Difference between revisions of "LDAP"
Stuiterveer (talk | contribs) m (Added reference) |
Stuiterveer (talk | contribs) m (Change header levels) |
||
| Line 11: | Line 11: | ||
__TOC__ | __TOC__ | ||
| − | + | ||
| + | = Server = | ||
Server IP is '''192.168.1.177'''. | Server IP is '''192.168.1.177'''. | ||
The server uses an installation of OpenLDAP with [http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page phpLDAPAdmin]. The following settings were applied: | The server uses an installation of OpenLDAP with [http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page phpLDAPAdmin]. The following settings were applied: | ||
| − | + | == OpenLDAP == | |
* DNS domain name: '''ackspace.nl''' ("dc=ackspace,dc=nl") | * DNS domain name: '''ackspace.nl''' ("dc=ackspace,dc=nl") | ||
* Database backend: '''HDB''' | * Database backend: '''HDB''' | ||
| − | + | == phpLDAPAdmin == | |
| − | + | === /etc/phpldapadmin/config.php === | |
The following values were set/changed in '''/etc/phpldapadmin/config.php''': | The following values were set/changed in '''/etc/phpldapadmin/config.php''': | ||
$servers->setValue('server','host','0.0.0.0'); | $servers->setValue('server','host','0.0.0.0'); | ||
| Line 28: | Line 29: | ||
$servers->setValue('login','bind_id','cn=admin,dc=ackspace,dc=nl'); | $servers->setValue('login','bind_id','cn=admin,dc=ackspace,dc=nl'); | ||
| − | + | === SSH keys === | |
A field to insert SSH keys for users is not present in OpenLDAP/phpLDAPAdmin by default, for this I created a file called '''openssh-lpk.ldif''' with the following content: | A field to insert SSH keys for users is not present in OpenLDAP/phpLDAPAdmin by default, for this I created a file called '''openssh-lpk.ldif''' with the following content: | ||
dn: cn=openssh-lpk,cn=schema,cn=config | dn: cn=openssh-lpk,cn=schema,cn=config | ||
| Line 45: | Line 46: | ||
ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif | ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif | ||
| − | + | === /etc/phpldapadmin/templates/creation/posixAccount.xml === | |
Finally the User Account creation template was changed to add an SSH public key input field to the form by default. For this, '''/etc/phpldapadmin/templates/creation/posixAccount.xml''' was changed to the following: | Finally the User Account creation template was changed to add an SSH public key input field to the form by default. For this, '''/etc/phpldapadmin/templates/creation/posixAccount.xml''' was changed to the following: | ||
<?xml version="1.0" encoding="UTF-8" standalone="no"?> | <?xml version="1.0" encoding="UTF-8" standalone="no"?> | ||
| Line 151: | Line 152: | ||
</template> | </template> | ||
| − | + | = Client = | |
To obtain a user on the LDAP server, contact [[User:Stuiterveer|Stuiterveer]]. | To obtain a user on the LDAP server, contact [[User:Stuiterveer|Stuiterveer]]. | ||
| − | + | == PAM == | |
To use LDAP to sign in to Linux, install '''libpam-ldapd'''. When asked, fill in the details mentioned in [[LDAP#OpenLDAP]]. | To use LDAP to sign in to Linux, install '''libpam-ldapd'''. When asked, fill in the details mentioned in [[LDAP#OpenLDAP]]. | ||
| − | + | === /etc/nsswitch.conf === | |
Make sure LDAP is enabled for '''passwd''', '''group''' and '''shadow'''. To verify, check to see if the following is present (edit the existing entries if needed) in '''/etc/nsswitch.conf''': | Make sure LDAP is enabled for '''passwd''', '''group''' and '''shadow'''. To verify, check to see if the following is present (edit the existing entries if needed) in '''/etc/nsswitch.conf''': | ||
passwd: ldap compat | passwd: ldap compat | ||
| Line 164: | Line 165: | ||
This will first check LDAP for entries, otherwise it will check locally. If preferred, you can switch around ''compat'' and ''ldap'' to first check locally and revert to LDAP on failure. | This will first check LDAP for entries, otherwise it will check locally. If preferred, you can switch around ''compat'' and ''ldap'' to first check locally and revert to LDAP on failure. | ||
| − | + | === Home folder creation === | |
If you want to make sure a user folder is created upon login, add the following to the end of '''/etc/pam.d/common-session''': | If you want to make sure a user folder is created upon login, add the following to the end of '''/etc/pam.d/common-session''': | ||
session required pam_mkhomedir.so skel=/etc/skel umask=0022 | session required pam_mkhomedir.so skel=/etc/skel umask=0022 | ||
| − | + | === SSH key login === | |
Create a file that has the following content: | Create a file that has the following content: | ||
#!/bin/bash | #!/bin/bash | ||
| Line 178: | Line 179: | ||
AuthorizedKeysCommandUser nobody | AuthorizedKeysCommandUser nobody | ||
| − | + | === Restart services === | |
When you restart the '''nscd''' and '''ssh''' services you will be up and running. Sign in to the computer/VM with your LDAP account to verify that it works. | When you restart the '''nscd''' and '''ssh''' services you will be up and running. Sign in to the computer/VM with your LDAP account to verify that it works. | ||
| − | + | = References = | |
<references /> | <references /> | ||
Revision as of 20:56, 27 April 2018
| Project: LDAP | |
|---|---|
| Featured: | No |
| State | Active |
| Members | Stuiterveer |
| GitHub | No GitHub project defined. Add your project here. |
| Description | LDAP server for central logins using passwords or keypairs |
| Picture | |
| No project picture! Fill in form Picture or Upload a jpeg here | |
LDAP installation so we can use space-wide logins instead of seperate logins for every computer/server.
