Difference between revisions of "OpenLDAP Authentication"

From ArchWiki
m (Do not use -Sy when installing packages)
(46 intermediate revisions by 19 users not shown)
Line 1: Line 1:
[[Category:Networking (English)]] [[Category:Security (English)]]
+
[[Category:Networking]] [[Category:Security]]
 +
{{Out_of_date|pam_ldap/nss_ldap are deprecated in favor of {{pkg|nss-pam-ldapd}}; {{pkg|pambase}} obsoletes most of the pam section}}
 +
{{Merge|LDAP Authentication}}
 
== Introduction and Concepts ==
 
== Introduction and Concepts ==
  
This guide is composed from bits and pieces of LDAP guides and forums around the net. I borrowed very heavily from Eliott's (cactus) OpenLDAP guide [[http://solarblue.net/docs/ldap.htm Ldap Server Setup]] which is very well written. Unfortunately Arch Linux has some differences in the way things are setup. It is also the case that most LDAP guides online fall into one of 3 categories: too general, outdated or uses distro specific tools (i.e. authconfig). This guide is written specifically with Arch linux in mind and will try to illustrate both LDAP concepts and implementation from the point of view of someone who has never used LDAP before (i.e. the author).
+
This is a guide on how to configure an Archlinux installation to authenticate against an OpenLDAP server.The openldap backend can be either local (installed on the same computer) or network (i.e in a lab environment where central authentication is desired).
 +
The guide will be divided in two parts. The first part deals with how to setup OpenLDAP locally and the second with how to setup the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticated against an already excisting LDAP server then you can skip to the second part.
  
 
=== OpenLDAP ===
 
=== OpenLDAP ===
  
UNDER CONSTRUCTION!
+
OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend to various services (the most famous one being Samba, which is used to emulate a domain controller) and basically holds the user data.
 +
The closest analogue to real life, would be the telephone directory. Another generalised explanation of what an LDAP server does is that it is a database (which it basically is, but it is not relational) which is optimised for accessing the data and not reading them.
 +
 
 +
Commands relate to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities while commands that begin with slap (like slapcat) are server-side. Arch packages both in the {{pkg|openldap}} package, so you need to install it regardless of o local or network OpenLDAP install.
  
 
=== NSS and PAM ===
 
=== NSS and PAM ===
  
UNDER CONSTRUCTION!
+
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the passwd database.
 
+
== Server Setup ==
+
 
+
=== Install OpenLDAP ===
+
 
+
pacman -S openldap openldap-clients
+
 
+
=== Configure OpenLDAP ===
+
 
+
Generate root password:
+
 
+
slappasswd -h {SSHA}
+
  
Edit /etc/openldap/slapd.conf
+
PAM (which stands for Pluggable Authentication Module) is a machanism Linux (and most *nixes) uses to extend it's authentication schemes based on different plugins.
  
: At a minimum your slapd.conf file should include these settings:
+
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}} {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate it's users.
include    /etc/openldap/schema/core.schema
+
include    /etc/openldap/schema/cosine.schema
+
include    /etc/openldap/schema/inetorgperson.schema
+
pidfile    /var/run/slapd.pid
+
argsfile    /var/run/slapd.args
+
database    bdb
+
suffix      "dc=example,dc=org"
+
rootdn      "cn=admin,dc=example,dc=org"
+
rootpw      {SSHA}AAAABBBBCCCCDDDD            #NOTE: paste in the output of the slappasswd command above 
+
directory  /var/lib/openldap/openldap-data
+
index      objectClass    eq
+
  
Provide a database config:
+
== OpenLDAP Setup ==
cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG
+
  
Start OpenLDAP:
+
=== Installation ===
  
/etc/rc.d/slapd start
+
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.
  
 
=== Populate LDAP Tree with Base Data ===
 
=== Populate LDAP Tree with Base Data ===
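Review bot: the rewritten introduction in this hunk introduces typos the old text did not have: "excisting" (existing), "authenticated against" (authenticate against), "machanism" (mechanism), "it's" twice where the possessive "its" is meant, and a missing space in "server.The". The new "Installation" subsection delegates slapd.conf to the [[OpenLDAP]] article, but the dropped rootpw/rootdn lines were the only place this page tied the server's rootdn to the bind DN used by ldapadd further down; a one-line reminder that the two must match would keep that link.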
Line 57: Line 39:
 
  dc: example
 
  dc: example
 
   
 
   
  # admin, example.org
+
  # Manager, example.org
  dn: cn=admin,dc=example,dc=org
+
  dn: cn=Manager,dc=example,dc=org
  cn: admin
+
  cn: Manager
 
  description: LDAP administrator
 
  description: LDAP administrator
 
  roleOccupant: dc=example,dc=org
 
  roleOccupant: dc=example,dc=org
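Review bot: renaming the administrator entry from cn=admin to cn=Manager is consistent with the ldapadd -D bind changed in the next hunk, but the entry and the bind only work if slapd's rootdn (now configured in the [[OpenLDAP]] article rather than here) uses the same DN; that dependency is worth stating next to the LDIF.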
Line 79: Line 61:
 
Add it to your OpenLDAP Tree:
 
Add it to your OpenLDAP Tree:
  
  ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f base.ldif
+
  ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
  
 
Test to make sure the data was imported:
 
Test to make sure the data was imported:
Line 86: Line 68:
  
  
*Note: I had to add "slapd: ALL" to /etc/hosts.allow before running the above command.
+
== Client Setup ==
  
=== Configure TLS Encryption ===
+
[[pacman|Install]] {{Pkg|openldap}} from the [[official repositories]]. This is needed regardless of whether you run openldap on your machine or over the network.
  
It's a good idea to configure TLS to encrypt the exchange of information between client and server. This way passwords, which are normally sent plain-text, cannot be easily sniffed from the wire. In order to use TLS, we must first create a certificate. You can have a certificate signed, or create your own Certificate Authority (CA), but for our purposed, a self-signed certificate will suffice. '''IMPORTANT:''' OpenLDAP cannot use a certificate that has a password associated to it.
+
Next, [[pacman|install]] {{AUR|nss-pam-ldapd}} from the [[Arch User Repository]].
  
To create a ''self-signed'' certificate, type the following:
+
There is the {{pkg|nss_ldap}} and {{pkg|pam_ldap}} from the [[Official Repositories|official repositories]]  
 
+
openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365
+
 
+
You will be prompted for information about your ldap server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your ldap server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).
+
 
+
Now that the certificate files have been created copy them to /etc/openldap/ssl/ (if this directory doesn't exist create it) and secure them. '''IMPORTANT:''' slapdcert.pem must be world readable because it contains the public key.
+
 
+
cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/
+
chmod 400 slapdkey.pem
+
chmod 444 slapdcert.pem
+
 
+
Edit the daemon configuration file (/etc/openldap/slapd.conf) to tell LDAP where the certificate files reside by adding the following lines:
+
 
+
# Certificate/SSL Section
+
TLSCipherSuite HIGH:MEDIUM:+SSLv2
+
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
+
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem
+
 
+
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards.
+
 
+
To see which ciphers are supported by your local OpenSSL installation, type the following:
+
 
+
openssl ciphers -v ALL
+
 
+
In order to tell OpenLDAP to start using encryption edit /etc/rc.d/slapd and change
+
 
+
stat_busy "Starting OpenLDAP"
+
    [ -z "$PID" ] && /usr/sbin/slapd
+
 
+
to
+
 
+
stat_busy "Starting OpenLDAP"
+
    [ -z "$PID" ] && `/usr/sbin/slapd -h ldaps:///`
+
 
+
This will cause OpenLDAP to accept encrypted. '''IMPORTANT:''' If you created a self-signed certificate above be sure to add the following line to /etc/openldap/ldap.conf or you won't be able connect to the server to test it:
+
 
+
TLS_REQCERT allow
+
 
+
Restart the server:
+
 
+
/etc/rc.d/slapd restart
+
 
+
Test that the server is encrypting traffic run the following command:
+
 
+
ldapsearch -x -H ldaps://example.org -b 'dc=example,dc=org' '(objectclass=*)'
+
 
+
 
+
== Client Setup ==
+
  
 
=== OpenLDAP ===
 
=== OpenLDAP ===
 +
Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.
  
'''IMPORTANT:''' If you created a self-signed certificate above be sure to add the following line to /etc/openldap/ldap.conf or you won't be able connect to the server:
+
You can search an LDAP server with the following command:
 +
{{bc|ldapsearch -x -H <URL> -b <BASE>}}
 +
{{Tip| {{ic|-x}} is required in all client commands because SASL authentication probably hasn't been configured.}}
  
TLS_REQCERT allow
+
You can add the URL and BASE settings to {{ic|/etc/openldap/ldap.conf}} in order to avoid writing the everytime. All client-side ldap utilities use this file to read some general variables.
 +
{{Warning| If you created a self-signed certificate above you need to also add the following line or you will not be able connect to the server:
 +
{{ic|TLS_REQCERT allow}} }}
  
 +
=== NSS Configuration ===
 +
NSS is a system facility which manages different sources as configuration databases. For example {{ic|/etc/passwd}} is i {{ic|file}}-type source for the {{ic|passwd}} which by default stores the user accounts. nss_ldap is a plugin which allow NSS to see an OpenLDAP server as a source for these databases.
  
=== NSS_LDAP ===
+
Edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:
 
+
Install the nss_ldap module:
+
 
+
pacman -S nss_ldap
+
 
+
Edit /etc/nss_ldap.conf:
+
 
+
host <SERVER_IP>
+
base dc=example,dc=org
+
rootbinddn cn=admin,dc=example,dc=org
+
port 636
+
pam_login_attribute uid
+
pam_template_login_attribute uid
+
nss_base_passwdou=People,dc=example,dc=org?one
+
nss_base_shadowou=People,dc=example,dc=org?one
+
nss_base_group  ou=Group,dc=example,dc=org?one
+
ssl start_tls
+
ssl on
+
+
# This is only needed if your using a self-signed certificate.
+
tls_checkpeer no
+
 
+
Edit /etc/nsswitch.conf
+
  
 
  passwd: files ldap
 
  passwd: files ldap
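Review bot: the removed "Configure TLS Encryption" section was the only place this article created a certificate, yet the new Warning in the client section still reads "If you created a self-signed certificate above", and it tells readers to add "TLS_REQCERT allow" without saying that this makes the client accept a certificate it cannot verify; reword the reference (the OpenLDAP article now owns that step) and say what the setting trades away. Smaller points in the same hunk: "There is the {{pkg|nss_ldap}} and {{pkg|pam_ldap}} from the official repositories" is a sentence fragment, "is i {{ic|file}}-type source" should read "is a", "writing the everytime" is missing its object, and the new "==== NSLCD ====" subsection is empty.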
Line 178: Line 96:
 
  shadow: files ldap
 
  shadow: files ldap
  
 +
==== Name Service Cache Daemon ====
 +
NSCD is a daemon that NSS runs that is responsible for caching lookups and queries for network backends.
  
=== PAM_LDAP ===
+
{{Important| It is recommended to stop the daemon when troubleshooting because it may mask problems by serving cached queries}}
  
Install pam_ldap module:
+
READ THIS FIRST: [[https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]]
 +
Fix nscd:
  
  pacman -S pam_ldap
+
  mkdir -p /var/db/nscd/
 +
mkdir -p /var/run/nscd/
  
Edit /etc/pam_ldap.conf:
+
Run nscd:
 +
{{bc|systemctl start nscd}}
  
host <SERVER_IP>
+
==== NSLCD ====
base dc=example,dc=org
+
 
rootbinddn cn=admin,dc=example,dc=org
+
=== PAM Configuration ===
port 636
+
pam_login_attribute uid
+
pam_template_login_attribute uid
+
nss_base_passwdou=People,dc=example,dc=org?one
+
nss_base_shadowou=People,dc=example,dc=org?one
+
nss_base_group  ou=Group,dc=example,dc=org?one
+
ssl start_tls
+
ssl on
+
+
# This is only needed if your using a self-signed certificate.
+
tls_checkpeer no
+
  
Edit /etc/pam.d/login:
+
Edit {{ic|/etc/pam.d/login}}:
  
 
  auth            requisite      pam_securetty.so
 
  auth            requisite      pam_securetty.so
Line 218: Line 130:
 
  session        required        pam_unix.so
 
  session        required        pam_unix.so
  
Edit /etc/pam.d/passwd:
+
Edit {{ic|/etc/pam.d/passwd}}:
  
 
  password        sufficient      pam_ldap.so
 
  password        sufficient      pam_ldap.so
 
  password        required        pam_unix.so shadow md5 nullok
 
  password        required        pam_unix.so shadow md5 nullok
  
Edit /etc/pam.d/shadow:
+
Edit {{ic|/etc/pam.d/shadow}}:
  
 
  auth            sufficient      pam_ldap.so
 
  auth            sufficient      pam_ldap.so
Line 235: Line 147:
 
  password        required        pam_permit.so
 
  password        required        pam_permit.so
  
edit /etc/pam.d/su:
+
edit {{ic|/etc/pam.d/su}}:
  
 
  auth            sufficient      pam_ldap.so
 
  auth            sufficient      pam_ldap.so
Line 245: Line 157:
 
  session        required        pam_unix.so
 
  session        required        pam_unix.so
  
edit /etc/pam.d/sshd:
+
edit {{ic|/etc/pam.d/sshd}}:
  
 
  auth            sufficient      pam_ldap.so
 
  auth            sufficient      pam_ldap.so
Line 260: Line 172:
 
  session        required        pam_limits.so
 
  session        required        pam_limits.so
  
edit /etc/pam.d/other:
+
edit {{ic|/etc/pam.d/other}}:
  
 
  auth            sufficient      pam_ldap.so
 
  auth            sufficient      pam_ldap.so
Line 270: Line 182:
 
  session        required        pam_unix.so
 
  session        required        pam_unix.so
  
=== Name Service Cache Daemon ===
+
== Resources ==
 
+
[http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]
READ THIS FIRST: [[http://bbs.archlinux.org/viewtopic.php?t=9401 NSCD Bugged in Arch Linux]]
+
 
+
Fix nscd:
+
 
+
mkdir -p /var/db/nscd/
+
mkdir -p /var/run/nscd/
+
 
+
Run nscd:
+
 
+
/etc/rc.d/nscd start
+
 
+
== Links and Resources ==
+
  
Eliott's (cactus) guide for a RedHat Server: [[http://solarblue.net/docs/ldap.htm Ldap Server Setup]]
+
The PAM and NSS page at the Debian Wiki [http://wiki.debian.org/LDAP/NSS 1] [http://wiki.debian.org/LDAP/PAM 2]
  
One of the best OpenLDAP clients: [[http://phpldapadmin.sourceforge.net/ phpLDAPadmin]]
+
[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]
  
Debian OpenLDAP setup: [[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]]
+
[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]
  
How to integrate OpenLDAP for MacOSX, Windows and Linux: [[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]]
+
[http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on suse's mailing lists about nss-pam-ldapd]
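Review bot: "packet" in the first Resources entry should be "package", and the two Debian wiki links are labelled only "1" and "2" where "NSS" and "PAM" would tell the reader which is which.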

Revision as of 17:00, 1 April 2013

This article or section is out of date.

Reason: pam_ldap/nss_ldap are deprecated in favor of nss-pam-ldapd; pambase obsoletes most of the pam section

This article or section is a candidate for merging with LDAP Authentication.

Introduction and Concepts

This is a guide on how to configure an Arch Linux installation to authenticate against an OpenLDAP server. The OpenLDAP backend can be either local (installed on the same computer) or on the network (e.g. in a lab environment where central authentication is desired). The guide is divided in two parts. The first part deals with how to set up OpenLDAP locally and the second with how to set up the NSS and PAM modules required for the authentication scheme to work. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the second part.

OpenLDAP

OpenLDAP is an open-source server implementation of the LDAP protocol. It is mainly used as an authentication backend for various services (the best-known being Samba, which uses it to emulate a domain controller) and essentially holds the user data. The closest real-life analogue is the telephone directory. Another general description of an LDAP server is that it is a database (which it basically is, though not a relational one) that is optimised for reading and looking up data rather than writing it.

Commands related to OpenLDAP that begin with ldap (like ldapsearch) are client-side utilities, while commands that begin with slap (like slapcat) are server-side. Arch packages both in the openldap package, so you need to install it regardless of whether your OpenLDAP server is local or on the network.

NSS and PAM

NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, /etc/passwd is a file type source for the passwd database.

PAM (which stands for Pluggable Authentication Modules) is a mechanism that Linux (and most *nixes) uses to extend its authentication schemes with different plugins.

So, to summarize, we need to configure NSS to use the OpenLDAP server as a source for the passwd, shadow and other configuration databases, and then configure PAM to use these sources to authenticate its users.

OpenLDAP Setup

Installation

You can read about installation and basic configuration in the OpenLDAP article. After you have completed that, return here.

Populate LDAP Tree with Base Data

Create a file called base.ldif with the following text:

# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

# Manager, example.org
dn: cn=Manager,dc=example,dc=org
cn: Manager
description: LDAP administrator
roleOccupant: dc=example,dc=org
objectClass: organizationalRole
objectClass: top

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

Add it to your OpenLDAP Tree:

ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif

Test to make sure the data was imported:

ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'


Client Setup

Install openldap from the official repositories. This is needed regardless of whether you run openldap on your machine or over the network.

Next, install nss-pam-ldapd from the Arch User Repository (AUR).

Alternatively, the nss_ldap and pam_ldap packages are available from the official repositories; note that they are deprecated in favor of nss-pam-ldapd (see the notice at the top of this page), although the configuration below still refers to them.

OpenLDAP

Before you begin setting up PAM and NSS for ldap authentication, you should try to check if the LDAP server is available. You can do this easily with ldapsearch.

You can search an LDAP server with the following command:

ldapsearch -x -H <URL> -b <BASE>

Tip: -x is required in all client commands because SASL authentication probably hasn't been configured.

You can add the URL (the URI directive) and BASE settings to /etc/openldap/ldap.conf in order to avoid typing them every time. All client-side ldap utilities read some general variables from this file.

Warning: If the server uses a self-signed certificate, you also need to add the following line, or you will not be able to connect to the server:

TLS_REQCERT allow

With allow the client proceeds even when the server certificate cannot be verified, so the connection is still encrypted but the server's identity is no longer checked.
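An added check for the client-side ldap.conf described above; it is not from the ArchWiki page or the OpenLDAP project. It reads the URI, BASE and TLS_REQCERT directives and reports whether the client will verify the server certificate. The function names and sample file names are my own, both sample configurations are constructed, and the TLS_CACERT path in the second one is the certificate location used by the earlier revision of this page, to be replaced with your own.

```shell
#!/bin/sh
# Added example (not part of the ArchWiki page): audit the TLS verification
# level set in a client-side ldap.conf. The two sample files are constructed
# here and written to a temporary directory so the check runs offline; on a
# real client you would point the functions at /etc/openldap/ldap.conf.

# ldap_client_summary FILE
# Prints the last URI, BASE and TLS_REQCERT values found in FILE. OpenLDAP
# treats a missing TLS_REQCERT as "demand", so that is reported when absent.
ldap_client_summary() {
    uri=$(awk 'toupper($1) == "URI" { print $2 }' "$1" | tail -n 1)
    base=$(awk 'toupper($1) == "BASE" { print $2 }' "$1" | tail -n 1)
    req=$(awk 'toupper($1) == "TLS_REQCERT" { print tolower($2) }' "$1" | tail -n 1)
    echo "uri=${uri:-unset} base=${base:-unset} tls_reqcert=${req:-demand}"
}

# ldap_client_verifies_cert FILE
# Succeeds (returns 0) when the client will refuse a server certificate it
# cannot verify (TLS_REQCERT demand, hard, try, or unset); fails (returns 1)
# for "allow" or "never", the settings under which a forged or self-signed
# certificate is accepted silently.
ldap_client_verifies_cert() {
    req=$(awk 'toupper($1) == "TLS_REQCERT" { print tolower($2) }' "$1" | tail -n 1)
    case "${req:-demand}" in
        allow|never) return 1 ;;
        *)           return 0 ;;
    esac
}

# --- constructed sample configurations -------------------------------------
SAMPLE_DIR=$(mktemp -d)

# What the page's warning produces: the client connects, but checks nothing.
SAMPLE_ALLOW="$SAMPLE_DIR/ldap-allow.conf"
cat > "$SAMPLE_ALLOW" <<'EOF'
URI         ldaps://ldap.example.org
BASE        dc=example,dc=org
TLS_REQCERT allow
EOF

# One common alternative for a self-signed server: trust that one certificate
# (path taken from the earlier revision of this page; adjust to your own) and
# keep verification switched on.
SAMPLE_STRICT="$SAMPLE_DIR/ldap-strict.conf"
cat > "$SAMPLE_STRICT" <<'EOF'
URI         ldaps://ldap.example.org
BASE        dc=example,dc=org
TLS_CACERT  /etc/openldap/ssl/slapdcert.pem
TLS_REQCERT demand
EOF

for f in "$SAMPLE_ALLOW" "$SAMPLE_STRICT"; do
    ldap_client_summary "$f"
    if ldap_client_verifies_cert "$f"; then
        echo "  -> server certificate is verified"
    else
        echo "  -> server certificate is NOT verified; any certificate is accepted"
    fi
done
```

On a real client, run ldap_client_verifies_cert /etc/openldap/ldap.conf after editing the file; when it fails, the second sample shows the usual way out for a self-signed server, trusting that specific certificate through TLS_CACERT instead of lowering TLS_REQCERT.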

NSS Configuration

NSS is a system facility which manages different sources for configuration databases. For example, /etc/passwd is a file-type source for the passwd database, which by default stores the user accounts. nss_ldap is a plugin which allows NSS to use an OpenLDAP server as a source for these databases.

Edit /etc/nsswitch.conf, which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the ldap source to the passwd, group and shadow databases, so make sure your file contains these lines:

passwd: files ldap
group: files ldap
shadow: files ldap
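An added check, not from the ArchWiki page, for the nsswitch.conf edit above: it reports which of passwd, group and shadow still lack the ldap source. The function names are my own and both sample files are constructed; on a real system pass /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example (not part of the ArchWiki page): check that nsswitch.conf
# lists ldap as a source for the passwd, group and shadow databases, the
# three lines the page asks for. Sample files are constructed below so the
# check runs offline; on a real system pass /etc/nsswitch.conf.

# nss_missing_ldap FILE
# Prints one database name per line for each of passwd, group and shadow
# whose line in FILE does not list "ldap" (or that has no line at all).
# Prints nothing when all three are configured.
nss_missing_ldap() {
    awk '
        { sub(/#.*/, ""); sub(/:/, " : ") }    # drop comments, isolate the colon
        $2 == ":" && $1 ~ /^(passwd|group|shadow)$/ {
            for (i = 3; i <= NF; i++)
                if ($i == "ldap") has[$1] = 1
        }
        END {
            n = split("passwd group shadow", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in has)) print want[i]
        }' "$1"
}

# nss_ldap_ok FILE  -- succeeds only when nothing is missing
nss_ldap_ok() {
    [ -z "$(nss_missing_ldap "$1")" ]
}

SAMPLE_DIR=$(mktemp -d)

# Constructed: what the page wants, plus the unrelated lines a real file has.
NSS_GOOD="$SAMPLE_DIR/nsswitch-good.conf"
cat > "$NSS_GOOD" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
EOF

# Constructed: a file where only passwd was edited and the shadow line was
# left commented out, a common reason LDAP logins "almost" work.
NSS_BAD="$SAMPLE_DIR/nsswitch-bad.conf"
cat > "$NSS_BAD" <<'EOF'
passwd: files ldap
group:  files
#shadow: files ldap
shadow: files
EOF

for f in "$NSS_GOOD" "$NSS_BAD"; do
    if nss_ldap_ok "$f"; then
        echo "$f: passwd, group and shadow all use ldap"
    else
        echo "$f: ldap missing from:" $(nss_missing_ldap "$f")
    fi
done
```

Once the file passes, getent passwd <ldap-user> is the quickest end-to-end test that NSS now resolves accounts from the directory; if it returns nothing while ldapsearch finds the user, stop nscd first, as the section below recommends, so a cached negative answer is not what you are looking at.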

Name Service Cache Daemon

nscd (the Name Service Cache Daemon) is a daemon used by NSS to cache lookups and queries to network backends.

Important: It is recommended to stop the daemon when troubleshooting because it may mask problems by serving cached queries.

READ THIS FIRST: NSCD Bugged in Arch Linux (https://bbs.archlinux.org/viewtopic.php?id=9401)

Fix nscd:

mkdir -p /var/db/nscd/
mkdir -p /var/run/nscd/

Run nscd:

systemctl start nscd

NSLCD

PAM Configuration

Edit /etc/pam.d/login:

auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            sufficient      pam_ldap.so              
auth            required        pam_env.so
auth            required        pam_unix.so nullok try_first_pass
account         sufficient      pam_ldap.so
account         required        pam_access.so
account         required        pam_unix.so
session         required        pam_motd.so
session         required        pam_limits.so
session         optional        pam_mail.so dir=/var/spool/mail standard
session         optional        pam_lastlog.so
session         required        pam_unix.so

Edit /etc/pam.d/passwd:

password        sufficient      pam_ldap.so
password        required        pam_unix.so shadow md5 nullok

Edit /etc/pam.d/shadow:

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so
password        sufficient      pam_ldap.so
password        required        pam_permit.so

edit /etc/pam.d/su:

auth            sufficient      pam_ldap.so
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so

edit /etc/pam.d/sshd:

auth            sufficient      pam_ldap.so
auth            required        pam_securetty.so        #Disable remote root
auth            required        pam_unix.so try_first_pass
auth            required        pam_nologin.so
auth            required        pam_env.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
account         required        pam_time.so
password        sufficient      pam_ldap.so
password        required        pam_unix.so
session         required        pam_unix_session.so
session         required        pam_limits.so

edit /etc/pam.d/other:

auth            sufficient      pam_ldap.so
auth            required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
password        sufficient      pam_ldap.so
password        required        pam_unix.so
session         required        pam_unix.so
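An added check, not from the ArchWiki page, for the PAM files edited above. Every stack on this page lists pam_ldap.so as sufficient before pam_unix.so; the script below reports, for one file under /etc/pam.d, whether each management group keeps that order. The function names are my own; the first sample is the page's /etc/pam.d/other copied as-is, the second is a constructed, half-edited file.

```shell
#!/bin/sh
# Added example (not part of the ArchWiki page): report, for one file under
# /etc/pam.d, whether each management group (auth, account, password,
# session) lists pam_ldap.so and whether it comes before pam_unix.so, the
# ordering every stack on this page uses. Two sample files are constructed
# below; the first is the page's /etc/pam.d/other verbatim.

# pam_ldap_order FILE
# Prints "<group> <status>" for the four groups, status being one of
#   ldap-before-unix  pam_ldap.so is listed ahead of pam_unix.so
#   ldap-after-unix   pam_ldap.so is listed, but after pam_unix.so
#   no-ldap           the group has lines, none of them pam_ldap.so
#   absent            the group has no lines in this file
pam_ldap_order() {
    awk '
        { sub(/#.*/, "") }                      # strip trailing comments
        NF >= 3 && $1 ~ /^(auth|account|password|session)$/ {
            g = $1; n[g]++; seen[g] = 1
            if ($3 == "pam_ldap.so" && !(g in ldap)) ldap[g] = n[g]
            if ($3 == "pam_unix.so" && !(g in ux))   ux[g] = n[g]
        }
        END {
            k = split("auth account password session", groups, " ")
            for (i = 1; i <= k; i++) {
                g = groups[i]
                if (!(g in seen))                        s = "absent"
                else if (!(g in ldap))                   s = "no-ldap"
                else if (!(g in ux) || ldap[g] < ux[g])  s = "ldap-before-unix"
                else                                     s = "ldap-after-unix"
                print g, s
            }
        }' "$1"
}

# pam_ldap_ok FILE
# Succeeds when auth, account and password all consult pam_ldap.so before
# pam_unix.so (session is left out: the page's login stack has no ldap line there).
pam_ldap_ok() {
    pam_ldap_order "$1" | awk '
        BEGIN { bad = 0 }
        $1 != "session" && $2 != "ldap-before-unix" { bad = 1 }
        END { exit bad }'
}

SAMPLE_DIR=$(mktemp -d)

# The page's /etc/pam.d/other, copied as-is.
PAM_OTHER="$SAMPLE_DIR/other"
cat > "$PAM_OTHER" <<'EOF'
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
password        sufficient      pam_ldap.so
password        required        pam_unix.so
session         required        pam_unix.so
EOF

# Constructed: a partially edited file. pam_ldap.so was appended after the
# required pam_unix.so in auth, so a directory-only user (no local account)
# fails pam_unix.so and the later sufficient success cannot override that
# required failure; account was never touched at all.
PAM_PARTIAL="$SAMPLE_DIR/partial"
cat > "$PAM_PARTIAL" <<'EOF'
auth            required        pam_unix.so      # local check comes first
auth            sufficient      pam_ldap.so
account         required        pam_unix.so
EOF

for f in "$PAM_OTHER" "$PAM_PARTIAL"; do
    echo "== $f"
    pam_ldap_order "$f"
    pam_ldap_ok "$f" && echo "ok: ldap consulted before unix" || echo "NOT ok"
done
```

Run pam_ldap_order against each of login, passwd, shadow, su, sshd and other after editing them; the auth, account and password groups should all report ldap-before-unix, which is the order the page's stacks use.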

Resources

The official page of the nss-pam-ldapd package: http://arthurdejong.org/nss-pam-ldapd/setup

The PAM and NSS pages at the Debian Wiki: http://wiki.debian.org/LDAP/NSS and http://wiki.debian.org/LDAP/PAM

Using LDAP for single authentication: http://www.fatofthelan.com/articles/articles.php?pid=24

Heterogeneous Network Authentication Introduction: http://www.cs.dixie.edu/ldap/

Discussion on SUSE's mailing lists about nss-pam-ldapd: http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html