Requirements
OpenLDAP
pam_ldap
nss_ldap
PADL migrationtools
Introduction
What we want to achieve is to have our users stored in LDAP, authenticated against LDAP (directly or through PAM), and to have a tool to manage this in a human-understandable way.
This way we can use all software that has LDAP support, or fall back to the PAM LDAP module, which acts as a PAM-to-LDAP gateway.
Configuring OpenLDAP
OpenLDAP consists of the slapd and slurpd daemons. This howto covers a single LDAP server without replication, so we will focus only on slapd. I also assume you have installed and initialized your OpenLDAP installation (this depends on your system/distribution). If so, let's go to the configuration part.
On my system (Gentoo), OpenLDAP's configuration is stored in /etc/openldap; we are interested in the /etc/openldap/slapd.conf file. But first we have to generate a password hash for the LDAP administrator, to put into the config file:
# slappasswd -h {md5}
The config looks like this:
# vim /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap/openldap
# password hashes: the admin DNs may write them, a user may change his own,
# anyone may use them to authenticate (bind), nobody else may read them
access to attrs=userPassword
    by dn="uid=root,ou=People,dc=hackadmin,dc=com" write
    by dn="cn=Manager,dc=hackadmin,dc=com" write
    by anonymous auth
    by self write
    by * none
# the root DSE stays readable so clients can discover the server
access to dn.base="" by * read
# everything else: the manager writes, everyone (anonymous included) reads
access to *
    by dn="cn=Manager,dc=hackadmin,dc=com" write
    by * read
database bdb
suffix "dc=hackadmin,dc=com"
rootdn "cn=Manager,dc=hackadmin,dc=com"
# the hash printed by slappasswd above
rootpw {MD5}Tk1sMytv5ipjr+Vhcf03JQ==
directory /var/lib/openldap-data
index objectClass eq
Remember to change the suffix and paths to your needs.
These are basic options with some basic ACLs needed so that users can change their own passwords (and nobody else can read the hashes). If you want more functionality, please read the OpenLDAP manual. Now that we have a proper config for slapd, we can start the daemon:
# /etc/init.d/ldap start
# chkconfig ldap on
Now we can test whether OpenLDAP is running and working properly. We do not have any data in the directory yet, but we can try to bind as cn=Manager,dc=hackadmin,dc=com. When you are asked for a password, use the one you generated (the plain-text version of it, of course):
# ldapsearch -x -D "cn=Manager,dc=hackadmin,dc=com" -W
Migrate/Add data to the directory
Now that we have a running LDAP server, we have to fill it with data, either by creating or by migrating entries. I will show you how to migrate existing entries from the regular /etc/passwd, /etc/shadow and /etc/group files.
The first step is to configure migrationtools to your needs. On Gentoo the configuration file is located in /usr/share/migrationtools/migrate_common.ph.
Generally you need to change only these:
$DEFAULT_BASE = "dc=hackadmin,dc=com";
$EXTENDED_SCHEMA = 1;
Now you are ready to migrate the data (actually it works even without the export command):
# export ETC_SHADOW=/etc/shadow
# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_group.pl /etc/group /tmp/group.ldif
# ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
Now we have the data in a format the LDAP server understands. Open one of the files in a text editor to get used to the syntax, and check that the userPassword values came out as {crypt} hashes. After that we can add the data from the LDIFs (binding as the manager configured in slapd.conf):
# ldapadd -x -D "cn=Manager,dc=hackadmin,dc=com" -W -f /tmp/base.ldif
# ldapadd -x -D "cn=Manager,dc=hackadmin,dc=com" -W -f /tmp/group.ldif
# ldapadd -x -D "cn=Manager,dc=hackadmin,dc=com" -W -f /tmp/passwd.ldif
# ldapadd -x -D "cn=Manager,dc=hackadmin,dc=com" -W -f /tmp/hosts.ldif
You can try searching for some data:
# ldapsearch -x uid=foouser
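A pre-import check for the LDIF that migrate_passwd.pl writes, added here as an example (it is not part of the original post or of migrationtools): it parses the unwrapped LDIF and flags entries whose userPassword is not a {crypt} hash, whose hash is empty (a passwordless account in the source shadow file), which carry uidNumber 0 under a name other than root, or which collide on uid or uidNumber. The LDIF sample, its uids and the hash value are constructed.

```python
SAMPLE_LDIF = """\
dn: uid=foouser,ou=People,dc=hackadmin,dc=com
uid: foouser
objectClass: posixAccount
userPassword: {crypt}$1$saltsalt$EXAMPLEHASHVALUE00
uidNumber: 1001

dn: uid=guest,ou=People,dc=hackadmin,dc=com
uid: guest
objectClass: posixAccount
userPassword: {crypt}
uidNumber: 1002

dn: uid=toor,ou=People,dc=hackadmin,dc=com
uid: toor
objectClass: posixAccount
userPassword: {crypt}*
uidNumber: 0
"""  # constructed sample shaped like migrate_passwd.pl output, not real data

def parse_ldif(text):
    """Split unwrapped LDIF (one attribute per line) into entries: attribute -> values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit_accounts(entries):
    """Return (uid, problem) pairs worth fixing before the LDIF is imported."""
    findings, seen_uid, seen_num = [], set(), set()
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        uid, num = e.get("uid", ["?"])[0], e.get("uidNumber", [""])[0]
        pw = e.get("userPassword", ["{crypt}*"])[0]   # no hash at all: nobody can bind, like a locked account
        if not pw.lower().startswith("{crypt}"):
            findings.append((uid, "userPassword is cleartext or an unexpected scheme"))
        elif pw[7:] == "":
            findings.append((uid, "empty password hash: passwordless entry in the source shadow file"))
        if num == "0" and uid != "root":
            findings.append((uid, "uidNumber 0 on a non-root account"))
        if uid in seen_uid or num in seen_num:
            findings.append((uid, "duplicate uid or uidNumber"))
        seen_uid.add(uid)
        seen_num.add(num)
    return findings
```

Run it over /tmp/passwd.ldif before the ldapadd step; the sample above yields findings for guest and toor and none for foouser.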
Client configuration
By client I mean the machine that connects to the LDAP server to look up users and authenticate them. It can also be the machine the LDAP server runs on. In both cases we have to edit three files: /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth.
Let's start with ldap.conf, the configuration of the LDAP client (pam_ldap and nss_ldap):
BASE dc=hackadmin, dc=com
scope sub
suffix "dc=hackadmin,dc=com"
## lets root change a user's password without knowing the old one;
## the password for this DN is read from /etc/ldap.secret (owned by root, mode 0600)
rootbinddn cn=Manager,dc=hackadmin,dc=com
## these are needed so that logins do not hang when your LDAP server dies
timelimit 5
bind_timelimit 5
uri ldap://ldap.hackadmin.com/
## change passwords with the password-modify extended operation, so the server hashes them
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
## the search bases must live under the suffix served by slapd
nss_base_passwd ou=Computers,dc=hackadmin,dc=com
nss_base_passwd ou=People,dc=hackadmin,dc=com
nss_base_shadow ou=People,dc=hackadmin,dc=com
nss_base_group ou=Group,dc=hackadmin,dc=com
nss_base_hosts ou=Hosts,dc=hackadmin,dc=com
Now it is time for nsswitch.conf and PAM.
Add these to nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
And change system-auth (or whatever service you have, like login, sshd etc.) to:
# local accounts are tried first; use_first_pass hands the same password to pam_ldap,
# so the user is asked only once; pam_deny ends the stack when neither module accepts it.
# nullok lets local accounts with an empty password field log in; drop it if you do not need that.
auth      required    pam_env.so
auth      sufficient  pam_unix.so likeauth nullok
auth      sufficient  pam_ldap.so use_first_pass
auth      required    pam_deny.so
account   sufficient  pam_unix.so
account   sufficient  pam_ldap.so
account   required    pam_ldap.so
password  required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  sufficient  pam_ldap.so use_first_pass
password  required    pam_deny.so
session   required    pam_limits.so
session   required    pam_unix.so
session   optional    pam_ldap.so
Time to test it. The best tool for this is good old getent. Pick a user from your system and issue:
# getent passwd | grep foouser
You should get the result twice (once from files, once from LDAP); if so, nss_ldap works fine. The PAM part can be tested by removing a test user from /etc/passwd (keep a root shell open while you do it) and logging in through SSH.
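To see why the stack above is ordered the way it is, here is a small evaluator for the classic PAM control flags applied to that auth and account stack. It is an added example, not part of the original post or of Linux-PAM; the module outcomes it takes are hypothetical results for one login, and use_first_pass and password prompting are not modelled.

```python
# The auth and account stacks of the system-auth above, as (control, module) pairs.
AUTH_STACK = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
              ("sufficient", "pam_ldap.so"), ("required", "pam_deny.so")]
ACCOUNT_STACK = [("sufficient", "pam_unix.so"), ("sufficient", "pam_ldap.so"),
                 ("required", "pam_ldap.so")]

def run_stack(stack, outcomes):
    """Walk a PAM stack with the classic control flags.

    outcomes maps a module to the (hypothetical) result it returns for this
    login, "success" or "fail"; pam_env.so succeeds and pam_deny.so fails
    unless listed, any other unlisted module fails (e.g. user unknown)."""
    defaults = {"pam_env.so": "success", "pam_deny.so": "fail"}
    required_failed = False
    for control, module in stack:
        result = outcomes.get(module, defaults.get(module, "fail"))
        if control == "required" and result == "fail":
            required_failed = True      # remembered; the rest of the stack still runs
        elif control == "requisite" and result == "fail":
            return "fail"               # stops the stack immediately
        elif control == "sufficient" and result == "success" and not required_failed:
            return "success"            # later modules (pam_deny.so) are skipped
        # a failing sufficient module, and optional modules, do not change the verdict
    return "fail" if required_failed else "success"

def login_decision(unix, ldap):
    """Verdict of the auth stack followed by the account stack for a user that
    pam_unix.so (local files) and pam_ldap.so (LDAP) accept ("success") or reject ("fail")."""
    outcomes = {"pam_unix.so": unix, "pam_ldap.so": ldap}
    if run_stack(AUTH_STACK, outcomes) != "success":
        return "fail"
    return run_stack(ACCOUNT_STACK, outcomes)
```

A local-only user, an LDAP-only user and a user known to neither give success, success and fail respectively; a failing required pam_env.so makes a later sufficient success count for nothing, which is why pam_deny.so is the backstop.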
Apache mod_auth_ldap
To have LDAP authentication in Apache, you have to load the mod_auth_ldap module:
LoadModule auth_ldap_module modules/mod_auth_ldap.so
Now it is enough to make a .htaccess like this:
AuthName "Restricted"
AuthType Basic
AuthLDAPURL ldap://ldap.hackadmin.com:389/ou=People,dc=hackadmin,dc=com?uid
# this password sits in clear text in .htaccess: prefer a dedicated read-only bind DN over cn=Manager
AuthLDAPBindDN "cn=Manager,dc=hackadmin,dc=com"
AuthLDAPBindPassword "your_secret_secret_password_to_ldap_admin"
require valid-user
Note that this method can also be used for WebDAV/Subversion authorization.
Administration tools for ldap
There are a few tools I recommend for administering an OpenLDAP server:
phpldapadmin - web-based tool
ldapvi - browse and edit the directory with vim
PADL migrationtools - migration tools
IDEALX sambaldap tools (smbldap-tools) - Samba LDAP tools
Source: www.hackadmin.com/2010/03/05/ldap-authentication-in-linux/