Changes

From Amahi Wiki
6,314 bytes added, 03:34, 18 June 2017
no edit summary
{{NeedsUpdate}}
__NOTOC__
==Contents==
<ol>
<li class="toclevel-1">[[#Install_prerequisites|Install prerequisites]]</li>
<li class="toclevel-1">[[#Update_slapd.conf|Update slapd.conf]]</li>
<li class="toclevel-1">[[#Add_authorizedService_schema|Add authorizedService schema]]</li>
<li class="toclevel-1">[[#Setup_DB_CONFIG|Setup DB_CONFIG]]</li>
<li class="toclevel-1">[[#Disable_slap.d_config_files|Disable slap.d config files]]</li>
<li class="toclevel-1">[[#Start_service|Start service]]</li>
<li class="toclevel-1">[[#Import_base_schema|Import base schema]]</li>
<li class="toclevel-1">[[#Import_Linux_accounts_details_in_schema|Import Linux accounts details in schema]]</li>
<li class="toclevel-1">[[#Setup_LDAP_client_on_the_HDA|Setup LDAP client on the HDA]]</li>
<li class="toclevel-1">[[#Change_a_LDAP_user_to_use_authorizedService|Change a LDAP user to use authorizedService]]</li>
<li class="toclevel-1">[[#Allow_a_user_SSH_access|Allow a user SSH access]]</li>
<li class="toclevel-1">[[#Control_a_web-application_access_using_LDAP|Control a web-application access using LDAP]]</li>
</ol>
 
==Install prerequisites==
==Update slapd.conf==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
DOMAIN=`mysql -u amahihda -pAmahiHDARulez -e "select value from settings where name = 'domain'" hda_production | grep -v value`<br/>
SUFFIX=`echo '<?php $domain = explode(".", $argv[1]); echo "dc=". implode(",dc=", $domain); ?>' | php -- $DOMAIN`<br/>
<br/>
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f passwd.ldif
</div>
 
==Setup LDAP client on the HDA==
 
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
sed --in-place -e "s/#host 127.0.0.1/host hda.home.com/" /etc/ldap.conf<br/>
sed --in-place -e "s/base dc=example,dc=com/base $SUFFIX/" /etc/ldap.conf<br/>
sed --in-place -e "s/#rootbinddn cn=manager,dc=example,dc=com/rootbinddn cn=root,$SUFFIX/" /etc/ldap.conf<br/>
sed --in-place -e "s/#scope one/scope one/" /etc/ldap.conf<br/>
sed --in-place -e "s/#pam_filter objectclass=account/pam_filter objectclass=posixaccount/" /etc/ldap.conf<br/>
sed --in-place -e "s/#pam_login_attribute uid/pam_login_attribute uid/" /etc/ldap.conf<br/>
sed --in-place -e "s/#pam_member_attribute uniquemember/pam_member_attribute gid/" /etc/ldap.conf<br/>
sed --in-place -e "s/#nss_base_passwd.*ou=People,dc=example,dc=com.*/nss_base_passwd ou=People,$SUFFIX?one/" /etc/ldap.conf<br/>
sed --in-place -e "s/#nss_base_shadow.*ou=People,dc=example,dc=com.*/nss_base_shadow ou=People,$SUFFIX?one/" /etc/ldap.conf<br/>
sed --in-place -e "s/#nss_base_group.*ou=Group,dc=example,dc=com.*/nss_base_group ou=Group,$SUFFIX?one/" /etc/ldap.conf<br/>
sed --in-place -e "s/#nss_base_hosts.*ou=Hosts,dc=example,dc=com.*/nss_base_hosts ou=Hosts,$SUFFIX?one/" /etc/ldap.conf<br/>
sed --in-place -e "s/#pam_check_service_attr yes/pam_check_service_attr yes/" /etc/ldap.conf
 
echo admin > /etc/ldap.secret<br/>
chown root:root /etc/ldap.secret<br/>
chmod 600 /etc/ldap.secret
 
sed --in-place -e "s/^passwd:.*/passwd: files ldap/" /etc/nsswitch.conf<br/>
sed --in-place -e "s/^shadow:.*/shadow: files ldap/" /etc/nsswitch.conf<br/>
sed --in-place -e "s/^hosts:.*/hosts: files ldap dns mdns/" /etc/nsswitch.conf
</div>
 
==Change a LDAP user to use authorizedService==
To allow or deny a specific user on specific services, you first need to add an objectClass to its LDAP object, like this:
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
cat > authorizedService.ldif <<'EOF'<br/>
dn: uid=some_user,ou=People,dc=home,dc=com
changetype: modify
add: objectclass
objectclass: authorizedServiceObject
EOF<br/>
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f authorizedService.ldif
</div>
Replace '''uid=some_user''' with the Linux username you want to modify.
 
==Allow a user SSH access==
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
cat > give_ssh_access.ldif <<'EOF'<br/>
dn: uid=some_user,ou=People,dc=home,dc=com
changetype: modify
add: authorizedService
authorizedService: sshd
EOF<br/>
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f give_ssh_access.ldif
</div>
Replace '''uid=some_user''' with the Linux username you want to modify.
 
'''TODO''': Need to document how to tell the SSH daemon (server) to use LDAP authorizedService property to control who can login...
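An added example (not from the Amahi wiki) that packages the steps above as shell functions: the domain-to-suffix mapping from the slapd.conf section, an LDIF generator for the two modifications in this and the previous section, and a check that reproduces the decision ''pam_check_service_attr yes'' enforces, run against a constructed directory export. The function names and the sample entries (alice, bob) are assumptions.

```shell
# Added example (not part of the Amahi wiki page): helpers that mirror the
# authorizedService workflow, plus a constructed directory export so the
# access decision can be exercised without a running slapd.

# Same mapping as the PHP one-liner in "Update slapd.conf": home.com -> dc=home,dc=com
dn_suffix_from_domain() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# One LDIF that adds the authorizedServiceObject class and then grants every
# service listed (sshd, webapp-bookmarks, ...). Both changes form one atomic
# modify: if the user already carries the objectClass the server rejects the
# whole request with "Type or value exists", so run it once per user or drop
# the first change for users already converted.
# Usage: authorized_service_ldif <uid> <suffix> <service>...
authorized_service_ldif() {
    uid=$1; suffix=$2; shift 2
    printf 'dn: uid=%s,ou=People,%s\n' "$uid" "$suffix"
    printf 'changetype: modify\n'
    printf 'add: objectclass\nobjectclass: authorizedServiceObject\n'
    printf '%s\n' -
    printf 'add: authorizedService\n'
    for svc in "$@"; do
        printf 'authorizedService: %s\n' "$svc"
    done
    printf '%s\n' -
}

# The decision pam_ldap makes with "pam_check_service_attr yes" (and that the
# Apache filter (authorizedService=webapp-NAME) expresses): access is granted
# only if the user's entry lists that exact service name.
# Reads an LDIF export (ldapsearch -LLL style) on stdin; exit 0 = allowed.
# Usage: is_authorized <uid> <service> < export.ldif
is_authorized() {
    awk -v uid="$1" -v svc="$2" '
        /^dn:/ { inuser = ($0 ~ ("^dn: uid=" uid ",")) }
        inuser && $1 == "authorizedService:" && $2 == svc { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample export: alice was converted and granted two services,
# bob still has no authorizedServiceObject class at all.
SAMPLE_EXPORT='dn: uid=alice,ou=People,dc=home,dc=com
objectClass: posixAccount
objectClass: authorizedServiceObject
uid: alice
authorizedService: sshd
authorizedService: webapp-bookmarks

dn: uid=bob,ou=People,dc=home,dc=com
objectClass: posixAccount
uid: bob'
```

Pipe the generator's output into the same ''ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x'' command used on this page to apply it.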
 
==Control a web-application access using LDAP==
The procedure below lets you use Linux user accounts to allow or deny access to specific web-applications.<br/>
Note that this layer of authentication '''will not replace''' the web-app's own login, if any (there are exceptions). It only allows or prevents specific users from reaching the web-app homepage.
 
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
cat > give_webapp_access.ldif <<'EOF'<br/>
dn: uid=some_user,ou=People,dc=home,dc=com
changetype: modify
add: authorizedService
authorizedService: webapp-some_name
EOF<br/>
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f give_webapp_access.ldif
</div>
Replace '''uid=some_user''' with the Linux username you want to modify, and '''some_name''' with the name of the web-app you want to protect (for example, ''authorizedService: webapp-bookmarks'').
 
You'll also need to modify the httpd conf for the web-app you want to protect.<br/>
You'll find it in ''/etc/httpd/conf.d/xxxx-web_app_name.conf''<br/>
In this file, remove the following two lines:
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
Order allow,deny<br/>
Allow from all
</div>
 
and replace them with these lines:
 
<div style="text-align: left; border: 1px solid #A3B1BF; padding: .5em 1em; color: #000; background-color: #E6F2FF; margin: 3px 3px 1em 3px;">
Deny from all<br/>
Order deny,allow<br/>
AllowOverride None<br/>
AuthType Basic<br/>
AuthName LDAP<br/>
AuthBasicAuthoritative off<br/>
AuthBasicProvider ldap<br/>
AuthzLDAPAuthoritative on<br/>
AuthLDAPURL ldap://127.0.0.1/dc=home,dc=com?uid?sub?(authorizedService=webapp-some_name)<br/>
require valid-user<br/>
satisfy any<br/>
AuthLDAPBindDN "cn=root,dc=home,dc=com"<br/>
AuthLDAPBindPassword "admin"
</div>
Replace '''some_name''' with the name of the web-app you want to protect (for example, ''authorizedService: webapp-bookmarks''). Make sure to use the same string as you used in ''give_webapp_access.ldif'' above.