= central usermanagement = ...using ldap and kerberos = motivation = warum: * skaliert * sicherheit * komfort (single sign on) warum nicht: * fehlerquelle komplexitaet * gefahr single point of failure / break in -> infrastruktur! = theorie = recommended reading: * http://www.openinput.com/auth-howto/index.html * http://www.pdc.kth.se/heimdal/ * http://www.openldap.org/doc/admin23/ architektur: * trusted third party, der KDC. hat gemeinsames secret mit allen hosts/services/usern. "principals". generiert auf anfrage ticket mit zeit, ip, und welcher user zu welchem service. design decisions: * keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap. * kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal). * eigene ldap range fuer uid/groupid, root und systemuser bleiben lokal falls das netzwerk spinnt. = required software = zutaten am server: * heimdal kerberos (ldap), alternativen: mit, shishi * openldap, alternativ: mysql, postgresql * wohlgepflegtes dns und reverse-dns * schwer empfohlen: replikation und redundanz {{{ sudo aptitude install slapd heimdal-kdc }}} zutaten am host: * libnss-ldap * pam-krb5 * sasl mit gssapi provider * richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows) * kerberized client/serversoftware (zb. openssh, apache2) {{{ sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients }}} = vorbereitung: domain name service = config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;): aka "srv records rock! - for kerberos but not for ldap :(" config file /etc/krb5.conf auf allen hosts ident! was ist ein "canonical hostname"? zonefile mm-karton.com (snippet): {{{ $ORIGIN mm-karton.com. kerberos A 10.128.0.24 kerberos-1 A 10.128.0.25 ldap CNAME srv-vie-26.vie.mm-karton.com. ldap-1 CNAME srv-vie-27.vie.mm-karton.com. _kerberos TXT "MM-KARTON.COM" _kerberos-master._tcp SRV 10 1 88 kerberos _kerberos-master._udp SRV 10 1 88 kerberos _kpasswd._udp SRV 10 1 464 kerberos _kerberos-adm._tcp SRV 10 1 749 kerberos _kerberos._tcp SRV 10 1 88 kerberos _kerberos._udp SRV 10 1 88 kerberos _kerberos._tcp SRV 20 1 88 kerberos-1 _kerberos._udp SRV 20 1 88 kerberos-1 _ldap._tcp SRV 10 1 88 ldap _ldap._tcp SRV 20 1 88 ldap-1 }}} zonefile mm-karton.net (snippet), afaik heimdal specific: {{{ _kerberos TXT "MM-KARTON.COM" }}} = config am server = /etc/ldap/slapd.conf {{{ # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/hdb.schema TLSCACertificateFile /etc/ldap/ca_crt.pem TLSCertificateFile /etc/ldap/ldap.mm-karton.com_crt.pem TLSCertificateKeyFile /etc/ldap/ldap.mm-karton.com_key.pem TLSCipherSuite HIGH:MEDIUM:+SSLv2 pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 0 modulepath /usr/lib/ldap moduleload back_bdb moduleload syncprov # The maximum number of entries that is returned for a search operation sizelimit 500 ####################################################################### # Specific Backend Directives for bdb: backend bdb checkpoint 512 30 ####################################################################### # main database database bdb suffix "dc=mm-karton,dc=com" rootdn "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com" directory "/var/lib/ldap" dbconfig set_cachesize 0 33554432 0 lastmod on index objectClass eq index cn,uid,displayName eq,sub,pres index krb5PrincipalName eq index associatedDomain pres,eq,sub index entryUUID,default,entryCSN eq # needed for syncrepl overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 limits dn.exact="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited ####################################################################### # sasl config sasl-secprops minssf=0 security simple_bind=64 sasl-regexp uid=(.+),cn=.+,cn=auth ldap:///dc=mm-karton,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@MM-KARTON.COM)) sasl-regexp "=0" "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com" ####################################################################### # access control # needed for certain auth stuff access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=krb5PrincipalName by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by anonymous auth access to attrs=userPassword by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by anonymous auth # Kerberos attributes only accessible to root/ldapmaster and the superadmins access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by * none # user info readable for nssproxy user access to dn.subtree="ou=users,dc=mm-karton,dc=com" by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by dn="uid=nssproxy,dc=mm-karton,dc=com" read access to dn.subtree="ou=groups,dc=mm-karton,dc=com" by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by dn="uid=nssproxy,dc=mm-karton,dc=com" read access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by dn="uid=nssproxy,dc=mm-karton,dc=com" read # all the rest access to