# central usermanagement ...using ldap and kerberos # motivation warum: * skaliert * sicherheit * komfort (single sign on) warum nicht: * fehlerquelle komplexitaet * gefahr single point of failure / break in -> infrastruktur! # theorie recommended reading: * [[http://www.openinput.com/auth-howto/index.html|http://www.openinput.com/auth-howto/index.html]] * [[http://www.pdc.kth.se/heimdal/|http://www.pdc.kth.se/heimdal/]] * [[http://www.openldap.org/doc/admin23/|http://www.openldap.org/doc/admin23/]] architektur: * trusted third party, der KDC. hat gemeinsames secret mit allen hosts/services/usern. "principals". generiert auf anfrage ticket mit zeit, ip, und welcher user zu welchem service. design decisions: * keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap. * kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal). * eigene ldap range fuer uid/groupid, root und systemuser bleiben lokal falls das netzwerk spinnt. # required software zutaten am server: * heimdal kerberos (ldap), alternativen: mit, shishi * openldap, alternativ: mysql, postgresql * wohlgepflegtes dns und reverse-dns * schwer empfohlen: replikation und redundanz [[!format txt """ sudo aptitude install slapd heimdal-kdc """]] zutaten am host: * libnss-ldap * pam-krb5 * sasl mit gssapi provider * richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows) * kerberized client/serversoftware (zb. openssh, apache2) [[!format txt """ sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients """]] # vorbereitung: domain name service config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;): aka "srv records rock! - for kerberos but not for ldap :(" config file /etc/krb5.conf auf allen hosts ident! was ist ein "canonical hostname"? zonefile mm-karton.com (snippet): [[!format txt """ $ORIGIN mm-karton.com. kerberos A 10.128.0.24 kerberos-1 A 10.128.0.25 ldap CNAME srv-vie-26.vie.mm-karton.com. ldap-1 CNAME srv-vie-27.vie.mm-karton.com. _kerberos TXT "MM-KARTON.COM" _kerberos-master._tcp SRV 10 1 88 kerberos _kerberos-master._udp SRV 10 1 88 kerberos _kpasswd._udp SRV 10 1 464 kerberos _kerberos-adm._tcp SRV 10 1 749 kerberos _kerberos._tcp SRV 10 1 88 kerberos _kerberos._udp SRV 10 1 88 kerberos _kerberos._tcp SRV 20 1 88 kerberos-1 _kerberos._udp SRV 20 1 88 kerberos-1 _ldap._tcp SRV 10 1 88 ldap _ldap._tcp SRV 20 1 88 ldap-1 """]] zonefile mm-karton.net (snippet), afaik heimdal specific: [[!format txt """ _kerberos TXT "MM-KARTON.COM" """]] # config am server /etc/ldap/slapd.conf [[!format txt """ # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/hdb.schema TLSCACertificateFile /etc/ldap/ca_crt.pem TLSCertificateFile /etc/ldap/ldap.mm-karton.com_crt.pem TLSCertificateKeyFile /etc/ldap/ldap.mm-karton.com_key.pem TLSCipherSuite HIGH:MEDIUM:+SSLv2 pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 0 modulepath /usr/lib/ldap moduleload back_bdb moduleload syncprov # The maximum number of entries that is returned for a search operation sizelimit 500 ####################################################################### # Specific Backend Directives for bdb: backend bdb checkpoint 512 30 ####################################################################### # main database database bdb suffix "dc=mm-karton,dc=com" rootdn "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com" directory "/var/lib/ldap" dbconfig set_cachesize 0 33554432 0 lastmod on index objectClass eq index cn,uid,displayName eq,sub,pres index krb5PrincipalName eq index associatedDomain pres,eq,sub index entryUUID,default,entryCSN eq # needed for syncrepl overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 limits dn.exact="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited ####################################################################### # sasl config sasl-secprops minssf=0 security simple_bind=64 sasl-regexp uid=(.+),cn=.+,cn=auth ldap:///dc=mm-karton,dc=com??sub?(|(uid=$1)(krb5PrincipalName=$1@MM-KARTON.COM)) sasl-regexp "=0" "cn=ldapmaster@mm-karton.com,dc=mm-karton,dc=com" ####################################################################### # access control # needed for certain auth stuff access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=krb5PrincipalName by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by anonymous auth access to attrs=userPassword by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by anonymous auth # Kerberos attributes only accessible to root/ldapmaster and the superadmins access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmName by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by * none # user info readable for nssproxy user access to dn.subtree="ou=users,dc=mm-karton,dc=com" by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by dn="uid=nssproxy,dc=mm-karton,dc=com" read access to dn.subtree="ou=groups,dc=mm-karton,dc=com" by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by dn="uid=nssproxy,dc=mm-karton,dc=com" read access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read by dn="uid=nssproxy,dc=mm-karton,dc=com" read # all the rest access to