initial import from moinmoin

[debienna.git] / KerberosAuthenticationInfrastructure / index.mdwn

= central usermanagement =\r
\r
...using ldap and kerberos\r
\r
\r
\r
= motivation =\r
\r
warum:\r
 * skaliert\r
 * sicherheit\r
 * komfort (single sign on)\r
\r
warum nicht:\r
 * fehlerquelle komplexitaet\r
 * gefahr single point of failure / break in\r
\r
-> infrastruktur!\r
\r
\r
\r
= theorie =\r
\r
recommended reading:\r
 * http://www.openinput.com/auth-howto/index.html\r
 * http://www.pdc.kth.se/heimdal/\r
 * http://www.openldap.org/doc/admin23/\r
\r
architektur:\r
 * trusted third party, der KDC. hat gemeinsames secret mit allen\r
 hosts/services/usern. "principals". generiert auf anfrage ticket mit\r
 zeit, ip, und welcher user zu welchem service.\r
\r
design decisions:\r
 * keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap.\r
 * kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal).\r
 * eigene ldap range fuer uid/groupid, root und systemuser bleiben\r
 lokal falls das netzwerk spinnt.\r
\r
\r
\r
= required software =\r
\r
zutaten am server:\r
 * heimdal kerberos (ldap), alternativen: mit, shishi\r
 * openldap, alternativ: mysql, postgresql\r
 * wohlgepflegtes dns und reverse-dns\r
 * schwer empfohlen: replikation und redundanz\r
\r
{{{\r
sudo aptitude install slapd heimdal-kdc\r
}}}\r
\r
\r
zutaten am host:\r
 * libnss-ldap\r
 * pam-krb5\r
 * sasl mit gssapi provider\r
 * richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows)\r
 * kerberized client/serversoftware (zb. openssh, apache2)\r
\r
{{{\r
sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients\r
}}}\r
\r
\r
\r
= vorbereitung: domain name service =\r
\r
config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;):\r
\r
aka "srv records rock! - for kerberos but not for ldap :("\r
\r
config file /etc/krb5.conf auf allen hosts ident!\r
\r
was ist ein "canonical hostname"?\r
\r
zonefile mm-karton.com (snippet):\r
{{{\r
$ORIGIN mm-karton.com.\r
kerberos                A       10.128.0.24\r
kerberos-1              A       10.128.0.25\r
ldap                    CNAME   srv-vie-26.vie.mm-karton.com.\r
ldap-1                  CNAME   srv-vie-27.vie.mm-karton.com.\r
\r
_kerberos               TXT     "MM-KARTON.COM"\r
_kerberos-master._tcp   SRV     10 1 88 kerberos\r
_kerberos-master._udp   SRV     10 1 88 kerberos\r
_kpasswd._udp           SRV     10 1 464 kerberos\r
_kerberos-adm._tcp      SRV     10 1 749 kerberos\r
_kerberos._tcp          SRV     10 1 88 kerberos\r
_kerberos._udp          SRV     10 1 88 kerberos\r
_kerberos._tcp          SRV     20 1 88 kerberos-1\r
_kerberos._udp          SRV     20 1 88 kerberos-1\r
\r
_ldap._tcp              SRV     10 1 88 ldap\r
_ldap._tcp              SRV     20 1 88 ldap-1\r
}}}\r
\r
zonefile mm-karton.net (snippet), afaik heimdal specific:\r
{{{\r
_kerberos               TXT             "MM-KARTON.COM"\r
}}}\r
\r
\r
\r
= config am server =\r
\r
/etc/ldap/slapd.conf\r
\r
{{{\r
# This is the main slapd configuration file. See slapd.conf(5) for more\r
# info on the configuration options.\r
\r
#######################################################################\r
# Global Directives:\r
\r
include         /etc/ldap/schema/core.schema\r
include         /etc/ldap/schema/cosine.schema\r
include         /etc/ldap/schema/nis.schema\r
include         /etc/ldap/schema/inetorgperson.schema\r
\r
include         /etc/ldap/schema/hdb.schema\r
\r
\r
TLSCACertificateFile /etc/ldap/ca_crt.pem\r
TLSCertificateFile /etc/ldap/ldap.mm-karton.com_crt.pem\r
TLSCertificateKeyFile /etc/ldap/ldap.mm-karton.com_key.pem\r
TLSCipherSuite HIGH:MEDIUM:+SSLv2\r
\r
\r
pidfile         /var/run/slapd/slapd.pid\r
argsfile        /var/run/slapd/slapd.args\r
\r
loglevel        0\r
\r
modulepath      /usr/lib/ldap\r
moduleload      back_bdb\r
moduleload      syncprov\r
\r
# The maximum number of entries that is returned for a search operation\r
sizelimit 500\r
\r
\r
\r
\r
#######################################################################\r
# Specific Backend Directives for bdb:\r
\r
backend         bdb\r
checkpoint 512 30\r
\r
\r
\r
#######################################################################\r
# main database\r
database       bdb\r
suffix         "dc=mm-karton,dc=com"\r
rootdn         "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"\r
