LDAP

From Netsoc Wiki

slapd is running on the LDAP vm on cube.

Connecting a new machine to LDAP

Connect to LDAP VPN

See the VPN page for details.

Create a service user to bind to LDAP as

In ipython on cube's LDAP vm:

In [179]: s = Service.create(cn='login-newserver')
Creating cn=login-newserver,ou=Service,dc=netsoc,dc=tcd,dc=ie of type Service
Generated password 'xxxxxx' for login-newserver

Take note of the generated password.

Install required packages

aptitude -y install libnss-ldap libpam-ldap ldap-utils

It will give you a load of prompts; just ignore them, we'll write our config manually.

Install config files

/etc/libnss-ldap.conf

Replace binddn and bindpw appropriately (bindpw is the password generated above).

# The distinguished name of the search base.
base dc=netsoc,dc=tcd,dc=ie

uri ldap://vpn.ldap.netsoc.tcd.ie

ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Please do not put double quotes around it as they
# would be included literally.
binddn cn=login-newserver,ou=Service,dc=netsoc,dc=tcd,dc=ie

# Password in cleartext, for all to see :P
# This account only gives read-only access, strictly less than 
# the access of anyone who can read this file.
bindpw xxxxx

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy:
#  hard_open: reconnect to DSA with exponential backoff if
#             opening connection failed
#  hard_init: reconnect to DSA with exponential backoff if
#             initializing connection failed
#  hard:      alias for hard_open
#  soft:      return immediately on server failure
#bind_policy hard

# Connection policy:
#  persist:   DSA connections are kept open (default)
#  oneshot:   DSA connections destroyed after request
#nss_connect_policy persist

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Use paged results
#nss_paged_results yes

# Pagesize: when paged results enable, used to set the
# pagesize to a custom value
#pagesize 1000

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
pam_member_attribute member

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# Use backlinks for answering initgroups()
#nss_initgroups backlink

# Enable support for RFC2307bis (distinguished names in group
# members)
nss_schema rfc2307bis

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX    base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=User,dc=netsoc,dc=tcd,dc=ie?one
nss_base_group ou=Group,dc=netsoc,dc=tcd,dc=ie?sub
#nss_base_shadow  ou=People,dc=padl,dc=com?one
#nss_base_hosts      ou=Hosts,dc=padl,dc=com?one
#nss_base_services   ou=Services,dc=padl,dc=com?one
#nss_base_networks   ou=Networks,dc=padl,dc=com?one
#nss_base_protocols  ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc     ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers  ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks   ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup   ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute   rfc2307attribute  mapped_attribute
#nss_map_objectclass rfc2307objectclass   mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
nss_map_attribute uniqueMember member

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

/etc/pam_ldap.conf

Again, replace binddn and bindpw with the service user created above.

# The distinguished name of the search base.
base dc=netsoc,dc=tcd,dc=ie
uri ldap://vpn.ldap.netsoc.tcd.ie

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=login-newserver,ou=Service,dc=netsoc,dc=tcd,dc=ie

# Password in cleartext, for all to see :P
# This account only gives read-only access, strictly less than 
# the access of anyone who can read this file.
bindpw xxxx
# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
pam_member_attribute member

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

pam_password exop


# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX    base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd  ou=People,dc=padl,dc=com?one
#nss_base_shadow  ou=People,dc=padl,dc=com?one
#nss_base_group      ou=Group,dc=padl,dc=com?one
#nss_base_hosts      ou=Hosts,dc=padl,dc=com?one
#nss_base_services   ou=Services,dc=padl,dc=com?one
#nss_base_networks   ou=Networks,dc=padl,dc=com?one
#nss_base_protocols  ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc     ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers  ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks   ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup   ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute   rfc2307attribute  mapped_attribute
#nss_map_objectclass rfc2307objectclass   mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member


# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

/etc/nsswitch.conf

Edit the passwd: and group: lines so that they read:

passwd:         files ldap
group:          files ldap

/etc/pam.d/common-password

Edit this line:

password     [success=1 user_unknown=ignore default=die] use_authtok pam_ldap.so try_first_pass

to:

password     [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass

(remove use_authtok)

/etc/pam.d/common-session

Add:

session optional        pam_mkhomedir.so skel=/etc/skel umask=077

so that home directories get created when a user logs in for the first time.

Limit login to users in a certain group

If you want to limit login to, for example, users in the group testgroup, edit the following config files (both the PAM filter and the NSS naming context must change, so that restricted users neither authenticate nor resolve as accounts):

/etc/libnss-ldap.conf

Change

pam_filter objectclass=posixAccount

to

pam_filter  &(objectclass=posixAccount)(memberOf=cn=testgroup,ou=Privilege,ou=Group,dc=netsoc,dc=tcd,dc=ie)

and

nss_base_passwd ou=User,dc=netsoc,dc=tcd,dc=ie?one

to

nss_base_passwd ou=User,dc=netsoc,dc=tcd,dc=ie?one?memberOf=cn=testgroup,ou=Privilege,ou=Group,dc=netsoc,dc=tcd,dc=ie

/etc/pam_ldap.conf

Change

#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

to

pam_groupdn cn=testgroup,ou=Privilege,ou=Group,dc=netsoc,dc=tcd,dc=ie
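
Both client config files above, as first installed and then tightened for group-restricted logins, are plain "key value" lines. The following Python is an added example (not code from the wiki or from nd) that parses that format, builds the combined filter pam_ldap sends once pam_filter is ANDed with uid=%s as the config comment describes, and flags what a reviewer would check: cleartext ldap:// with no ssl/start_tls, a stored bindpw, and a pam_filter restriction with no matching nss_base_passwd filter. The sample config, its bindpw placeholder and the function names are constructed for the example.

```python
# Constructed sample in the page's format; the bindpw is a placeholder, not a real secret.
SAMPLE_CONF = """\
# The distinguished name of the search base.
base dc=netsoc,dc=tcd,dc=ie
uri ldap://vpn.ldap.netsoc.tcd.ie
ldap_version 3
binddn cn=login-newserver,ou=Service,dc=netsoc,dc=tcd,dc=ie
bindpw PLACEHOLDER-PASSWORD
#ssl start_tls
pam_filter &(objectclass=posixAccount)(memberOf=cn=testgroup,ou=Privilege,ou=Group,dc=netsoc,dc=tcd,dc=ie)
pam_login_attribute uid
nss_base_passwd ou=User,dc=netsoc,dc=tcd,dc=ie?one
nss_base_group ou=Group,dc=netsoc,dc=tcd,dc=ie?sub
"""


def parse_conf(text):
    """Parse 'key value' lines; blanks and '#' comments are skipped, a repeated key overrides."""
    conf = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        conf[fields[0]] = fields[1].strip() if len(fields) > 1 else ""
    return conf


def nss_base(value):
    """Split a naming context 'base?scope?filter'; scope defaults to sub, filter may be empty."""
    base, scope, filt = (value.split("?", 2) + ["", ""])[:3]
    return {"base": base, "scope": scope or "sub", "filter": filt}


def effective_pam_filter(conf, login):
    """pam_ldap ANDs pam_filter with '<pam_login_attribute>=<login>' when it looks a user up."""
    attr = conf.get("pam_login_attribute", "uid")
    return "(&(%s=%s)(%s))" % (attr, login, conf["pam_filter"])


def audit(conf):
    """Findings a reviewer would raise for a client config written the way the page does it."""
    findings = []
    if conf.get("uri", "").startswith("ldap://") and conf.get("ssl") not in ("start_tls", "on"):
        findings.append("cleartext ldap:// with no ssl/start_tls: confidentiality rests on the VPN")
    if conf.get("bindpw"):
        findings.append("bindpw is stored in cleartext: the bind DN must stay read-only")
    restricted = "memberOf=" in conf.get("pam_filter", "")
    if restricted and "memberOf=" not in nss_base(conf.get("nss_base_passwd", ""))["filter"]:
        findings.append("pam_filter restricts logins but nss_base_passwd has no matching filter")
    return findings
```

Running audit() over the sample reports all three findings; appending the restricted nss_base_passwd line from the section above overrides the earlier key and clears the third one.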

Edit /etc/init.d/nscd init script

This needs to be done to ensure that openvpn starts before nscd during boot. If it isn't done, booting is slowed down and a bunch of error messages about being unable to bind to LDAP are generated (openvpn hasn't started yet, so the LDAP server cannot be contacted).

Add openvpn to the Required-Start line, like so:

# Required-Start:    $remote_fs $syslog openvpn

User-accessible machine-specific stuff

Install nd

Install dependencies

aptitude install python-ldap

Install nd itself

Install nd from git in /usr/local

cd /usr/local
git clone https://github.com/netsoc/nd.git

Add it to the global PYTHONPATH, by editing /etc/python2.$ver/sitecustomize.py, and adding:

import sys
sys.path += ['/usr/local/nd']

Special Shells

Copy over /opt/netsoc/messages from any existing netsoc machine.
Copy over /usr/local/special_shells/accept_AUP (the rest aren't used; they are covered by the sshd_config Match blocks below together with the messages above).

Edit /etc/shells and add:

/usr/local/special_shells/accept_AUP

/etc/ssh/sshd_config

Add this to the end:

# Netsoc-specific: Disabled user accounts get a message as to why they were disabled
Match Group bold
Banner /opt/netsoc/messages/bold
ForceCommand /bin/false
AllowTCPForwarding no
GatewayPorts no
MaxAuthTries 1

Match Group dead
Banner /opt/netsoc/messages/dead
ForceCommand /bin/false
AllowTCPForwarding no
GatewayPorts no
MaxAuthTries 1

Match Group expired
Banner /opt/netsoc/messages/expired
ForceCommand /bin/false
AllowTCPForwarding no
GatewayPorts no
MaxAuthTries 1

Match Group renew
Banner /opt/netsoc/messages/renew
ForceCommand /bin/false
AllowTCPForwarding no
GatewayPorts no
MaxAuthTries 1

chsh

Copy over the chsh script from /usr/local/$machine/bin to /usr/local/$newmachine/bin, and edit /etc/profile to add that directory to users' PATH.

Quotas

???

Limit su to users in wheel

Edit /etc/group and add the admins' usernames to the wheel group.

Edit /etc/pam.d/su and uncomment:

auth       required   pam_wheel.so

References

Much of this was derived from http://www.server-world.info/en/note?os=Debian_7.0&p=ldap&f=2

See also: nd, VPN