dn.subtree="dc=mm-karton,dc=com" by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read """]] /etc/default/slapd [[!format txt """ # Default location of the slapd.conf file SLAPD_CONF= # System account to run the slapd server under. If empty the server # will run as root. SLAPD_USER="openldap" # System group to run the slapd server under. If empty the server will # run in the primary group of its user. SLAPD_GROUP="openldap" # Path to the pid file of the slapd server. If not set the init.d script # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf) SLAPD_PIDFILE= # Configure if the slurpd daemon should be started. Possible values: # - yes: Always start slurpd # - no: Never start slurpd # - auto: Start slurpd if a replica option is found in slapd.conf (default) SLURPD_START=auto # slapd normally serves ldap only on all TCP-ports 389. slapd can also # service requests on TCP-port 636 (ldaps) and requests via unix # sockets. # Example usage: SLAPD_SERVICES="ldap://10.128.4.36/ ldapi:///" # Additional options to pass to slapd and slurpd SLAPD_OPTIONS="" SLURPD_OPTIONS="" export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab" [ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi """]] /etc/heimdal-kdc/kadmin.acl [[!format txt """ lefant/admin@MM-KARTON.COM all """]] /etc/heimdal-kdc/kdc.conf [[!format txt """ [kdc] database = { realm = MM-KARTON.COM dbname = ldap:dc=mm-karton,dc=com mkey_file = /var/lib/heimdal-kdc/m-key acl_file = /etc/heimdal-kdc/kadmind.acl } addresses = 10.128.0.24 """]] [[!format txt """ $ sudo kadmin -l init MY.REALM add lefant/admin """]] # config am host /etc/libnss-ldap.conf [[!format txt """ BASE dc=mm-karton, dc=com URI ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/ ldap_version 3 ssl start_tls tls_cacertfile /etc/ssl/certs/mmagca_crt.pem binddn uid=nssproxy,dc=mm-karton,dc=com bindpw XXXXXXXX scope sub pam_filter objectClass=posixAccount nss_base_passwd ou=users,dc=mm-karton,dc=com nss_base_group ou=groups,dc=mm-karton,dc=com # Search timelimit timelimit 10 # Bind/connect timelimit bind_timelimit 2 pam_min_uid 10000 pam_max_uid 11000 nss_reconnect_tries 1 nss_reconnect_sleeptime 1 nss_reconnect_maxsleeptime 2 nss_reconnect_maxconntries 3 nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope """]] /etc/nsswitch.conf [[!format txt """ passwd: files ldap group: files ldap shadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis """]] /etc/krb5.conf [[!format txt """ [libdefaults] default_realm = MM-KARTON.COM dns_lookup_realm = yes [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 10h renew_lifetime = 10h forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } [domain_realm] srv-pof-30.pof.mmk.mmdom.net = MM-KARTON.COM [realms] MMK.MMDOM.NET = { kdc = DC-VIE-50 kpasswd_server = DC-VIE-50 auth_to_local_names = { lefant = invaliduser unki = invaliduser } } MM-KARTON.COM = { admin_server = kerberos.mm-karton.com auth_to_local = RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET// auth_to_local = DEFAULT } """]] /etc/pam.d/common-account [[!format txt """ account required pam_access.so account sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 account sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 account required pam_unix.so """]] /etc/pam.d/common-auth [[!format txt """ auth optional pam_group.so auth sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass auth sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass auth required pam_unix.so try_first_pass """]] /etc/pam.d/common-session [[!format txt """ session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 session required pam_unix.so """]] restrict logins to certain users: /etc/security/access.conf [[!format txt """ # first, to avoid delays when network is still unavailable +:ALL:LOCAL +:root:ALL # remote users and groups +:bofh:ALL # deny everything else -:ALL:ALL """]] /etc/adduser.conf (snippet) [[!format txt """ # FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically # allocated user accounts/groups. FIRST_UID=1000 LAST_UID=19999 """]] ldap client config (administration): /etc/ldap/ldap.conf [[!format txt """ BASE dc=mm-karton, dc=com URI ldap://ldap.mm-karton.com/ ssl start_tls tls_cacert /etc/ssl/certs/ca_crt.pem """]] ldapwhoami, ldapsearch sudo, nopasswd, weil solches haben wir ja nicht... /etc/sudoers [[!format txt """ lefant ALL=(ALL) NOPASSWD:ALL """]] # single sign on fuer applikationen (gssapi support, das grosse fragezeichen) /etc/ssh/sshd_config (snippet) [[!format txt """ GSSAPIAuthentication yes GSSAPIKeyExchange yes """]] /etc/ssh/ssh_config (snippet) [[!format txt """ host * GSSAPIAuthentication yes GSSAPIDelegateCredentials yes GSSAPITrustDns yes """]] firefox: out-of-the-box! apache: (apt-get install libapache2-mod-auth-kerb) config snippet [[!format txt """ AuthType Kerberos AuthName "MM Login (use windows login *without* mm\ prefix)" KrbServiceName HTTP Krb5Keytab /etc/apache2/keytab KrbAuthRealms MMK.MMDOM.NET MM-KARTON.COM AuthGroupFile /etc/wwwusers Require group NocUsers Order deny,allow Deny from all Allow from noc.mm-karton.com Satisfy any """]] # misc stuff * tcpdump * strace * $HOME/.k5login