\r
directory      "/var/lib/ldap"\r
dbconfig set_cachesize 0 33554432 0\r
lastmod         on\r
\r
\r
index objectClass eq\r
index   cn,uid,displayName eq,sub,pres\r
index   krb5PrincipalName eq\r
index associatedDomain pres,eq,sub\r
index entryUUID,default,entryCSN eq\r
\r
\r
# needed for syncrepl\r
overlay syncprov\r
syncprov-checkpoint 100 10\r
syncprov-sessionlog 100\r
\r
limits dn.exact="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited\r
\r
\r
\r
\r
\r
\r
#######################################################################\r
# sasl config\r
\r
sasl-secprops minssf=0\r
security simple_bind=64\r
\r
sasl-regexp\r
    uid=(.+),cn=.+,cn=auth\r
    ldap:///dc=mm-karton,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@MM-KARTON.COM))\r
sasl-regexp "=0" "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"\r
\r
\r
\r
\r
#######################################################################\r
# access control\r
\r
# needed for certain auth stuff\r
access to dn.base="" by * read\r
access to dn.base="cn=Subschema" by * read\r
\r
access to attrs=krb5PrincipalName\r
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
    by anonymous auth\r
\r
access to attrs=userPassword\r
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
    by anonymous auth\r
\r
\r
\r
# Kerberos attributes only accessible to root/ldapmaster and the superadmins\r
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName\r
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
    by * none\r
\r
\r
\r
# user info readable for nssproxy user\r
access to dn.subtree="ou=users,dc=mm-karton,dc=com"\r
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
    by dn="uid=nssproxy,dc=mm-karton,dc=com" read\r
access to dn.subtree="ou=groups,dc=mm-karton,dc=com"\r
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
    by dn="uid=nssproxy,dc=mm-karton,dc=com" read\r
access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid\r
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
    by dn="uid=nssproxy,dc=mm-karton,dc=com" read\r
\r
\r
\r
# all the rest\r
access to dn.subtree="dc=mm-karton,dc=com"\r
    by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
    by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
}}}\r
\r
/etc/default/slapd\r
{{{\r
# Default location of the slapd.conf file\r
SLAPD_CONF=\r
\r
# System account to run the slapd server under. If empty the server\r
# will run as root.\r
SLAPD_USER="openldap"\r
\r
# System group to run the slapd server under. If empty the server will\r
# run in the primary group of its user.\r
SLAPD_GROUP="openldap"\r
\r
# Path to the pid file of the slapd server. If not set the init.d script\r
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)\r
SLAPD_PIDFILE=\r
\r
# Configure if the slurpd daemon should be started. Possible values: \r
# - yes:   Always start slurpd\r
# - no:    Never start slurpd\r
# - auto:  Start slurpd if a replica option is found in slapd.conf (default)\r
SLURPD_START=auto\r
\r
# slapd normally serves ldap only on all TCP-ports 389. slapd can also\r
# service requests on TCP-port 636 (ldaps) and requests via unix\r
# sockets.\r
# Example usage:\r
SLAPD_SERVICES="ldap://10.128.4.36/ ldapi:///"\r
\r
# Additional options to pass to slapd and slurpd\r
SLAPD_OPTIONS=""\r
SLURPD_OPTIONS=""\r
\r
export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab"\r
\r
[ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi\r
}}}\r
\r
\r
\r
/etc/heimdal-kdc/kadmin.acl\r
{{{\r
lefant/admin@MM-KARTON.COM all\r
}}}\r
\r
/etc/heimdal-kdc/kdc.conf\r
{{{\r
[kdc]\r
   database = {\r
      realm = MM-KARTON.COM\r
      dbname = ldap:dc=mm-karton,dc=com\r
      mkey_file = /var/lib/heimdal-kdc/m-key\r
      acl_file = /etc/heimdal-kdc/kadmind.acl\r
   }\r
   addresses = 10.128.0.24\r
}}}\r
\r
{{{\r
$ sudo kadmin -l\r
init MY.REALM\r
add lefant/admin\r
}}}\r
\r
\r
\r
= config am host =\r
\r
/etc/libnss-ldap.conf\r
{{{\r
BASE    dc=mm-karton, dc=com\r
URI     ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/\r
\r
ldap_version 3\r
ssl start_tls\r
tls_cacertfile /etc/ssl/certs/mmagca_crt.pem\r
\r
binddn uid=nssproxy,dc=mm-karton,dc=com\r
bindpw XXXXXXXX\r
\r
scope sub\r
pam_filter objectClass=posixAccount\r
nss_base_passwd ou=users,dc=mm-karton,dc=com\r