NOTE: Currently logging in doesn't add you to any additional groups besides the group(s) that the user was added to in LDAP. This means sudo and other things are not (yet) possible with LDAP logins.
Contents
Server
Server IP is 192.168.1.177. The server uses an installation of OpenLDAP with phpLDAPAdmin. The following settings were applied:
OpenLDAP
- DNS domain name: ackspace.nl ("dc=ackspace,dc=nl")
- Database backend: HDB
phpLDAPAdmin
/etc/phpldapadmin/config.php
The following values were set/changed in /etc/phpldapadmin/config.php:
$servers->setValue('server','host','0.0.0.0');
$servers->setValue('server','base',array('dc=ackspace,dc=nl'));
$config->custom->appearance['hide_template_warning'] = true;
$servers->setValue('login','bind_id','cn=admin,dc=ackspace,dc=nl');
SSH keys
A field to insert SSH keys for users is not present in OpenLDAP/phpLDAPAdmin by default, for this I created a file called openssh-lpk.ldif with the following content:
dn: cn=openssh-lpk,cn=schema,cn=config objectClass: olcSchemaConfig cn: openssh-lpk olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY DESC 'MANDATORY: OpenSSH LPK objectclass' MAY ( sshPublicKey $ uid ) )
The following command was then used to add support (make sure ldapscripts is installed):
ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif
/etc/phpldapadmin/templates/creation/posixAccount.xml
Finally the User Account creation template was changed to add an SSH public key input field to the form by default. For this, /etc/phpldapadmin/templates/creation/posixAccount.xml was changed to the following:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>cn</rdn>
<title>Generic: User Account</title>
<visible>1</visible>
<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
<objectClass id="ldapPublicKey"></objectClass>
</objectClasses>
<attributes>
<attribute id="givenName">
<display>First name</display>
<icon>ldap-uid.png</icon>
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
<order>1</order>
<page>1</page>
</attribute>
<attribute id="sn">
<display>Last name</display>
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
<order>2</order>
<page>1</page>
</attribute>
<attribute id="cn">
<display>Common Name</display>
<order>3</order>
<page>1</page>
</attribute>
<attribute id="uid">
<display>User ID</display>
<onchange>=autoFill(homeDirectory;/home/users/%uid%)</onchange>
<order>4</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
<display>Home directory</display>
<order>8</order>
<page>1</page>
</attribute>
<attribute id="uidNumber">
<display>UID Number</display>
<icon>terminal.png</icon>
<order>6</order>
<page>1</page>
<readonly>1</readonly>
<value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
<display>GID Number</display>
<order>7</order>
<page>1</page>
<value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
<display>Login shell</display>
<order>9</order>
<page>1</page>
<type>select</type>
<value id="/bin/bash">/bin/bash</value>
<value id="/bin/sh">/bin/sh</value>
<value id="/bin/csh">/bin/csh</value>
<value id="/bin/tsh">/bin/tsh</value>
</attribute>
<attribute id="userPassword">
<display>Password</display>
<icon>lock.png</icon>
<order>5</order>
<page>1</page>
<post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
<spacer>1</spacer>
<verify>1</verify>
</attribute>
<attribute id="sshPublicKey">
<display>SSH public key</display>
<icon>lock.png</icon>
<order>10</order>
<page>1</page>
</attribute>
</attributes>
</template>
Client
To obtain a user on the LDAP server, contact Stuiterveer.
PAM
To use LDAP to sign in to Linux, install libpam-ldapd. When asked, fill in the details mentioned in LDAP#OpenLDAP.
/etc/nsswitch.conf
Make sure LDAP is enabled for passwd, group and shadow. To verify, check to see if the following is present (edit the existing entries if needed) in /etc/nsswitch.conf:
passwd: ldap compat group: ldap compat shadow: ldap compat
This will first check LDAP for entries, otherwise it will check locally. If preferred, you can switch around compat and ldap to first check locally and revert to LDAP on failure.
Home folder creation
If you want to make sure a user folder is created upon login, add the following to the end of /etc/pam.d/common-session:
session required pam_mkhomedir.so skel=/etc/skel umask=0022
SSH key login
Create a file that has the following content:
#!/bin/bash
ldapsearch -h 192.168.1.177 -b "dc=ackspace,dc=nl" -x '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
Make sure the file and all folders above it are owned by root:root and have umask 022.[1]
Then edit sshd_config to include the following:
AuthorizedKeysCommand /path/to/file AuthorizedKeysCommandUser nobody
Restart services
When you restart the nscd and ssh services you will be up and running. Sign in to the computer/VM with your LDAP account to verify that it works.
