OpenLDAP/Authentication

From Secure Computing Wiki

Latest revision as of 09:01, 17 May 2011

To use OpenLDAP for authentication on FreeBSD, we need to add a small custom schema (the scn.schema described under Locking It Down below) and install/configure a few additional ports.

Another working guide at ldap_auth.

First, we need to install the following ports:

  • security/pam_ldap
  • security/pam_mkhomedir
  • net/nss_ldap

If you are using OpenLDAP 2.4, run the following command before installing these ports so they build against the 2.4 client libraries:

echo "WANT_OPENLDAP_VER=24" >> /etc/make.conf

Once the above ports are installed, we need to build our ldap.conf file. Conveniently, Luke H at PADL Software, Ltd has made the pam_ldap module's configuration compatible with OpenLDAP's own client configuration, so both pieces of software read /usr/local/etc/ldap.conf. nss_ldap uses the same directive names; on FreeBSD the port reads them from /usr/local/etc/nss_ldap.conf, shown further down.

Config Files

/usr/local/etc/ldap.conf

A good ldap.conf file to use is as follows:

# LDAP Configuration
URI ldap://ldap.example.com ldap://ldap2.example.com
bind_timelimit 1
bind_policy soft
base dc=example,dc=com
ldap_version 3
scope sub
#ssl start_tls
#tls_checkpeer no
#tls_ciphers TLSv1
#TLS_CACERT /usr/local/etc/ca.crt

# Change passwords with the LDAP Password Modify extended operation so the server, not the client, picks the hash scheme (e.g. SSHA).
pam_password exop

pam_filter              objectclass=posixAccount
pam_check_host_attr     yes
pam_login_attribute     uid:caseExactMatch:
pam_member_attribute    memberUid


#nss_connect_policy oneshot
nss_base_group ou=group,dc=example,dc=com
nss_base_netgroup ou=group,dc=example,dc=com
nss_initgroups_ignoreusers root,ldap

The config above has the following effect:

  1. uses the LDAP server at ldap.example.com, falling back to ldap2.example.com if the first is unavailable
  2. uses dc=example,dc=com as the search base and searches the whole subtree (scope sub)
  3. connects with LDAP version 3 only
  4. gives up quickly when no server answers (bind_timelimit 1, bind_policy soft) so logins and name lookups don't hang
  5. the four commented TLS lines, once uncommented, issue a start_tls command to encrypt the connection, select the TLSv1 cipher list, and use the CA certificate in /usr/local/etc/ca.crt to verify the server's certificate. Be aware that tls_checkpeer no tells pam_ldap to accept any server certificate unverified, so anyone who can redirect traffic to a forged LDAP server can harvest bind passwords; in production use tls_checkpeer yes together with TLS_CACERT
  6. changes passwords with the Password Modify extended operation (pam_password exop) so the server hashes them with its own scheme
  7. treats only entries with objectClass posixAccount as login accounts (pam_filter)
  8. refuses logins on hosts not named in the user's host attribute (pam_check_host_attr yes, see Locking It Down below)
  9. is case-sensitive in uid lookup due to :caseExactMatch: after uid on pam_login_attribute
  10. gets group names and netgroups from ou=group,dc=example,dc=com (finger, pw, directory listings, etc.)
  11. never asks LDAP for the supplementary groups of root and ldap (nss_initgroups_ignoreusers), so root can still log in when the directory is unreachable and slapd's own ldap user resolves without the directory that slapd has not yet started

/usr/local/etc/nss_ldap.conf

uri ldap://ldap.example.com
base ou=people,dc=example,dc=com
ldap_version 3
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1

This config does the same for the nss_ldap port. Note that here ssl start_tls is enabled, so the connection is encrypted, but tls_checkpeer no means the server's certificate is never verified, so anyone who can redirect traffic to a forged LDAP server can harvest bind passwords. Before deployment set tls_checkpeer yes and point tls_cacertfile at your CA certificate; the TLSv1 cipher list also dates from 2011 and should be replaced with a modern one on a current system.
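A small audit for the TLS directives in both ldap.conf and nss_ldap.conf, as an added example that is not part of the original page nor of the pam_ldap/nss_ldap projects. It reads a config file, ignores commented-out lines (which is why the commented TLS block in the ldap.conf above gives no protection), and flags the weak states discussed above: no active ssl start_tls, tls_checkpeer not explicitly yes, and no TLS_CACERT/tls_cacertfile trust anchor. The two sample files are constructed here, and the CA path /usr/local/etc/openldap/ca.crt is an assumption.

```shell
#!/bin/sh
# Audit the TLS directives of a pam_ldap/nss_ldap client config file.
# /usr/local/etc/ldap.conf and /usr/local/etc/nss_ldap.conf share the same
# directive names (matched case-insensitively), so one checker covers both.
# Prints one WARN line per finding and returns 1 if anything was found.

# active_value FILE KEY -> value of the last uncommented KEY line, if any
active_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }          # commented-out directives do nothing
        tolower($1) == key { v = $2 }      # last occurrence wins
        END { if (v != "") print v }
    ' "$1"
}

audit_ldap_conf() {
    file=$1
    rc=0
    ssl=$(active_value "$file" ssl | tr 'A-Z' 'a-z')
    checkpeer=$(active_value "$file" tls_checkpeer | tr 'A-Z' 'a-z')
    cacert=$(active_value "$file" tls_cacert)                          # libldap spelling
    [ -n "$cacert" ] || cacert=$(active_value "$file" tls_cacertfile)  # pam_ldap/nss_ldap spelling

    case "$ssl" in
        start_tls|on) ;;   # StartTLS or ldaps://: the bind password is encrypted on the wire
        *)  echo "WARN $file: no active 'ssl start_tls'; bind passwords cross the network in the clear"
            rc=1 ;;
    esac
    if [ "$checkpeer" != "yes" ]; then
        echo "WARN $file: tls_checkpeer is '${checkpeer:-unset}'; set it to yes or a forged LDAP server can harvest passwords"
        rc=1
    fi
    if [ -z "$cacert" ]; then
        echo "WARN $file: no TLS_CACERT/tls_cacertfile; peer verification has no trust anchor"
        rc=1
    fi
    return $rc
}

# --- constructed sample files (not taken from a live system) ---
weak_conf() { cat <<'EOF'
uri ldap://ldap.example.com
base ou=people,dc=example,dc=com
ssl start_tls
tls_checkpeer no
tls_ciphers TLSv1
EOF
}
good_conf() { cat <<'EOF'
URI ldap://ldap.example.com
base ou=people,dc=example,dc=com
ssl start_tls
tls_checkpeer yes
TLS_CACERT /usr/local/etc/openldap/ca.crt
EOF
}

tmp=$(mktemp)
for sample in weak_conf good_conf; do
    $sample > "$tmp"
    echo "== $sample"
    audit_ldap_conf "$tmp" && echo "OK"
done
rm -f "$tmp"
```

Run it against the real files with `audit_ldap_conf /usr/local/etc/ldap.conf; audit_ldap_conf /usr/local/etc/nss_ldap.conf` after sourcing the script; the weak sample, which mirrors the nss_ldap.conf above, produces two warnings, the corrected one none.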

/etc/nsswitch.conf

## Define lookups for users and groups.
passwd:         files ldap
group:          files ldap

## Optimize the nss_ldap searches for these databases.
#nss_base_passwd ou=staff,ou=people,dc=claimlynx,dc=com
#nss_base_group ou=staff,ou=people,dc=claimlynx,dc=com


group_compat: nis
hosts: files dns
networks: files
shells: files

The part we're most concerned with is the first two non-comment lines. These tell the system to look in files first (/etc/master.passwd and /etc/group) for user and group lookups, and then in ldap; keeping files first means root and the other local accounts keep resolving when the directory is unreachable. Authentication itself is handled by PAM, configured below; nsswitch only resolves names, uids and gids. The two commented nss_base_* lines are nss_ldap directives rather than nsswitch.conf syntax and are ignored here; if you want them, put them in ldap.conf. The rest of the file is the FreeBSD default.

PAM Configuration

The next task is to roll our changes into PAM so that it's using our LDAP installation for authentication. First, we're going to configure sshd:

Edit the /etc/pam.d/sshd file and add the following lines, each in the matching section: the auth line goes above the existing pam_unix.so auth line (sufficient means a successful LDAP bind satisfies authentication; when LDAP rejects the user or can't be reached, the chain falls through to pam_unix.so for local accounts), the account line goes with the other account lines, and the session line with the session lines:

auth            sufficient      /usr/local/lib/pam_ldap.so              no_warn try_first_pass
account         required      /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
session         required       /usr/local/lib/pam_mkhomedir.so

At this point (no need to restart sshd), you should be able to log in via ssh to the newly configured host. Because the account line carries ignore_unknown_user and ignore_authinfo_unavail, pam_ldap's account check is skipped for local accounts that don't exist in LDAP and for everyone when the directory is unreachable, so local logins are not blocked by an LDAP outage. In addition, you should be able to use finger and pw to glean information out of LDAP about user accounts:

 root@oliver:/etc/pam.d-> finger foobeans
Login: foobeans                         Name: Eric F Crist
Directory: /home/foobeans               Shell: /bin/csh
Office: x842, (411) 555-9000            Home Phone: (411) 555-1234
Last login Wed Apr 23 10:23 (CDT) on ttyp7 from nat.example.com
No Mail.
No Plan.
root@oliver:/etc/pam.d-> pw usershow foobeans -P
Login Name: foobeans          #400          Group: (invalid)         #400
 Full Name: Eric F Crist
      Home: /home/foobeans                  Class:
     Shell: /bin/csh                       Office: x842
Work Phone: (411) 555-9000             Home Phone: (411) 555-1234
Acc Expire: [None]                     Pwd Expire: [None]

When you log in for the first time, pam_mkhomedir.so automatically creates the user's home directory. The last item to verify is that the home directory was created (/usr/home/<username>) and that it's owned by that user/group:

root@oliver:/etc/pam.d-> ls -lah /usr/home
drwxr-xr-x  2 foobeans  400      512B Apr 23 10:23 foobeans

What you'll notice above is that the foobeans user ID is correctly mapped in LDAP, but I've yet to build the group subtree with user group names. As such, GID 400 doesn't map to a group name at this time, which is why pw shows Group: (invalid) and ls prints the numeric group.

Locking It Down

To further lock down your LDAP authentication scheme, I'd recommend you do host-based verification. This means that, if the user isn't listed as having access to a specific host, they'll be denied with the following error:

ecrist@redoct:~$ ssh foobeans@oliver
Password:
Access denied for this host

Permission denied (publickey,keyboard-interactive).

Without this extra protection, ALL LDAP users whose entries have the posixAccount objectClass get shell access to ALL servers on your network that use LDAP for authentication. The method described here lists, in each user's LDAP entry, the hosts that user may access. An alternative, not covered here, is to keep an entry per host that lists the users allowed on it.

To get this host verification, we're going to add a custom schema that allows the host attribute on a posixAccount entry (the stock posixAccount objectClass from nis.schema doesn't permit one). You can download the new schema (scn.zip) here. To use this new schema, unzip and save the scn.schema file to /usr/local/etc/openldap/schema and add the following line to your slapd.conf file:

include	/usr/local/etc/openldap/schema/scn.schema

You'll need to restart slapd for this change to take effect. Any user entry that has the posixAccount objectClass can now carry one or more host attributes.

Next, make sure the following line is present in /usr/local/etc/ldap.conf on all of your client systems (it is already in the ldap.conf shown above):

pam_check_host_attr yes

No restart of anything needed for this change.

Lastly, make sure the appropriate attribute exists on each user's LDAP entry. You should now be able to add a host attribute (multiple host attributes are OK) holding the FQDN of each host the user may log in to. From there, the user can log into the hosts listed in their entry and is denied on hosts that aren't explicitly allowed; with pam_check_host_attr yes an entry with no host attribute at all is denied everywhere. pam_ldap compares the attribute against the name returned by gethostname(), so the value must match exactly what `hostname` prints on that box; set the system hostname to the FQDN if that is what you store in LDAP.
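An added example covering the last two steps (it is not code from the page or from pam_ldap): one function emits the ldapmodify LDIF that adds host values to a user's entry, another pulls the host values out of an ldapsearch -LLL dump, and a third reproduces pam_ldap's allow/deny decision so you can check an entry before a user is locked out of a box. The sample entry, host names and the admin DN are constructed; the "*" wildcard and case-insensitive comparison follow pam_ldap's _host_ok() as I read it, so confirm against the source of the version you run.

```shell
#!/bin/sh
# Helpers for the host attribute consulted by pam_check_host_attr.

# host_ldif DN HOST... -> LDIF that adds each HOST as a host attribute value.
# Feed it to, for example (admin DN is a placeholder):
#   ldapmodify -ZZ -x -D cn=admin,dc=example,dc=com -W -f -
host_ldif() {
    dn=$1; shift
    printf 'dn: %s\nchangetype: modify\nadd: host\n' "$dn"
    for h in "$@"; do
        printf 'host: %s\n' "$h"
    done
    printf '\n'
}

# hosts_from_ldif FILE -> host values of the single entry in FILE, one per
# line (LDIF continuation lines and base64 values are not handled).
hosts_from_ldif() {
    awk 'tolower($1) == "host:" { print $2 }' "$1"
}

# host_allowed HOSTNAME [HOST...] -> 0 if HOSTNAME is listed or a literal "*"
# is present, 1 otherwise; an entry with no host values is always denied.
# HOSTNAME must be what gethostname() returns on the box, i.e. what
# `hostname` prints, so store the FQDN in LDAP only if the host is set up
# with its FQDN as hostname.
host_allowed() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    for h in "$@"; do
        case $(printf '%s' "$h" | tr 'A-Z' 'a-z') in
            "$want"|'*') return 0 ;;
        esac
    done
    return 1
}

# --- demo with a constructed entry (not from a real directory) ---
entry=$(mktemp)
cat > "$entry" <<'EOF'
dn: uid=foobeans,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: foobeans
host: oliver.example.com
host: redoct.example.com
EOF
set -- $(hosts_from_ldif "$entry")
for h in oliver.example.com mail.example.com; do
    if host_allowed "$h" "$@"; then
        echo "$h: allowed"
    else
        echo "$h: Access denied for this host"
    fi
done
# LDIF that would grant the same user access to mail.example.com as well
host_ldif "uid=foobeans,ou=people,dc=example,dc=com" mail.example.com
rm -f "$entry"
```

On a client, `ldapsearch -ZZ -x -LLL uid=foobeans host > /tmp/entry.ldif` followed by `host_allowed "$(hostname)" $(hosts_from_ldif /tmp/entry.ldif)` tells you whether that user will get past pam_ldap's account check here, without waiting for the "Access denied for this host" message over ssh.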
