password for LDAP admin account

+------------------------+ Configuring libpam-ldap +------------------------+
| Please enter the password of the administrative account.                  |
|                                                                           |
| The password will be stored in the file /etc/pam_ldap.secret. This will   |
| be made readable to root only, and will allow libpam-ldap to carry out    |
| automatic database management logins.                                     |
|                                                                           |
| If this field is left empty, the previously stored password will be       |
| re-used.                                                                  |
|                                                                           |
| LDAP administrative password:                                             |
|                                                                           |
| ********_________________________________________________________________ |
|                                                                           |
|                                  <Ok>                                     |
|                                                                           |
+---------------------------------------------------------------------------+

root@www:~# vi /etc/nsswitch.conf

Line 7: add the ldap source to the maps, so that they read:

passwd:     compat systemd ldap
group:      compat systemd ldap
shadow:     compat

root@www:~# vi /etc/pam.d/common-password

Line 26: remove use_authtok from the pam_ldap.so line, so that it reads:

password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

root@www:~# vi /etc/pam.d/common-session

Add the following to the end if needed (creates the home directory automatically at first login):

session optional pam_mkhomedir.so skel=/etc/skel umask=077

root@www:~# reboot

Client Configuration (Red Hat)

1. Install the ldap packages

yum install dbus oddjob oddjob-mkhomedir openldap openldap-clients nss_ldap
systemctl enable messagebus
systemctl enable oddjobd
systemctl restart messagebus
systemctl restart oddjobd
systemctl status oddjobd

2. Check Configurations

Modify nsswitch.conf to use the ldap datasource so that it looks like this:

nano /etc/nsswitch.conf

...
passwd:         compat	ldap
group:          compat	ldap
shadow:         compat	ldap
gshadow:        files
...

Add the line "session required pam_oddjob_mkhomedir.so" to /etc/pam.d/sshd

session required pam_oddjob_mkhomedir.so

/etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=hamwan,dc=ca
URI     ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

Enable LDAP authentication in PAM with authconfig

authconfig --enableforcelegacy --update
authconfig --enableldap --enableldapauth --ldapserver="auth-01.pvd.if.hamwan.ca" --ldapbasedn="dc=hamwan,dc=ca" --enablemkhomedir --update

Test the configuration

getent passwd nosuchuser
getent passwd va7dbi

Client Configuration (Alpine)

1. Install the ldap packages

apk add openldap-clients nss-pam-ldapd musl-nscd

Step 2: Configuration

/etc/nslcd.conf

The source package includes an annotated template configuration file for the nslcd daemon. A nslcd.conf(5) manual page that lists all the options is also available.

At the very least the uri (the location of the LDAP server) option should be set. It is recommended to also set the base option to the LDAP search base of the server. Set the uid and gid options to the created user and group. For other options the defaults should be fine in most set-ups. A minimal configuration would contain:

uri ldap://auth-01.pvd.if.hamwan.ca
base dc=hamwan,dc=ca
uid nslcd
gid nslcd

After making any modifications to /etc/nslcd.conf the nslcd daemon should be (re)started.

/etc/nsswitch.conf

Add ldap to at least the passwd, group and shadow maps. Whether you should also change the other maps depends on the information in your LDAP directory. Include ldap after the local lookups.

It is better to use files than compat unless you use the special +/- syntax in /etc/passwd or are also using NIS. Your /etc/nsswitch.conf will contain something like:

passwd:     files ldap
group:      files ldap
shadow:     files ldap

/etc/pam.conf or /etc/pam.d/*

To enable logins using both LDAP and local users (e.g. if you want to keep root logins) you should edit the files under /etc/pam.d (or /etc/pam.conf if your system uses that). Everywhere that pam_unix is called you should also call pam_ldap. A very basic snippet is included below.

auth      sufficient  pam_unix.so
auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
auth      required    pam_deny.so

account   required    pam_unix.so
account   sufficient  pam_ldap.so minimum_uid=1000
account   required    pam_permit.so

session   required    pam_unix.so
session   optional    pam_ldap.so minimum_uid=1000

password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  sufficient  pam_ldap.so minimum_uid=1000 try_first_pass
password  required    pam_deny.so

There are many different ways to configure PAM and the above is only a suggestion.

Step 3: Test and troubleshoot

To ensure that everything is working correctly you can run getent passwd. This should return users from LDAP. As root, getent shadow should also return information from LDAP.

To test authentication log in with an LDAP user. One way to do that is to run su - USER as a normal user (where USER is an LDAP user) or su - nobody -c 'su - USER' as root.

To troubleshoot problems you can run nslcd in debug mode (remember to stop nscd when debugging). Debug mode should return a lot of information about the LDAP queries that are performed and errors that may arise.

  1. /etc/init.d/nscd stop
  2. /etc/init.d/nslcd stop
  3. nslcd -d

Miscellaneous notes

For most configurations it is recommended to run nscd (or unscd). This should reduce the load on the LDAP server. However, for debugging it is recommended to stop nscd because it may return cached entries instead of actual data.

An alternative to using an LDAP PAM module is to expose the userPassword attribute through LDAP in shadow entries. This is in general a bad idea because:

  • it limits you to the password hashing schemes that are supported by pam_unix
  • the authentication is done on the client instead of on the server, which exposes the hashed password to the client (and possibly over the network)

You may need to set "UsePAM yes" in /etc/ssh/sshd_config for PAM authentication in sshd to work.

Radius

auth-01.pvd.if.hamwan.ca also acts as a Radius server to facilitate central logins for network infrastructure equipment on the network.

Accounts must be set up on the LDAP server. Members of the MicroTIK group can log in with read permissions. Members of the MicroTIK-full group have full (read/write) permissions.

Users have full permissions on their own device, where:

(NAS-Identifier =~ /^v[ae][0-9][a-z]{2,3}/ && NAS-Identifier == User-Name)
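The access rule above as a shell function, added here as an example and not taken from the wiki or the server's configuration: it returns full, read or reject for a User-Name, NAS-Identifier and group list. Group membership is passed in as an argument (assumption: the real server would look it up in LDAP), and the callsign pattern is used exactly as the page gives it, so it is case-sensitive.

```shell
#!/bin/sh
# Added example (not from the wiki or the server's configuration): the Radius
# access rule as a shell function. Group membership is passed in as a
# space-separated list; the real server would look it up in LDAP (assumption).
# Usage: radius_access USER_NAME NAS_IDENTIFIER "GROUP ..."  -> prints full|read|reject
radius_access() {
    user="$1"; nas="$2"; grps="$3"
    # Own device: NAS-Identifier matches the callsign pattern from the page
    # (used verbatim, so case-sensitive) and equals the User-Name.
    if printf '%s\n' "$nas" | grep -Eq '^v[ae][0-9][a-z]{2,3}' && [ "$nas" = "$user" ]; then
        echo full; return 0
    fi
    # Otherwise the LDAP group decides; MicroTIK-full wins over MicroTIK.
    case " $grps " in
        *" MicroTIK-full "*) echo full; return 0 ;;
        *" MicroTIK "*)      echo read; return 0 ;;
    esac
    # No matching group and not the user's own device: refuse the login.
    echo reject; return 1
}

# Demonstration with constructed callsigns and group lists
for args in "va7dbi va7dbi" "va7dbi ve7abc MicroTIK" "va7dbi ve7abc MicroTIK-full" "va7dbi ve7abc"; do
    set -- $args
    printf '%-8s on %-8s groups=[%s] -> %s\n' "$1" "$2" "$3" "$(radius_access "$1" "$2" "$3")"
done
```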

TO-DO

Additional auth options:

  • LDAP to REST API gateway using https://github.com/rbw/redap/wiki
  • Enable public-key lookup from LDAP: https://github.com/jirutka/ssh-ldap-pubkey
  • LDAP RBAC: https://github.com/apache/directory-fortress-core/tree/master/ldap/schema
  • Look at 2FA with LDAP