nss_base_group ou=groups,dc=mm-karton,dc=com\r
\r
# Search timelimit\r
timelimit 10\r
\r
# Bind/connect timelimit\r
bind_timelimit 2\r
\r
pam_min_uid 10000\r
pam_max_uid 11000\r
\r
nss_reconnect_tries 1\r
nss_reconnect_sleeptime 1\r
nss_reconnect_maxsleeptime 2\r
nss_reconnect_maxconntries 3\r
nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope\r
}}}\r
\r
/etc/nsswitch.conf\r
{{{\r
passwd:         files ldap\r
group:          files ldap\r
shadow:         files\r
\r
hosts:          files dns\r
networks:       files\r
\r
protocols:      db files\r
services:       db files\r
ethers:         db files\r
rpc:            db files\r
\r
netgroup:       nis\r
}}}\r
\r
/etc/krb5.conf\r
{{{\r
[libdefaults]\r
   default_realm = MM-KARTON.COM\r
   dns_lookup_realm = yes\r
\r
[logging]\r
        default = SYSLOG:NOTICE:DAEMON\r
        kdc = FILE:/var/log/kdc.log\r
        kadmind = FILE:/var/log/kadmind.log\r
\r
[appdefaults]\r
        pam = {\r
                ticket_lifetime = 10h\r
                renew_lifetime = 10h\r
                forwardable = true\r
                proxiable = false\r
                retain_after_close = false\r
                minimum_uid = 0\r
                debug = false\r
        }\r
\r
[domain_realm]\r
   srv-pof-30.pof.mmk.mmdom.net = MM-KARTON.COM\r
\r
[realms]\r
   MMK.MMDOM.NET = {\r
      kdc = DC-VIE-50\r
      kpasswd_server = DC-VIE-50\r
      auth_to_local_names = {\r
         lefant = invaliduser\r
         unki = invaliduser\r
      }\r
   }\r
   MM-KARTON.COM = {\r
      admin_server = kerberos.mm-karton.com\r
      auth_to_local = RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET//\r
      auth_to_local = DEFAULT\r
   }\r
}}}\r
\r
\r
/etc/pam.d/common-account\r
{{{\r
account required        pam_access.so\r
account sufficient      pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000\r
account sufficient      pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000\r
account required        pam_unix.so\r
}}}\r
\r
/etc/pam.d/common-auth\r
{{{\r
auth    optional        pam_group.so\r
auth    sufficient      pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass\r
auth    sufficient      pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass\r
auth    required        pam_unix.so try_first_pass\r
}}}\r
\r
/etc/pam.d/common-session\r
{{{\r
session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel\r
session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000\r
session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000\r
session required        pam_unix.so\r
}}}\r
\r
\r
\r
restrict logins to certain users:\r
\r
/etc/security/access.conf\r
{{{\r
# first, to avoid delays when network is still unavailable\r
+:ALL:LOCAL\r
+:root:ALL\r
\r
# remote users and groups\r
+:bofh:ALL\r
\r
# deny everything else\r
-:ALL:ALL\r
}}}\r
\r
\r
\r
/etc/adduser.conf (snippet)\r
{{{\r
# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically\r
# allocated user accounts/groups.\r
FIRST_UID=1000\r
LAST_UID=19999\r
}}}\r
\r
\r
\r
\r
ldap client config (administration):\r
\r
/etc/ldap/ldap.conf\r
{{{\r
BASE    dc=mm-karton, dc=com\r
URI     ldap://ldap.mm-karton.com/\r
ssl start_tls\r
tls_cacert /etc/ssl/certs/ca_crt.pem\r
}}}\r
\r
ldapwhoami, ldapsearch\r
\r
\r
\r
sudo, nopasswd, weil solches haben wir ja nicht...\r
\r
/etc/sudoers\r
{{{\r
lefant ALL=(ALL) NOPASSWD:ALL\r
}}}\r
\r
\r
\r
= single sign on fuer applikationen (gssapi support, das grosse fragezeichen) =\r
\r
/etc/ssh/sshd_config (snippet)\r
{{{\r
GSSAPIAuthentication yes\r
GSSAPIKeyExchange yes\r
}}}\r
\r
/etc/ssh/ssh_config (snippet)\r
{{{\r
host *\r
    GSSAPIAuthentication yes\r
    GSSAPIDelegateCredentials yes\r
    GSSAPITrustDns yes\r
}}}\r
\r
\r
\r
firefox: out-of-the-box!\r
\r
apache: (apt-get install libapache2-mod-auth-kerb)\r
config snippet\r
{{{\r
   <Location />\r
      AuthType Kerberos\r
      AuthName "MM Login (use windows login *without* mm\ prefix)"\r
      KrbServiceName HTTP\r
      Krb5Keytab /etc/apache2/keytab\r
      KrbAuthRealms MMK.MMDOM.NET MM-KARTON.COM\r
      AuthGroupFile /etc/wwwusers\r
      Require group NocUsers\r
      Order deny,allow\r
      Deny from all\r
      Allow from noc.mm-karton.com\r
      Satisfy any\r
   </Location>\r
}}}\r
\r
\r
\r
= misc stuff =\r
 * tcpdump\r
 * strace\r
 * $HOME/.k5login