Hamwan/Services/LDAP: Difference between revisions
| (14 intermediate revisions by the same user not shown) | |||
| Line 6: | Line 6: | ||
== Managing LDAP Accounts == | == Managing LDAP Accounts == | ||
=== Standard Procedures === | |||
* All usernames should be in CAPITALS | |||
* All usernames should be a callsign when possible | |||
=== Creating Users === | |||
=== Granting Privileges === | |||
== Authentication Servers == | == Authentication Servers == | ||
| Line 15: | Line 24: | ||
1. Install the ldap packages | 1. Install the ldap packages | ||
apt-get install libnss-ldap | <pre>apt-get install libnss-ldap libpam-ldap ldap-utils sudo-ldap</pre> | ||
2. | |||
When asked if you want to Allow LDAP admin account to behave like local root? Choose YES | |||
When asked Does the LDAP database require login? Choose No | |||
Set the LDAP administrative account to: cn=admin,dc=hamwan,dc=ca | |||
3. Check Configurations | |||
Modify nsswitch.conf to use ldap datasource such that it looks like; | |||
<pre> | |||
nano /etc/nsswitch.conf | |||
... | |||
passwd: compat ldap | |||
group: compat ldap | |||
shadow: compat ldap | |||
gshadow: files | |||
... | |||
</pre> | |||
Edit the /etc/pam.d/common-password and remove the use_authtok on the highlighted line below. use_authtok causes the PAM module to use the earlier provided password when changing the password.. | |||
<pre> | |||
nano /etc/pam.d/common-password | |||
... | |||
# here are the per-package modules (the "Primary" block) | |||
password [success=2 default=ignore] pam_unix.so obscure sha512 | |||
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass | |||
# here's the fallback if no module succeeds | |||
password requisite pam_deny.so | |||
# prime the stack with a positive return value if there isn't one already; | |||
... | |||
</pre> | |||
To enable automatic user home directory creation at first login, add the line session optional pam_mkhomedir.so skel=/etc/skel umask=077 to the /etc/pam.d/common-session between the pam_ldap.so and pam_systemd.so. | |||
<pre> | |||
nano /etc/pam.d/common-session | |||
# and here are more per-package modules (the "Additional" block) | |||
session required pam_unix.so | |||
session optional pam_ldap.so | |||
session optional pam_mkhomedir.so skel=/etc/skel umask=077 | |||
session optional pam_systemd.so | |||
# end of pam-auth-update config | |||
</pre> | |||
/etc/ldap/ldap.conf | /etc/ldap/ldap.conf | ||
| Line 41: | Line 90: | ||
</pre> | </pre> | ||
== Client Configuration (Redhat) == | |||
1. Install the ldap packages | |||
<pre> | |||
yum install dbus oddjob oddjob-mkhomedir openldap openldap-clients nss_ldap | |||
systemctl enable messagebus | |||
systemctl enable oddjobd | |||
systemctl restart messagebus | |||
systemctl restart oddjobd | |||
systemctl status oddjobd | |||
</pre> | |||
2. Check Configurations | |||
Modify nsswitch.conf to use ldap datasource such that it looks like; | |||
<pre> | |||
nano /etc/nsswitch.conf | |||
... | |||
passwd: compat ldap | |||
group: compat ldap | |||
shadow: compat ldap | |||
gshadow: files | |||
... | |||
</pre> | |||
Add the line "session required pam_oddjob_mkhomedir.so" to /etc/pam.d/sshd | |||
<pre> | |||
session required pam_oddjob_mkhomedir.so | |||
</pre> | |||
/etc/openldap/ldap.conf | |||
<pre> | |||
# | |||
# LDAP Defaults | |||
# | |||
# See ldap.conf(5) for details | |||
# This file should be world readable but not world writable. | |||
BASE dc=hamwan,dc=ca | |||
URI ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99 | |||
#SIZELIMIT 12 | |||
#TIMELIMIT 15 | |||
#DEREF never | |||
# TLS certificates (needed for GnuTLS) | |||
TLS_CACERT /etc/ssl/certs/ca-certificates.crt | |||
</pre> | |||
Enable pam authconfig | |||
<pre> | |||
authconfig --enableforcelegacy --update | |||
authconfig --enableldap --enableldapauth --ldapserver="auth-01.pvd.if.hamwan.ca" --ldapbasedn="dc=hamwan,dc=ca" --enablemkhomedir --update | |||
</pre> | |||
Test the configuration | |||
<pre> | |||
getent passwd noshuchuser | |||
getent passwd va7dbi | |||
</pre> | |||
==Radius== | |||
auth-01.pvd.if.hamwan.ca also acts as a Radius server to facilitate central logins for network infrastructure equipment on the network. | |||
Accounts must be setup on the LDAP server. Members of the MicroTIK group can login with read perms. Members of the MicroTIK-full group have full (read write) perms. | |||
