+= central usermanagement =\r
+\r
+...using ldap and kerberos\r
+\r
+\r
+\r
+= motivation =\r
+\r
+warum:\r
+ * skaliert\r
+ * sicherheit\r
+ * komfort (single sign on)\r
+\r
+warum nicht:\r
+ * fehlerquelle komplexitaet\r
+ * gefahr single point of failure / break in\r
+\r
+-> infrastruktur!\r
+\r
+\r
+\r
+= theorie =\r
+\r
+recommended reading:\r
+ * http://www.openinput.com/auth-howto/index.html\r
+ * http://www.pdc.kth.se/heimdal/\r
+ * http://www.openldap.org/doc/admin23/\r
+\r
+architektur:\r
+ * trusted third party, der KDC. hat gemeinsames secret mit allen\r
+ hosts/services/usern. "principals". generiert auf anfrage ticket mit\r
+ zeit, ip, und welcher user zu welchem service.\r
+\r
+design decisions:\r
+ * keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap.\r
+ * kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal).\r
+ * eigene ldap range fuer uid/groupid, root und systemuser bleiben\r
+ lokal falls das netzwerk spinnt.\r
+\r
+\r
+\r
+= required software =\r
+\r
+zutaten am server:\r
+ * heimdal kerberos (ldap), alternativen: mit, shishi\r
+ * openldap, alternativ: mysql, postgresql\r
+ * wohlgepflegtes dns und reverse-dns\r
+ * schwer empfohlen: replikation und redundanz\r
+\r
+{{{\r
+sudo aptitude install slapd heimdal-kdc\r
+}}}\r
+\r
+\r
+zutaten am host:\r
+ * libnss-ldap\r
+ * pam-krb5\r
+ * sasl mit gssapi provider\r
+ * richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows)\r
+ * kerberized client/serversoftware (zb. openssh, apache2)\r
+\r
+{{{\r
+sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients\r
+}}}\r
+\r
+\r
+\r
+= vorbereitung: domain name service =\r
+\r
+config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;):\r
+\r
+aka "srv records rock! - for kerberos but not for ldap :("\r
+\r
+config file /etc/krb5.conf auf allen hosts ident!\r
+\r
+was ist ein "canonical hostname"?\r
+\r
+zonefile mm-karton.com (snippet):\r
+{{{\r
+$ORIGIN mm-karton.com.\r
+kerberos A 10.128.0.24\r
+kerberos-1 A 10.128.0.25\r
+ldap CNAME srv-vie-26.vie.mm-karton.com.\r
+ldap-1 CNAME srv-vie-27.vie.mm-karton.com.\r
+\r
+_kerberos TXT "MM-KARTON.COM"\r
+_kerberos-master._tcp SRV 10 1 88 kerberos\r
+_kerberos-master._udp SRV 10 1 88 kerberos\r
+_kpasswd._udp SRV 10 1 464 kerberos\r
+_kerberos-adm._tcp SRV 10 1 749 kerberos\r
+_kerberos._tcp SRV 10 1 88 kerberos\r
+_kerberos._udp SRV 10 1 88 kerberos\r
+_kerberos._tcp SRV 20 1 88 kerberos-1\r
+_kerberos._udp SRV 20 1 88 kerberos-1\r
+\r
+_ldap._tcp SRV 10 1 88 ldap\r
+_ldap._tcp SRV 20 1 88 ldap-1\r
+}}}\r
+\r
+zonefile mm-karton.net (snippet), afaik heimdal specific:\r
+{{{\r
+_kerberos TXT "MM-KARTON.COM"\r
+}}}\r
+\r
+\r
+\r
+= config am server =\r
+\r
+/etc/ldap/slapd.conf\r
+\r
+{{{\r
+# This is the main slapd configuration file. See slapd.conf(5) for more\r
+# info on the configuration options.\r
+\r
+#######################################################################\r
+# Global Directives:\r
+\r
+include /etc/ldap/schema/core.schema\r
+include /etc/ldap/schema/cosine.schema\r
+include /etc/ldap/schema/nis.schema\r
+include /etc/ldap/schema/inetorgperson.schema\r
+\r
+include /etc/ldap/schema/hdb.schema\r
+\r
+\r
+TLSCACertificateFile /etc/ldap/ca_crt.pem\r
+TLSCertificateFile /etc/ldap/ldap.mm-karton.com_crt.pem\r
+TLSCertificateKeyFile /etc/ldap/ldap.mm-karton.com_key.pem\r
+TLSCipherSuite HIGH:MEDIUM:+SSLv2\r
+\r
+\r
+pidfile /var/run/slapd/slapd.pid\r
+argsfile /var/run/slapd/slapd.args\r
+\r
+loglevel 0\r
+\r
+modulepath /usr/lib/ldap\r
+moduleload back_bdb\r
+moduleload syncprov\r
+\r
+# The maximum number of entries that is returned for a search operation\r
+sizelimit 500\r
+\r
+\r
+\r
+\r
+#######################################################################\r
+# Specific Backend Directives for bdb:\r
+\r
+backend bdb\r
+checkpoint 512 30\r
+\r
+\r
+\r
+#######################################################################\r
+# main database\r
+database bdb\r
+suffix "dc=mm-karton,dc=com"\r
+rootdn "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"\r
+\r
+directory "/var/lib/ldap"\r
+dbconfig set_cachesize 0 33554432 0\r
+lastmod on\r
+\r
+\r
+index objectClass eq\r
+index cn,uid,displayName eq,sub,pres\r
+index krb5PrincipalName eq\r
+index associatedDomain pres,eq,sub\r
+index entryUUID,default,entryCSN eq\r
+\r
+\r
+# needed for syncrepl\r
+overlay syncprov\r
+syncprov-checkpoint 100 10\r
+syncprov-sessionlog 100\r
+\r
+limits dn.exact="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited\r
+\r
+\r
+\r
+\r
+\r
+\r
+#######################################################################\r
+# sasl config\r
+\r
+sasl-secprops minssf=0\r
+security simple_bind=64\r
+\r
+sasl-regexp\r
+ uid=(.+),cn=.+,cn=auth\r
+ ldap:///dc=mm-karton,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@MM-KARTON.COM))\r
+sasl-regexp "=0" "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"\r
+\r
+\r
+\r
+\r
+#######################################################################\r
+# access control\r
+\r
+# needed for certain auth stuff\r
+access to dn.base="" by * read\r
+access to dn.base="cn=Subschema" by * read\r
+\r
+access to attrs=krb5PrincipalName\r
+ by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
+ by anonymous auth\r
+\r
+access to attrs=userPassword\r
+ by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
+ by anonymous auth\r
+\r
+\r
+\r
+# Kerberos attributes only accessible to root/ldapmaster and the superadmins\r
+access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName\r
+ by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
+ by * none\r
+\r
+\r
+\r
+# user info readable for nssproxy user\r
+access to dn.subtree="ou=users,dc=mm-karton,dc=com"\r
+ by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
+ by dn="uid=nssproxy,dc=mm-karton,dc=com" read\r
+access to dn.subtree="ou=groups,dc=mm-karton,dc=com"\r
+ by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
+ by dn="uid=nssproxy,dc=mm-karton,dc=com" read\r
+access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid\r
+ by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
+ by dn="uid=nssproxy,dc=mm-karton,dc=com" read\r
+\r
+\r
+\r
+# all the rest\r
+access to dn.subtree="dc=mm-karton,dc=com"\r
+ by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write\r
+ by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read\r
+}}}\r
+\r
+/etc/default/slapd\r
+{{{\r
+# Default location of the slapd.conf file\r
+SLAPD_CONF=\r
+\r
+# System account to run the slapd server under. If empty the server\r
+# will run as root.\r
+SLAPD_USER="openldap"\r
+\r
+# System group to run the slapd server under. If empty the server will\r
+# run in the primary group of its user.\r
+SLAPD_GROUP="openldap"\r
+\r
+# Path to the pid file of the slapd server. If not set the init.d script\r
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)\r
+SLAPD_PIDFILE=\r
+\r
+# Configure if the slurpd daemon should be started. Possible values: \r
+# - yes: Always start slurpd\r
+# - no: Never start slurpd\r
+# - auto: Start slurpd if a replica option is found in slapd.conf (default)\r
+SLURPD_START=auto\r
+\r
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also\r
+# service requests on TCP-port 636 (ldaps) and requests via unix\r
+# sockets.\r
+# Example usage:\r
+SLAPD_SERVICES="ldap://10.128.4.36/ ldapi:///"\r
+\r
+# Additional options to pass to slapd and slurpd\r
+SLAPD_OPTIONS=""\r
+SLURPD_OPTIONS=""\r
+\r
+export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab"\r
+\r
+[ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi\r
+}}}\r
+\r
+\r
+\r
+/etc/heimdal-kdc/kadmin.acl\r
+{{{\r
+lefant/admin@MM-KARTON.COM all\r
+}}}\r
+\r
+/etc/heimdal-kdc/kdc.conf\r
+{{{\r
+[kdc]\r
+ database = {\r
+ realm = MM-KARTON.COM\r
+ dbname = ldap:dc=mm-karton,dc=com\r
+ mkey_file = /var/lib/heimdal-kdc/m-key\r
+ acl_file = /etc/heimdal-kdc/kadmind.acl\r
+ }\r
+ addresses = 10.128.0.24\r
+}}}\r
+\r
+{{{\r
+$ sudo kadmin -l\r
+init MY.REALM\r
+add lefant/admin\r
+}}}\r
+\r
+\r
+\r
+= config am host =\r
+\r
+/etc/libnss-ldap.conf\r
+{{{\r
+BASE dc=mm-karton, dc=com\r
+URI ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/\r
+\r
+ldap_version 3\r
+ssl start_tls\r
+tls_cacertfile /etc/ssl/certs/mmagca_crt.pem\r
+\r
+binddn uid=nssproxy,dc=mm-karton,dc=com\r
+bindpw XXXXXXXX\r
+\r
+scope sub\r
+pam_filter objectClass=posixAccount\r
+nss_base_passwd ou=users,dc=mm-karton,dc=com\r
+nss_base_group ou=groups,dc=mm-karton,dc=com\r
+\r
+# Search timelimit\r
+timelimit 10\r
+\r
+# Bind/connect timelimit\r
+bind_timelimit 2\r
+\r
+pam_min_uid 10000\r
+pam_max_uid 11000\r
+\r
+nss_reconnect_tries 1\r
+nss_reconnect_sleeptime 1\r
+nss_reconnect_maxsleeptime 2\r
+nss_reconnect_maxconntries 3\r
+nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope\r
+}}}\r
+\r
+/etc/nsswitch.conf\r
+{{{\r
+passwd: files ldap\r
+group: files ldap\r
+shadow: files\r
+\r
+hosts: files dns\r
+networks: files\r
+\r
+protocols: db files\r
+services: db files\r
+ethers: db files\r
+rpc: db files\r
+\r
+netgroup: nis\r
+}}}\r
+\r
+/etc/krb5.conf\r
+{{{\r
+[libdefaults]\r
+ default_realm = MM-KARTON.COM\r
+ dns_lookup_realm = yes\r
+\r
+[logging]\r
+ default = SYSLOG:NOTICE:DAEMON\r
+ kdc = FILE:/var/log/kdc.log\r
+ kadmind = FILE:/var/log/kadmind.log\r
+\r
+[appdefaults]\r
+ pam = {\r
+ ticket_lifetime = 10h\r
+ renew_lifetime = 10h\r
+ forwardable = true\r
+ proxiable = false\r
+ retain_after_close = false\r
+ minimum_uid = 0\r
+ debug = false\r
+ }\r
+\r
+[domain_realm]\r
+ srv-pof-30.pof.mmk.mmdom.net = MM-KARTON.COM\r
+\r
+[realms]\r
+ MMK.MMDOM.NET = {\r
+ kdc = DC-VIE-50\r
+ kpasswd_server = DC-VIE-50\r
+ auth_to_local_names = {\r
+ lefant = invaliduser\r
+ unki = invaliduser\r
+ }\r
+ }\r
+ MM-KARTON.COM = {\r
+ admin_server = kerberos.mm-karton.com\r
+ auth_to_local = RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET//\r
+ auth_to_local = DEFAULT\r
+ }\r
+}}}\r
+\r
+\r
+/etc/pam.d/common-account\r
+{{{\r
+account required pam_access.so\r
+account sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000\r
+account sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000\r
+account required pam_unix.so\r
+}}}\r
+\r
+/etc/pam.d/common-auth\r
+{{{\r
+auth optional pam_group.so\r
+auth sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass\r
+auth sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass\r
+auth required pam_unix.so try_first_pass\r
+}}}\r
+\r
+/etc/pam.d/common-session\r
+{{{\r
+session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel\r
+session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000\r
+session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000\r
+session required pam_unix.so\r
+}}}\r
+\r
+\r
+\r
+restrict logins to certain users:\r
+\r
+/etc/security/access.conf\r
+{{{\r
+# first, to avoid delays when network is still unavailable\r
++:ALL:LOCAL\r
++:root:ALL\r
+\r
+# remote users and groups\r
++:bofh:ALL\r
+\r
+# deny everything else\r
+-:ALL:ALL\r
+}}}\r
+\r
+\r
+\r
+/etc/adduser.conf (snippet)\r
+{{{\r
+# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically\r
+# allocated user accounts/groups.\r
+FIRST_UID=1000\r
+LAST_UID=19999\r
+}}}\r
+\r
+\r
+\r
+\r
+ldap client config (administration):\r
+\r
+/etc/ldap/ldap.conf\r
+{{{\r
+BASE dc=mm-karton, dc=com\r
+URI ldap://ldap.mm-karton.com/\r
+ssl start_tls\r
+tls_cacert /etc/ssl/certs/ca_crt.pem\r
+}}}\r
+\r
+ldapwhoami, ldapsearch\r
+\r
+\r
+\r
+sudo, nopasswd, weil solches haben wir ja nicht...\r
+\r
+/etc/sudoers\r
+{{{\r
+lefant ALL=(ALL) NOPASSWD:ALL\r
+}}}\r
+\r
+\r
+\r
+= single sign on fuer applikationen (gssapi support, das grosse fragezeichen) =\r
+\r
+/etc/ssh/sshd_config (snippet)\r
+{{{\r
+GSSAPIAuthentication yes\r
+GSSAPIKeyExchange yes\r
+}}}\r
+\r
+/etc/ssh/ssh_config (snippet)\r
+{{{\r
+host *\r
+ GSSAPIAuthentication yes\r
+ GSSAPIDelegateCredentials yes\r
+ GSSAPITrustDns yes\r
+}}}\r
+\r
+\r
+\r
+firefox: out-of-the-box!\r
+\r
+apache: (apt-get install libapache2-mod-auth-kerb)\r
+config snippet\r
+{{{\r
+ <Location />\r
+ AuthType Kerberos\r
+ AuthName "MM Login (use windows login *without* mm\ prefix)"\r
+ KrbServiceName HTTP\r
+ Krb5Keytab /etc/apache2/keytab\r
+ KrbAuthRealms MMK.MMDOM.NET MM-KARTON.COM\r
+ AuthGroupFile /etc/wwwusers\r
+ Require group NocUsers\r
+ Order deny,allow\r
+ Deny from all\r
+ Allow from noc.mm-karton.com\r
+ Satisfy any\r
+ </Location>\r
+}}}\r
+\r
+\r
+\r
+= misc stuff =\r
+ * tcpdump\r
+ * strace\r
+ * $HOME/.k5login
\ No newline at end of file
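Review bot: In the slapd.conf listing, the second `sasl-regexp` maps the two-character pattern `"=0"` to the rootdn `cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com`, and as rendered here that pattern appears to match any SASL identity containing `=0`, not just local root over `ldapi:///`. The pattern should be the complete, anchored `…,cn=peercred,cn=external,cn=auth` DN that `ldapwhoami` reports for root on the ldapi socket; if the wiki markup swallowed part of the original pattern, the listing needs to be corrected. The same listing sets `sasl-secprops minssf=0` and `TLSCipherSuite HIGH:MEDIUM:+SSLv2`, which place no minimum strength on SASL binds and only move SSLv2 suites to the end of the list instead of excluding them, so a non-zero `minssf` and a cipher string without `MEDIUM` or SSLv2 would better fit the page's stated "sicherheit" goal. Two entries look like typos that would break the setup as written: both `_ldap._tcp` SRV records use port 88 (the Kerberos port) rather than the LDAP port, and kdc.conf's `acl_file = /etc/heimdal-kdc/kadmind.acl` does not match the `/etc/heimdal-kdc/kadmin.acl` file shown just above it. The uid thresholds also disagree (`pam_min_uid 10000` and `pam_max_uid 11000` in libnss-ldap.conf, `minimum_uid=20000` in the PAM stacks, `minimum_uid = 0` in krb5.conf), so a one-line comment stating the intended directory uid range would let readers check that root and system accounts really stay local.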