Difference between revisions of "OpenLDAP Authentication"

From ArchWiki
Jump to: navigation, search
m (Remove redundant troubleshooting section. Belongs in OpenLDAP now)
(38 intermediate revisions by 9 users not shown)
Line 1: Line 1:
[[Category:Networking (English)]] [[Category:Security (English)]]
+
#REDIRECT [[LDAP Authentication]]
{{Merge|LDAP Authentication}}
+
== Introduction and Concepts ==
+
 
+
This guide is composed from bits and pieces of LDAP guides and forums around the net. I borrowed very heavily from Eliott's (cactus) OpenLDAP guide [http://solarblue.net/docs/ldap.htm LDAP Server Setup]{{Linkrot|2011|09|04}} which is very well written. Unfortunately, Arch Linux has some differences in the way things are set up. It is also the case that most LDAP guides online fall into one of 3 categories: too general, outdated or uses distribution specific tools (i.e. authconfig). This guide is written specifically with Arch Linux in mind and will try to illustrate both LDAP concepts and implementation from the point of view of someone who has never used LDAP before (i.e. the author).
+
 
+
=== OpenLDAP ===
+
 
+
UNDER CONSTRUCTION!
+
 
+
=== NSS and PAM ===
+
 
+
UNDER CONSTRUCTION!
+
 
+
== Server Setup ==
+
 
+
=== Installation ===
+
 
+
The [[OpenLDAP]] server (slapd) and clients are bundled together in the {{pkg|openldap}} package.
+
 
+
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.
+
 
+
=== Populate LDAP Tree with Base Data ===
+
 
+
Create a file called base.ldif with the following text:
+
 
+
# example.org
+
dn: dc=example,dc=org
+
objectClass: dcObject
+
objectClass: organization
+
o: Example Organization
+
dc: example
+
+
# Manager, example.org
+
dn: cn=Manager,dc=example,dc=org
+
cn: Manager
+
description: LDAP administrator
+
roleOccupant: dc=example,dc=org
+
objectClass: organizationalRole
+
objectClass: top
+
+
# People, example.org
+
dn: ou=People,dc=example,dc=org
+
ou: People
+
objectClass: top
+
objectClass: organizationalUnit
+
+
# Group, example.org
+
dn: ou=Group,dc=example,dc=org
+
ou: Group
+
objectClass: top
+
objectClass: organizationalUnit
+
 
+
Add it to your OpenLDAP Tree:
+
 
+
ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f base.ldif
+
 
+
Test to make sure the data was imported:
+
 
+
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
+
 
+
=== Configure TLS Encryption ===
+
 
+
It's a good idea to configure TLS to encrypt the exchange of information between client and server. This way passwords, which are normally sent plain-text, cannot be easily sniffed from the wire. In order to use TLS, we must first create a certificate. You can have a certificate signed, or create your own Certificate Authority (CA), but for our purposed, a self-signed certificate will suffice. '''IMPORTANT:''' OpenLDAP cannot use a certificate that has a password associated to it.
+
 
+
To create a ''self-signed'' certificate, type the following:
+
 
+
openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365
+
 
+
You will be prompted for information about your ldap server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your ldap server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).
+
 
+
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (if this directory doesn't exist create it) and secure them. '''IMPORTANT:''' slapdcert.pem must be world readable because it contains the public key. slapdkey.pem on the other hand should only be readable for the ldap user for security reasons:
+
 
+
cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/
+
chown ldap slapdkey.pem
+
chmod 400 slapdkey.pem
+
chmod 444 slapdcert.pem
+
 
+
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:
+
 
+
# Certificate/SSL Section
+
TLSCipherSuite HIGH:MEDIUM:+SSLv2
+
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
+
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem
+
 
+
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards.
+
 
+
To see which ciphers are supported by your local OpenSSL installation, type the following:
+
 
+
openssl ciphers -v ALL
+
 
+
In order to tell OpenLDAP to start using encryption, edit /etc/conf.d/slapd, uncomment the SLAPD_SERVICES line and set it to the following:
+
 
+
SLAPD_SERVICES="ldaps:///"
+
 
+
This will cause OpenLDAP to accept encrypted. '''IMPORTANT:''' If you created a self-signed certificate above be sure to add the following line to /etc/openldap/ldap.conf or you won't be able connect to the server to test it:
+
 
+
TLS_REQCERT allow
+
 
+
Restart the server:
+
 
+
/etc/rc.d/slapd restart
+
 
+
Test that the server is encrypting traffic run the following command:
+
 
+
ldapsearch -x -H ldaps://example.org -b 'dc=example,dc=org' '(objectclass=*)'
+
 
+
== Client Setup ==
+
 
+
=== OpenLDAP ===
+
 
+
'''IMPORTANT:''' If you created a self-signed certificate above be sure to add the following line to {{ic|/etc/openldap/ldap.conf}} or you will not be able connect to the server:
+
 
+
TLS_REQCERT allow
+
 
+
 
+
=== NSS_LDAP ===
+
 
+
[[pacman|Install]] the {{pkg|nss_ldap}} module from the [[Official Repositories|official repositories]].
+
 
