LDAP

From Amahi Wiki

Install prerequisites

yum -y install openldap openldap-servers openldap-clients migrationtools

Update slapd.conf

DOMAIN=`mysql -u root -phda -e "select value from settings where name = 'domain'" hda_production | grep -v value`
SUFFIX=`echo '<?php $domain = explode(".", $argv[1]); echo "dc=". implode(",dc=", $domain); ?>' | php -- $DOMAIN`

cd /etc/openldap

mv slapd.conf.bak slapd.conf
POS=`grep -n "# allow onl. rootdn to read the monitor" slapd.conf | awk -F':' '{print $1}'`
head -n `echo $POS-1|bc` slapd.conf > slapd.conf.new && mv -f slapd.conf.new slapd.conf

sed --in-place -e "s/suffix.*.dc=my-domain,dc=com./suffix \"$SUFFIX\"/" slapd.conf
sed --in-place -e "s/rootdn.*.cn=Manager,dc=my-domain,dc=com./rootdn \"cn=root,$SUFFIX\"/" slapd.conf
# The {MD5} hash below is the password "admin", the same value passed as "-w admin" to the ldapadd commands further down; change both together.
sed --in-place -e "s/# rootpw.*crypt.*/rootpw {MD5}ISMvKXpXpadDiUoOSoAfww==\npassword-hash {crypt}\npassword-crypt-salt-format \"\$1\$%.8s\"/" slapd.conf

cat >> slapd.conf <<'EOF'   # quoted heredoc on purpose: $SUFFIX is filled in by the sed after EOF

access to dn.regex=".*,$SUFFIX" attrs=userPassword
 by dn="cn=root,$SUFFIX" write
 by self write
 by * auth

access to dn.regex=".*,$SUFFIX" attrs=mail
 by dn="cn=root,$SUFFIX" write
 by self write
 by * read

access to dn.regex=".*,ou=People,$SUFFIX"
 by * read

access to dn.regex=".*,$SUFFIX"
 by self write
 by * read

EOF
sed --in-place -e "s/\$SUFFIX/$SUFFIX/" slapd.conf

Add authorizedService schema

cat > /etc/openldap/schema/ldapns.schema <<'EOF'

attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
 DESC 'IANA GSS-API authorized service name'
 EQUALITY caseIgnoreMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
 DESC 'Auxiliary object class for adding authorizedService attribute'
 SUP top
 AUXILIARY
 MAY authorizedService )

EOF

echo "include /etc/openldap/schema/ldapns.schema" >> slapd.conf

Set up DB_CONFIG

cp /usr/share/doc/openldap-servers-*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/

Disable slapd.d config files

mv slapd.d slapd.d.orig

Start service

chown -R ldap:ldap .
service slapd start
chkconfig slapd on

Import base schema

/usr/share/migrationtools/migrate_base.pl > base.ldif
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" base.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f base.ldif

If you only want to use LDAP as an address book, you're done.

Just find a way to insert entries in your LDAP server, and you'll be able to use it in your email clients as your address book.

If you want to use LDAP to control who can use SSH, web-applications, etc., continue below.

Import Linux account details into the directory

/usr/share/migrationtools/migrate_hosts.pl /etc/hosts hosts.ldif
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" hosts.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f hosts.ldif

An error here is fine; it is most likely caused by duplicate names for the IPv6 entries in /etc/hosts.

/usr/share/migrationtools/migrate_group.pl /etc/group group.ldif
vi group.ldif # Remove all system groups; keep 'users' etc.
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" group.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f group.ldif

ETC_SHADOW=/etc/shadow /usr/share/migrationtools/migrate_passwd.pl /etc/passwd passwd.ldif
vi passwd.ldif # Remove all system users; keep only 'real' users
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" passwd.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f passwd.ldif

Set up the LDAP client on the HDA

# hda.home.com is the example HDA hostname used throughout this page; use your own HDA's name
sed --in-place -e "s/#host 127.0.0.1/host hda.home.com/" /etc/ldap.conf
sed --in-place -e "s/base dc=example,dc=com/base $SUFFIX/" /etc/ldap.conf
sed --in-place -e "s/#rootbinddn cn=manager,dc=example,dc=com/rootbinddn cn=root,$SUFFIX/" /etc/ldap.conf
sed --in-place -e "s/#scope one/scope one/" /etc/ldap.conf
sed --in-place -e "s/#pam_filter objectclass=account/pam_filter objectclass=posixaccount/" /etc/ldap.conf
sed --in-place -e "s/#pam_login_attribute uid/pam_login_attribute uid/" /etc/ldap.conf
sed --in-place -e "s/#pam_member_attribute uniquemember/pam_member_attribute gid/" /etc/ldap.conf
sed --in-place -e "s/#nss_base_passwd.*ou=People,dc=example,dc=com.*/nss_base_passwd ou=People,$SUFFIX?one/" /etc/ldap.conf
sed --in-place -e "s/#nss_base_shadow.*ou=People,dc=example,dc=com.*/nss_base_shadow ou=People,$SUFFIX?one/" /etc/ldap.conf
sed --in-place -e "s/#nss_base_group.*ou=Group,dc=example,dc=com.*/nss_base_group ou=Group,$SUFFIX?one/" /etc/ldap.conf
sed --in-place -e "s/#nss_base_hosts.*ou=Hosts,dc=example,dc=com.*/nss_base_hosts ou=Hosts,$SUFFIX?one/" /etc/ldap.conf
sed --in-place -e "s/#pam_check_service_attr yes/pam_check_service_attr yes/" /etc/ldap.conf

echo admin > /etc/ldap.secret
chown root:root /etc/ldap.secret
chmod 600 /etc/ldap.secret

sed --in-place -e "s/^passwd:.*/passwd: files ldap/" /etc/nsswitch.conf
sed --in-place -e "s/^shadow:.*/shadow: files ldap/" /etc/nsswitch.conf
sed --in-place -e "s/^hosts:.*/hosts: files ldap dns mdns/" /etc/nsswitch.conf

Change an LDAP user to use authorizedService

For a specific user to be authorized or not on specific services, you need to add an objectClass to its LDAP object, like this:

cat > authorizedService.ldif <<'EOF'

dn: uid=some_user,ou=People,dc=home,dc=com
changetype: modify
add: objectclass
objectclass: authorizedServiceObject

EOF
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f authorizedService.ldif

Replace uid=some_user with the Linux username you want to modify.

Allow a user SSH access

cat > give_ssh_access.ldif <<'EOF'

dn: uid=some_user,ou=People,dc=home,dc=com
changetype: modify
add: authorizedService
authorizedService: sshd

EOF
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f give_ssh_access.ldif

Replace uid=some_user with the Linux username you want to modify.

TODO: Need to document how to tell the SSH daemon (server) to use LDAP authorizedService property to control who can login...

Control a web-application access using LDAP

The procedure below will allow you to use Linux user accounts to allow or deny access to specific web-applications.
Note that this level of authentication will not replace the web-app login, if any (there are exceptions). It will prevent or allow specific users to reach the web-app homepage.

cat > give_webapp_access.ldif <<'EOF'

dn: uid=some_user,ou=People,dc=home,dc=com
changetype: modify
add: authorizedService
authorizedService: webapp-some_name

EOF
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f give_webapp_access.ldif

Replace uid=some_user with the Linux username you want to modify, and some_name with the name of the web-app you want to protect (for example, authorizedService: webapp-bookmarks).

You'll also need to modify the httpd conf for the web-app you want to protect.
You'll find it in /etc/httpd/conf.d/xxxx-web_app_name.conf.
In this file, remove the following two lines:

Order allow,deny
Allow from all

And replace them with those lines:

Deny from all
Order deny,allow
AllowOverride None
AuthType Basic
AuthName LDAP
AuthBasicAuthoritative off
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://127.0.0.1/dc=home,dc=com?uid?sub?(authorizedService=webapp-some_name)
require valid-user
satisfy any
AuthLDAPBindDN "cn=root,dc=home,dc=com"
AuthLDAPBindPassword "admin"

Replace some_name with the name of the web-app you want to protect (for example, authorizedService: webapp-bookmarks). Make sure to use the same string as you used in give_webapp_access.ldif above.
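The objectClass LDIF, the SSH and web-app grant LDIFs and the AuthLDAPURL line above all repeat the same base DN and service string by hand. As an added example (not the wiki's own scripts), these POSIX-sh helpers derive the suffix and generate each piece from one service name so the value in the LDIF and in the httpd filter cannot drift apart; the function names, the sample user alice and the domain home.com are this example's assumptions.

```shell
# Added example, not from the Amahi wiki: POSIX-sh helpers that build the
# authorizedService LDIF and the Apache filter from ONE service name and the
# computed suffix. Usernames and domain below are constructed samples;
# the function names are this example's own.

# dc=...,dc=... suffix from a dotted domain (pure sh; same result as the
# mysql + php pipeline on the page, without needing either tool).
suffix_from_domain() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# A service name is one LDAP-safe token; anything else would break the
# LDIF or the AuthLDAPURL filter (spaces, parentheses, wildcards).
valid_service_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# One-off per user: attach the auxiliary objectClass (page step
# "Change an LDAP user to use authorizedService").
enable_service_attr_ldif() {      # $1=uid $2=suffix
    printf 'dn: uid=%s,ou=People,%s\nchangetype: modify\n' "$1" "$2"
    printf 'add: objectClass\nobjectClass: authorizedServiceObject\n'
}

# Per grant: add one authorizedService value (sshd, webapp-<name>, ...).
grant_service_ldif() {            # $1=uid $2=service $3=suffix
    valid_service_name "$2" || return 1
    printf 'dn: uid=%s,ou=People,%s\nchangetype: modify\n' "$1" "$3"
    printf 'add: authorizedService\nauthorizedService: %s\n' "$2"
}

# The httpd directive whose filter must match the value granted above.
authldap_url() {                  # $1=service $2=suffix
    valid_service_name "$1" || return 1
    printf 'AuthLDAPURL ldap://127.0.0.1/%s?uid?sub?(authorizedService=%s)\n' "$2" "$1"
}

# Live check against slapd (not run here): does the user hold the grant?
has_service() {                   # $1=uid $2=service $3=suffix
    ldapsearch -x -LLL -h localhost -b "ou=People,$3" \
        "(&(uid=$1)(authorizedService=$2))" dn | grep -q '^dn:'
}

SUFFIX=$(suffix_from_domain home.com)            # sample domain
grant_service_ldif alice webapp-bookmarks "$SUFFIX"
authldap_url webapp-bookmarks "$SUFFIX"
```

Pipe the LDIF output into the same ldapadd command the page uses, and paste the AuthLDAPURL line into the web-app's httpd conf in place of the hand-written one.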