This page is for working out the migration of UCC authentication to LDAP.
Current status
OpenLDAP servers set up on mussel (master) and motsugo (replica) under the DN dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au. All machines are pointing to mussel, most to martello as well.
The original Sun LDAP server on manbo which was used to init the database is still around, but not being used.
Configuration Details
OpenLDAP is configured in /etc/ldap/slapd.conf in a near-default configuration, with the exception of using the smbk5pwd, ppolicy and syncprov overlays. There's no fancy console thing, but there are other tools you can use, like GQ and LBE. Admin password available upon application to [TRS]. Data is stored in /var/lib/ldap, and there's a syncagent for martello and a proxyagent for the Suns.
On manbo, the server root is /var/mps/serverroot; /usr/sbin/directoryserver startconsole starts the management console.
Referrals to UWA
dc=uwa,dc=edu,dc=au is referred to ldap://directory.uwa.edu.au:389/o=The%20University%20of%20Western%20Australia, e.g. ldapsearch -C -x -h manbo -b dc=uwa,dc=edu,dc=au '(cn=Alex Dawson)'. This also works on mussel.
To Do
- initialize OU entries - done
- load user data from nis and samba - done
- New user creation script, run on manbo?, can use either:
  - cpu (http://cpu.sourceforge.net/) and smbpasswd
  - smbldap-tools; initial version in /home/wheel/bin/ucc-adduser.ldap, to be used on mussel.
- test password changing - successful
- SSL - our own CA or pay for a cert? our own, investigate free certs for *.uwa.edu.au
- Replication? between mussel and martello - done
- Bonus crack - user address book, see (minimally functional) demo at https://mussel.ucc.asn.au/contagged-0.5
- Enable LPK on sshds.
User objectClasses
- Structural
  - inetOrgPerson
- Auxiliary
  - sambaSamAccount
  - shadowAccount
Attribute Abuse
- Stick dovecot mail_location in preferredDeliveryMethod - done
- Stick coke balance into directory, use RFC 4527 methods to update
Client configuration
- libnss-ldap
- libpam-ldap
All clients are using SSL, with a copy of the UCC CA which is run from mooneye:/etc/ssl/CA.pl. CAs are managed on Solaris and Tru64 using certutil.
Solaris LDAP clients
Arrgh, the documentation is not very clear about what's going on until you already understand it, particularly if you come from an OpenLDAP background.
Basically, instead of binding as the user to the server, the client somehow magically binds with a proxy agent (which doesn't need read access to the user's password mind) and then authenticates the user. So binding as anonymous won't work, since anonymous can't actually bind to the server in a fashion that allows later authentication. Fortunately idsconfig will create the proxy user for you, but you have to understand that you want one first. The exception is if you have SASL/GSSAPI set up, but I think that means you're running kerberos, which we're not.
So, to set up a Solaris client, run ldapclient -v init -a proxyDN=cn=proxyagent,ou=profile,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au 130.95.13.7, edit /etc/nsswitch.conf and replace the hosts: entry with files dns, then add pam_ldap.so.1 to /etc/pam.conf as detailed at http://www.opensolaris.org/jive/thread.jspa?threadID=23434 or in pam_ldap(4). For googlejuice - getting this wrong may show itself as the error pam_ldap: no legal authentication method configured.
If you don't have idsconfig, you can use ldapclient genprofile (the replacement for ldap_gen_profile), but something about OpenLDAP or our directory has changed and profiles don't work (producing the undocumented "DUAProfile received from the server has bad format").
So, following the instructions at http://blog.maniac.nl/index.php/setting-up-ldap-with-openldap-server-solaris-10-aix-61-and-linux-clients/#sol10client, run:

    # set up TLS
    certutil -N -d /var/ldap
    certutil -A -d /var/ldap -n 'CA Name' -i /path/to/cacert.pem -a -t CT

    # manual ldapclient init
    ldapclient manual \
      -a credentialLevel=proxy \
      -a authenticationMethod=tls:simple \
      -a defaultSearchBase=dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au \
      -a domainName=ucc.gu.uwa.edu.au \
      -a defaultServerList="mussel.ucc.gu.uwa.edu.au motsugo.ucc.gu.uwa.edu.au" \
      -a preferredServerList="mussel.ucc.gu.uwa.edu.au motsugo.ucc.gu.uwa.edu.au" \
      -a proxyDN=cn=proxyagent,ou=profile,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au \
      -a proxyPassword=SOMEPASSWORD \
      -a serviceSearchDescriptor=passwd:ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au \
      -a serviceSearchDescriptor=group:ou=group,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au \
      -a serviceSearchDescriptor=shadow:ou=People,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au

    # fix up nss to use DNS
    svccfg -s name-service/switch setprop config/host = astring: \"files dns\"
    svccfg -s name-service/switch:default refresh
    svcadm restart name-service/cache
This works ok, but I still got the dreaded pam_ldap: no legal authentication method configured message until TLS was configured correctly.
Notes on Sun Directory Server and other LDAP servers
The Sun LDAP server supports several private LDAP control OIDs (1.3.6.1.4.1.42.2.27.9.5.8, 2.16.840.1.113730.3.4.4 and 2.16.840.1.113730.3.4.5) for the proxy account to obtain account validity information before attempting authentication. If these controls are available, the proxy account doesn't need read access to userPassword, which is good from a security point of view. Unfortunately Sun DS doesn't support the LDAP Password Modify Extended Operation (defined as 1.3.6.1.4.1.4203.1.11.1 in RFC 3062, http://www.faqs.org/rfcs/rfc3062.html) which PADL libpam_ldap and samba both use to change unix passwords.
In theory the extensions could be added, but even Sun (http://www.directorymanager.org/blogs/ldap_controls.html) admits the header files (http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libsldap/common/ns_sldap.h#312) are all the documentation there is. At least OpenSolaris being free software lets us read the client source to understand why it's not working. Plus the RFC-track password policy seems to do all the private controls do and more. Further testing indicates it actually does work, and ssh keys can be made to work by just skipping libpam_ldap.so in /etc/pam.conf with specific sshd-keygen account sections.
So what about Fedora DS? Being a fork of iPlanet, it's very similar to Sun DS, including being just as painful as Sun DS to install under Linux, so no real gain there. Plus, it's being converted to FHS at the moment, so we'd just have to reinstall anyway. The documentation is also a little lackluster. Finally, it doesn't support 1.3.6.1.4.1.42.2.27.9.5.8 (which was only added to Sun DS recently, see http://opensolaris.org/jive/thread.jspa?threadID=614&tstart=0), so ssh keys wouldn't work with libpam_ldap.so, not that that's actually a problem.
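Since the Password Modify extended operation is what libpam_ldap and Samba rely on above, here is an added example (not from the UCC wiki, nor from any of the tools mentioned) that builds and parses its requestValue exactly as RFC 3062 defines it, in plain Python with no LDAP library; the DN and passwords used are constructed samples.

```python
# Added example: encode/decode the requestValue of the RFC 3062 Password Modify
# extended operation (OID 1.3.6.1.4.1.4203.1.11.1). Minimal BER, standard library
# only. Sample DNs/passwords in the tests are constructed, not real accounts.

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
TAG_SEQUENCE = 0x30
# Context-specific primitive tags from the RFC 3062 ASN.1: [0], [1], [2].
TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}


def _ber_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def encode_passwd_modify(user_identity=None, old_passwd=None, new_passwd=None):
    """Every field is OPTIONAL; omitting newPasswd asks the server to generate one."""
    fields = (user_identity, old_passwd, new_passwd)
    body = b"".join(_tlv(tag, val.encode("utf-8"))
                    for tag, val in zip(sorted(TAGS), fields) if val is not None)
    return _tlv(TAG_SEQUENCE, body)


def _read_length(data: bytes, pos: int):
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def decode_passwd_modify(data: bytes) -> dict:
    """Parse a requestValue into its named fields, rejecting malformed input."""
    if not data or data[0] != TAG_SEQUENCE:
        raise ValueError("requestValue must be a SEQUENCE")
    length, pos = _read_length(data, 1)
    if pos + length != len(data):
        raise ValueError("SEQUENCE length does not match the data")
    fields = {}
    while pos < len(data):
        tag = data[pos]
        if tag not in TAGS or TAGS[tag] in fields:
            raise ValueError(f"unexpected or repeated tag 0x{tag:02x}")
        length, pos = _read_length(data, pos + 1)
        if pos + length > len(data):
            raise ValueError("field length runs past the end of the data")
        fields[TAGS[tag]] = data[pos:pos + length].decode("utf-8")
        pos += length
    return fields
```

The new password travels as a plain OCTET STRING, so this operation belongs inside the TLS session the client configuration above requires; the server stores the hash itself, which is why clients never need to read or write userPassword directly.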
Adding linux machines to the samba domain
This isn't really the spot for this, but I didn't think it warranted a completely new page -- BobAdamson
11:45 <@Zanchey> who was trying to get motsugo on the domain
11:46 <+tpg> Zanchey: bob
11:47 <@Zanchey> okay, step one, leave ou=computers the fuck alone
11:55 <@Zanchey> step two, run `net rpc join -U zanchey` or whatever
11:56 <@Zanchey> step three, run `net rpc testjoin` and profit
11:56 <@Zanchey> you may wish to consult the convenient samba documentation where this procedure is laid out
11:56 <@Zanchey> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#domain-member-server
Useful URLs
http://lists.samba.org/archive/samba/2005-March/101579.html
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
http://samba.org/samba/docs/man/Samba-Guide/happy.html
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html
http://www.nabble.com/anonymous-binding---is-it-needed---t1261737.html
http://groups.google.com/group/comp.unix.solaris/msg/10e8a62bad96f288
Solaris offers a nis server syncing from LDAP: http://docs.sun.com/app/docs/doc/816-4556/6maort2to?a=view
LDAP for Rocket Scientists (http://www.zytrax.com/books/ldap/), easily the most comprehensive of the readable LDAP guides
Python LDAP guide: http://www.packtpub.com/article/installing-and-configuring-the-python-ldap-library-and-binding-to-an-ldap-directory
Apache Directory Studio (http://directory.apache.org/studio/), the only worthwhile GUI client