Configuring authentication with openLDAP server
Latest revision as of 15:21, 13 March 2022
LDAP server configuration
Necessary schema
The schema file nis.schema must be included in slapd.conf before posixAccount or shadowAccount entries can be added.
User accounts
First, user accounts and groups should be created on the LDAP server. A sample LDIF file that can be used to create a user is:
    dn: uid=saurabh,ou=people,dc=sbarjatiya,dc=com
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: Saurabh Barjatiya
    uid: saurabh
    uidNumber: 3000
    gidNumber: 3000
    homeDirectory: /home/saurabh
    loginShell: /bin/bash
    gecos: Hyderabad, India
    userPassword: rekall123
    shadowLastChange: 0
    shadowMax: -1
    shadowWarning: 30
Note:
- Unless shadowMax is set to -1, many LDAP clients, due to a bug, consider the LDAP password expired even when it was changed a minute ago.
Group accounts
A sample LDIF file to create a group account is:
    dn: cn=group1,ou=groups,dc=sbarjatiya,dc=com
    objectClass: top
    objectClass: posixGroup
    cn: group1
    userPassword: rekall123
    gidNumber: 3000
    memberuid: saurabh
A sample LDIF file to add a member to a group is:
    dn: cn=group1,ou=groups,dc=sbarjatiya,dc=com
    changetype: modify
    add: memberuid
    memberuid: saurabh.barjatiya
A sample LDIF file to delete a member from a group is:
    dn: cn=group1,ou=groups,dc=sbarjatiya,dc=com
    changetype: modify
    delete: memberuid
    memberuid: saurabh.barjatiya
Linux host authentication
To configure a Linux host to authenticate against the LDAP server, use the following steps:
- yum install openldap-clients openldap nss-pam-ldapd
- Check whether the sssd package is installed using 'rpm -qa | grep sssd'. If it is installed, remove it using 'yum remove sssd sssd-*'. It is fine if some ipa-* packages also need to be removed.
- Start the setup program and use the following steps:
  - Choose 'Authentication configuration'
  - Select 'Use ldap'
  - Select 'Use ldap authentication'
  - Go to the next screen with the Next button
  - Do not check 'Use TLS'
  - Enter the server name, for example ldap://ldap.virtual-labs.ac.in/
  - Enter the server base DN, for example dc=virtual-labs,dc=ac,dc=in
  - Complete the configuration with the OK button
  - Close the setup program with the Quit button
- Edit the '/etc/hosts' file and add a static entry for the LDAP server, for example '12.4.12.152 ldap.virtual-labs.ac.in'
- Edit '/etc/pam_ldap.conf' and replace the lines at the end that start with uri with the following:
    uri ldaps://ldap.virtual-labs.ac.in/
    ssl on
    tls_cacertfile /etc/openldap/certs/ca.crt
    pam_password md5
- Go to '/etc/openldap/certs' and put the CA certificate in that directory with the name ca.crt
- Edit '/etc/nslcd.conf' and replace the lines at the end that start with uri with the following:
    uri ldaps://ldap.virtual-labs.ac.in/
    base dc=virtual-labs,dc=ac,dc=in
    ssl on
    timelimit 10
    idle_timelimit 30
    reconnect_sleeptime 30
    reconnect_retrytime 90
    tls_reqcert hard
    tls_cacertfile /etc/openldap/certs/ca.crt
- Edit '/etc/pam.d/sshd' and add the following line after the last 'session required' line:
    session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
  Note that this creates only the last folder. Thus if the home folder is /home/group1/user1 and the /home/group1 folder does not exist, home folder creation will fail. To solve this to some extent, use the following command to get the list of base folders that must exist for user home folders to be created:
    ldapsearch -x -h ldap.sbarjatiya.com -b 'dc=sbarjatiya,dc=com' -LLL homeDirectory | grep homeDirectory | sed 's/\/[^\/]*$//g' | sort | uniq -d | sed 's/homeDirectory: //g'
  The output of the above command can further be piped to '| xargs mkdir -p' for automated folder creation.
- Edit '/etc/nsswitch.conf' and for 'hosts' choose the value 'files ldap dns'
  Note that you should not see sss anywhere in this file. If you see sss instead of ldap then you have forgotten to remove sssd as mentioned earlier in these steps.
- Use 'service nslcd restart'
- Do 'chkconfig nslcd on'
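The home-folder note above derives the parent directories that pam_mkhomedir needs from ldapsearch output. The script below is an added example (not part of the wiki page) that runs the page's pipeline on a constructed sample and compares it with a variant that keeps every parent: the page's `uniq -d` only lists parents shared by at least two users, so a directory with a single user under it is silently missed. The sample DNs, home paths and `dc=example,dc=com` are made up; on a real host, feed it `"$(ldapsearch -x -LLL homeDirectory)"` instead.

```sh
#!/bin/sh
# Added example, not from the wiki page: derive the parent directories that
# pam_mkhomedir needs from 'ldapsearch -x -LLL homeDirectory' output.
# The input below is a constructed sample so the script runs offline.

# Constructed sample output of 'ldapsearch -x -LLL homeDirectory' (not real data).
SAMPLE_LDAP_HOMES='dn: uid=user1,ou=people,dc=example,dc=com
homeDirectory: /home/group1/user1

dn: uid=user2,ou=people,dc=example,dc=com
homeDirectory: /home/group1/user2

dn: uid=user3,ou=people,dc=example,dc=com
homeDirectory: /home/group2/user3

dn: uid=solo,ou=people,dc=example,dc=com
homeDirectory: /home/solo'

# shared_parents <ldapsearch-output>: the page's pipeline. 'uniq -d' keeps only
# parent directories shared by at least two users, so /home/group2 above is missed.
shared_parents() {
    printf '%s\n' "$1" | grep homeDirectory | sed 's/\/[^\/]*$//g' \
        | sort | uniq -d | sed 's/homeDirectory: //g'
}

# all_parents <ldapsearch-output>: every distinct parent directory, including
# those with a single user under them, so nothing is missed.
all_parents() {
    printf '%s\n' "$1" | sed -n 's/^homeDirectory: //p' | sed 's|/[^/]*$||' | sort -u
}

# create_parents <ldapsearch-output> <root-prefix>: create the parents under
# <root-prefix> ("" for the real filesystem, a temporary directory for a dry run).
# mkdir -p runs once per line, so an empty list never runs mkdir with no arguments.
create_parents() {
    all_parents "$1" | while IFS= read -r dir; do
        mkdir -p "$2$dir"
    done
}

# Dry run under a temporary directory, then list what would be created.
tmp=$(mktemp -d)
create_parents "$SAMPLE_LDAP_HOMES" "$tmp"
( cd "$tmp" && find . -type d | sort )
rm -rf "$tmp"
```

Run the dry run first and compare its listing with the real `/home`; only then pass `""` as the prefix. The parents are created with the shell's default umask, which is what allows users to traverse into their own home even though pam_mkhomedir creates the last component with umask 0077.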
Most of this can be done with a single command:
    authconfig --enableldap --enableldapauth --ldapserver=ldap.sbarjatiya.com --ldapbasedn="ou=Users,dc=sbarjatiya,dc=com" --enablelocauthorize --enablepamaccess --enablemkhomedir --enablecachecreds --enablecache --updateall
On Fedora 20, CentOS 7, CentOS 6.7 etc. one may need to perform the following additional steps:
- Remove the dependency on sss from PAM:
    cd /etc/pam.d; sed -i 's/^.*sss.*$//g' *
  Also add this line to /etc/rc.d/rc.local so that regenerated PAM files are modified again.
- Remove all references to sss from /etc/nsswitch.conf. Add ldap at least for passwd, shadow and group, after files.
- Disable SELinux (especially for GUI logins)
Verifying setup
To verify whether the authentication setup is working, try the commands:
    getent hosts
    getent passwd
    getent group
    getent shadow
If the configuration does not seem to succeed, one can also read '/var/log/messages' and '/var/log/secure' while trying to log in as an LDAP user.
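The steps above require that no sss source is left in /etc/nsswitch.conf and that ldap is listed for passwd, shadow and group. The script below is an added example (not from the wiki page) that checks a copy of the file for both conditions and rewrites sss to ldap where it finds it; both nsswitch.conf samples are constructed. On a real host, call `check_nsswitch "$(cat /etc/nsswitch.conf)"` before running `getent`, so a leftover sss line is found before the `getent` calls mysteriously return nothing.

```sh
#!/bin/sh
# Added example, not from the wiki page: check an nsswitch.conf for the two
# conditions the steps above require (no sss source left over from sssd, and
# ldap present for passwd, shadow and group) and rewrite sss to ldap.

# Constructed sample as left behind by sssd (not a real file from the page).
NSSWITCH_SSS='passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns'

# Constructed sample matching the page's recommendation.
NSSWITCH_LDAP='passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files ldap dns'

# check_nsswitch <text>: returns 0 when passwd, shadow and group all list ldap
# and no non-comment line references sss; otherwise prints each finding and returns 1.
check_nsswitch() {
    rc=0
    if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -qw sss; then
        echo "sss still referenced: sssd was not removed"
        rc=1
    fi
    for db in passwd shadow group; do
        if ! printf '%s\n' "$1" | grep -E "^$db:.*[[:space:]]ldap([[:space:]]|$)" >/dev/null; then
            echo "$db: ldap source missing"
            rc=1
        fi
    done
    return $rc
}

# fix_nsswitch <text>: replace each sss source with ldap, one for one (enough
# for files shaped like the sample above); prints the rewritten text.
fix_nsswitch() {
    printf '%s\n' "$1" | sed -E 's/[[:space:]]+sss([[:space:]]|$)/ ldap\1/g'
}

# Demonstrate on the samples.
echo "--- with sss:"
check_nsswitch "$NSSWITCH_SSS" || true
echo "--- after fix_nsswitch:"
check_nsswitch "$(fix_nsswitch "$NSSWITCH_SSS")" && echo ok
```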
Restricting logins to specific users and posixGroups
To restrict logins on a machine to specific users or posixGroups:
- Edit the file '/etc/pam.d/sshd' and add the following line:
    auth required pam_access.so
- Edit the file '/etc/security/access.conf' and add a line similar to:
    - : ALL EXCEPT root (admin) : ALL
An access.conf configuration line has three fields separated by ':'
- First, '+' or '-' to indicate whether to allow or deny.
- Second, a list of users and groups. Group names can be enclosed in round brackets () to make it explicit that the given name is a group. The word ALL stands for everyone, and the word EXCEPT creates exceptions from ALL for specific users and groups.
- Third, the origin (where the user is logging in from) to which this rule applies.
Read the comments in the file '/etc/security/access.conf' to understand the use of access.conf better.
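Because the first matching access.conf rule wins and a user matched by a '-' rule is locked out, it is worth predicting a rule's effect before enabling pam_access on sshd. The evaluator below is an added example, not from the wiki page, and implements only the subset of the access.conf syntax the page uses ('+'/'-', ALL, EXCEPT, bare names and '(group)' in the second field, ALL or an exact name in the third). The rules, user names and group names are constructed; user_in_list, users_match and access_decision are names chosen here.

```sh
#!/bin/sh
# Added example, not from the wiki page: predict pam_access decisions for the
# access.conf rule syntax shown above. Sample rules and names are constructed.

SAMPLE_ACCESS_CONF='# constructed sample, not a real access.conf
+ : root : LOCAL
- : ALL EXCEPT root (admin) : ALL'

# user_in_list "<names>" <user> "<groups>": 0 if the user or one of the user's
# groups is named in the list; '(name)' matches groups only, ALL matches everyone.
user_in_list() {
    for token in $1; do
        case "$token" in
            ALL) return 0 ;;
            \(*\)) g=${token#\(}; g=${g%\)}
                   for ug in $3; do [ "$ug" = "$g" ] && return 0; done ;;
            *)  [ "$token" = "$2" ] && return 0
                for ug in $3; do [ "$ug" = "$token" ] && return 0; done ;;
        esac
    done
    return 1
}

# users_match "<field>" <user> "<groups>": handles 'A B EXCEPT C D'.
users_match() {
    case "$1" in
        *" EXCEPT "*)
            inc=${1%% EXCEPT *}; exc=${1#* EXCEPT }
            user_in_list "$inc" "$2" "$3" && ! user_in_list "$exc" "$2" "$3" ;;
        *)  user_in_list "$1" "$2" "$3" ;;
    esac
}

# access_decision <conf-text> <user> "<groups>" <origin>: prints allow or deny.
# The first matching rule wins; with no matching rule pam_access allows, so it is
# the final '-' rule (as in the sample's last line) that actually restricts logins.
access_decision() {
    decision=$(printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
        users=$(printf '%s' "$line" | cut -d: -f2 | sed 's/^ *//; s/ *$//')
        origins=$(printf '%s' "$line" | cut -d: -f3 | sed 's/^ *//; s/ *$//')
        matched_origin=1
        for o in $origins; do
            if [ "$o" = ALL ] || [ "$o" = "$4" ]; then matched_origin=0; fi
        done
        [ $matched_origin -eq 0 ] || continue
        if users_match "$users" "$2" "$3"; then
            if [ "$perm" = "+" ]; then echo allow; else echo deny; fi
            break
        fi
    done)
    if [ -n "$decision" ]; then echo "$decision"; else echo allow; fi
}

# show <user> "<groups>" <origin>: print the decision for one login attempt.
show() {
    printf '%-6s groups=%-12s from %-6s -> %s\n' "$1" "$2" "$3" \
        "$(access_decision "$SAMPLE_ACCESS_CONF" "$1" "$2" "$3")"
}

show alice users sshd          # denied: matched by ALL, not in the exception list
show bob "admin users" sshd    # allowed: member of (admin), so excepted from the deny
show root root sshd            # allowed: root is excepted from the deny
show root root LOCAL           # allowed by the first rule
```

The origin field is compared as a plain string here; the real module also matches terminal names, hostnames and network prefixes, which is why its comments are worth reading before relying on an origin other than ALL.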
Password change
If a user tries to ssh or log in with the initial credentials, he/she will be forced to change the password on first login. During the password change the user is asked again for the existing LDAP password that was used to log in, and then has to enter the new password twice. After the password is set the user is logged off automatically, and can then log in again via ssh with the new password.
Mediawiki Authentication
Refer to Mediawiki Authentication using ldap.
Squid proxy authentication
To enable LDAP-based authentication for Squid:
The earlier name of the authentication helper was squid_ldap_auth. On older installations, replace basic_ldap_auth with squid_ldap_auth accordingly.
- First find the location of the program named 'basic_ldap_auth' and run it as follows:
    /usr/lib64/squid/basic_ldap_auth -b "<base-dn>" -f "uid=%s" -h <ldap-server>
  The command will not show any prompt and expects '<username> <password>' as input.
  If, after supplying the username and password, the response is OK, then LDAP authentication from the proxy server is working properly; otherwise debug the LDAP issues.
- Edit squid.conf and add the following lines:
    acl login-users src <IP-range>

    auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "<base-dn>" -f "uid=%s" -h <ldap-server>
    acl ldapauth proxy_auth REQUIRED
    http_access allow login-users ldapauth
  This causes all users connecting from the given IP range to be authenticated. For others one can use 'http_access allow all' or 'http_access deny all' etc., depending on the situation.
In the case of LDAPS, use -H ldaps://<server>:<port> instead of -h, and ensure that the CA certificate is referenced in the /etc/openldap/ldap.conf file using the TLS_CACERT directive.
Quick Linux host authentication using LDAP without using setup or authconfig
- yum -y remove sssd
- Edit /etc/nslcd.conf
  - Change uri and base (example uri: ldap://ldap.sbarjatiya.com/; note that if an FQDN is used then add a corresponding entry to /etc/hosts, or use the IP address instead)
  - Append the following lines:
    ssl off
    timelimit 10
    idle_timelimit 30
    reconnect_sleeptime 30
    reconnect_retrytime 90
- Edit /etc/nsswitch.conf and change passwd, group, shadow and hosts to use ldap (example value "files ldap", without quotes)
- Edit /etc/openldap/ldap.conf and append values for BASE and URI, the same as in /etc/nslcd.conf
- Edit /etc/pam.d/fingerprint-auth-ac to authenticate with LDAP
- Edit /etc/pam.d/password-auth-ac to authenticate with LDAP
- Edit /etc/pam.d/smartcard-auth-ac to authenticate with LDAP
- Edit /etc/pam.d/system-auth-ac to authenticate with LDAP
- Edit /etc/pam.d/sshd to authenticate with LDAP
- Use the commands:
    rm -f /etc/pam.d/fingerprint-auth
    rm -f /etc/pam.d/password-auth
    rm -f /etc/pam.d/smartcard-auth
    rm -f /etc/pam.d/system-auth
    ln -s /etc/pam.d/fingerprint-auth-ac /etc/pam.d/fingerprint-auth
    ln -s /etc/pam.d/password-auth-ac /etc/pam.d/password-auth
    ln -s /etc/pam.d/smartcard-auth-ac /etc/pam.d/smartcard-auth
    ln -s /etc/pam.d/system-auth-ac /etc/pam.d/system-auth
- Edit /etc/pam_ldap.conf
  - Replace the values for host and base (example host: ldap.sbarjatiya.com; again, if an FQDN is used add a corresponding entry in /etc/hosts or use the IP instead)
  - Also append the following (example <uri>: ldap://ldap.sbarjatiya.com/):
    uri <uri>
    ssl off
    pam_password md5
- Use the commands:
    service nslcd restart
    chkconfig nslcd on
- Verify as mentioned at #Verifying_setup
Converting quick host authentication to use TLS
- Edit /etc/nslcd.conf
  - Change uri to ldaps://ldap.sbarjatiya.com/
  - Add the following config lines:
    tls_reqcert hard
    tls_cacertfile /etc/openldap/certs/ca.crt
- Edit /etc/pam_ldap.conf
  - Ensure the host entry points to the FQDN and not to the IP
  - Update the file so that it contains:
    uri ldaps://ldap.sbarjatiya.com
    ssl on
    pam_password md5
    tls_cacertfile /etc/openldap/certs/ca.crt
- Edit /etc/openldap/ldap.conf and ensure:
    BASE dc=sbarjatiya,dc=com
    URI ldaps://ldap.sbarjatiya.com/
    TLS_CACERT /etc/openldap/certs/ca.crt
- Ensure /etc/hosts can resolve the FQDN (ldap.sbarjatiya.com) to the IP, in case the corresponding DNS entry is not present
- Copy the certificates to /etc/openldap/certs and update permissions using:
    chown -R ldap:ldap /etc/openldap/certs/
    chmod 755 /etc/openldap/certs/ca.crt
- Note that ca.crt should be readable by nslcd
- Delete the old cn=config format entries and create new ones using (these steps can take considerable time):
    rm -rf /etc/openldap/slapd.d/*
    slapd -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ -u ldap -h 'ldaps://ldap.sbarjatiya.com/'
    service slapd restart
- service nslcd restart
- Verify using:
    ldapsearch -x -LLL                                  # should work
    ldapsearch -x -LLL -ZZ                              # should fail because TLS is already started
    ldapsearch -x -LLL -H ldap://ldap2.rekall.com/      # should fail as it cannot connect to port 389
    ldapsearch -x -LLL -H ldaps://ldap2.rekall.com/     # should work
    getent hosts
    getent passwd
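The quick setup above runs nslcd with 'ssl off' over ldap://, which sends simple-bind passwords across the network in clear, and the TLS conversion fixes that with an ldaps:// uri, tls_reqcert hard and a tls_cacertfile. The script below is an added example (not from the wiki page) that reads both nslcd.conf shapes as text and reports which of the three settings is still missing; the two fragments and the ldap.example.com host are constructed, and nslcd_option and check_nslcd_tls are names chosen here. On a real host run `check_nslcd_tls "$(cat /etc/nslcd.conf)"` before the ldapsearch checks.

```sh
#!/bin/sh
# Added example, not from the wiki page: audit an nslcd.conf for the TLS
# settings the conversion above puts in place. Both fragments are constructed.

# The plaintext configuration of the quick setup.
NSLCD_PLAIN='uri ldap://ldap.example.com/
base dc=example,dc=com
ssl off
timelimit 10'

# The configuration after the TLS conversion.
NSLCD_TLS='uri ldaps://ldap.example.com/
base dc=example,dc=com
ssl on
tls_reqcert hard
tls_cacertfile /etc/openldap/certs/ca.crt'

# nslcd_option <text> <key>: value of the last occurrence of <key>, empty if absent.
nslcd_option() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" | tail -n 1
}

# check_nslcd_tls <text>: returns 0 when nslcd talks LDAPS and verifies the server
# certificate against a configured CA; otherwise prints each finding and returns 1.
check_nslcd_tls() {
    rc=0
    case "$(nslcd_option "$1" uri)" in
        ldaps://*) ;;
        *) echo "uri is not ldaps://: simple-bind passwords cross the network in clear"; rc=1 ;;
    esac
    # 'hard' is the only value that fails the connection on a bad or missing
    # certificate; 'allow' and 'never' leave the server unauthenticated.
    [ "$(nslcd_option "$1" tls_reqcert)" = hard ] \
        || { echo "tls_reqcert is not hard: server certificate is not verified"; rc=1; }
    [ -n "$(nslcd_option "$1" tls_cacertfile)" ] \
        || { echo "tls_cacertfile is missing: no CA to verify the server against"; rc=1; }
    return $rc
}

echo "--- quick setup:"
check_nslcd_tls "$NSLCD_PLAIN" || true
echo "--- after TLS conversion:"
check_nslcd_tls "$NSLCD_TLS" && echo ok
```

The check only reads the file; whether the CA file named in tls_cacertfile exists and is readable by the nslcd user (the ownership step above) is what the ldapsearch and getent checks then exercise end to end.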
Automated LDAP client configuration using ansible
For automated LDAP client configuration on systems where LDAP users may also log in through a GUI, use the automation described at Configure machines as LDAP client for graphical LDAP user login.