Differences between revisions 11 and 15 (spanning 4 versions)
Revision 11 as of 2007-02-16 21:01:56
Size: 3376
Comment: it works!
Revision 15 as of 2007-02-20 23:31:15
Size: 5869
Comment: openldap ssh solution
Deletions are marked like this. Additions are marked like this.
Line 4: Line 4:
Sun LDAP server on manbo set up, DN is `dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au`. Samba on manbo is pointing at it, as is sacheto and cobbler. Sun LDAP server on manbo set up, DN is `dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au`. Samba on manbo was pointing at it, as were sacheto and cobbler. A dump of this DB has been imported into OpenLDAP on mussel, which sacheto and samba on manbo are currently pointing at.
Line 12: Line 12:
OpenLDAP is configured in `/etc/ldap/slapd.conf` in a near-defeault configuration, with the exception of using hdb and smbk5pwd. There's no fancy console thing, but there's other tools you can use, like GQ and LBE.
Line 13: Line 15:
`dc=uwa,dc=edu,dc=au` goes to `ldap://directory.uwa.edu.au:389/o=The%20University%20of%20Western%20Australia` eg: `ldapsearch -C -x -h manbo -b dc=uwa,dc=edu,dc=au '(cn=Alex Dawson)'` `dc=uwa,dc=edu,dc=au` goes to `ldap://directory.uwa.edu.au:389/o=The%20University%20of%20Western%20Australia` eg: `ldapsearch -C -x -h manbo -b dc=uwa,dc=edu,dc=au '(cn=Alex Dawson)'` also works on mussel.
Line 22: Line 24:
 * SSL - our own CA or pay for a cert?
 * Replication?
 * SSL - our own CA or pay for a cert? our own, investigate free certs for *.uwa.edu.au
 * Replication? between mussel and martello
Line 35: Line 37:
Stick dovecot mail_location in preferredDeliveryMethod  * Stick dovecot mail_location in preferredDeliveryMethod
 * Stick coke balance into directory, use RFC 4527 methods to update
Line 53: Line 56:
= Notes on Sun Directory Server and other LDAP servers =

The Sun LDAP server supports several private LDAP control OIDs (1.3.6.1.4.1.42.2.27.9.5.8, 2.16.840.1.113730.3.4.4 and 2.16.840.1.113730.3.4.5) for the proxy account to obtain account validity information before attempting authentication. If these controls are available, the proxy account doesn't need read access to userPassword, which is good from a security point of view. Unforunately Sun DS doesn't support the LDAP Password Modifiy Extended Operation (defined as 1.3.6.1.4.1.4203.1.11.1 in [http://www.faqs.org/rfcs/rfc3062.html RFC 3062]) which PADL libpam_ldap and samba both use to change unix passwords.

In theory the extensions could be added, but even [http://www.directorymanager.org/blogs/ldap_controls.html Sun] admits the [http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libsldap/common/ns_sldap.h#312 header files] is all documentation there is. At least opensolaris being free software lets us read the client source to understand why it's not working. Plus the RFC-track password policy seems to do all the private controls do and more. Further testing indicates it actually does work, and ssh keys can be made to work by just skipping libpam_ldap.so in /etc/pam.conf with a specific sshd-keygen account sections.

So what about Fedora DS? Being a fork of iPlanet, it's very similar to SunDS, including being just as painful as Sun DS to install under Linux, so no real gain there. Plus, it's being converted to FHS at the moment, so we'd just have to reinstall anyway. The documentation is also a little lackluster. Finally, it doesn't support 1.3.6.1.4.1.42.2.27.9.5.8 (which was only [http://opensolaris.org/jive/thread.jspa?threadID=614&tstart=0 added to SunDS recently] so ssh keys wouldn't work with libpam_ldap.so, not that that's actually a problem.
Line 59: Line 70:
http://groups.google.com/group/comp.unix.solaris/msg/10e8a62bad96f288 http://groups.google.com/group/comp.unix.solaris/msg/10e8a62bad96f288 [[BR]]
[http://docs.sun.com/app/docs/doc/816-4556/6maort2to?a=view Solaris offers a nis server syncing from LDAP]

This page is for working out the migration of UCC authentication to LDAP.

Current status

Sun LDAP server on manbo set up, DN is dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au. Samba on manbo was pointing at it, as were sacheto and cobbler. A dump of this DB has been imported into OpenLDAP on mussel, which sacheto and samba on manbo are currently pointing at.

TableOfContents

Configuration Details

Server root is /var/mps/serverroot, admin passwords available upon application to [TRS]. /usr/sbin/directoryserver startconsole starts the managery console thing.

OpenLDAP is configured in /etc/ldap/slapd.conf in a near-defeault configuration, with the exception of using hdb and smbk5pwd. There's no fancy console thing, but there's other tools you can use, like GQ and LBE.