dn.subtree="dc=mm-karton,dc=com" by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read }}} /etc/default/slapd {{{ # Default location of the slapd.conf file SLAPD_CONF= # System account to run the slapd server under. If empty the server # will run as root. SLAPD_USER="openldap" # System group to run the slapd server under. If empty the server will # run in the primary group of its user. SLAPD_GROUP="openldap" # Path to the pid file of the slapd server. If not set the init.d script # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf) SLAPD_PIDFILE= # Configure if the slurpd daemon should be started. Possible values: # - yes: Always start slurpd # - no: Never start slurpd # - auto: Start slurpd if a replica option is found in slapd.conf (default) SLURPD_START=auto # slapd normally serves ldap only on all TCP-ports 389. slapd can also # service requests on TCP-port 636 (ldaps) and requests via unix # sockets. # Example usage: SLAPD_SERVICES="ldap://10.128.4.36/ ldapi:///" # Additional options to pass to slapd and slurpd SLAPD_OPTIONS="" SLURPD_OPTIONS="" export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab" [ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi }}} /etc/heimdal-kdc/kadmin.acl {{{ lefant/admin@MM-KARTON.COM all }}} /etc/heimdal-kdc/kdc.conf {{{ [kdc] database = { realm = MM-KARTON.COM dbname = ldap:dc=mm-karton,dc=com mkey_file = /var/lib/heimdal-kdc/m-key acl_file = /etc/heimdal-kdc/kadmind.acl } addresses = 10.128.0.24 }}} {{{ $ sudo kadmin -l init MY.REALM add lefant/admin }}} = config am host = /etc/libnss-ldap.conf {{{ BASE dc=mm-karton, dc=com URI ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/ ldap_version 3 ssl start_tls tls_cacertfile /etc/ssl/certs/mmagca_crt.pem binddn uid=nssproxy,dc=mm-karton,dc=com bindpw XXXXXXXX scope sub pam_filter objectClass=posixAccount nss_base_passwd ou=users,dc=mm-karton,dc=com nss_base_group ou=groups,dc=mm-karton,dc=com # Search timelimit timelimit 10 # Bind/connect timelimit bind_timelimit 2 pam_min_uid 10000 pam_max_uid 11000 nss_reconnect_tries 1 nss_reconnect_sleeptime 1 nss_reconnect_maxsleeptime 2 nss_reconnect_maxconntries 3 nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope }}} /etc/nsswitch.conf {{{ passwd: files ldap group: files ldap shadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis }}} /etc/krb5.conf {{{ [libdefaults] default_realm = MM-KARTON.COM dns_lookup_realm = yes [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 10h renew_lifetime = 10h forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } [domain_realm] srv-pof-30.pof.mmk.mmdom.net = MM-KARTON.COM [realms] MMK.MMDOM.NET = { kdc = DC-VIE-50 kpasswd_server = DC-VIE-50 auth_to_local_names = { lefant = invaliduser unki = invaliduser } } MM-KARTON.COM = { admin_server = kerberos.mm-karton.com auth_to_local = RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET// auth_to_local = DEFAULT } }}} /etc/pam.d/common-account {{{ account required pam_access.so account sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 account sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 account required pam_unix.so }}} /etc/pam.d/common-auth {{{ auth optional pam_group.so auth sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass auth sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass auth required pam_unix.so try_first_pass }}} /etc/pam.d/common-session {{{ session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 session required pam_unix.so }}} restrict logins to certain users: /etc/security/access.conf {{{ # first, to avoid delays when network is still unavailable +:ALL:LOCAL +:root:ALL # remote users and groups +:bofh:ALL # deny everything else -:ALL:ALL }}} /etc/adduser.conf (snippet) {{{ # FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically # allocated user accounts/groups. FIRST_UID=1000 LAST_UID=19999 }}} ldap client config (administration): /etc/ldap/ldap.conf {{{ BASE dc=mm-karton, dc=com URI ldap://ldap.mm-karton.com/ ssl start_tls tls_cacert /etc/ssl/certs/ca_crt.pem }}} ldapwhoami, ldapsearch sudo, nopasswd, weil solches haben wir ja nicht... /etc/sudoers {{{ lefant ALL=(ALL) NOPASSWD:ALL }}} = single sign on fuer applikationen (gssapi support, das grosse fragezeichen) = /etc/ssh/sshd_config (snippet) {{{ GSSAPIAuthentication yes GSSAPIKeyExchange yes }}} /etc/ssh/ssh_config (snippet) {{{ host * GSSAPIAuthentication yes GSSAPIDelegateCredentials yes GSSAPITrustDns yes }}} firefox: out-of-the-box! apache: (apt-get install libapache2-mod-auth-kerb) config snippet {{{ AuthType Kerberos AuthName "MM Login (use windows login *without* mm\ prefix)" KrbServiceName HTTP Krb5Keytab /etc/apache2/keytab KrbAuthRealms MMK.MMDOM.NET MM-KARTON.COM AuthGroupFile /etc/wwwusers Require group NocUsers Order deny,allow Deny from all Allow from noc.mm-karton.com Satisfy any }}} = misc stuff = * tcpdump * strace * $HOME/.k5login