1 = central usermanagement =
\r
3 ...using ldap and kerberos
\r
12 * komfort (single sign on)
\r
15 * fehlerquelle komplexitaet
\r
16 * gefahr single point of failure / break in: faellt KDC oder LDAP aus, loggt sich niemand mehr ein (daher root und systemuser lokal, siehe unten); wer in den KDC oder in die krb5Key-attribute im LDAP einbricht, hat auf einen schlag alle user-, host- und service-accounts.
\r
24 recommended reading:
\r
25 * http://www.openinput.com/auth-howto/index.html
\r
26 * http://www.pdc.kth.se/heimdal/
\r
27 * http://www.openldap.org/doc/admin23/
\r
30 * trusted third party, der KDC. hat gemeinsames secret mit allen
\r
31 hosts/services/usern. "principals". generiert auf anfrage ticket mit
\r
32 zeit, ip, und welcher user zu welchem service.
\r
35 * keine passwoerter im ldap, alles via kerberos; rueckwaertskompatibilitaet fuer nicht-kerberisierte logins via pam_krb5 (passwort wird gegen den KDC geprueft), nicht via sasl-passthrough oder pam_ldap (die braeuchten wieder userPassword im ldap).
\r
36 * kerberos datenbank im ldap, keine separate replikation noetig (nur mit heimdal). achtung: damit liegen die langzeit-keys (krb5Key) im ldap -- die ACLs in slapd.conf muessen sie strikt auf KDC und superadmins beschraenken, und die syncrepl-replikation muss verschluesselt laufen (TLS oder sasl security layer), sonst wandern die keys im klartext ueber das netz.
\r
37 * eigene ldap range fuer uid/groupid, root und systemuser bleiben
\r
38 lokal falls das netzwerk spinnt.
\r
42 = required software =
\r
45 * heimdal kerberos (ldap), alternativen: mit, shishi
\r
46 * openldap, alternativ: mysql, postgresql
\r
47 * wohlgepflegtes dns und reverse-dns
\r
48 * schwer empfohlen: replikation und redundanz
\r
51 sudo aptitude install slapd heimdal-kdc
\r
58 * sasl mit gssapi provider
\r
59 * richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows). kerberos verwirft tickets/authenticators, deren zeitstempel ausserhalb der erlaubten clock skew liegt (default 5 minuten) -- KDC, server und clients brauchen also dieselbe zeitquelle.
\r
60 * kerberized client/serversoftware (zb. openssh, apache2)
\r
63 sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients
\r
68 = vorbereitung: domain name service =
\r
70 config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;):
\r
72 aka "srv records rock! - for kerberos but not for ldap :(" -- die kerberos-clients finden KDC, kpasswd und kadmin ueber die SRV records unten; die ldap-clients hier (libnss-ldap.conf, ldap.conf) bekommen stattdessen eine explizite URI-liste in derselben reihenfolge.
\r
74 config file /etc/krb5.conf auf allen hosts ident!
\r
76 was ist ein "canonical hostname"? der A-record-name, auf den ein CNAME aufgeloest wird (ldap-1 -> srv-vie-27.vie.mm-karton.com). kerberos-clients kanonisieren den hostnamen via DNS (und default auch reverse-DNS) und verlangen dann den service principal fuer diesen namen, also ldap/srv-vie-27.vie.mm-karton.com (siehe ACLs in slapd.conf) und nicht ldap/ldap.mm-karton.com; stimmt reverse-dns nicht, schlaegt gssapi fehl.
\r
78 zonefile mm-karton.com (snippet):
\r
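$ORIGIN mm-karton.com.
; KDCs: master (kerberos) and replica (kerberos-1); kdc.conf binds to 10.128.0.24
kerberos A 10.128.0.24
kerberos-1 A 10.128.0.25
; the LDAP names are CNAMEs; the A-record name they point to is the canonical
; hostname, which is what the ldap/<host> GSSAPI service principal must use
ldap CNAME srv-vie-26.vie.mm-karton.com.
ldap-1 CNAME srv-vie-27.vie.mm-karton.com.

; realm hint for clients with dns_lookup_realm = yes; DNS is unauthenticated,
; so this is a convenience only -- krb5.conf should carry the mapping as well
_kerberos TXT "MM-KARTON.COM"
_kerberos-master._tcp SRV 10 1 88 kerberos
_kerberos-master._udp SRV 10 1 88 kerberos
_kpasswd._udp SRV 10 1 464 kerberos
_kerberos-adm._tcp SRV 10 1 749 kerberos
_kerberos._tcp SRV 10 1 88 kerberos
_kerberos._udp SRV 10 1 88 kerberos
_kerberos._tcp SRV 20 1 88 kerberos-1
_kerberos._udp SRV 20 1 88 kerberos-1

; LDAP listens on 389, not on the Kerberos port 88 the original snippet had here
_ldap._tcp SRV 10 1 389 ldap
_ldap._tcp SRV 20 1 389 ldap-1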
\r
100 zonefile mm-karton.net (snippet), realm-lookup ueber den _kerberos TXT record (heimdal und MIT koennen das, gesteuert durch dns_lookup_realm; da DNS nicht authentisiert ist, sollte domain_realm in krb5.conf die zuordnung zusaetzlich festschreiben):
\r
102 _kerberos TXT "MM-KARTON.COM"
\r
107 = config am server =
\r
109 /etc/ldap/slapd.conf
\r
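# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Heimdal hdb schema: the KDC database (krb5Key & co.) lives in this directory,
# see the ACLs below that fence those attributes off
include /etc/ldap/schema/hdb.schema

TLSCACertificateFile /etc/ldap/ca_crt.pem
TLSCertificateFile /etc/ldap/ldap.mm-karton.com_crt.pem
# private key: readable by the slapd user only
TLSCertificateKeyFile /etc/ldap/ldap.mm-karton.com_key.pem
# Was "HIGH:MEDIUM:+SSLv2": "+SSLv2" only moves the SSLv2 suites to the end of
# the preference list, it does not remove them, and MEDIUM admits legacy
# 128-bit suites such as RC4. Strong suites only, no anonymous/null ones.
# NOTE(review): TLSCipherSuite selects ciphers, not protocol versions -- if this
# OpenLDAP build knows TLSProtocolMin, set it too.
TLSCipherSuite HIGH:!SSLv2:!aNULL:!eNULL

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

modulepath /usr/lib/ldap
moduleload back_bdb
# this server is the syncrepl provider; consumers replicate the krb5Key
# attributes as well, so the replication session must run with a security
# layer (TLS or SASL/GSSAPI with confidentiality), never in clear
moduleload syncprov

# The maximum number of entries that is returned for a search operation

#######################################################################
# Specific Backend Directives for bdb:

#######################################################################

suffix "dc=mm-karton,dc=com"
# the rootdn bypasses every ACL below. NOTE(review): no rootpw directive is
# visible in this snippet -- keep it that way, so the rootdn is reachable only
# through the SASL identity mapping further down, never by simple bind
rootdn "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"

directory "/var/lib/ldap"
dbconfig set_cachesize 0 33554432 0

index objectClass eq
index cn,uid,displayName eq,sub,pres
index krb5PrincipalName eq
index associatedDomain pres,eq,sub
# NOTE(review): "default" inside an attribute list looks like a paste error;
# slapd.conf(5) expects "index default eq" on a line of its own -- verify
index entryUUID,default,entryCSN eq

# needed for syncrepl
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# the replica's KDC/ldap principal may run unbounded searches (syncrepl refresh)
limits dn.exact="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

#######################################################################

# minssf=0 lets a SASL (GSSAPI) bind proceed without an integrity or
# confidentiality layer. NOTE(review): raise it (e.g. minssf=56) once every
# GSSAPI client negotiates a layer, otherwise the KDC/syncrepl sessions that
# read krb5Key may run in clear.
sasl-secprops minssf=0
# simple binds (e.g. nssproxy with a password) are refused unless the
# connection already has SSF >= 64: StartTLS with a strong cipher, or ldapi
# (local SSF defaults to 71)
security simple_bind=64

# map SASL identities to entries by uid or by Kerberos principal name.
# NOTE(review): the sasl-regexp keyword in front of this pattern is not part of
# the snippet; also "cn=.+" matches any mechanism -- use cn=gssapi,cn=auth if
# only Kerberos identities are meant to map.
uid=(.+),cn=.+,cn=auth
ldap:///dc=mm-karton,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@MM-KARTON.COM))
# NOTE(review): the match pattern on this line is truncated in the page; it
# presumably matches the root peer credential on ldapi (gidNumber=0+uidNumber=0,
# cn=peercred,cn=external,cn=auth) and maps it to the rootdn. Verify against the
# real file: whatever matches here gets unrestricted rootdn rights.
sasl-regexp "=0" "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com"

#######################################################################
# ACLs are evaluated in order; the first "access to" clause whose target
# matches decides. The attribute clauses for Kerberos material therefore have
# to stay ABOVE the subtree clauses that grant nssproxy read access, or the
# proxy account would see krb5Key. Anything not granted defaults to none.

# needed for certain auth stuff
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

access to attrs=krb5PrincipalName
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read

# userPassword is meant to stay empty (everything authenticates via Kerberos);
# it is locked down anyway so nobody can plant a password that a simple bind
# would then accept
access to attrs=userPassword
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read

# Kerberos attributes only accessible to root/ldapmaster and the superadmins.
# krb5Key holds the long-term keys of every user, host and service principal:
# read access here is equivalent to owning the whole realm.
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read

# user info readable for nssproxy user (posix attributes only -- the Kerberos
# attributes were already claimed by the clauses above)
access to dn.subtree="ou=users,dc=mm-karton,dc=com"
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
by dn="uid=nssproxy,dc=mm-karton,dc=com" read
access to dn.subtree="ou=groups,dc=mm-karton,dc=com"
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
by dn="uid=nssproxy,dc=mm-karton,dc=com" read
# only reached for entries outside ou=users / ou=groups (those matched above)
access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
by dn="uid=nssproxy,dc=mm-karton,dc=com" read

# catch-all for the rest of the tree; everyone else (incl. nssproxy) gets none
access to dn.subtree="dc=mm-karton,dc=com"
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read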
\r
# Default location of the slapd.conf file

# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"

# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"

# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)

# Configure if the slurpd daemon should be started. Possible values:
# - yes: Always start slurpd
# - no: Never start slurpd
# - auto: Start slurpd if a replica option is found in slapd.conf (default)

# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# Listen on a single interface plus the local ldapi socket. There is no
# ldaps:// listener, so confidentiality for remote clients rests on StartTLS
# (slapd.conf enforces it for simple binds via "security simple_bind=64").
SLAPD_SERVICES="ldap://10.128.4.36/ ldapi:///"

# Additional options to pass to slapd and slurpd

# Keytab with the ldap/<canonical host> key slapd presents as GSSAPI acceptor;
# it must be owned by $SLAPD_USER and not readable by anyone else.
export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab"

# Debian creates the socket under /var/run/slapd/; the symlink presumably keeps
# clients that expect /var/run/ldapi working (ldapi:/// without a path)
[ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi
\r
295 /etc/heimdal-kdc/kadmind.acl (der dateiname muss exakt dem acl_file-eintrag in kdc.conf unten entsprechen, sonst wird diese ACL nicht gelesen)
\r
# the only principal allowed to talk to kadmind; "all" includes key extraction,
# so keep this list to dedicated /admin instances and nothing else
lefant/admin@MM-KARTON.COM all
\r
300 /etc/heimdal-kdc/kdc.conf
\r
realm = MM-KARTON.COM
# principals are stored in the directory (hdb.schema in slapd.conf); the KDC
# presumably reaches it over ldapi and is mapped to the rootdn there
dbname = ldap:dc=mm-karton,dc=com
# master key protecting the principal keys in the database: root-only (0600),
# backed up offline -- losing it loses the realm, leaking it leaks every key
mkey_file = /var/lib/heimdal-kdc/m-key
# NOTE(review): the page heading names the ACL file kadmin.acl; this path and
# the real file name must agree, otherwise the intended ACL is not applied
acl_file = /etc/heimdal-kdc/kadmind.acl

# bind only to the address behind the "kerberos" A record
addresses = 10.128.0.24
\r
322 /etc/libnss-ldap.conf
\r
BASE dc=mm-karton, dc=com
# explicit failover list in the same order as the DNS SRV priorities
# (no SRV lookup is used here)
URI ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/

# CA used to verify the server certificate. NOTE(review): this only matters
# together with "ssl start_tls" and "tls_checkpeer yes", neither of which is
# part of the snippet -- confirm both; slapd refuses the simple bind below
# without TLS anyway (security simple_bind=64).
tls_cacertfile /etc/ssl/certs/mmagca_crt.pem

# read-only proxy account. If its bindpw is set in this file (lines not shown),
# every local user can read it, because NSS runs inside every process. That is
# tolerable only because the slapd ACLs grant nssproxy read on posix attributes
# and nothing else -- never reuse this password or widen that ACL.
binddn uid=nssproxy,dc=mm-karton,dc=com

pam_filter objectClass=posixAccount
nss_base_passwd ou=users,dc=mm-karton,dc=com
nss_base_group ou=groups,dc=mm-karton,dc=com

# Bind/connect timelimit

# fail fast when the directory is unreachable, so local logins (root, system
# users) are not stuck behind long LDAP retries
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 3
# never ask LDAP for the groups of local system users (avoids hangs at boot or
# with the network down)
nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope
\r
364 protocols: db files
\r
# [libdefaults] -- section headers are not part of this snippet
default_realm = MM-KARTON.COM
# realm may be taken from the _kerberos TXT record; DNS is unauthenticated,
# so the explicit domain_realm entries below remain the authoritative binding
dns_lookup_realm = yes

# [logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log

# renew_lifetime equal to ticket_lifetime means renewal buys nothing;
# presumably fine here (short-lived tickets), otherwise raise renew_lifetime
ticket_lifetime = 10h
renew_lifetime = 10h

# pam_krb5 appdefault: drop the credential cache when the session closes
retain_after_close = false

# [domain_realm]: this host lives under the AD DNS domain but its host
# principal belongs to MM-KARTON.COM
srv-pof-30.pof.mmk.mmdom.net = MM-KARTON.COM

# [realms] -- presumably the entry for the AD realm MMK.MMDOM.NET
kpasswd_server = DC-VIE-50
# pin single principal names to a local account; mapping lefant to a
# non-existent user presumably keeps an AD "lefant" from becoming the local
# admin user through the strip-realm rule below -- TODO confirm intent
auth_to_local_names = {
lefant = invaliduser

# entry for MM-KARTON.COM
admin_server = kerberos.mm-karton.com
# every principal of the AD realm maps to the local user of the same name,
# i.e. each AD account owner gets the unix account with that name (only the
# auth_to_local_names pins above are exempt)
auth_to_local = RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET//
auth_to_local = DEFAULT
\r
414 /etc/pam.d/common-account
\r
# evaluated first: /etc/security/access.conf decides who may log in at all
account required pam_access.so
# "sufficient": once Kerberos accepts the account, pam_unix below is skipped
# for that user. minimum_uid=20000 keeps root and local system users (below
# the LDAP uid range) away from Kerberos, so they still work when network or
# KDC are down. The AD realm is tried first, then the local one.
account sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000
account sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000
# local fallback for everything Kerberos did not accept
account required pam_unix.so
\r
422 /etc/pam.d/common-auth
\r
# optional extra group memberships from /etc/security/group.conf
auth optional pam_group.so
# Kerberos password check against the AD realm first, then the local realm;
# try_first_pass reuses the password already entered so the user is not asked
# twice. The resulting TGT is forwardable (used by GSSAPIDelegateCredentials in
# ssh_config). minimum_uid=20000 exempts root and local system users.
auth sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass
auth sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass
# local /etc/shadow fallback (root, system users, anything below minimum_uid)
auth required pam_unix.so try_first_pass
\r
430 /etc/pam.d/common-session
\r
# creates the home directory on first login. umask=0022 makes new homes
# world-readable -- NOTE(review): use umask=0077 unless shared homes are
# intended.
session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel
# pam_krb5 sets up the credential cache for the login session (AD realm first,
# then local); retain_after_close=false in krb5.conf removes it at logout
session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000
session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000
session required pam_unix.so
\r
440 restrict logins to certain users:
\r
442 /etc/security/access.conf
\r
444 # first, to avoid delays when network is still unavailable
\r
448 # remote users and groups
\r
451 # deny everything else
\r
457 /etc/adduser.conf (snippet)
\r
459 # FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
\r
460 # allocated user accounts/groups.
\r
468 ldap client config (administration):
\r
470 /etc/ldap/ldap.conf
\r
BASE dc=mm-karton, dc=com
URI ldap://ldap.mm-karton.com/

# CA for StartTLS. With the default TLS_REQCERT=demand a wrong CA path makes
# the connection fail rather than skip verification.
# NOTE(review): libnss-ldap.conf points at /etc/ssl/certs/mmagca_crt.pem --
# same CA under two names, or one of the two paths is stale? Verify.
tls_cacert /etc/ssl/certs/ca_crt.pem
\r
478 ldapwhoami, ldapsearch
\r
482 sudo, nopasswd, weil solches haben wir ja nicht...
\r
# passwordless root for lefant on every host carrying this sudoers. The Kerberos
# ticket is then the only credential: whoever holds a forwarded TGT for lefant
# (GSSAPIDelegateCredentials yes in ssh_config hands one to every server) is
# root on all of them. NOTE(review): limit NOPASSWD to a command list, or drop it.
lefant ALL=(ALL) NOPASSWD:ALL
\r
491 = single sign on fuer applikationen (gssapi support, das grosse fragezeichen) =
\r
493 /etc/ssh/sshd_config (snippet)
\r
# accept Kerberos tickets for user authentication; needs the host/<canonical
# fqdn> key in the host keytab
GSSAPIAuthentication yes
# GSSAPI key exchange also authenticates the server with its Kerberos key, so
# clients need no trust-on-first-use of the ssh host key. This directive comes
# from the gssapi-keyex patch (present in Debian's openssh) and is rejected by
# an unpatched upstream sshd.
GSSAPIKeyExchange yes
\r
499 /etc/ssh/ssh_config (snippet)
\r
GSSAPIAuthentication yes
# forwards the user's TGT to EVERY host connected to: a compromised server then
# holds a usable TGT and, on hosts with the NOPASSWD sudoers rule, root.
# NOTE(review): restrict delegation to trusted hosts, e.g. move these two lines
# into a "Host *.vie.mm-karton.com" stanza and leave the global default off.
GSSAPIDelegateCredentials yes
\r
509 firefox: SPNEGO ist eingebaut, aber in about:config muss network.negotiate-auth.trusted-uris auf die eigene domain (mm-karton.com) gesetzt werden, sonst schickt firefox keine tickets an die webserver; network.negotiate-auth.delegation-uris nur setzen, wenn der server wirklich tickets weiterreichen soll.
\r
511 apache: (apt-get install libapache2-mod-auth-kerb)
\r
AuthName "MM Login (use windows login *without* mm\ prefix)"
KrbServiceName HTTP
# keytab with the HTTP/<canonical fqdn> key; readable by the apache user only
Krb5Keytab /etc/apache2/keytab
KrbAuthRealms MMK.MMDOM.NET MM-KARTON.COM
# NOTE(review): mod_auth_kerb's KrbMethodK5Passwd defaults to on, i.e. a browser
# without a ticket falls back to Basic auth and sends the Kerberos password in
# clear unless the vhost is HTTPS-only -- set "KrbMethodK5Passwd off" or force TLS.
# NOTE(review): the authenticated name is user@REALM unless KrbLocalUserMapping
# is set; the group file entries must match that form.
AuthGroupFile /etc/wwwusers
Require group NocUsers

# host-based allow on a DNS name needs a reverse lookup of the client address;
# how it combines with the Kerberos requirement depends on the Satisfy
# directive, which is not part of the snippet
Allow from noc.mm-karton.com
\r