Users have full perms to their own device where <pre>(NAS-Identifier ~= /^v[ae][0-9][a-z]{2,3} && NAS-Identifier == User-Name)</pre> | |||
==TO-DO== | |||
Additional auth options. | |||
ldap to REST api gateway using: https://github.com/rbw/redap/wiki | |||
enable pubkey ldap - <a href="https://github.com/jirutka/ssh-ldap-pubkey">https://github.com/jirutka/ssh-ldap-pubkey</a> | |||
ldap RBAC -<a href="https://github.com/apache/directory-fortress-core/tree/master/ldap/schema">https://github.com/apache/directory-fortress-core/tree/master/ldap/schema</a> | |||
look at 2fa ldap | |||
Revision as of 17:55, 18 January 2020
Services That Support LDAP Authentication
- OCARC Wiki
- Proxmox Cluster (mostly)
- HamWAN Portal
Managing LDAP Accounts
Standard Procedures
- All usernames should be in CAPITALS
- All usernames should be a callsign when possible
Creating Users
Granting Privileges
Authentication Servers
auth-01.pvd.if.hamwan.ca
Client Configuration (Debian)
1. Install the ldap packages
apt-get install libnss-ldap libpam-ldap ldap-utils sudo-ldap
2. When asked if you want to Allow LDAP admin account to behave like local root? Choose YES When asked Does the LDAP database require login? Choose No Set the LDAP administrative account to: cn=admin,dc=hamwan,dc=ca
3. Check Configurations
Modify nsswitch.conf to use ldap datasource such that it looks like;
nano /etc/nsswitch.conf ... passwd: compat ldap group: compat ldap shadow: compat ldap gshadow: files ...
Edit the /etc/pam.d/common-password and remove the use_authtok on the highlighted line below. use_authtok causes the PAM module to use the earlier provided password when changing the password..
nano /etc/pam.d/common-password ... # here are the per-package modules (the "Primary" block) password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; ...
To enable automatic user home directory creation at first login, add the line session optional pam_mkhomedir.so skel=/etc/skel umask=077 to the /etc/pam.d/common-session between the pam_ldap.so and pam_systemd.so.
nano /etc/pam.d/common-session # and here are more per-package modules (the "Additional" block) session required pam_unix.so session optional pam_ldap.so session optional pam_mkhomedir.so skel=/etc/skel umask=077 session optional pam_systemd.so # end of pam-auth-update config
/etc/ldap/ldap.conf
# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=hamwan,dc=ca URI ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Client Configuration (Redhat)
1. Install the ldap packages
yum install dbus oddjob oddjob-mkhomedir openldap openldap-clients nss_ldap systemctl enable messagebus systemctl enable oddjobd systemctl restart messagebus systemctl restart oddjobd systemctl status oddjobd
2. Check Configurations
Modify nsswitch.conf to use ldap datasource such that it looks like;
nano /etc/nsswitch.conf ... passwd: compat ldap group: compat ldap shadow: compat ldap gshadow: files ...
Add the line "session required pam_oddjob_mkhomedir.so" to /etc/pam.d/sshd
session required pam_oddjob_mkhomedir.so
/etc/openldap/ldap.conf
# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=hamwan,dc=ca URI ldap://auth-01.pvd.if.hamwan.ca ldap://44.135.217.99 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Enable pam authconfig
authconfig --enableforcelegacy --update authconfig --enableldap --enableldapauth --ldapserver="auth-01.pvd.if.hamwan.ca" --ldapbasedn="dc=hamwan,dc=ca" --enablemkhomedir --update
Test the configuration
getent passwd noshuchuser getent passwd va7dbi
Radius
auth-01.pvd.if.hamwan.ca also acts as a Radius server to facilitate central logins for network infrastructure equipment on the network.
Accounts must be setup on the LDAP server. Members of the MicroTIK group can login with read perms. Members of the MicroTIK-full group have full (read write) perms.
Users have full perms to their own device where
(NAS-Identifier ~= /^v[ae][0-9][a-z]{2,3} && NAS-Identifier == User-Name)
TO-DO
Additional auth options.
ldap to REST api gateway using: https://github.com/rbw/redap/wiki
enable pubkey ldap - <a href="https://github.com/jirutka/ssh-ldap-pubkey">https://github.com/jirutka/ssh-ldap-pubkey</a>
ldap RBAC -<a href="https://github.com/apache/directory-fortress-core/tree/master/ldap/schema">https://github.com/apache/directory-fortress-core/tree/master/ldap/schema</a>
look at 2fa ldap