Difference between revisions of "OpenLDAP Authentication"

From ArchWiki
(updated some headings; added templates; other minor formatting updates)
Revision as of 03:59, 21 December 2011

Introduction and Concepts

This guide is composed from bits and pieces of LDAP guides and forums around the net. I borrowed very heavily from Eliott's (cactus) OpenLDAP guide, LDAP Server Setup (http://solarblue.net/docs/ldap.htm, flagged as a dead link in September 2011), which is very well written. Unfortunately, Arch Linux has some differences in the way things are set up. It is also the case that most LDAP guides online fall into one of three categories: too general, outdated, or reliant on distribution-specific tools (e.g. authconfig). This guide is written specifically with Arch Linux in mind and will try to illustrate both LDAP concepts and implementation from the point of view of someone who has never used LDAP before (i.e. the author).

OpenLDAP

UNDER CONSTRUCTION!

NSS and PAM

UNDER CONSTRUCTION!

Server Setup

Installation

The OpenLDAP server (slapd) and clients are bundled together in the openldap package.

Configuration

Generate root password:

slappasswd -h {SSHA}

Edit /etc/openldap/slapd.conf

At a minimum your slapd.conf file should include these settings:

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
pidfile     /run/openldap/slapd.pid
argsfile    /run/openldap/slapd.args
database    bdb
suffix      "dc=example,dc=org"
rootdn      "cn=Manager,dc=example,dc=org"
# NOTE: paste in the output of the slappasswd command above. Keep this note on
# its own line: slapd.conf only treats a line that begins with '#' as a comment,
# and slapd rejects a rootpw line that has extra text after the hash.
rootpw      {SSHA}AAAABBBBCCCCDDDD
directory   /var/lib/openldap/openldap-data
index       objectClass     eq
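The following is an added example, not code from the ArchWiki page: it reproduces the {SSHA} format that `slappasswd -h {SSHA}` emits (base64 of the SHA-1 of password plus a random 4-byte salt, followed by the salt), verifies a password against such a value the way slapd does for rootpw, and reads the rootpw directive out of slapd.conf text, flagging the trailing-note mistake that slapd's parser rejects. The function and constant names are my own.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the ArchWiki page: what `slappasswd -h {SSHA}` emits
# and how slapd checks a bind password against a rootpw of that form.
# {SSHA} = "{SSHA}" + base64( SHA-1(password + salt) + salt ); slappasswd uses
# a random 4-byte salt, and the salt is recovered from the stored value on verify.

PREFIX = "{SSHA}"

def ssha_hash(password, salt=None):
    """Return a {SSHA} value suitable for rootpw or userPassword."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """True if `password` matches the {SSHA} value `stored`."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= 20:          # 20-byte SHA-1 digest must be followed by a salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def rootpw_from_slapd_conf(text):
    """Return (value, error) for the rootpw directive in slapd.conf text.
    slapd.conf treats only a line beginning with '#' as a comment, so a note
    appended to the rootpw line is parsed as extra arguments and rejected."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] != "rootpw":
            continue
        if len(parts) != 2:
            return None, "rootpw takes exactly one argument: " + line.strip()
        return parts[1], None
    return None, "no rootpw directive found"

if __name__ == "__main__":
    conf = 'rootdn "cn=Manager,dc=example,dc=org"\nrootpw ' + ssha_hash("secret") + "\n"
    value, err = rootpw_from_slapd_conf(conf)
    print(value, ssha_verify("secret", value), ssha_verify("guess", value))
```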

Provide a database config:

cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG

Start OpenLDAP:

/etc/rc.d/slapd start

Alternatively:

# rc.d start slapd

Populate LDAP Tree with Base Data

Create a file called base.ldif with the following text:

# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

# Manager, example.org
dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
roleOccupant: dc=example,dc=org
objectClass: organizationalRole
objectClass: top

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

Add it to your OpenLDAP Tree:

ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif

Test to make sure the data was imported:

ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
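As an added example (not part of the ArchWiki page), the checker below reads an LDIF file like base.ldif and reports the two mistakes ldapadd refuses when a tree is first populated: an entry listed before its parent, and an entry whose RDN value is not also present as an attribute. The sample input is a constructed, trimmed copy of the guide's base.ldif; all function names are my own.

```python
# Added example, not from the ArchWiki page: a minimal LDIF checker for
# base.ldif, run before ldapadd. It catches the two mistakes ldapadd rejects
# when a tree is first populated: an entry listed before its parent (only the
# suffix itself has no parent in the directory), and an entry whose RDN value
# (ou=People -> "ou: People") is not also present as an attribute.
# Only plain "attr: value" lines are handled, not "attr:: base64" ones.

SUFFIX = "dc=example,dc=org"

# Constructed, trimmed copy of the guide's base.ldif, used as sample input.
BASE_LDIF = """\
# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

dn: ou=People,dc=example,dc=org
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: organizationalUnit
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order; '#' lines are skipped."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:      # "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries

def check_ldif(text, suffix=SUFFIX):
    """Return a list of problems; an empty list means ldapadd should accept it."""
    problems, seen = [], set()
    for dn, attrs in parse_ldif(text):
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        parent = dn.split(",", 1)[1] if "," in dn else ""
        if rdn_value not in attrs.get(rdn_attr, []):
            problems.append(f"{dn}: naming attribute '{rdn_attr}' not present in entry")
        if dn != suffix and parent not in seen:
            problems.append(f"{dn}: parent '{parent}' has not been added yet")
        seen.add(dn)
    return problems
```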

Configure TLS Encryption

It is a good idea to configure TLS to encrypt the exchange of information between client and server. This way passwords, which are normally sent in plain text, cannot be easily sniffed from the wire. In order to use TLS, we must first create a certificate. You can have a certificate signed, or create your own Certificate Authority (CA), but for our purposes a self-signed certificate will suffice. IMPORTANT: OpenLDAP cannot use a certificate whose private key is protected by a password.

To create a self-signed certificate, type the following:

openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365

You will be prompted for information about your ldap server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your ldap server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).

Now that the certificate files have been created, copy them to /etc/openldap/ssl/ (create the directory if it does not exist) and secure them. IMPORTANT: slapdcert.pem must be world readable because it contains the public key. slapdkey.pem, on the other hand, should only be readable by the ldap user for security reasons (the chown/chmod commands below use full paths so that they act on the copies in /etc/openldap/ssl/, not on the originals in the current directory):

cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/
chown ldap /etc/openldap/ssl/slapdkey.pem
chmod 400 /etc/openldap/ssl/slapdkey.pem
chmod 444 /etc/openldap/ssl/slapdcert.pem

Edit the daemon configuration file (/etc/openldap/slapd.conf) to tell LDAP where the certificate files reside by adding the following lines:

# Certificate/SSL Section
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem

The TLSCipherSuite directive specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to specific cipher names, you can use any of the keywords (wildcards) supported by OpenSSL. NOTE: HIGH, MEDIUM, and +SSLv2 are all wildcards; in OpenSSL's cipher-list syntax a leading + only moves the matching ciphers to the end of the preference list, it does not remove them (that takes ! or -).

To see which ciphers are supported by your local OpenSSL installation, type the following:

openssl ciphers -v ALL

In order to tell OpenLDAP to start using encryption, edit /etc/conf.d/slapd, uncomment the SLAPD_SERVICES line and set it to the following:

SLAPD_SERVICES="ldaps:///"

This will cause OpenLDAP to accept only encrypted (ldaps) connections. IMPORTANT: If you created a self-signed certificate above, be sure to add the following line to /etc/openldap/ldap.conf or you will not be able to connect to the server to test it:

TLS_REQCERT allow

Restart the server:

/etc/rc.d/slapd restart

To test that the server is encrypting traffic, run the following command:

ldapsearch -x -H ldaps://example.org -b 'dc=example,dc=org' '(objectclass=*)'

Client Setup

OpenLDAP

IMPORTANT: If you created a self-signed certificate above, be sure to add the following line to /etc/openldap/ldap.conf or you will not be able to connect to the server:

TLS_REQCERT allow


NSS_LDAP

Install the nss_ldap module from the official repositories.

Edit /etc/nss_ldap.conf:

host <SERVER_IP>
base dc=example,dc=org
# rootbinddn must be a DN that exists in the tree: the slapd.conf and base.ldif
# above define cn=Manager, not cn=admin. Its password goes in /etc/ldap.secret
# (readable by root only).
rootbinddn cn=Manager,dc=example,dc=org
port 636
pam_login_attribute uid
pam_template_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_shadow ou=People,dc=example,dc=org?one
nss_base_group  ou=Group,dc=example,dc=org?one
# "ssl on" means ldaps on port 636, matching SLAPD_SERVICES="ldaps:///" above.
# ("ssl start_tls" would mean STARTTLS on the plain port instead; do not list both.)
ssl on

# This is only needed if you're using a self-signed certificate. It turns off
# verification of the server certificate, so the client cannot tell the real
# server from an impostor; pointing tls_cacertfile at a copy of slapdcert.pem
# instead keeps verification on.
tls_checkpeer no

Edit /etc/nsswitch.conf:

passwd: files ldap
group: files ldap
shadow: files ldap

PAM_LDAP

Install the pam_ldap module from the official repositories.

Edit /etc/pam_ldap.conf (the same settings as in /etc/nss_ldap.conf):

host <SERVER_IP>
base dc=example,dc=org
# Must match the rootdn defined in slapd.conf (cn=Manager, not cn=admin);
# its password goes in /etc/ldap.secret, readable by root only.
rootbinddn cn=Manager,dc=example,dc=org
port 636
pam_login_attribute uid
pam_template_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_shadow ou=People,dc=example,dc=org?one
nss_base_group  ou=Group,dc=example,dc=org?one
# ldaps on port 636, matching SLAPD_SERVICES="ldaps:///" (not "ssl start_tls").
ssl on

# This is only needed if you're using a self-signed certificate. It disables
# server certificate verification; tls_cacertfile pointing at slapdcert.pem
# is the alternative that keeps verification on.
tls_checkpeer no

Edit /etc/pam.d/login:

auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            sufficient      pam_ldap.so
auth            required        pam_env.so
auth            required        pam_unix.so nullok try_first_pass
account         sufficient      pam_ldap.so
account         required        pam_access.so
account         required        pam_unix.so
session         required        pam_motd.so
session         required        pam_limits.so
session         optional        pam_mail.so dir=/var/spool/mail standard
session         optional        pam_lastlog.so
session         required        pam_unix.so

Edit /etc/pam.d/passwd:

password        sufficient      pam_ldap.so
password        required        pam_unix.so shadow md5 nullok

Edit /etc/pam.d/shadow:

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so
password        sufficient      pam_ldap.so
password        required        pam_permit.so

Edit /etc/pam.d/su:

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so

Edit /etc/pam.d/sshd:

auth            sufficient      pam_ldap.so
auth            required        pam_securetty.so        #Disable remote root
auth            required        pam_unix.so try_first_pass
auth            required        pam_nologin.so
auth            required        pam_env.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         required        pam_time.so
password        sufficient      pam_ldap.so
password        required        pam_unix.so
session         required        pam_unix_session.so
session         required        pam_limits.so

Edit /etc/pam.d/other:

auth            sufficient      pam_ldap.so
auth            required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
password        sufficient      pam_ldap.so
password        required        pam_unix.so
session         required        pam_unix.so
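The stacks above all rely on the same ordering: `sufficient pam_ldap.so` first, `required pam_unix.so` after it. The following is an added example, not from the ArchWiki page: a small model of how Linux-PAM walks the `auth` part of the /etc/pam.d/login stack, showing which modules are consulted for an LDAP user, a local-only user, a bad password, and a nologin lock, and what happens if pam_unix is placed first. Module outcomes are supplied as a constructed dict; the function and constant names are my own.

```python
# Added example, not from the ArchWiki page: a small model of how Linux-PAM
# walks the `auth` part of the /etc/pam.d/login stack above. It shows why
# "sufficient pam_ldap.so" must come before "required pam_unix.so": an LDAP
# user is accepted without consulting local files, a local-only account still
# gets in via pam_unix (try_first_pass reuses the password already typed),
# and a requisite failure such as pam_nologin stops the walk at once.
# Control flags modelled: requisite (fail: stop, deny), required (fail:
# remember, keep going), sufficient (pass with no earlier required failure:
# stop, allow; fail: ignored), optional (ignored).

LOGIN_AUTH = [
    ("requisite",  "pam_securetty.so"),
    ("requisite",  "pam_nologin.so"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_env.so"),
    ("required",   "pam_unix.so"),
]

# Same modules with pam_unix before pam_ldap: a wrong order to compare against.
UNIX_FIRST = [LOGIN_AUTH[0], LOGIN_AUTH[1], LOGIN_AUTH[4], LOGIN_AUTH[2], LOGIN_AUTH[3]]

def run_stack(stack, results):
    """Walk `stack`; `results` maps module -> True/False (missing = success).
    Returns (outcome, list of modules actually consulted)."""
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = results.get(module, True)
        consulted.append(module)
        if control == "requisite" and not ok:
            return "deny", consulted
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return "allow", consulted
    return ("deny" if required_failed else "allow"), consulted

def demo():
    """Constructed module outcomes for the cases a sysadmin cares about."""
    ldap_user  = {"pam_ldap.so": True,  "pam_unix.so": False}
    local_user = {"pam_ldap.so": False, "pam_unix.so": True}
    bad_pass   = {"pam_ldap.so": False, "pam_unix.so": False}
    return {
        "ldap user":             run_stack(LOGIN_AUTH, ldap_user),
        "local user":            run_stack(LOGIN_AUTH, local_user),
        "bad password":          run_stack(LOGIN_AUTH, bad_pass),
        "nologin":               run_stack(LOGIN_AUTH, {"pam_nologin.so": False, **ldap_user}),
        "ldap user, unix first": run_stack(UNIX_FIRST, ldap_user),
    }

if __name__ == "__main__":
    for case, (outcome, path) in demo().items():
        print(f"{case:22} {outcome:5} via {' -> '.join(path)}")
```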

Name Service Cache Daemon

READ THIS FIRST: NSCD Bugged in Arch Linux (https://bbs.archlinux.org/viewtopic.php?id=9401)

Fix nscd:

mkdir -p /var/db/nscd/
mkdir -p /var/run/nscd/

Run nscd:

/etc/rc.d/nscd start

Links and Resources

One of the best OpenLDAP clients: [phpLDAPadmin]

Debian OpenLDAP setup: [Using LDAP for single authentication]

How to integrate OpenLDAP for MacOSX, Windows and Linux: [Heterogeneous Network Authentication Introduction]

Troubleshooting

If you notice that slapd seems to start but then stops, you may have a permission issue with the LDAP data directory. Try running:

# chown ldap:ldap /var/lib/openldap/openldap-data/*

to allow slapd write access to its data directory as the user "ldap".