LDAP

From Hackerspace ACKspace
Revision as of 02:18, 25 April 2018 by Stuiterveer (talk | contribs) (Wrong IP)
Jump to: navigation, search
Project: LDAP
Featured: No
State Active
Members Stuiterveer
GitHub No GitHub project defined. Add your project here.
Description LDAP server for central logins using passwords or keypairs
Picture
No project picture! Fill in form Picture or Upload a jpeg here

LDAP installation so we can use space-wide logins instead of seperate logins for every computer/server.

NOTE: SSH keys don't yet work, in the meantime you can login using passwords if needed.

Server

Server IP is 192.168.1.177. The server uses an installation of OpenLDAP with phpLDAPAdmin. The following settings were applied:

OpenLDAP

  • DNS domain name: ackspace.nl ("dc=ackspace,dc=nl")
  • Database backend: HDB

phpLDAPAdmin

/etc/phpldapadmin/config.php

The following values were set/changed in /etc/phpldapadmin/config.php:

$servers->setValue('server','host','0.0.0.0');
$servers->setValue('server','base',array('dc=ackspace,dc=nl'));
$config->custom->appearance['hide_template_warning'] = true;

SSH keys

A field to insert SSH keys for users is not present in OpenLDAP/phpLDAPAdmin by default, for this I created a file called openssh-lpk.ldif with the following content:

dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
  DESC 'MANDATORY: OpenSSH Public key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
  DESC 'MANDATORY: OpenSSH LPK objectclass'
  MAY ( sshPublicKey $ uid )
  )

The following command was then used to add support (make sure ldapscripts is installed):

ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif

/etc/phpldapadmin/templates/creation/posixAccount.xml

Finally the User Account creation template was changed to add an SSH public key input field to the form by default. For this, /etc/phpldapadmin/templates/creation/posixAccount.xml was changed to the following:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">

<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>cn</rdn>
<title>Generic: User Account</title>
<visible>1</visible>

<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
<objectClass id="ldapPublicKey"></objectClass>
</objectClasses>

<attributes>
<attribute id="givenName">
    <display>First name</display>
    <icon>ldap-uid.png</icon>
    <onchange>=autoFill(cn;%givenName% %sn%)</onchange>
    <onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
    <order>1</order>
    <page>1</page>
</attribute>
<attribute id="sn">
    <display>Last name</display>
    <onchange>=autoFill(cn;%givenName% %sn%)</onchange>
    <onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
    <order>2</order>
    <page>1</page>
</attribute>
<attribute id="cn">
    <display>Common Name</display>
    <order>3</order>
    <page>1</page>
</attribute>
<attribute id="uid">
    <display>User ID</display>
    <onchange>=autoFill(homeDirectory;/home/users/%uid%)</onchange>
    <order>4</order>
    <page>1</page>
    <spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
    <display>Home directory</display>
    <order>8</order>
    <page>1</page>
</attribute>
<attribute id="uidNumber">
    <display>UID Number</display>
    <icon>terminal.png</icon>
    <order>6</order>
    <page>1</page>
    <readonly>1</readonly>
    <value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
    <display>GID Number</display>
    <order>7</order>
    <page>1</page>
    <value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
    <display>Login shell</display>
    <order>9</order>
    <page>1</page>
    <type>select</type>
    <value id="/bin/bash">/bin/bash</value>
    <value id="/bin/sh">/bin/sh</value>
    <value id="/bin/csh">/bin/csh</value>
    <value id="/bin/tsh">/bin/tsh</value>
</attribute>
<attribute id="userPassword">
    <display>Password</display>
    <icon>lock.png</icon>
    <order>5</order>
    <page>1</page>
    <post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
    <spacer>1</spacer>
    <verify>1</verify>
</attribute>
<attribute id="sshPublicKey">
        <display>SSH public key</display>
        <icon>lock.png</icon>
        <order>10</order>
        <page>1</page>
</attribute>
</attributes>

</template>

Client

To obtain a user on the LDAP server, contact Stuiterveer.

PAM

To use LDAP to sign in to Linux, install libpam-ldapd. When asked, fill in the details mentioned in LDAP#OpenLDAP.

/etc/nsswitch.conf

Make sure LDAP is enabled for passwd, group and shadow. To verify, check to see if the following is present (edit the existing entries if needed) in /etc/nsswitch.conf:

passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat

This will first check LDAP for entries, otherwise it will check locally. If preferred, you can switch around compat and ldap to first check locally and revert to LDAP on failure.

Home folder creation

If you want to make sure a user folder is created upon login, add the following to the end of /etc/pam.d/common-session:

session required        pam_mkhomedir.so skel=/etc/skel umask=0022

Restart service

When you restart the NSCD service you will be up and running. Sign in to the computer/VM with your LDAP account to verify that it works.