-= central usermanagement =
-...using ldap and kerberos
+# central usermanagement
+
+...using ldap and kerberos
-= motivation =
+# motivation
warum:
- * skaliert
- * sicherheit
- * komfort (single sign on)
+* skaliert
+* sicherheit
+* komfort (single sign on)
warum nicht:
- * fehlerquelle komplexitaet
- * gefahr single point of failure / break in
+* fehlerquelle komplexitaet
+* gefahr single point of failure / break in
-> infrastruktur!
-
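Review bot: the line `-> infrastruktur!` is ambiguous in this hunk: read as a diff line it deletes `> infrastruktur!` with no `+` replacement, but it is presumably the arrow conclusion of the motivation list (the trade-off list leads to "therefore: infrastructure!"). If it is meant to survive the conversion, add it back as a `+` line, for example as `=> infrastruktur!`, so that the conclusion of the section is not silently dropped (a leading `>` would also turn into a blockquote in markdown).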
-= theorie =
+# theorie
recommended reading:
- * http://www.openinput.com/auth-howto/index.html
- * http://www.pdc.kth.se/heimdal/
- * http://www.openldap.org/doc/admin23/
+* [[http://www.openinput.com/auth-howto/index.html|http://www.openinput.com/auth-howto/index.html]]
+* [[http://www.pdc.kth.se/heimdal/|http://www.pdc.kth.se/heimdal/]]
+* [[http://www.openldap.org/doc/admin23/|http://www.openldap.org/doc/admin23/]]
architektur:
- * trusted third party, der KDC. hat gemeinsames secret mit allen
- hosts/services/usern. "principals". generiert auf anfrage ticket mit
- zeit, ip, und welcher user zu welchem service.
+* trusted third party, der KDC. hat gemeinsames secret mit allen hosts/services/usern. "principals". generiert auf anfrage ticket mit zeit, ip, und welcher user zu welchem service.
design decisions:
- * keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap.
- * kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal).
- * eigene ldap range fuer uid/groupid, root und systemuser bleiben
- lokal falls das netzwerk spinnt.
-
+* keine passwoerter im ldap, alles via kerberos, rueckwaertskompatibilitaet via pam_krb, nicht sasl oder pam_ldap.
+* kerberos datenbank im ldap, keine seperate replikation noetig (nur mit heimdal).
+* eigene ldap range fuer uid/groupid, root und systemuser bleiben lokal falls das netzwerk spinnt.
-= required software =
+# required software
zutaten am server:
- * heimdal kerberos (ldap), alternativen: mit, shishi
- * openldap, alternativ: mysql, postgresql
- * wohlgepflegtes dns und reverse-dns
- * schwer empfohlen: replikation und redundanz
-
-{{{
-sudo aptitude install slapd heimdal-kdc
-}}}
+* heimdal kerberos (ldap), alternativen: mit, shishi
+* openldap, alternativ: mysql, postgresql
+* wohlgepflegtes dns und reverse-dns
+* schwer empfohlen: replikation und redundanz
+[[!format txt """
+sudo aptitude install slapd heimdal-kdc
+"""]]
zutaten am host:
- * libnss-ldap
- * pam-krb5
- * sasl mit gssapi provider
- * richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows)
- * kerberized client/serversoftware (zb. openssh, apache2)
-
-{{{
-sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients
-}}}
+* libnss-ldap
+* pam-krb5
+* sasl mit gssapi provider
+* richtige zeit, zb. openntpd (kann aber nicht stratum faken fuer windows)
+* kerberized client/serversoftware (zb. openssh, apache2)
+[[!format txt """
+sudo aptitude install libnss-ldap libpam-krb5 libsasl2-gssapi-mit heimdal-clients
+"""]]
-= vorbereitung: domain name service =
+# vorbereitung: domain name service
config im dns (da gibts uebrigens auch welche mit ldap/sql backend ;):
was ist ein "canonical hostname"?
zonefile mm-karton.com (snippet):
-{{{
+[[!format txt """
$ORIGIN mm-karton.com.
kerberos A 10.128.0.24
kerberos-1 A 10.128.0.25
_ldap._tcp SRV 10 1 88 ldap
_ldap._tcp SRV 20 1 88 ldap-1
-}}}
-
+"""]]
zonefile mm-karton.net (snippet), afaik heimdal specific:
-{{{
+[[!format txt """
_kerberos TXT "MM-KARTON.COM"
-}}}
+"""]]
-
-
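Review bot: the SRV records in the mm-karton.com snippet point `_ldap._tcp` at port 88, which is the Kerberos port; LDAP clients doing SRV discovery expect 389 (or 636 for ldaps), so the lines should read `_ldap._tcp SRV 10 1 389 ldap` and `_ldap._tcp SRV 20 1 389 ldap-1`. The SRV targets `ldap` and `ldap-1` also have no A records in the snippet while `kerberos` and `kerberos-1` do, so either the missing A records or a `_kerberos._udp` SRV record for the KDCs seems to have been lost in the conversion. The `_kerberos TXT "MM-KARTON.COM"` realm-mapping record is placed in mm-karton.net although the KDC hosts live under mm-karton.com; with `dns_lookup_realm = yes` in krb5.conf below, double-check that this is the domain the clients actually resolve from, since a wrong or missing TXT record makes realm mapping fall back to DNS guesses.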
-= config am server =
+# config am server
/etc/ldap/slapd.conf
-{{{
+
+[[!format txt """
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
loglevel 0
-modulepath /usr/lib/ldap
-moduleload back_bdb
+modulepath /usr/lib/ldap
+moduleload back_bdb
moduleload syncprov
# The maximum number of entries that is returned for a search operation
#######################################################################
# Specific Backend Directives for bdb:
-backend bdb
+backend bdb
checkpoint 512 30
index objectClass eq
-index cn,uid,displayName eq,sub,pres
-index krb5PrincipalName eq
+index cn,uid,displayName eq,sub,pres
+index krb5PrincipalName eq
index associatedDomain pres,eq,sub
index entryUUID,default,entryCSN eq
by dn="cn=unki@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=lefant@mm-karton.com,dc=mm-karton,dc=com" write
by dn="cn=ldap/srv-vie-27.vie.mm-karton.com@mm-karton.com,ou=kdc,dc=mm-karton,dc=com" read
-}}}
-
+"""]]
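Review bot: the ACL at the end of the slapd.conf snippet consists of three `by dn=... write|read` clauses with no `access to <what>` line in front of them, so it is not loadable as shown and it is not visible which attributes the two admin DNs get write access to. Since the Kerberos database lives in LDAP (design decision above), the restored `access to` line should name the krb5 key attributes explicitly, grant them only to the DNs that need them (the `ldap/srv-vie-27...` entry in `ou=kdc` already appears with `read`) and end with `by * none`, otherwise anonymous or NSS binds may be able to read principal keys. Separately, the `modulepath`, `moduleload`, `backend` and `index` lines show up as changed although their text is identical, which looks like tab-to-space editing; keep such whitespace-only changes out of the conversion commit or state them in the message so reviewers do not hunt for a config change that is not there.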
/etc/default/slapd
-{{{
+[[!format txt """
# Default location of the slapd.conf file
SLAPD_CONF=
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)
SLAPD_PIDFILE=
-# Configure if the slurpd daemon should be started. Possible values:
+# Configure if the slurpd daemon should be started. Possible values:
# - yes: Always start slurpd
# - no: Never start slurpd
# - auto: Start slurpd if a replica option is found in slapd.conf (default)
export KRB5_KTNAME="FILE:/etc/ldap/ldap.keytab"
[ -L /var/run/ldapi ] || ln -s /var/run/slapd/ldapi /var/run/ldapi
-}}}
-
-
-
+"""]]
/etc/heimdal-kdc/kadmin.acl
-{{{
+[[!format txt """
lefant/admin@MM-KARTON.COM all
-}}}
-
+"""]]
/etc/heimdal-kdc/kdc.conf
-{{{
+[[!format txt """
[kdc]
database = {
realm = MM-KARTON.COM
acl_file = /etc/heimdal-kdc/kadmind.acl
}
addresses = 10.128.0.24
-}}}
+"""]]
-{{{
+[[!format txt """
$ sudo kadmin -l
init MY.REALM
add lefant/admin
-}}}
-
+"""]]
-
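Review bot: the admin ACL file name is inconsistent between the two snippets: the file shown is `/etc/heimdal-kdc/kadmin.acl`, but `kdc.conf` sets `acl_file = /etc/heimdal-kdc/kadmind.acl`, so kadmind will not read the ACL that grants `lefant/admin@MM-KARTON.COM all`; pick one name and use it in both places. The `kadmin -l` session also runs `init MY.REALM` while every other snippet uses `MM-KARTON.COM`; either use the real realm name or mark `MY.REALM` as a placeholder so nobody initialises a second, empty realm by copy-paste.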
-= config am host =
+# config am host
/etc/libnss-ldap.conf
-{{{
+[[!format txt """
BASE dc=mm-karton, dc=com
URI ldap://ldap.mm-karton.com/,ldap://ldap-1.mm-karton.com/
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 3
nss_initgroups_ignoreusers arpwatch,asterisk,backup,bin,bind,clamav,cricket,daemon,Debian-exim,debianmirror,dovecot,fetchmail,ftp,games,gnats,identd,irc,list,lp,mail,man,messagebus,mysql,nagios,news,nobody,ntp,ntpd,nut,openvpn,pdns,proftpd,proxy,puppet,root,smmsp,smmta,smsd,snmp,snort,sshd,statd,sync,sys,uucp,www-data,zope
-}}}
-
+"""]]
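Review bot: the NSS client config uses plain `ldap://` URIs with no `ssl start_tls` / `tls_cacert` lines, unlike the administrative /etc/ldap/ldap.conf further down which does enable STARTTLS against a CA. Even though no passwords are stored in LDAP here, the passwd and group lookups (uid, gid, group membership, home directory, shell) then travel unauthenticated and in the clear, and whoever can answer them decides which user is in which group on every host. Add `ssl start_tls` and `tls_cacert` (and `tls_checkpeer yes`) to libnss-ldap.conf as well; the long `nss_initgroups_ignoreusers` list is the right idea for keeping system accounts off the network path, but it does not protect the LDAP users themselves.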
/etc/nsswitch.conf
-{{{
+[[!format txt """
passwd: files ldap
group: files ldap
shadow: files
rpc: db files
netgroup: nis
-}}}
-
+"""]]
/etc/krb5.conf
-{{{
+[[!format txt """
[libdefaults]
default_realm = MM-KARTON.COM
dns_lookup_realm = yes
[logging]
- default = SYSLOG:NOTICE:DAEMON
- kdc = FILE:/var/log/kdc.log
- kadmind = FILE:/var/log/kadmind.log
+ default = SYSLOG:NOTICE:DAEMON
+ kdc = FILE:/var/log/kdc.log
+ kadmind = FILE:/var/log/kadmind.log
[appdefaults]
- pam = {
- ticket_lifetime = 10h
- renew_lifetime = 10h
- forwardable = true
- proxiable = false
- retain_after_close = false
- minimum_uid = 0
- debug = false
- }
+ pam = {
+ ticket_lifetime = 10h
+ renew_lifetime = 10h
+ forwardable = true
+ proxiable = false
+ retain_after_close = false
+ minimum_uid = 0
+ debug = false
+ }
[domain_realm]
srv-pof-30.pof.mmk.mmdom.net = MM-KARTON.COM
auth_to_local = RULE:[1:$1@$0](^.*@MMK.MMDOM.NET$)s/@MMK.MMDOM.NET//
auth_to_local = DEFAULT
}
-}}}
-
-
+"""]]
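Review bot: the `[domain_realm]` section of this krb5.conf snippet ends with two `auth_to_local` lines and a stray `}` that closes nothing. `auth_to_local` with the `RULE:[1:$1@$0](...)s/.../` syntax is a per-realm relation that belongs under the realm's entry in `[realms]`, where the closing brace would make sense, so the snippet most likely lost its `[realms]` block in the conversion; restore it, because as shown neither `MMK.MMDOM.NET` nor `MM-KARTON.COM` (both referenced by the PAM files below) has any KDC definition beyond DNS lookup, and the DNS snippet above shows no Kerberos SRV records. Note also that the `pam` appdefaults request `forwardable = true` for every login, which is what turns the `GSSAPIDelegateCredentials` setting further down into a real TGT hand-over to every server.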
/etc/pam.d/common-account
-{{{
+[[!format txt """
account required pam_access.so
account sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000
account sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000
account required pam_unix.so
-}}}
-
+"""]]
/etc/pam.d/common-auth
-{{{
+[[!format txt """
auth optional pam_group.so
auth sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000 try_first_pass
auth sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000 try_first_pass
auth required pam_unix.so try_first_pass
-}}}
-
+"""]]
/etc/pam.d/common-session
-{{{
+[[!format txt """
session required pam_mkhomedir.so umask=0022 skel=/etc/mmskel
session sufficient pam_krb5.so forwardable realm=MMK.MMDOM.NET minimum_uid=20000
session sufficient pam_krb5.so forwardable realm=MM-KARTON.COM minimum_uid=20000
session required pam_unix.so
-}}}
-
-
-
+"""]]
restrict logins to certain users:
/etc/security/access.conf
-{{{
+[[!format txt """
# first, to avoid delays when network is still unavailable
+:ALL:LOCAL
+:root:ALL
# deny everything else
-:ALL:ALL
-}}}
-
-
-
+"""]]
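Review bot: `+:root:ALL` in access.conf allows root from every origin, not only from local ttys, which is broader than the comment ("avoid delays when network is still unavailable") needs; `+:ALL:LOCAL` on the line above already covers console logins, so `+:root:LOCAL` (or a short list of admin hosts) is the least-privilege form, with `PermitRootLogin` in sshd_config deciding whether root may come in over ssh at all (the sshd snippet below does not show it). As shown, the file also contains only the root line, the local line and `-:ALL:ALL`, so no LDAP user could log in over the network; the per-user or per-group allow lines that the heading "restrict logins to certain users" promises appear to be missing from the snippet.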
/etc/adduser.conf (snippet)
-{{{
+[[!format txt """
# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
# allocated user accounts/groups.
FIRST_UID=1000
LAST_UID=19999
-}}}
-
-
-
-
+"""]]
ldap client config (administration):
/etc/ldap/ldap.conf
-{{{
+[[!format txt """
BASE dc=mm-karton, dc=com
URI ldap://ldap.mm-karton.com/
ssl start_tls
tls_cacert /etc/ssl/certs/ca_crt.pem
-}}}
-
+"""]]
ldapwhoami, ldapsearch
-
-
sudo, nopasswd, weil solches haben wir ja nicht...
/etc/sudoers
-{{{
+[[!format txt """
lefant ALL=(ALL) NOPASSWD:ALL
-}}}
-
+"""]]
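Review bot: `lefant ALL=(ALL) NOPASSWD:ALL` removes the only re-authentication step between a login session and root, and with forwardable tickets plus `GSSAPIDelegateCredentials yes` for `host *` (ssh_config below) every server that receives a delegated ticket for this principal is effectively root on every machine. If NOPASSWD is unavoidable because there is no local password to ask for, scope the rule to the host group and commands actually needed instead of `ALL=(ALL) NOPASSWD:ALL`, and keep sudo logging on so that the root transitions remain visible in the logs.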
-
-= single sign on fuer applikationen (gssapi support, das grosse fragezeichen) =
+# single sign on fuer applikationen (gssapi support, das grosse fragezeichen)
/etc/ssh/sshd_config (snippet)
-{{{
+[[!format txt """
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
-}}}
-
+"""]]
/etc/ssh/ssh_config (snippet)
-{{{
+[[!format txt """
host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPITrustDns yes
-}}}
-
-
-
+"""]]
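Review bot: `GSSAPIDelegateCredentials yes` under `host *` forwards the user's TGT to every server the user ever connects to, and `GSSAPITrustDns yes` lets the client accept whatever name DNS returns when choosing the server principal, so the safety of every SSO login rests on DNS not being spoofable (the page itself stresses well-maintained DNS and reverse DNS and asks what a canonical hostname is). Keep delegation at `no` for `host *` and enable it only in a `Host` block listing the admin hosts that genuinely need onward tickets; `GSSAPIKeyExchange yes` on the server side is also only effective with clients that carry the same GSSAPI key-exchange patch (it is in Debian's OpenSSH, not in upstream), so do not rely on it for host authentication without checking the client builds.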
firefox: out-of-the-box!
-apache: (apt-get install libapache2-mod-auth-kerb)
-config snippet
-{{{
+apache: (apt-get install libapache2-mod-auth-kerb) config snippet
+[[!format txt """
<Location />
AuthType Kerberos
AuthName "MM Login (use windows login *without* mm\ prefix)"
Allow from noc.mm-karton.com
Satisfy any
</Location>
-}}}
-
+"""]]
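Review bot: the `<Location />` block sets `AuthType Kerberos` but contains no `Require` directive, so as shown mod_auth_kerb is never actually asked to authenticate anyone; combined with `Satisfy any` and `Allow from noc.mm-karton.com` (with no `Order`/`Deny`), the effective rule is that everybody gets in, not only noc. Add `Require valid-user` (plus the `KrbAuthRealms` and `Krb5Keytab` directives if they are not in the full config) so that `Satisfy any` means "noc without login, everyone else with a ticket". The AuthName text ("use windows login *without* mm\ prefix") suggests that the password fallback (`KrbMethodK5Passwd`, which is on by default) is relied upon; that path sends the Kerberos password as HTTP Basic auth, so such a Location must only be reachable over HTTPS, or the fallback should be switched off in favour of Negotiate only.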
+# misc stuff
-= misc stuff =
- * tcpdump
- * strace
- * $HOME/.k5login
\ No newline at end of file
+* tcpdump
+* strace
+* $HOME/.k5login
\ No newline at end of file