Difference between revisions of "User:Alexmat"

From ArchWiki
 
[http://wiki.archlinux.org/index.php/User:Alexmat:Manual_CK_Kernel_Install Manual CK Kernel Install]
 
 
= Secure OpenLDAP Authentication for a Small Network =
 
 
== Introduction and Concepts ==
 
 
This guide is composed from bits and pieces of LDAP guides and forums around the net. I borrowed very heavily from Eliott's (cactus) OpenLDAP guide [[http://solarblue.net/docs/ldap.htm Ldap Server Setup]], which is very well written. Unfortunately Arch Linux has some differences in the way things are set up. It is also the case that most LDAP guides online fall into one of three categories: too general, outdated, or dependent on distro-specific tools (e.g. authconfig). This guide is written specifically with Arch Linux in mind and tries to illustrate both LDAP concepts and implementation from the point of view of someone who has never used LDAP before (i.e. the author).
 
 
=== OpenLDAP ===
 
 
UNDER CONSTRUCTION!
 
 
=== NSS and PAM ===
 
 
UNDER CONSTRUCTION!
 
 
== Server Setup ==
 
 
=== Install OpenLDAP ===
 
 
pacman -Sy openldap
 
 
 
=== Configure OpenLDAP ===
 
 
Generate the rootdn password hash (paste the output onto the rootpw line of slapd.conf; never put the cleartext password there):
 
 
slappasswd -h {SSHA}
 
 
Edit /etc/openldap/slapd.conf
 
  EXPAND ON THIS
 
 
Start OpenLDAP:
 
 
/etc/rc.d/slapd start
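Added example, not from the original page: the slapd.conf directives that matter for this guide, emitted by a small script so that the rootpw line can be checked for a slappasswd hash and the result parsed with slaptest before slapd is restarted. Without any access directives slapd grants read access to everything, password hashes included, so the fragment also carries an ACL that hides userPassword from everyone but its owner. Assumed, since the page does not state them: the bdb backend with its data under /var/lib/openldap/openldap-data, the core, cosine and nis schema include lines already present at the top of slapd.conf, and slapd running as root the way /etc/rc.d/slapd starts it.

```shell
#!/bin/sh
# Added example: core slapd.conf directives for the dc=example,dc=org tree plus
# an ACL protecting userPassword. The bdb backend and the paths are assumptions
# matching the Arch packages of this page's era; adjust to your slapd.conf.
set -e

CONF=${CONF:-/etc/openldap/slapd.conf}

# Print the directives to append to slapd.conf.
# $1 = suffix, $2 = rootdn, $3 = hash printed by slappasswd -h {SSHA}
slapd_conf_fragment() {
    suffix=$1 rootdn=$2 rootpw=$3
    cat <<EOF
# ---- database (added example) ----
database        bdb
suffix          "$suffix"
rootdn          "$rootdn"
# Paste the slappasswd output here; never a cleartext password.
rootpw          $rootpw
directory       /var/lib/openldap/openldap-data
index           objectClass,uid,uidNumber,gidNumber,memberUid eq

# ---- access control (added example) ----
# With no 'access' directives slapd grants everyone read access, which hands
# userPassword hashes to any anonymous search for offline cracking.
# Users may change their own password, anyone may bind with it, nobody reads it.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
# Everything NSS needs (uid, uidNumber, gidNumber, ...) stays readable.
# Deliberately no 'by self write' here: it would let a user edit their own uidNumber.
access to *
        by * read
EOF
}

# 0 if the rootpw line carries a {SCHEME} hash, 1 if it is cleartext.
rootpw_is_hashed() {
    printf '%s\n' "$1" | grep -E '^rootpw[[:space:]]+[{](SSHA|SHA|SMD5|MD5|CRYPT)[}]' >/dev/null
}

# 0 if the userPassword ACL ends in 'by * none' (no default read), else 1.
userpassword_protected() {
    printf '%s\n' "$1" | awk '
        /^access to attrs=.*userPassword/ { inblock = 1; next }
        inblock && /^access to/          { inblock = 0 }
        inblock && /by \* none/          { found = 1 }
        END { exit !found }'
}

# Append the fragment, then let slaptest parse the result before slapd is
# restarted, so a typo never takes the directory down.
apply_fragment() {
    hash=$(slappasswd -h '{SSHA}')              # prompts for the admin password
    frag=$(slapd_conf_fragment 'dc=example,dc=org' 'cn=admin,dc=example,dc=org' "$hash")
    rootpw_is_hashed "$frag" || { echo "refusing cleartext rootpw" >&2; exit 1; }
    printf '%s\n' "$frag" >>"$CONF"
    chmod 600 "$CONF"                            # root-only: slapd runs as root here
    slaptest -u -f "$CONF"                       # -u: syntax check without touching the database
}

if [ "${1:-}" = apply ]; then
    apply_fragment
fi
```

Run it as `sh slapd-conf.sh apply` on the server; with no argument it only defines the functions, which is convenient for vetting a hand-written slapd.conf with `rootpw_is_hashed "$(cat /etc/openldap/slapd.conf)"`.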
 
 
 
=== Populate LDAP Tree with Base Data ===
 
 
Create a file called base.ldif with the following text:
 
 
# example.org
 
dn: dc=example,dc=org
 
objectClass: dcObject
 
objectClass: organization
 
o: Example Organization
 
dc: example
 
 
# admin, example.org
 
dn: cn=admin,dc=example,dc=org
 
cn: admin
 
description: LDAP administrator
 
roleOccupant: dc=example,dc=org
 
objectClass: organizationalRole
 
objectClass: top
 
 
# People, example.org
 
dn: ou=People,dc=example,dc=org
 
ou: People
 
objectClass: top
 
objectClass: organizationalUnit
 
 
# Group, example.org
 
dn: ou=Group,dc=example,dc=org
 
ou: Group
 
objectClass: top
 
objectClass: organizationalUnit
 
 
Add it to your OpenLDAP Tree:
 
 
ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f base.ldif
 
 
Test to make sure the data was imported:
 
 
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
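The base tree above contains no accounts, and the nss_ldap and pam_ldap configuration later on only does something once there are posixAccount entries under ou=People and posixGroup entries under ou=Group. The following script is an added example, not part of the original page: it builds the LDIF for one user and a same-named primary group with the password stored as an SSHA hash from slappasswd, refuses to load it if the password would be stored in cleartext, loads it with the same ldapadd invocation used above, and checks from a client that the account resolves and can bind. It assumes the nis schema (which defines posixAccount, shadowAccount and posixGroup) is included in slapd.conf and that the numeric IDs do not collide with local accounts on any client.

```shell
#!/bin/sh
# Added example: create one POSIX user and its primary group in the tree built
# above. Assumes the nis schema is loaded and the numeric IDs are unused on
# every client (a clash with a local /etc/passwd entry would merge the two).
set -e

ADMIN='cn=admin,dc=example,dc=org'
PEOPLE='ou=People,dc=example,dc=org'
GROUPS_OU='ou=Group,dc=example,dc=org'

# Print LDIF for a user plus a same-named primary group.
# $1 login, $2 uidNumber, $3 gidNumber, $4 full name, $5 password hash
user_ldif() {
    login=$1 uidn=$2 gidn=$3 fullname=$4 pwhash=$5
    cat <<EOF
dn: uid=$login,$PEOPLE
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
cn: $fullname
sn: ${fullname##* }
gecos: $fullname
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$login
loginShell: /bin/bash
# {SSHA} hash from slappasswd; a bare string would be stored as cleartext.
userPassword: $pwhash
shadowLastChange: $(( $(date +%s) / 86400 ))
shadowMax: 99999
shadowWarning: 7

dn: cn=$login,$GROUPS_OU
objectClass: top
objectClass: posixGroup
cn: $login
gidNumber: $gidn
EOF
}

# 0 when userPassword is a {SCHEME} hash, 1 when it would be stored cleartext.
ldif_password_hashed() {
    printf '%s\n' "$1" | grep -E '^userPassword: [{](SSHA|SHA|SMD5|MD5|CRYPT)[}]' >/dev/null
}

# Hash the password interactively, check, and load both entries as the admin.
add_user() {
    pwhash=$(slappasswd -h '{SSHA}')
    ldif=$(user_ldif "$1" "$2" "$3" "$4" "$pwhash")
    ldif_password_hashed "$ldif" || { echo "refusing to store a cleartext password" >&2; exit 1; }
    printf '%s\n' "$ldif" | ldapadd -x -D "$ADMIN" -W
}

# On a configured client: the account must resolve through NSS and the
# password must bind (a failed bind here means PAM logins will fail too).
check_user() {
    getent passwd "$1" && id "$1" \
        && ldapwhoami -x -D "uid=$1,$PEOPLE" -W
}

case "${1:-}" in
    add)   shift; add_user "$@" ;;       # add jdoe 10001 10001 "Jane Doe"
    check) check_user "$2" ;;
esac
```

`sh adduser.sh add jdoe 10001 10001 "Jane Doe"` prompts for the password twice (slappasswd) and then for the admin password (ldapadd -W); `sh adduser.sh check jdoe` is meant for a client once the NSS and PAM sections below are done.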
 
 
=== Configure TLS Encryption ===
 
 
It is a good idea to configure TLS to encrypt the exchange between client and server: a simple bind sends the password in clear text, so without TLS anyone on the path can read it off the wire. In order to use TLS we must first create a certificate. You can have a certificate signed by a public CA, or create your own Certificate Authority (CA), but for our purposes a self-signed certificate will suffice. '''IMPORTANT:''' slapd cannot use a private key that is protected by a passphrase, since nothing is there to type it at start-up; generate the key unencrypted (the -nodes option below) and protect it with file permissions instead.
 
 
To create a ''self-signed'' certificate, type the following:
 
 
openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365
 
 
You will be prompted for information about your LDAP server. Much of it can be left blank. The most important field is the Common Name (CN): it must be the DNS name clients will use to reach the server (the host part of the ldaps:// URI). If clients connect to ldaps://example.org but the certificate says CN=bad.example.org, a client that verifies certificates will refuse to negotiate TLS, and a client configured not to verify will connect but gets no assurance that it is talking to the real server.
 
 
Now that the certificate files have been created, copy them to /etc/openldap/ssl/ (create the directory if it does not exist) and secure them. The private key must be readable only by the user slapd runs as, which is root when it is started by /etc/rc.d/slapd as shown on this page. '''IMPORTANT:''' slapdcert.pem must be world readable; it contains only the certificate and public key, and clients will need a copy of it to verify the server.
 
 
cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/
 
chmod 400 slapdkey.pem
 
chmod 444 slapdcert.pem
 
 
Edit the daemon configuration file (/etc/openldap/slapd.conf) to tell LDAP where the certificate files reside by adding the following lines:
 
 
# Certificate/SSL Section
 
TLSCipherSuite HIGH:!SSLv2:!aNULL
 
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
 
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem
 
 
TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. Besides individual cipher names you can use the keywords OpenSSL understands: HIGH and MEDIUM select ciphers by key strength, !SSLv2 removes the SSLv2 ciphers (the protocol is broken and gives an attacker a downgrade target) and !aNULL removes anonymous Diffie-Hellman, which encrypts but does not authenticate the server. '''NOTE:''' the +SSLv2 form found in older recipes does not disable anything; + only moves the matching ciphers to the end of the preference list, so a client that offers nothing else can still negotiate them. Use ! to exclude.
 
 
To see which ciphers your local OpenSSL installation knows, type the following (substitute the TLSCipherSuite string for ALL to see exactly what slapd will offer):
 
 
openssl ciphers -v ALL
 
 
In order to tell OpenLDAP to start using encryption edit /etc/rc.d/slapd and change
 
 
stat_busy "Starting OpenLDAP"
 
    [ -z "$PID" ] && /usr/sbin/slapd
 
 
to
 
 
stat_busy "Starting OpenLDAP"
 
    [ -z "$PID" ] && /usr/sbin/slapd -h ldaps:///
 
 
This makes slapd listen only for LDAPS (TLS from the first byte) on port 636; the plain port 389 is no longer open, so the ldapadd and ldapsearch commands above must from now on be given -H ldaps://<server> to reach it. Do not wrap the command in backticks as some copies of this recipe do: in a shell script that is command substitution, not quoting. '''IMPORTANT:''' If you created a self-signed certificate above, add the following line to /etc/openldap/ldap.conf or the command-line tools will reject the certificate and fail to connect when you test. Be aware that allow turns certificate verification off: the session is encrypted, but the client accepts any certificate, so this is for the first test only. For real use copy slapdcert.pem to the client and replace it with TLS_CACERT pointing at that copy together with TLS_REQCERT demand.
 
 
TLS_REQCERT allow
 
 
Restart the server:
 
 
/etc/rc.d/slapd restart
 
 
To test that the server accepts TLS connections, run the following from a client (or the server itself), using the name in the certificate:
 
 
ldapsearch -x -H ldaps://example.org -b 'dc=example,dc=org' '(objectclass=*)'
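The steps above, done by hand, leave two things unchecked: that the CN really matches the name clients will use, and that the cipher list does not silently keep SSLv2 enabled. The following script is an added example, not from the original page: it generates the certificate non-interactively with the CN pinned, installs it with the permissions described above, validates the TLSCipherSuite string, and probes the ldaps listener from outside with openssl s_client. It assumes the server's DNS name is ldap.example.org (override LDAP_FQDN) and that slapd runs as root, as /etc/rc.d/slapd starts it; the 2048-bit key size is the example's own choice.

```shell
#!/bin/sh
# Added example: pinned-CN certificate generation, permission hardening,
# cipher-list sanity check and an external ldaps probe. Assumes slapd runs as
# root (so root-owned, mode 400 is the right key permission) and that the
# server is reached as ldap.example.org.
set -e

LDAP_FQDN=${LDAP_FQDN:-ldap.example.org}
SSL_DIR=${SSL_DIR:-/etc/openldap/ssl}

# Self-signed cert with CN = the server's DNS name and an unencrypted key
# (slapd cannot type a passphrase). $1 = FQDN, $2 = output directory.
make_cert() {
    mkdir -p "$2"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$1" -keyout "$2/slapdkey.pem" -out "$2/slapdcert.pem" 2>/dev/null
    chmod 400 "$2/slapdkey.pem"    # private key: the slapd user only
    chmod 444 "$2/slapdcert.pem"   # public cert: clients get a copy of this
}

# Print the CN of a certificate (RFC2253 output looks the same on old and new OpenSSL).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN *= *\([^,]*\).*/\1/p'
}

# The CN must equal the name in the client's ldaps:// URI or verifying clients refuse it.
cert_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# 0 only if a TLSCipherSuite string excludes SSLv2 and anonymous ciphers with '!'.
# '+SSLv2' just moves those ciphers to the end of the list; they stay enabled.
cipher_list_ok() {
    case "$1" in *'!SSLv2'*) ;; *) return 1 ;; esac
    case "$1" in *'!aNULL'*) ;; *) return 1 ;; esac
    return 0
}

# From a client: confirm port 636 speaks TLS and presents a certificate that
# verifies against the copy of slapdcert.pem we trust ($2).
probe_ldaps() {
    printf '' | openssl s_client -connect "$1:636" -CAfile "$2" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

case "${1:-}" in
    install)
        make_cert "$LDAP_FQDN" "$SSL_DIR"
        cert_matches_host "$SSL_DIR/slapdcert.pem" "$LDAP_FQDN" || { echo "CN mismatch" >&2; exit 1; }
        cipher_list_ok 'HIGH:!SSLv2:!aNULL' || exit 1
        echo "certificate installed in $SSL_DIR; restart slapd, then run: $0 probe" ;;
    probe)
        probe_ldaps "$LDAP_FQDN" "$SSL_DIR/slapdcert.pem" && echo "ldaps on $LDAP_FQDN verifies OK" ;;
esac
```

`sh slapd-cert.sh install` replaces the interactive openssl req step; after the slapd restart, `sh slapd-cert.sh probe` run from a client holding a copy of slapdcert.pem proves both that port 636 is TLS and that the certificate it sees is the one you generated, which is the check TLS_REQCERT allow skips.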
 
 
 
== Client Setup ==
 
 
=== OpenLDAP ===
 
 
'''IMPORTANT:''' If you created a self-signed certificate above, the quickest way to get the command-line tools connecting is the following line in /etc/openldap/ldap.conf. It disables certificate verification, so the client cannot tell the real server from an impostor; once you have tested, copy slapdcert.pem from the server to the client and replace this line with TLS_CACERT <path to the copy> and TLS_REQCERT demand:
 
 
TLS_REQCERT allow
 
 
 
=== NSS_LDAP ===
 
 
Install the nss_ldap module:
 
 
pacman -Sy nss_ldap
 
 
Edit /etc/nss_ldap.conf:
 
 
host <SERVER_IP>
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
port 636
pam_login_attribute uid
pam_template_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_shadow ou=People,dc=example,dc=org?one
nss_base_group  ou=Group,dc=example,dc=org?one
ssl on

# This is only needed if you're using a self-signed certificate.
tls_checkpeer no

Notes on these settings. port 636 together with ssl on selects LDAPS, matching the ldaps:/// listener configured on the server; do not also set ssl start_tls, which is the upgrade-on-port-389 mode and conflicts with it. tls_checkpeer no disables certificate verification, exactly as TLS_REQCERT allow does for the command-line tools: traffic is encrypted, but the client cannot tell the real server from an impostor. Once slapdcert.pem has been copied from the server to the client, switch to tls_checkpeer yes with tls_cacertfile pointing at that copy, and put the server's DNS name (the certificate CN) rather than its IP address in host. rootbinddn makes the module bind as the directory administrator, reading the password from a root-only secret file (/etc/ldap.secret by default, mode 600; check what your package was built with); that places the admin password on every client, so prefer a dedicated bind DN with read-only rights wherever your ACLs permit it.
 
 
Edit /etc/nsswitch.conf
 
 
passwd: files ldap
 
group: files ldap
 
shadow: files ldap
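The client OpenLDAP and NSS_LDAP sections above both fall back to disabling certificate verification (TLS_REQCERT allow, tls_checkpeer no). The following added example, not from the original page, shows the verifying configuration for both /etc/openldap/ldap.conf and /etc/nss_ldap.conf (pam_ldap.conf takes the same lines), a check that refuses the weak settings, and an end-to-end test over ldaps followed by an NSS lookup and a bind as the user. It assumes the server is ldap.example.org and that its slapdcert.pem was copied to the client over a trusted channel (scp from the server, not fetched from an unverified connection).

```shell
#!/bin/sh
# Added example: client configuration that verifies the server certificate,
# plus end-to-end checks. Assumes the server is ldap.example.org and that its
# slapdcert.pem was copied to the client over a trusted channel beforehand.
set -e

SERVER=${SERVER:-ldap.example.org}
BASE='dc=example,dc=org'
CACERT=${CACERT:-/etc/openldap/ssl/slapdcert.pem}

# /etc/openldap/ldap.conf for the command-line tools: trust exactly our copy of
# the server certificate and demand that the server present it.
ldap_conf() {
    cat <<EOF
BASE        $BASE
URI         ldaps://$SERVER
TLS_CACERT  $CACERT
# 'allow' or 'never' here would accept any certificate, so any host could impersonate the server.
TLS_REQCERT demand
EOF
}

# /etc/nss_ldap.conf and /etc/pam_ldap.conf: LDAPS on 636 is 'ssl on';
# 'ssl start_tls' is the port-389 upgrade mode and must not be combined with it.
# 'host' must be the name in the certificate, not an IP, or verification fails.
nss_ldap_conf() {
    cat <<EOF
host $SERVER
base $BASE
port 636
ssl on
tls_checkpeer yes
tls_cacertfile $CACERT
pam_login_attribute uid
nss_base_passwd ou=People,$BASE?one
nss_base_shadow ou=People,$BASE?one
nss_base_group  ou=Group,$BASE?one
EOF
}

# 0 only if a config text keeps peer verification on, names a CA file, and
# does not mix start_tls with ssl on. Usable on hand-edited files too.
client_conf_verifies_peer() {
    conf=$1
    printf '%s\n' "$conf" | grep -Eq '^(tls_checkpeer[[:space:]]+no|TLS_REQCERT[[:space:]]+(allow|never|try))' && return 1
    printf '%s\n' "$conf" | grep -Eq '^ssl[[:space:]]+start_tls' \
        && printf '%s\n' "$conf" | grep -Eq '^ssl[[:space:]]+on' && return 1
    printf '%s\n' "$conf" | grep -Eq '^(tls_cacertfile|TLS_CACERT)[[:space:]]+'
}

# End to end: a verified ldaps search, then NSS, then a bind as the user itself.
verify_client() {
    ldapsearch -x -H "ldaps://$SERVER" -b "$BASE" -s base '(objectclass=*)' dn >/dev/null \
        && echo "ldaps with certificate verification: OK"
    getent passwd "$1" >/dev/null && echo "NSS resolves $1: OK"
    ldapwhoami -x -H "ldaps://$SERVER" -D "uid=$1,ou=People,$BASE" -W && echo "bind as $1: OK"
}

case "${1:-}" in
    show)   ldap_conf; echo; nss_ldap_conf ;;                                   # print both files
    vet)    client_conf_verifies_peer "$(cat "$2")" && echo "$2: verifies peer" ;;
    verify) verify_client "${2:?login to look up}" ;;
esac
```

`sh ldap-client.sh show` prints the two files to paste; `sh ldap-client.sh vet /etc/nss_ldap.conf` exits non-zero while the file still carries tls_checkpeer no or both ssl modes; `sh ldap-client.sh verify jdoe` exercises the whole chain once a user exists in the directory.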
 
 
 
=== PAM_LDAP ===
 
 
Install pam_ldap module:
 
 
pacman -Sy pam_ldap
 
 
Edit /etc/pam_ldap.conf (the same settings as /etc/nss_ldap.conf above, with the same caveats about the ssl mode, tls_checkpeer and rootbinddn):

host <SERVER_IP>
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org
port 636
pam_login_attribute uid
pam_template_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_shadow ou=People,dc=example,dc=org?one
nss_base_group  ou=Group,dc=example,dc=org?one
ssl on

# This is only needed if you're using a self-signed certificate.
tls_checkpeer no
 
 
Edit /etc/pam.d/login:
 
 
auth            requisite       pam_securetty.so
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so nullok try_first_pass
 
account        sufficient      pam_ldap.so
 
account        required        pam_access.so
 
account        required        pam_unix.so
 
session        required        pam_motd.so
 
session        required        pam_limits.so
 
session        optional        pam_mail.so dir=/var/spool/mail standard
 
session        optional        pam_lastlog.so
 
session        required        pam_unix.so
 
 
Edit /etc/pam.d/passwd:
 
 
password        sufficient      pam_ldap.so
 
password        required        pam_unix.so shadow md5 nullok
 
 
Edit /etc/pam.d/shadow:
 
 
auth            sufficient      pam_ldap.so
 
auth            sufficient      pam_rootok.so
 
auth            required        pam_unix.so
 
account        sufficient      pam_ldap.so
 
account        required        pam_unix.so
 
session        sufficient      pam_ldap.so
 
session        required        pam_unix.so
 
password        sufficient      pam_ldap.so
 
password        required        pam_permit.so
 
 
Edit /etc/pam.d/su:
 
 
auth            sufficient      pam_ldap.so
 
auth            sufficient      pam_rootok.so
 
auth            required        pam_unix.so use_first_pass
 
account        sufficient      pam_ldap.so
 
account        required        pam_unix.so
 
session        sufficient      pam_ldap.so
 
session        required        pam_unix.so
 
 
Edit /etc/pam.d/sshd. The required checks go before the sufficient pam_ldap line: a sufficient module that succeeds ends the auth stack, so anything listed after it would be skipped for LDAP users (which would let them in while /etc/nologin exists):

auth            required        pam_nologin.so
auth            required        pam_securetty.so        #Disable remote root
auth            required        pam_env.so
auth            sufficient      pam_ldap.so
auth            required        pam_unix.so try_first_pass
 
account        sufficient      pam_ldap.so
 
account        required        pam_unix.so
 
account        required        pam_time.so
 
password        sufficient      pam_ldap.so
 
password        required        pam_unix.so
 
session        required        pam_unix_session.so
 
session        required        pam_limits.so
 
 
Edit /etc/pam.d/other:
 
 
auth            sufficient      pam_ldap.so
 
auth            required        pam_unix.so
 
account        sufficient      pam_ldap.so
 
account        required        pam_unix.so
 
password        sufficient      pam_ldap.so
 
password        required        pam_unix.so
 
session        required        pam_unix.so
 
 
=== Name Service Cache Daemon ===
 
 
READ THIS FIRST: [[http://bbs.archlinux.org/viewtopic.php?t=9401 NSCD Bugged in Arch Linux]]
 
 
Create the directories nscd expects (the workaround from the thread above):
 
 
mkdir -p /var/db/nscd/
 
mkdir -p /var/run/nscd/
 
 
Run nscd:
 
 
/etc/rc.d/nscd start
 
 
== Links and Resources ==
 
 
Eliott's (cactus) guide for a RedHat Server: [[http://solarblue.net/docs/ldap.htm Ldap Server Setup]]
 
 
One of the best OpenLDAP clients: [[http://phpldapadmin.sourceforge.net/ phpLDAPadmin]]
 
 
Debian OpenLDAP setup: [[http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]]
 
 
How to integrate OpenLDAP for MacOSX, Windows and Linux: [[http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]]
 
 
 
  
 

Revision as of 00:48, 18 September 2005


= Network File System Setup =

== Introduction and Concepts ==

== Server Setup ==

=== Verify/Compile Kernel NFS Support ===

For Kernel 2.6:

cd /usr/src/linux
make menuconfig
File Systems --->
 Network File Systems --->
 <*> NFS file system support
 [*]   Provide NFSv3 client support
 [ ]   Provide NFSv4 client support (EXPERIMENTAL)
 [ ]   Allow direct I/O on NFS files (EXPERIMENTAL)
 <*> NFS server support
 [*]   Provide NFSv3 server support
 [ ]   Provide NFS server over TCP support (EXPERIMENTAL)
 < > Secure RPC: Kerberos V mechanism (EXPERIMENTAL)
 < > SMB file system support (to mount Windows shares etc.)
 < > CIFS support (advanced network filesystem for Samba, Window and o...)
 < > NCP file system support (to mount NetWare volumes)
 < > Coda file system support (advanced network fs)
 < > Andrew File System support (AFS) (Experimental)

Install nfs-utils:

pacman -Sy nfs-utils

Edit /etc/exports:

/dir/toshare 192.168.1.0/24(rw,sync)

Update exports:

exportfs -a

Edit /etc/conf.d/nfsd and modify the following line to read:

MOUNTD_OPTS="--nfs-version 3"

Edit /etc/hosts.allow:

portmap: ALL
lockd: ALL
mountd: ALL

WARNING: ALL lets every host that can reach the machine talk to portmap, lockd and mountd, including mount requests from outside your network. Use it only for initial testing, then restrict each service to your LAN (for example 192.168.1.0/255.255.255.0) and deny the rest in /etc/hosts.deny.

Start nfs services:

/etc/rc.d/portmap start
/etc/rc.d/nfslock start
/etc/rc.d/nfsd start

Test your setup:

rpcinfo -p

After you've tested your setup and it works, add these services to the daemons list in /etc/rc.conf.
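The server steps above end with ALL in hosts.allow and an export line that relies on root_squash being the default. The following script is an added example, not part of the original page: it produces the LAN-restricted export and TCP-wrapper rules, refuses an export that disables root squashing or is open to every host, and finishes with the two commands that show what the server actually exports and which RPC services are registered. It assumes the LAN is 192.168.1.0/24 and the share is /srv/share; no_subtree_check is the example's own choice. Keep in mind that NFSv3 with the default AUTH_SYS security trusts the uid the client sends, so these host restrictions, root_squash and nosuid on the client mounts are the only controls: anyone who can plug into the LAN can claim any uid.

```shell
#!/bin/sh
# Added example: LAN-restricted NFS server rules and a check of what is really
# exported. Assumes the LAN is 192.168.1.0/24 and the share is /srv/share.
set -e

LAN_CIDR=${LAN_CIDR:-192.168.1.0/24}
LAN_MASK=${LAN_MASK:-192.168.1.0/255.255.255.0}   # same network in hosts.allow syntax
SHARE=${SHARE:-/srv/share}

# One /etc/exports line. root_squash is the default, but writing it down makes
# the intent reviewable; no_root_squash would let root on any LAN host write
# files as root on the server.
export_line() {
    printf '%s %s(rw,sync,root_squash,no_subtree_check)\n' "$1" "$2"
}

# 0 unless the line disables root squashing or exports to every host ('*').
export_line_ok() {
    case "$1" in
        *no_root_squash*|*' *('*) return 1 ;;
    esac
    return 0
}

# TCP wrapper rules: the RPC services answer only the LAN; hosts.deny catches
# the rest (hosts.deny is consulted only when nothing in hosts.allow matched).
hosts_allow() {
    for svc in portmap lockd mountd rquotad statd; do
        printf '%s: %s\n' "$svc" "$1"
    done
}
hosts_deny() {
    printf 'portmap: ALL\nlockd: ALL\nmountd: ALL\nrquotad: ALL\nstatd: ALL\n'
}

# 0 if no service in a hosts.allow text is still open to ALL.
hosts_allow_restricted() {
    ! printf '%s\n' "$1" | grep -Eq ':[[:space:]]*ALL([[:space:]]|$)'
}

apply() {
    line=$(export_line "$SHARE" "$LAN_CIDR")
    export_line_ok "$line" || { echo "refusing unsafe export: $line" >&2; exit 1; }
    printf '%s\n' "$line" >>/etc/exports
    hosts_allow "$LAN_MASK" >>/etc/hosts.allow
    hosts_deny >>/etc/hosts.deny
    exportfs -ra
    exportfs -v        # shows the effective options per export, root_squash included
    rpcinfo -p         # portmapper, mountd, nfs and nlockmgr should all be listed
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

After `sh nfs-server.sh apply`, `showmount -e` from a LAN host should list the share and the same command from outside the LAN should be refused by portmap and mountd.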


== Client Setup ==

For Kernel 2.6:

cd /usr/src/linux
make menuconfig
File Systems --->
 Network File Systems --->
 <*> NFS file system support
 [*]   Provide NFSv3 client support
 [ ]   Provide NFSv4 client support (EXPERIMENTAL)
 [ ]   Allow direct I/O on NFS files (EXPERIMENTAL)
 < > NFS server support
 < > Secure RPC: Kerberos V mechanism (EXPERIMENTAL)
 < > SMB file system support (to mount Windows shares etc.)
 < > CIFS support (advanced network filesystem for Samba, Window and o...)
 < > NCP file system support (to mount NetWare volumes)
 < > Coda file system support (advanced network fs)
 < > Andrew File System support (AFS) (Experimental)

Start portmap:

/etc/rc.d/portmap start

Test your connection to the server:

rpcinfo -p server

Mount a share:

mount server:/shared/dir /mnt/share


= Auto File System Mounter =

== Install ==

pacman -Sy autofs

== Automount Home Directory ==

Edit /etc/autofs/auto.master:

/home /etc/autofs/auto.home --timeout 600

Edit /etc/autofs/auto.home:

*   -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp 192.168.1.11:/home:&

Start AutoFS

/etc/rc.d/autofs start

Add autofs to the DAEMONS list in /etc/rc.conf as well.

= Network Time Protocol Daemon Setup =

== Install ==

pacman -Sy ntp

== Configure ==

Edit /etc/ntp.conf:

# default restrictions
restrict default noquery notrust nomodify

# override the default restrictions
restrict 192.168.1.0 mask 255.255.255.0 nomodify

# public NTP servers to sync with
server bigben.cac.washington.edu
server time-nw.nist.gov
server tick.ucla.edu

restrict bigben.cac.washington.edu noquery nomodify
restrict time-nw.nist.gov noquery nomodify
restrict tick.ucla.edu noquery nomodify

# NTP drift file
driftfile /etc/ntp.drift

# NTP log file
logfile /var/log/ntp.log

== Prevent DHCP Overwrite of /etc/ntp.conf ==

Edit /etc/conf.d/dhcpcd:

DHCPCD_ARGS="-t 30 -h $HOSTNAME -N"

== Sync Time with Stratum 1 Server on Boot ==

Edit /etc/rc.d/ntpsync:

#!/bin/bash

. /etc/rc.conf
. /etc/rc.d/functions

# Sync with Stratum 1 time server
stat_busy "Syncing System Clock"
/usr/bin/ntpdate -s bigben.cac.washington.edu
stat_done

Set executable:

chmod +x /etc/rc.d/ntpsync

== Add NTPD to Daemon Startup List ==

Edit /etc/rc.conf:

DAEMONS=(... ntpsync ntpd ...)


= Jabberd2 using MySQL storage and OpenLDAP authentication =

== READ THIS! ==

If you have any problems at all, the official [Jabberd2 documentation] is superb!

== Build Jabberd2 with MySQL and OpenLDAP Support ==

Copy the official Arch build from /var/abs/extra/daemons/jabberd. Edit the PKGBUILD and add MySQL and LDAP support. Don't delete the src directory after you're done; you'll need the MySQL script in there to populate your initial database.

== RTFM ==

The manual above walks you through the install of Jabberd2 very well. Make sure your IDs are the same, and look at /var/log/errors.log and /var/log/everything.log for help if you get stuck.