Diff for /wikisrc/tutorials/openldap_authentication_on_netbsd.mdwn between versions 1.2 and 1.3

version 1.2, 2012/02/05 07:14:36 version 1.3, 2014/05/31 17:49:28
Line 19  An example config file is included in th Line 19  An example config file is included in th
     nis.schema      nis.schema
           
   
 These are (in pkgsrc-2008Q2) installed in ${LOCALBASE}/share/examples/openldap/schema, and can just be included from there, and tells the server which record keys (as in key-value pairs) it shall accept.   These are (in pkgsrc-2014Q1) installed in ${LOCALBASE}/share/examples/openldap/schema, and can just be included from there, and tells the server which record keys (as in key-value pairs) it shall accept. 
   
 And that really is it for the server bit. Next comes testing it out with a few ldap commands.   And that really is it for the server bit. Next comes testing it out with a few ldap commands. 
   
 The basic commands of talking directly with the ldap database are ldapadd, ldapmodify and ldapsearch. These are in the openldap-client package, so you won't have to install the entire server on a client machine.   The basic commands of talking directly with the ldap database are ldapadd, ldapmodify and ldapsearch. These are in the openldap-client package, so you won't have to install the entire server on a client machine. 
   
 Options you'll be using alot like -b (base) and -H (host URI) can conveninently be stuck in a client configuration file, ${LOCALBASE}/etc/openldap/ldap.conf, which will save you time and aggravation from having to type them all the time.   Options you'll be using alot like -b (base) and -H (host URI) can conveninently be stuck in a client configuration file, ${PKG_SYSCONFBASE}/openldap/ldap.conf, which will save you time and aggravation from having to type them all the time. 
   
 To talk to your ldap server, try running ldapsearch;   To talk to your ldap server, try running ldapsearch; 
           
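Review bot: the sentence that now reads "pkgsrc-2014Q1" still says "tells the server" where the subject is plural ("These ... tell the server"), and the ldap.conf sentence still carries "alot" and "conveninently"; since both sentences are being touched anyway, fix the spelling and say which ldap.conf keywords correspond to the flags (BASE for -b, URI for -H), because the file uses keywords, not the command-line options.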
Line 131  and  Line 131  and 
     databases/nss_ldap      databases/nss_ldap
           
           
   The latest version of these packages (pkgrsc-2014Q2 and newer) will automatically created the necessary symbolic links in /usr/lib and /usr/lib/security to be able to use these modules. For older version you will have create a symbolic link from /usr/lib/nss_ldap.so.0 to ${LOCALBASE}/lib/nss_ldap.so.1 and from /usr/lib/security/pam_ldap.so to ${LOCALBASE}/lib/security/pam_ldap.so
 Once these are installed, you can either link them, copy or use in place from ${LOCALBASE}/lib and ${LOCALBASE}/lib/security into /usr/lib and /usr/lib/security respectively. I prefer to use symbolic links because then any upgrade I make will automatically have the latest version already in place.   
   
 Before we go any further, I'd like to introduce some security into the mix; up til now we've talked to the ldap server without any limitations and what's called anonymous binds, i.e. not logged in.   Before we go any further, I'd like to introduce some security into the mix; up til now we've talked to the ldap server without any limitations and what's called anonymous binds, i.e. not logged in. 
   
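Review bot: the new paragraph has three errors and one inconsistency: "pkgrsc-2014Q2" should be "pkgsrc-2014Q2", "will automatically created" should be "create", and "For older version you will have create" should be "For older versions you will have to create". The branch also disagrees with the first hunk, which now cites pkgsrc-2014Q1 for the schema files; pick one. Finally the link target "/usr/lib/nss_ldap.so.0 to ${LOCALBASE}/lib/nss_ldap.so.1" has mismatched version suffixes; if the .so.0 name is deliberate because that is the name libc's nsswitch looks up, say so, otherwise a reader will take it for a typo.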
Line 172  Note that the traffic between the ldap c Line 171  Note that the traffic between the ldap c
   
 This user will be used for ACL filtering later.   This user will be used for ACL filtering later. 
   
 Next we'll need to configure the LDAP part of the plugins, a convenience here is that since both the plugins are made by the same people, they can share a configuration file. They will look for ${LOCALBASE}/etc/nss_ldap.conf and ${LOCALBASE}/etc/pam_ldap.conf, but linking them to the same file will let you have just one place to configure (and protect for your ldap user password)   Next we'll need to configure the LDAP part of the plugins, a convenience here is that since both the plugins are made by the same people, they can share a configuration file. They will look for ${PKG_SYSCONFBASE}/nss_ldap.conf and ${PKG_SYSCONFBASE}/pam_ldap.conf, but linking them to the same file will let you have just one place to configure (and protect for your ldap user password) 
   
 The important bits in this file is the base setting and the uri for your ldap server:   The important bits in this file is the base setting and the uri for your ldap server: 
           
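Review bot: "The important bits in this file is" should be "are", and "(and protect for your ldap user password)" does not say what to protect against. The point to make explicit is that nss_ldap.conf has to be readable by every process that resolves users, so once it is linked to pam_ldap.conf any bindpw in it is world-readable; the note should say that, and that the binddn used here must therefore be a low-privilege, read-only account (which is what the "ACL filtering later" sentence sets up).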
Line 187  Next we need to tell it who it should co Line 186  Next we need to tell it who it should co
     binddn cn=nss,dc=example,dc=org      binddn cn=nss,dc=example,dc=org
           
           
     bindpw unencrypted-password  
       
   
 And if you want to be able to change passwords as root without knowing the user's password in advance (with passwd, using ldapmodify you can still just set it, if you bind with the credentials to do it (see ACLs).)   And if you want to be able to change passwords as root without knowing the user's password in advance (with passwd, using ldapmodify you can still just set it, if you bind with the credentials to do it (see ACLs).) 
   
 I haven't mentioned this user before, it's the database's root user, allowed to do anything;   I haven't mentioned this user before, it's the database's root user, allowed to do anything; 
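Review bot: deleting "bindpw unencrypted-password" leaves "binddn cn=nss,dc=example,dc=org" with no credential and no text explaining where it went, so the bind now runs without a password; if the goal was to stop showing a plaintext password in the example, replace the line with a placeholder rather than removing it, or say explicitly where the nss user's password is configured. The following sentence "And if you want to be able to change passwords as root without knowing the user's password in advance (...)" is also a fragment that runs straight into the rootbinddn paragraph; end it with what is needed, e.g. "you need a rootbinddn:".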
Line 197  I haven't mentioned this user before, it Line 193  I haven't mentioned this user before, it
     rootbinddn cn=root,dc=example,dc=org      rootbinddn cn=root,dc=example,dc=org
           
   
 The password for this will not be in this file, but in a separate file called ${LOCALBASE}/etc/nss_ldap.secret or for pam; ${LOCALBASE}/etc/pam_ldap.secret   The password for this will not be in this file, but in a separate file called ${PKG_SYSCONFBASE}/nss_ldap.secret or for pam; ${PKG_SYSCONFBASE}/pam_ldap.secret 
   
   * ) not sure about this, but my system has both, linked together     * ) not sure about this, but my system has both, linked together 
   
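Review bot: the "* ) not sure about this, but my system has both, linked together" footnote has no asterisk anywhere in the text it qualifies; either mark the sentence about nss_ldap.secret / pam_ldap.secret with it or fold the remark into that sentence. While touching it, state the permissions these files need (owned by root, mode 0600): keeping the rootbinddn password out of the world-readable .conf is the whole reason for the separate file, and the page never says so.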
Line 228  To  Line 224  To 
     group:      files ldap      group:      files ldap
     ...      ...
     passwd:     files ldap      passwd:     files ldap
           ...
       netgroup:   files ldap
   
 This will enable you to have local accounts as well as ldap users. You could test this out now, by running the getent program;   This will enable you to have local accounts as well as LDAP users. You could test this out now, by running the getent program; 
           
     % getent group      % getent group
           
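Review bot: "netgroup:   files ldap" is added to nsswitch.conf but the prose below it still only talks about local accounts and LDAP users; add a sentence on what the netgroup source is used for (for example restricting logins by netgroup through pam_login_access / login.access, which the sshd stack below already includes), or drop the line if it is not used.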
Line 250  On my system I have the following change Line 247  On my system I have the following change
   
 ##  /etc/pam.d/sshd   ##  /etc/pam.d/sshd 
           
     # $NetBSD: openldap_authentication_on_netbsd.mdwn,v 1.1 2011/11/20 21:35:54 mspo Exp $  
     #      #
     # PAM configuration for the "sshd" service      # PAM configuration for the "sshd" service
     #      #
             
     # auth      # auth
     auth            required        pam_nologin.so  no_warn      auth            required        pam_nologin.so  no_warn
     auth            sufficient      pam_ldap.so  
     auth            sufficient      pam_krb5.so     no_warn try_first_pass      auth            sufficient      pam_krb5.so     no_warn try_first_pass
       auth            sufficient      pam_ldap.so     no_warn try_first_pass
     # pam_ssh has potential security risks.  See pam_ssh(8).      # pam_ssh has potential security risks.  See pam_ssh(8).
     #auth           sufficient      pam_ssh.so      no_warn try_first_pass      #auth           sufficient      pam_ssh.so      no_warn try_first_pass
     auth            required        pam_unix.so     no_warn try_first_pass      auth            required        pam_unix.so     no_warn try_first_pass
             
     # account      # account
     account         required        pam_krb5.so      account         required        pam_krb5.so
     account         sufficient      pam_ldap.so  
     account         required        pam_login_access.so      account         required        pam_login_access.so
     account         required        pam_unix.so      account         required        pam_unix.so
             
     # session      # session
     # pam_ssh has potential security risks.  See pam_ssh(8).      # pam_ssh has potential security risks.  See pam_ssh(8).
     #session        optional        pam_ssh.so      #session        optional        pam_ssh.so
     session         sufficient      pam_ldap.so  
     session         required        pam_permit.so      session         required        pam_permit.so
             
     # password      # password
     password        sufficient      pam_krb5.so     no_warn try_first_pass      password        sufficient      pam_krb5.so     no_warn try_first_pass
     password        sufficient      pam_ldap.so      password        sufficient      pam_ldap.so     no_warn try_first_pass
     password        required        pam_unix.so     no_warn try_first_pass      password        required        pam_unix.so     no_warn try_first_pass
           
   
 ##  /etc/pam.d/su   ##  /etc/pam.d/su 
           
     # $NetBSD: openldap_authentication_on_netbsd.mdwn,v 1.1 2011/11/20 21:35:54 mspo Exp $  
     #      #
     # PAM configuration for the "su" service      # PAM configuration for the "su" service
     #      #
             
     # auth      # auth
     auth            sufficient      pam_ldap.so  
     auth            sufficient      pam_rootok.so           no_warn      auth            sufficient      pam_rootok.so           no_warn
     auth            sufficient      pam_self.so             no_warn      auth            sufficient      pam_self.so             no_warn
     auth            sufficient      pam_ksu.so              no_warn try_first_pass      auth            sufficient      pam_ksu.so              no_warn try_first_pass
     auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe  
     #auth           sufficient      pam_group.so            no_warn group=rootauth root_only fail_safe authenticate      #auth           sufficient      pam_group.so            no_warn group=rootauth root_only fail_safe authenticate
       auth            requisite       pam_group.so            no_warn group=wheel root_only fail_safe
       auth            sufficient      pam_ldap.so             no_warn try_first_pass
     auth            required        pam_unix.so             no_warn try_first_pass nullok      auth            required        pam_unix.so             no_warn try_first_pass nullok
             
     # account      # account
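Review bot: the su reordering is a real security fix and should be called out in the prose rather than left silent: in 1.2 "auth sufficient pam_ldap.so" came before the requisite pam_group.so wheel check, so any LDAP user with a valid password could su to root without being in wheel; in 1.3 pam_ldap sits after the group check and try_first_pass reuses the password already collected by pam_ksu. Likewise the removal of "account sufficient pam_ldap.so" and "session sufficient pam_ldap.so" from the sshd stack is unexplained; with them gone, LDAP users now go through pam_login_access and pam_unix account checks instead of short-circuiting past them, which looks intended but should be stated.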
Line 307  On my system I have the following change Line 300  On my system I have the following change
   
 ##  /etc/pam.d/system   ##  /etc/pam.d/system 
           
     # $NetBSD: openldap_authentication_on_netbsd.mdwn,v 1.1 2011/11/20 21:35:54 mspo Exp $      # $NetBSD: openldap_authentication_on_netbsd.mdwn,v 1.2 2012/02/05 07:14:36 schmonz Exp $
     #      #
     # System-wide defaults      # System-wide defaults
     #      #
             
     # auth      # auth
     auth            sufficient      pam_ldap.so  
     auth            sufficient      pam_krb5.so             no_warn try_first_pass      auth            sufficient      pam_krb5.so             no_warn try_first_pass
       auth            sufficient      pam_ldap.so             no_warn try_first_pass
     auth            required        pam_unix.so             no_warn try_first_pass nullok      auth            required        pam_unix.so             no_warn try_first_pass nullok
             
     # account      # account
     account         sufficient      pam_ldap.so  
     account         required        pam_krb5.so      account         required        pam_krb5.so
     account         required        pam_unix.so      account         required        pam_unix.so
           
     # session      # session
     session         sufficient      pam_ldap.so  
     session         required        pam_lastlog.so          no_fail no_nested      session         required        pam_lastlog.so          no_fail no_nested
             
     # password      # password
     password        sufficient      pam_ldap.so      password        sufficient      pam_krb5.so             no_warn try_first_pass
     password        sufficient      pam_krb5.so             try_first_pass      password        sufficient      pam_ldap.so             no_warn try_first_pass
     password        sufficient      pam_unix.so             try_first_pass      password        sufficient      pam_unix.so             no_warn try_first_pass
     password        required        pam_deny.so             prelim_ignore      password        required        pam_deny.so             prelim_ignore
           
   
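Review bot: the "$NetBSD: openldap_authentication_on_netbsd.mdwn,v 1.2 2012/02/05 ..." line at the top of the /etc/pam.d/system block is the wiki page's own RCS keyword being expanded, not a line from the file; this revision strips the same keyword from the sshd and su blocks but here it only got re-expanded, so remove it here too (or escape it). The auth and password reorderings otherwise match what was done for sshd (pam_krb5 first, pam_ldap with no_warn try_first_pass), which is good for consistency.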
Line 354  In order to do this you will need to cre Line 345  In order to do this you will need to cre
   
 We'll also need to configure slapd to use it, I put my keys in the /etc/openssl hierachy, since it seemed made for it.   We'll also need to configure slapd to use it, I put my keys in the /etc/openssl hierachy, since it seemed made for it. 
           
     TLSCipherSuite          HIGH:MEDIUM:+SSLv2      TLSCipherSuite          HIGH
     TLSCertificateFile      /etc/openssl/certs/openldap.pem      TLSCertificateFile      /etc/openssl/certs/openldap.pem
     TLSCertificateKeyFile   /etc/openssl/private/openldap.pem      TLSCertificateKeyFile   /etc/openssl/private/openldap.pem
     TLSCACertificateFile    /etc/openssl/certs/openldap.pem      TLSCACertificateFile    /etc/openssl/certs/openldap.pem
           
   
 And we'll also have to change the way slapd is started, so add this to your /etc/rc.conf   Next we'll need to change the clients setup so that they will use encryption. Enable ssl in ${PKG_SYSCONFBASE}/{nss_,pam_}ldap.conf; 
       
     slapd_flags="-h ldaps://"  
       
   
 Note that this will make slapd answer only to ldaps!   
   
 Next we'll need to change the clients setup so that they will use ldaps. Enable ssl in ${LOCALBASE}/etc/{nss_,pam_}ldap.conf;   
       
     ssl on  
           
       ssl start_tls
   
 Next if you're like me using the ${LOCALBASE}/etc/openldap/ldap.conf file, telling the client libs where to find the cert file is enough, we don't have to put it in the nss/pam config:   Next if you're like me using the ${PKG_SYSCONFBASE}/openldap/ldap.conf file, telling the client libs where to find the cert file is enough, we don't have to put it in the nss/pam config: 
           
     URI         ldaps://my.server  
     TLS_CACERT  /etc/openssl/certs/openldap.pem      TLS_CACERT  /etc/openssl/certs/openldap.pem
           
   
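Review bot: moving from ldaps-only (the deleted slapd_flags="-h ldaps://") to "ssl start_tls" on the clients means slapd now also serves plain ldap:// and nothing shown here forces the upgrade; add a "security tls=128" (or "security ssf=128") line to the slapd.conf fragment so that binds over an unencrypted session are refused, otherwise a client whose config lacks the TLS settings sends its bind password in the clear. Dropping "URI ldaps://my.server" from ldap.conf also removes the only place this section names the server, so say that the address now has to come from the uri line in nss_ldap.conf / pam_ldap.conf, since the client library defaults to localhost. Replacing "HIGH:MEDIUM:+SSLv2" with "HIGH" is the right change.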