Referrals to UWA

dc=uwa,dc=edu,dc=au goes to ldap://directory.uwa.edu.au:389/o=The%20University%20of%20Western%20Australia eg: ldapsearch -C -x -h manbo -b dc=uwa,dc=edu,dc=au '(cn=Alex Dawson)' also works on mussel.

To Do

  • initialize OU entries - done
  • load user data from nis and samba - done
  • New user creation script, run on manbo?, can use either:
    • [http://cpu.sourceforge.net/ cpu] and smbpasswd

    • smbldap-tools.
    • initial version in /home/wheel/bin/ucc-adduser.ldap, to be used on mussel.

  • SSL - our own CA or pay for a cert? our own, investigate free certs for *.uwa.edu.au
  • Replication? between mussel and martello
  • Bonus crack - user address book, see (minimally functional) demo at http://mussel.ucc.asn.au/contagged-0.5

  • Enable LPK on sshds.

User objectClasses

  • Structural
    • inetOrgPerson
  • Auxiliary
    • sambaSamAccount
    • shadowAccount

Attribute Abuse

  • Stick dovecot mail_location in preferredDeliveryMethod
  • Stick coke balance into directory, use RFC 4527 methods to update

Client configuration

  • libnss-ldap
    • nss_base_passwd ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au (should be the default)

    • and for hosts with samba: nss_base_passwd ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au

  • libpam-ldap

morwong will only accept {crypt} passwords. Maybe make ignore this and just make morwong ssh-key only?

Solaris LDAP clients

Arrgh the documentation is not very clear about what's going on until you already understand it, particularly if you come from an OpenLDAP backgroud.

Basically, instead of binding as the user to the server, the client somehow magically binds with a proxy agent (which doesn't need read access to the user's password mind) and then authenticates the user. So binding as anonymous won't work, since anonymous can't actually bind to the server in a fashion that allows later authentication. Fortunately idsconfig will create the proxy user for you, but you have to understand that you want one first. The exception is if you have SASL/GSSAPI set up, but I think that means you're running kerberos, which we're not.

So, to set up a solaris client, run ldapclient -v init -a proxyDN=cn=proxyagent,ou=profile,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au 130.95.13.7, edit /etc/nsswitch.conf and replace the hosts: entry with files dns, then add in pam_ldap.so.1 to /etc/pam.conf as detailed [http://www.opensolaris.org/jive/thread.jspa?threadID=23434 here] or in pam_ldap(4). For googlejuice - this may show itself as the error pam_ldap: no legal authentication method configured

Notes on Sun Directory Server and other LDAP servers

The Sun LDAP server supports several private LDAP control OIDs (1.3.6.1.4.1.42.2.27.9.5.8, 2.16.840.1.113730.3.4.4 and 2.16.840.1.113730.3.4.5) for the proxy account to obtain account validity information before attempting authentication. If these controls are available, the proxy account doesn't need read access to userPassword, which is good from a security point of view. Unforunately Sun DS doesn't support the LDAP Password Modifiy Extended Operation (defined as 1.3.6.1.4.1.4203.1.11.1 in [http://www.faqs.org/rfcs/rfc3062.html RFC 3062]) which PADL libpam_ldap and samba both use to change unix passwords.

In theory the extensions could be added, but even [http://www.directorymanager.org/blogs/ldap_controls.html Sun] admits the [http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libsldap/common/ns_sldap.h#312 header files] is all documentation there is. At least opensolaris being free software lets us read the client source to understand why it's not working. Plus the RFC-track password policy seems to do all the private controls do and more. Further testing indicates it actually does work, and ssh keys can be made to work by just skipping libpam_ldap.so in /etc/pam.conf with a specific sshd-keygen account sections.

So what about Fedora DS? Being a fork of iPlanet, it's very similar to SunDS, including being just as painful as Sun DS to install under Linux, so no real gain there. Plus, it's being converted to FHS at the moment, so we'd just have to reinstall anyway. The documentation is also a little lackluster. Finally, it doesn't support 1.3.6.1.4.1.42.2.27.9.5.8 (which was only [http://opensolaris.org/jive/thread.jspa?threadID=614&tstart=0 added to SunDS recently] so ssh keys wouldn't work with libpam_ldap.so, not that that's actually a problem.

Useful URLs

http://lists.samba.org/archive/samba/2005-March/101579.html BR http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html BR http://samba.org/samba/docs/man/Samba-Guide/happy.html BR http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html BR http://www.nabble.com/anonymous-binding---is-it-needed---t1261737.html BR http://groups.google.com/group/comp.unix.solaris/msg/10e8a62bad96f288 BR [http://docs.sun.com/app/docs/doc/816-4556/6maort2to?a=view Solaris offers a nis server syncing from LDAP]