= central user management =
...using ldap and kerberos
* convenience (single sign on)
* source of errors: complexity
* risk: single point of failure / break-in
* http://www.openinput.com/auth-howto/index.html
* http://www.pdc.kth.se/heimdal/
* http://www.openldap.org/doc/admin23/
* trusted third party, the KDC. it shares a secret with every host/service/user
("principals"). on request it generates a ticket containing the time, the ip,
and which user is talking to which service.
* no passwords in ldap, everything goes through kerberos; backward compatibility via pam_krb, not sasl or pam_ldap.
* the kerberos database lives in ldap, so no separate replication is needed (heimdal only).
* dedicated ldap range for uid/gid; root and system users stay local in case
the network acts up.
* heimdal kerberos (ldap), alternatives: mit, shishi
* openldap, alternatives: mysql, postgresql
* well-maintained dns and reverse dns
* strongly recommended: replication and redundancy
sudo aptitude install slapd heimdal-kdc
* sasl with gssapi provider
* correct time, e.g. openntpd (but it cannot fake its stratum for windows)
* kerberized client/server software (e.g. openssh, apache2)
sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients
= preparation: domain name service =
config in dns (by the way, there are dns servers with an ldap/sql backend too ;):
aka "srv records rock! - for kerberos but not for ldap :("
config file /etc/krb5.conf must be identical on all hosts!
what is a "canonical hostname"?
zonefile mm-karton.com (snippet):
$ORIGIN mm-karton.com.
kerberos A 10.128.0.24
kerberos-1 A 10.128.0.25
ldap CNAME srv-vie-26.vie.mm-karton.com.
ldap-1 CNAME srv-vie-27.vie.mm-karton.com.
_kerberos TXT "MM-KARTON.COM"
_kerberos-master._tcp SRV 10 1 88 kerberos
_kerberos-master._udp SRV 10 1 88 kerberos
_kpasswd._udp SRV 10 1 464 kerberos
_kerberos-adm._tcp SRV 10 1 749 kerberos
_kerberos._tcp SRV 10 1 88 kerberos
_kerberos._udp SRV 10 1 88 kerberos
_kerberos._tcp SRV 20 1 88 kerberos-1
_kerberos._udp SRV 20 1 88 kerberos-1
; ldap is served on 389 (see SLAPD_SERVICES below), not on the kerberos port 88
_ldap._tcp SRV 10 1 389 ldap
_ldap._tcp SRV 20 1 389 ldap-1
zonefile mm-karton.net (snippet), afaik heimdal specific:
_kerberos TXT "MM-KARTON.COM"
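A slip that is easy to make in a zone like the one above is pointing the _ldap._tcp SRV record at the kerberos port 88 instead of 389, which clients only notice as a silent fallback. The following check is an added example, not part of the original notes: it parses a zone snippet, compares each SRV port with the well-known port of its service, verifies that every in-zone SRV target has an A/CNAME record, and confirms the _kerberos TXT record that dns_lookup_realm relies on. The embedded zone text is constructed from the records above with the two ldap lines deliberately left on port 88.

```python
# Constructed zone snippet based on the mm-karton.com records above; the two
# _ldap._tcp lines deliberately carry port 88 so the check has something to report.
ZONE = """\
$ORIGIN mm-karton.com.
kerberos A 10.128.0.24
kerberos-1 A 10.128.0.25
ldap CNAME srv-vie-26.vie.mm-karton.com.
ldap-1 CNAME srv-vie-27.vie.mm-karton.com.
_kerberos TXT "MM-KARTON.COM"
_kerberos._tcp SRV 10 1 88 kerberos
_kerberos._tcp SRV 20 1 88 kerberos-1
_kpasswd._udp SRV 10 1 464 kerberos
_ldap._tcp SRV 10 1 88 ldap
_ldap._tcp SRV 20 1 88 ldap-1
"""

# well-known ports the clients expect behind each SRV owner name
EXPECTED_PORT = {"_kerberos._tcp": 88, "_kerberos._udp": 88,
                 "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
                 "_kpasswd._udp": 464, "_kerberos-adm._tcp": 749, "_ldap._tcp": 389}

def check_zone(zone):
    """Return a list of findings for the kerberos/ldap records in a zone snippet."""
    findings, hosts, srvs, realm_txt = [], set(), [], None
    for line in zone.splitlines():
        f = [tok for tok in line.split() if tok != "IN"]  # tolerate an explicit class
        if len(f) < 3 or f[0].startswith(("$", ";")):     # skip $ORIGIN, comments, junk
            continue
        name, rtype, rdata = f[0], f[1], f[2:]
        if rtype in ("A", "AAAA", "CNAME"):
            hosts.add(name)
        elif rtype == "TXT" and name == "_kerberos":
            realm_txt = " ".join(rdata).strip('"')
        elif rtype == "SRV":
            prio, weight, port, target = rdata
            srvs.append((name, int(port), target))
    if realm_txt is None:
        findings.append("no _kerberos TXT record, so dns_lookup_realm cannot find the realm")
    for name, port, target in srvs:
        want = EXPECTED_PORT.get(name)
        if want is not None and port != want:
            findings.append("%s -> %s: port %d, expected %d" % (name, target, port, want))
        # relative targets must exist in this zone; fully qualified ones are out of scope
        if not target.endswith(".") and target not in hosts:
            findings.append("%s -> %s: target has no A/CNAME record in this zone" % (name, target))
    return findings

if __name__ == "__main__":
    for finding in check_zone(ZONE):
        print(finding)
```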
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/hdb.schema
TLSCACertificateFile /etc/ldap/ca_crt.pem
TLSCertificateFile /etc/ldap/ldap.mm-karton.com_crt.pem
TLSCertificateKeyFile /etc/ldap/ldap.mm-karton.com_key.pem
# note: "+SSLv2" only moves the SSLv2 ciphers to the end of the list, it does
# not exclude them; "HIGH:MEDIUM:!SSLv2" would
TLSCipherSuite HIGH:MEDIUM:+SSLv2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
# The maximum number of entries that is returned for a search operation
#######################################################################
# Specific Backend Directives for bdb:
#######################################################################
suffix "dc=mm-karton,dc=com"
rootdn "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 33554432 0
index cn,uid,displayName eq,sub,pres
index krb5PrincipalName eq
index associatedDomain pres,eq,sub
index entryUUID,default,entryCSN eq
# needed for syncrepl
syncprov-checkpoint 100 10
syncprov-sessionlog 100
limits dn.exact="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
#######################################################################
sasl-secprops minssf=0
# simple binds are only accepted on connections with at least 64 bits of
# protection, i.e. over TLS
security simple_bind=64
# map the sasl identity of a gssapi bind (uid=<principal>,cn=<realm>,cn=gssapi,cn=auth)
# to the matching user entry
sasl-regexp
  uid=(.+),cn=.+,cn=auth
  ldap:///dc=mm-karton,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@MM-KARTON.COM))
sasl-regexp "=0" "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"
#######################################################################
# needed for certain auth stuff
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=krb5PrincipalName
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
access to attrs=userPassword
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
# Kerberos attributes only accessible to root/ldapmaster and the superadmins
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
# user info readable for nssproxy user
access to dn.subtree="ou=users,dc=mm-karton,dc=com"
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
by dn="uid=nssproxy,dc=mm-karton,dc=com" read
access to dn.subtree="ou=groups,dc=mm-karton,dc=com"
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
by dn="uid=nssproxy,dc=mm-karton,dc=com" read
access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
by dn="uid=nssproxy,dc=mm-karton,dc=com" read
access to dn.subtree="dc=mm-karton,dc=com"
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
# Default location of the slapd.conf file
# System account to run the slapd server under. If empty the server
SLAPD_USER="openldap"
# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"
# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)
# Configure if the slurpd daemon should be started. Possible values:
# - yes: Always start slurpd
# - no: Never start slurpd
# - auto: Start slurpd if a replica option is found in slapd.conf (default)
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
SLAPD_SERVICES="ldap://10.128.4.36/ ldapi:///"
# Additional options to pass to slapd and slurpd
export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab"
[ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi
/etc/heimdal-kdc/kadmind.acl
lefant/admin@MM-KARTON.COM all
/etc/heimdal-kdc/kdc.conf
realm = MM-KARTON.COM
dbname = ldap:dc=mm-karton,dc=com
mkey_file = /var/lib/heimdal-kdc/m-key
acl_file = /etc/heimdal-kdc/kadmind.acl
addresses = 10.128.0.24
/etc/libnss-ldap.conf
BASE dc=mm-karton, dc=com
URI ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/
tls_cacertfile /etc/ssl/certs/mmagca_crt.pem
binddn uid=nssproxy,dc=mm-karton,dc=com
pam_filter objectClass=posixAccount
nss_base_passwd ou=users,dc=mm-karton,dc=com
nss_base_group ou=groups,dc=mm-karton,dc=com
# Bind/connect timelimit
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 3
nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope
default_realm = MM-KARTON.COM
dns_lookup_realm = yes
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
ticket_lifetime = 10h
retain_after_close = false
srv-pof-30.pof.mmk.mmdom.net = MM-KARTON.COM
kpasswd_server = DC-VIE-50
auth_to_local_names = {
admin_server = kerberos.mm-karton.com
auth_to_local = RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET//
auth_to_local = DEFAULT
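The two auth_to_local lines decide which local account a kerberos principal from either realm ends up as, and the order matters: the RULE strips the windows realm, DEFAULT only accepts one-component principals of the default realm. The following Python model of that evaluation is an added example, not part of the original notes or of any krb5 library; it implements the RULE:[n:format](regexp)s/pattern/replacement/ syntax far enough for the page's rule, and DEFAULT exactly as krb5.conf describes it. STRICT_RULES is an added variant with the realm's dots escaped, since in the rule as written each "." is a regexp metacharacter.

```python
import re

# The page's rule and fallback, in the order krb5.conf lists them.
RULES = [
    "RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET//",
    "DEFAULT",
]
# Added variant: the same rule with the realm's dots escaped so they only match dots.
STRICT_RULES = [
    r"RULE:[1:$1@$0](^.*@MMK\.MMDOM\.NET$)s/@MMK\.MMDOM\.NET//",
    "DEFAULT",
]
DEFAULT_REALM = "MM-KARTON.COM"

# RULE:[n:format](regexp)s/pattern/replacement/[g]; regexp and substitution are optional
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def parse_principal(principal):
    """'user/instance@REALM' -> (['user', 'instance'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must look like name@REALM: " + principal)
    return name.split("/"), realm

def apply_rule(rule, principal):
    """Local name this single rule yields, or None when the rule does not apply."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":  # one-component principal in the default realm maps to its name
        return comps[0] if realm == DEFAULT_REALM and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("cannot parse rule: " + rule)
    ncomp, fmt, regexp, pattern, repl, flag = m.groups()
    if len(comps) != int(ncomp):  # [1:...] only applies to one-component principals
        return None
    values = [realm] + comps      # $0 is the realm, $1.. are the components
    s = re.sub(r"\$(\d)", lambda v: values[int(v.group(1))], fmt)
    if regexp is not None and not re.search(regexp, s):
        return None
    if pattern is not None:
        s = re.sub(pattern, repl, s, count=0 if flag else 1)
    return s

def auth_to_local(principal, rules=RULES):
    """Map a principal to a local account name; first matching rule wins, None if none does."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None
```

With RULES, a principal from any realm whose name happens to fit the unescaped pattern is also stripped to a bare local name, so STRICT_RULES is the safer form whenever more than these two realms are ever trusted.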
/etc/pam.d/common-account
account required pam_access.so
account sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000
account sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000
account required pam_unix.so
/etc/pam.d/common-auth
auth optional pam_group.so
auth sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass
auth sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass
auth required pam_unix.so try_first_pass
/etc/pam.d/common-session
session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel
session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000
session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000
session required pam_unix.so
restrict logins to certain users:
/etc/security/access.conf
# first, to avoid delays when network is still unavailable
# remote users and groups
# deny everything else
/etc/adduser.conf (snippet)
# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
# allocated user accounts/groups.
ldap client config (administration):
BASE dc=mm-karton, dc=com
URI ldap://ldap.mm-karton.com/
tls_cacert /etc/ssl/certs/ca_crt.pem
ldapwhoami, ldapsearch
sudo, nopasswd, since we don't have passwords anyway...
lefant ALL=(ALL) NOPASSWD:ALL
= single sign on for applications (gssapi support, the big question mark) =
/etc/ssh/sshd_config (snippet)
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
/etc/ssh/ssh_config (snippet)
GSSAPIAuthentication yes
# forwards the user's TGT to every host this section matches; limit it to hosts you trust
GSSAPIDelegateCredentials yes
firefox: out-of-the-box!
apache: (apt-get install libapache2-mod-auth-kerb)
AuthName "MM Login (use windows login *without* mm\ prefix)"
Krb5Keytab /etc/apache2/keytab
KrbAuthRealms MMK.MMDOM.NET MM-KARTON.COM
AuthGroupFile /etc/wwwusers
Require group NocUsers
Allow from noc.mm-karton.com