+
Edit {{ic|/etc/nss_ldap.conf}}:
+
 
+
host <SERVER_IP>
+
base dc=example,dc=org
+
rootbinddn cn=admin,dc=example,dc=org
+
port 636
+
pam_login_attribute uid
+
pam_template_login_attribute uid
+
nss_base_passwd ou=People,dc=example,dc=org?one
+
nss_base_shadow ou=People,dc=example,dc=org?one
+
nss_base_group  ou=Group,dc=example,dc=org?one
+
ssl start_tls
+
ssl on
+
+
# This is only needed if your using a self-signed certificate.
+
tls_checkpeer no
+
 
+
Edit {{ic|/etc/nsswitch.conf}}:
+
 
+
passwd: files ldap
+
group: files ldap
+
shadow: files ldap
+
 
+
=== PAM_LDAP ===
+
 
+
[[pacman|Install]] the {{pkg|pam_ldap}} module from the [[Official Repositories|official repositories]].
+
 
+
Edit {{ic|/etc/pam_ldap.conf}}:
+
 
+
host <SERVER_IP>
+
base dc=example,dc=org
+
rootbinddn cn=admin,dc=example,dc=org
+
port 636
+
pam_login_attribute uid
+
pam_template_login_attribute uid
+
nss_base_passwd ou=People,dc=example,dc=org?one
+
nss_base_shadow ou=People,dc=example,dc=org?one
+
nss_base_group  ou=Group,dc=example,dc=org?one
+
ssl start_tls
+
ssl on
+
+
# This is only needed if your using a self-signed certificate.
+
tls_checkpeer no
+
 
+
Edit {{ic|/etc/pam.d/login}}:
+
 
+
auth            requisite      pam_securetty.so
+
auth            requisite      pam_nologin.so
+
auth            sufficient      pam_ldap.so             
+
auth            required        pam_env.so
+
auth            required        pam_unix.so nullok try_first_pass
+
account        sufficient      pam_ldap.so
+
account        required        pam_access.so
+
account        required        pam_unix.so
+
session        required        pam_motd.so
+
session        required        pam_limits.so
+
session        optional        pam_mail.so dir=/var/spool/mail standard
+
session        optional        pam_lastlog.so
+
session        required        pam_unix.so
+
 
+
Edit {{ic|/etc/pam.d/passwd}}:
+
 
+
password        sufficient      pam_ldap.so
+
password        required        pam_unix.so shadow md5 nullok
+
 
+
Edit {{ic|/etc/pam.d/shadow}}:
+
 
+
auth            sufficient      pam_ldap.so
+
auth            sufficient      pam_rootok.so
+
auth            required        pam_unix.so
+
account        sufficient      pam_ldap.so
+
account        required        pam_unix.so
+
session        sufficient      pam_ldap.so
+
session        required        pam_unix.so
+
password        sufficient      pam_ldap.so
+
password        required        pam_permit.so
+
 
+
edit {{ic|/etc/pam.d/su}}:
+
 
+
auth            sufficient      pam_ldap.so
+
auth            sufficient      pam_rootok.so
+
auth            required        pam_unix.so use_first_pass
+
account        sufficient      pam_ldap.so
+
account        required        pam_unix.so
+
session        sufficient      pam_ldap.so
+
session        required        pam_unix.so
+
 
+
edit {{ic|/etc/pam.d/sshd}}:
+
 
+
auth            sufficient      pam_ldap.so
+
auth            required        pam_securetty.so        #Disable remote root
+
auth            required        pam_unix.so try_first_pass
+
auth            required        pam_nologin.so
+
auth            required        pam_env.so
+
account        sufficient      pam_ldap.so
+
account        required        pam_unix.so
+
account        required        pam_time.so
+
password        sufficient      pam_ldap.so
+
password        required        pam_unix.so
+
session        required        pam_unix_session.so
+
session        required        pam_limits.so
+
 
+
edit {{ic|/etc/pam.d/other}}:
+
 
+
auth            sufficient      pam_ldap.so
+
auth            required        pam_unix.so
+
account        sufficient      pam_ldap.so
+
account        required        pam_unix.so
+
password        sufficient      pam_ldap.so
+
password        required        pam_unix.so
+
session        required        pam_unix.so
+
 
+
=== Name Service Cache Daemon ===
+
 
+
READ THIS FIRST: [[https://bbs.archlinux.org/viewtopic.php?id=9401 NSCD Bugged in Arch Linux]]
+
 
+
Fix nscd:
+
 
+
mkdir -p /var/db/nscd/
+
mkdir -p /var/run/nscd/
+
 
+
Run nscd:
+
 
+
/etc/rc.d/nscd start
+
 
+
== Links and Resources ==
+
 
+
One of the best OpenLDAP clients: [[http://phpldapadmin.sourceforge.net/ phpLDAPadmin]]
+
 
+
Debian OpenLDAP setup: [[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]]
+
 
+
How to integrate OpenLDAP for MacOSX, Windows and Linux: [[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]]
+

Revision as of 00:59, 6 November 2013