Hamwan/Services/LDAP

From OCARC
Revision as of 09:55, 21 March 2020 by Va7dbi (talk | contribs) (desupport alpine)

Services That Support LDAP Authentication

  • OCARC Wiki
  • Proxmox Cluster (mostly)
  • HamWAN Portal

Managing LDAP Accounts

Standard Procedures

  • All usernames should be in CAPITALS
    • Note: some services have issues when a username's capitalization is changed later, so it is important that usernames are capitalized from the start.
  • All usernames should be a callsign when possible

Creating Users

  1. Creating user accounts inside Drupal is the easiest way to create an account that works correctly.

Granting Privileges

Authentication Servers

auth-01.pvd.if.hamwan.ca

Client Configuration (Debian 7/8/9)

1. Install the ldap packages

apt-get install libnss-ldap libpam-ldap ldap-utils sudo-ldap

2. Answer the configuration prompts as follows:

  • Allow LDAP admin account to behave like local root? Choose YES
  • Does the LDAP database require login? Choose No
  • Set the LDAP administrative account to: cn=admin,dc=hamwan,dc=ca

3. Check Configurations

Modify nsswitch.conf to use the ldap datasource so that it looks like:

nano /etc/nsswitch.conf

...
passwd:         compat	ldap
group:          compat	ldap
shadow:         compat	ldap
gshadow:        files
...

Edit /etc/pam.d/common-password and remove use_authtok from the pam_ldap.so line, so that the block reads as below. use_authtok causes the PAM module to reuse the password already supplied to an earlier module in the stack when changing the password.

nano /etc/pam.d/common-password
...
# here are the per-package modules (the "Primary" block)
password	[success=2 default=ignore]	pam_unix.so obscure sha512
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
...

To enable automatic creation of the user's home directory at first login, add the line session optional pam_mkhomedir.so skel=/etc/skel umask=077 to /etc/pam.d/common-session, between the pam_ldap.so and pam_systemd.so lines.

nano /etc/pam.d/common-session
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	optional			pam_ldap.so 
session optional        pam_mkhomedir.so skel=/etc/skel umask=077
session	optional	pam_systemd.so 
# end of pam-auth-update config

/etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=hamwan,dc=ca
URI     ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

Client Configuration (Debian 10)

root@www:~# apt -y install libnss-ldap libpam-ldap ldap-utils sudo-ldap

(1) specify LDAP server's URI

+-----------------------| Configuring libnss-ldap |-------------------------+
| Please enter the URI of the LDAP server to use. This is a string in the   |
| form of ldap://<hostname or IP>:<port>/. ldaps:// or ldapi:// can also    |
| be used. The port number is optional.                                     |
|                                                                           |
| Note: It is usually a good idea to use an IP address because it reduces   |
| risks of failure in the event name service problems.                      |
|                                                                           |
| LDAP server Uniform Resource Identifier:                                  |
|                                                                           |
| ldap://auth-01.pvd.if.hamwan.ca/______________________________________    |
|                                                                           |
|                                  <Ok>                                     |
|                                                                           |
+---------------------------------------------------------------------------+

(2) specify suffix

+-----------------------| Configuring libnss-ldap |-------------------------+
| Please enter the distinguished name of the LDAP search base. Many sites   |
| use the components of their domain names for this purpose. For example,   |
| the domain "example.net" would use "dc=example,dc=net" as the             |
| distinguished name of the search base.                                    |
|                                                                           |
| Distinguished name of the search base:                                    |
|                                                                           |
| dc=hamwan,dc=ca_______________________________________________________    |
|                                                                           |
|                                  <Ok>                                     |
|                                                                           |
+---------------------------------------------------------------------------+

(3) specify LDAP version (generally OK to select Version [3])

 +-----------------------| Configuring libnss-ldap |------------------------+
 | Please enter which version of the LDAP protocol should be used by        |
 | ldapns. It is usually a good idea to set this to the highest available   |
 | version.                                                                 |
 |                                                                          |
 | LDAP version to use:                                                     |
 |                                                                          |
 |                                    3                                     |
 |                                    2                                     |
 |                                                                          |
 |                                                                          |
 |                                  <Ok>                                    |
 |                                                                          |
 +--------------------------------------------------------------------------+

(4) specify the LDAP admin account's DN

 +-----------------------+ Configuring libnss-ldap +------------------------+
 | Please enter the name of the LDAP administrative account.                |
 |                                                                          |
 | This account will be used automatically for database management, so it   |
 | must have the appropriate administrative privileges.                     |
 |                                                                          |
 | LDAP administrative account:                                             |
 |                                                                          |
 | cn=admin,dc=hamwan,dc=ca________________________________________________ |
 |                                                                          |
 |                                  <Ok>                                    |
 |                                                                          |
 +--------------------------------------------------------------------------+

(5) specify password for LDAP admin account

+-----------------------| Configuring libnss-ldap |-------------------------+
| Please enter the password to use when ldap-auth-config tries to login to  |
| the LDAP directory using the LDAP account for root.                       |
|                                                                           |
| The password will be stored in a separate file /etc/ldap.secret which     |
| will be made readable to root only.                                       |
|                                                                           |
| Entering an empty password will re-use the old password.                  |
|                                                                           |
| LDAP root account password:                                               |
|                                                                           |
| _________________________________________________________________________ |
|                                                                           |
|                                  <Ok>                                     |
|                                                                           |
+---------------------------------------------------------------------------+

(6) [OK]

 +-----------------------+ Configuring libnss-ldap +------------------------+
 |                                                                          |
 | nsswitch.conf not managed automatically                                  |
 |                                                                          |
 | For the libnss-ldap package to work, you need to modify your             |
 | /etc/nsswitch.conf to use the "ldap" datasource.  There is an example    |
 | file at /usr/share/doc/libnss-ldap/examples/nsswitch.ldap which can be   |
 | used as an example for your nsswitch setup, or it can be copied over     |
 | your current setup.                                                      |
 |                                                                          |
 | Also, before removing this package, it is wise to remove the "ldap"      |
 | entries from nsswitch.conf to keep basic services functioning.           |
 |                                                                          |
 |                                  <Ok>                                    |
 |                                                                          |
 +--------------------------------------------------------------------------+

(7) select the one you like (this example selects [Yes])

+------------------------+ Configuring libpam-ldap +------------------------+
|                                                                           |
| This option will allow password utilities that use PAM to change local    |
| passwords.                                                                |
|                                                                           |
| The LDAP admin account password will be stored in a separate file which   |
| will be made readable to root only.                                       |
|                                                                           |
| If /etc is mounted by NFS, this option should be disabled.                |
|                                                                           |
| Allow LDAP admin account to behave like local root?                       |
|                                                                           |
|                    <Yes>                       <No>                       |
|                                                                           |
+---------------------------------------------------------------------------+

(8) select the one you like (this example selects [No])

   +---------------------| Configuring libpam-ldap |----------------------+
   |                                                                      |
   | Choose this option if you are required to login to the database to   |
   | retrieve entries.                                                    |
   |                                                                      |
   | Note: Under a normal setup, this is not needed.                      |
   |                                                                      |
   | Does the LDAP database require login?                                |
   |                                                                      |
   |                   <Yes>                      <No>                    |
   |                                                                      |
   +----------------------------------------------------------------------+

(9) specify the LDAP admin account's DN

 +-----------------------+ Configuring libpam-ldap +------------------------+
 | Please enter the name of the LDAP administrative account.                |
 |                                                                          |
 | This account will be used automatically for database management, so it   |
 | must have the appropriate administrative privileges.                     |
 |                                                                          |
 | LDAP administrative account:                                             |
 |                                                                          |
 | cn=admin,dc=hamwan,dc=ca________________________________________________ |
 |                                                                          |
 |                                  <Ok>                                    |
 |                                                                          |
 +--------------------------------------------------------------------------+

(10) specify password for LDAP admin account

+------------------------+ Configuring libpam-ldap +------------------------+
| Please enter the password of the administrative account.                  |
|                                                                           |
| The password will be stored in the file /etc/pam_ldap.secret. This will   |
| be made readable to root only, and will allow libpam-ldap to carry out    |
| automatic database management logins.                                     |
|                                                                           |
| If this field is left empty, the previously stored password will be       |
| re-used.                                                                  |
|                                                                           |
| LDAP administrative password:                                             |
|                                                                           |
| ********_________________________________________________________________ |
|                                                                           |
|                                  <Ok>                                     |
|                                                                           |
+---------------------------------------------------------------------------+

root@www:~# vi /etc/nsswitch.conf

  1. line 7: add the ldap datasource so the entries read

passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat

root@www:~# vi /etc/pam.d/common-password

  1. line 26: change (remove use_authtok)

password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

root@www:~# vi /etc/pam.d/common-session

  1. add to the end if needed (creates the home directory automatically at first login)

session optional pam_mkhomedir.so skel=/etc/skel umask=077

root@www:~# reboot

Client Configuration (Redhat)

1. Install the ldap packages

yum install dbus oddjob oddjob-mkhomedir openldap openldap-clients nss_ldap
systemctl enable messagebus
systemctl enable oddjobd
systemctl restart messagebus
systemctl restart oddjobd
systemctl status oddjobd

2. Check Configurations

Modify nsswitch.conf to use the ldap datasource so that it looks like:

nano /etc/nsswitch.conf

...
passwd:         compat	ldap
group:          compat	ldap
shadow:         compat	ldap
gshadow:        files
...

Add the line "session required pam_oddjob_mkhomedir.so" to /etc/pam.d/sshd

session required pam_oddjob_mkhomedir.so

/etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=hamwan,dc=ca
URI     ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

Enable LDAP authentication in PAM with authconfig

authconfig --enableforcelegacy --update
authconfig --enableldap --enableldapauth --ldapserver="auth-01.pvd.if.hamwan.ca" --ldapbasedn="dc=hamwan,dc=ca" --enablemkhomedir --update

Test the configuration

getent passwd nosuchuser   # a name that does not exist: should return nothing
getent passwd va7dbi       # an existing LDAP account: should return its passwd entry
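A verification script for the client steps above, added here and not part of the wiki page or the HamWAN project: it confirms the ldap datasource is in nsswitch.conf, that use_authtok is gone from the pam_ldap.so password line, that pam_mkhomedir.so follows pam_ldap.so, and that the stored admin bind password files are root-only, then runs the same getent checks for a user name you pass in. The Red Hat client is configured by authconfig and pam_oddjob_mkhomedir, so only the nsswitch, secret-file and getent checks apply to it.

```shell
#!/bin/sh
# Added verification script, not part of the HamWAN wiki page: checks that a
# client configured with the steps above actually took the LDAP settings.

# nsswitch.conf: passwd and group must include the ldap datasource.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$1" || {
            echo "nsswitch: '$db' does not use ldap" >&2; return 1; }
    done
}

# common-password: the pam_ldap.so line must exist and must not carry
# use_authtok, otherwise a password change re-uses the pam_unix password.
check_common_password() {
    line=$(grep -E '^password[[:space:]].*pam_ldap\.so' "$1") || {
        echo "pam: no pam_ldap.so password line in $1" >&2; return 1; }
    case "$line" in
        *use_authtok*) echo "pam: use_authtok still on pam_ldap.so line" >&2
                       return 1 ;;
    esac
}

# common-session: pam_mkhomedir.so must come after pam_ldap.so so the home
# directory is created once the LDAP session has been opened.
check_common_session() {
    awk '/^session/ && /pam_ldap\.so/      { l = NR }
         /^session/ && /pam_mkhomedir\.so/ { m = NR }
         END { exit !(l && m && l < m) }' "$1"
}

# /etc/ldap.secret and /etc/pam_ldap.secret hold the admin bind password: 0600.
check_secret_perms() {
    [ -e "$1" ] || return 0                     # not stored: nothing to leak
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ] || { echo "$1: mode $mode, expected 600" >&2; return 1; }
}

# Run everything against the live system; getent must return nothing for a
# name that does not exist and resolve the LDAP user given as $1.
verify_client() {
    check_nsswitch /etc/nsswitch.conf &&
    check_common_password /etc/pam.d/common-password &&
    check_common_session /etc/pam.d/common-session &&
    check_secret_perms /etc/ldap.secret &&
    check_secret_perms /etc/pam_ldap.secret &&
    ! getent passwd nosuchuser >/dev/null &&
    getent passwd "$1" >/dev/null
}
```

Run it as root with a known LDAP username, e.g. verify_client va7dbi; a non-zero exit and a message on stderr identify the file that still needs fixing.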

RADIUS

auth-01.pvd.if.hamwan.ca also acts as a RADIUS server to provide central logins for the network infrastructure equipment on the network.

Accounts must be set up on the LDAP server. Members of the MicroTIK group can log in with read permissions. Members of the MicroTIK-full group have full (read/write) permissions.

Users have full permissions on their own device, that is, where

(NAS-Identifier =~ /^v[ae][0-9][a-z]{2,3}/ && NAS-Identifier == User-Name)
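An added example, not code from the wiki page or its RADIUS server, that applies the username rules under Standard Procedures and the RADIUS access rules above to a login request. It matches the page's callsign pattern case-insensitively (an assumption: usernames are upper-case by policy while the pattern is written in lower case) and assumes the user's LDAP groups arrive as a space-separated list.

```shell
#!/bin/sh
# Added example, not from the HamWAN wiki page: applies the account policy
# (usernames in CAPITALS, a callsign where possible) and the RADIUS access
# rules to a login. CALLSIGN_RE is the page's own pattern, anchored at the
# start only, as written there; it is matched case-insensitively here.
CALLSIGN_RE='^v[ae][0-9][a-z]{2,3}'

# Returns 0 when the username follows the standard procedures.
check_username() {
    u="$1"
    [ "$u" = "$(printf '%s' "$u" | tr '[:lower:]' '[:upper:]')" ] || {
        echo "$u: usernames must be in CAPITALS" >&2; return 1; }
    printf '%s\n' "$u" | grep -Eiq "$CALLSIGN_RE" || {
        echo "$u: username should be a callsign" >&2; return 1; }
}

# Prints the access level a RADIUS login gets on a device:
#   full - the device is the user's own (NAS-Identifier looks like a
#          callsign and equals the User-Name) or the user is in MicroTIK-full
#   read - the user is in the MicroTIK group
#   none - otherwise
# $1 = User-Name, $2 = NAS-Identifier, $3 = the user's LDAP groups,
# space-separated (how they are looked up is outside this example).
radius_access() {
    user="$1"; nas="$2"; grps=" $3 "
    if printf '%s\n' "$nas" | grep -Eiq "$CALLSIGN_RE" && [ "$nas" = "$user" ]
    then
        echo full; return 0
    fi
    case "$grps" in
        *" MicroTIK-full "*) echo full ;;
        *" MicroTIK "*)      echo read ;;
        *)                   echo none ;;
    esac
}
```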

TO-DO

Additional auth options:

  • LDAP to REST API gateway using https://github.com/rbw/redap/wiki
  • Enable pubkey LDAP: https://github.com/jirutka/ssh-ldap-pubkey
  • LDAP RBAC: https://github.com/apache/directory-fortress-core/tree/master/ldap/schema
  • Look at 2FA LDAP